Phishing scams are on the rise, but that's nothing new. According to the FBI, reported phishing incidents nearly doubled between 2019 and 2020, and we don't expect the trend to slow down any time soon.
To mitigate their risk of becoming the next victim, many organizations turn to phishing testing: a simulation where business leaders send deceptive emails to their staff to gauge their responses. The goal is to determine which employees fell for the trap, correctly identified the malicious email, or followed proper protocol for flagging or reporting the email as a phishing attempt.
But while phishing testing can help organizations improve employee behavior, on its own it is no longer enough. With the number of attacks ballooning, it's time businesses amped up their defenses.
Here are five reasons it’s time to look beyond simple phishing testing:
Hackers are Getting Better
Cybercriminals aren't just getting luckier. Today they have mature ecosystems to help them grow their skills and ensure their success. They're also well funded, both from previous wins and from organized crime backers with deep pockets. All of this means they have the tools and resources to cause more damage than ever.
And while there's still some money to be made targeting individuals and stealing their personally identifiable information (PII), hackers know the largest rewards come from successfully attacking a company. For example, the Russian-linked ransomware group known as DarkSide made off with a whopping $4.4 million from the Colonial Pipeline attack in May 2021.
Malware is Becoming More Sophisticated
And it's not just the hackers themselves who are getting craftier; their technology is getting more advanced too. From clickjacking and distributed denial-of-service (DDoS) attacks to rogue WiFi access points, attackers have readier access to tools and techniques than they did just a few years ago.
And as information becomes democratized across the internet, so do the knowledge, skills, and technology required to pull off a sophisticated attack. Hackers in developing nations benefit significantly from this exchange and help grow the cybercriminal presence on every continent.
In other words, traditional cybersecurity solutions are no match for the sheer quantity of attacks and the growth of cybercrime organizations.
Email isn’t Going Anywhere
People spend so much time in their inboxes that, when it comes to opening and interacting with email messages, they're not always as mindful as they should be, and that's a problem no organization is likely to solve on its own.
“Your organization will continue to be at risk as long as email is necessary for business operations,” says cybersecurity thought leader Aviv Grafi in an article for Dark Reading.
Employees often put too much trust in the strength of their company's email security and data encryption capabilities, and frequently exchange sensitive information with each other over email. Phishing testing isn't enough to offset the nearly ingrained false sense of security many workforces feel toward their humble inboxes.
Employees aren’t Learning Enough
Thanks to basic security education and a growing number of digital natives entering the workforce, today’s employees have a greater sense of cybercrime risks than ever before. But it’s still not enough.
Hackers are getting better at social engineering and convincing even some of the savviest individuals to fall for their scams. Instead of using sketchy-looking links, phishing emails today frequently leverage lookalike domains (also called "cousin domains") that are so similar to the legitimate domain that a busy employee may not notice the difference: a swapped character, a digit standing in for a letter, or the real brand name used as a label of an unrelated domain. The same is true for file attachments, where malware is disguised as something innocuous like "quarterly sales report."
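The cousin-domain problem described above lends itself to an automated check at the mail gateway or in triage tooling. The following is an added example, not code from the original article: a small Python filter that canonicalizes a sender's domain (decoding punycode labels), folds common confusable characters and Cyrillic homoglyphs, and flags registered domains that reuse, imitate, or sit one edit away from a list of trusted domains. The trusted-domain list, the confusables table, the sample senders and the two-label "registered domain" rule are assumptions made for illustration.

```python
"""Flag lookalike ("cousin") sender domains against a list of trusted domains.

Added example; not code from the original article. The trusted-domain list,
the confusables table and the sample senders are constructed for illustration.
"""
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Constructed list of domains the organization trusts (assumption).
TRUSTED_DOMAINS = ("example.com", "paypal.com", "microsoft.com")

# Characters and sequences that imitate others in common e-mail fonts.
# Multi-character keys come first so "rn" collapses to "m" before "n" is seen.
_CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    # Cyrillic homoglyphs that Unicode normalization does not fold to Latin.
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def canonical_domain(domain: str) -> str:
    """Lower-case, strip a trailing dot and decode punycode (xn--) labels."""
    domain = domain.strip().rstrip(".").lower()
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw form; it is still compared as written
    return domain


def fold_confusables(text: str) -> str:
    """Collapse visually confusable spellings so 'rnicros0ft' -> 'microsoft'."""
    text = unicodedata.normalize("NFKD", text)  # fullwidth/compat forms -> ASCII
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # drop accents
    for seq, repl in _CONFUSABLES.items():
        text = text.replace(seq, repl)
    return text


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


@dataclass
class Verdict:
    domain: str
    verdict: str            # "trusted", "lookalike" or "unknown"
    matched: Optional[str]  # the trusted domain the sender resembles, if any
    reason: str


def registered_part(domain: str) -> str:
    """Last two labels, e.g. 'mail.paypal.com' -> 'paypal.com'.
    Assumption: single-label TLDs; a public-suffix list is needed for 'co.uk'."""
    return ".".join(domain.split(".")[-2:])


def check_sender_domain(sender_domain: str, trusted=TRUSTED_DOMAINS) -> Verdict:
    domain = canonical_domain(sender_domain)
    # 1. An exact match or a genuine subdomain of a trusted domain is fine.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return Verdict(domain, "trusted", t, "exact or subdomain match")
    reg = registered_part(domain)
    reg_sld = reg.split(".")[0]
    for t in trusted:
        t_sld = t.split(".")[0]  # brand label; very short brands need a stricter rule
        # 2. Brand reused in an unrelated domain: paypal.com.evil.net, secure-paypal.com
        if t_sld in domain.split(".") or t_sld in reg_sld:
            return Verdict(domain, "lookalike", t, "trusted brand name reused")
        # 3. Same name once confusable characters and scripts are folded: paypa1.com
        if fold_confusables(reg) == fold_confusables(t):
            return Verdict(domain, "lookalike", t, "confusable characters")
        # 4. Typosquat within one edit or transposition: microsfot.com
        if osa_distance(fold_confusables(reg_sld), fold_confusables(t_sld)) <= 1:
            return Verdict(domain, "lookalike", t, "within one edit of trusted domain")
    return Verdict(domain, "unknown", None, "no trusted domain resembled")


if __name__ == "__main__":
    # Constructed sample senders, including a punycode homoglyph of paypal.com.
    for sender in ("mail.paypal.com", "paypa1.com", "rnicrosoft.com",
                   "paypal.com.evil.net", "microsfot.com",
                   "p\u0430ypal.com".encode("idna").decode("ascii"), "github.com"):
        print(check_sender_domain(sender))
```

A filter like this only narrows the field: the `registered_part` rule needs a public-suffix list for multi-label TLDs, the confusables table is deliberately small, and a sender domain that passes is not thereby trustworthy. It belongs alongside sender authentication (SPF, DKIM, DMARC) and the reporting workflow the article goes on to describe, not in place of them.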
At the beginning of the pandemic, we saw hackers using mass confusion around new remote work processes to trick employees into clicking malicious links or downloading virus-laden files.
Distributed Workforces Bring New Risks
And speaking of remote work, distributed workforces are creating even more challenges for security teams. With so many people working from home indefinitely, organizations have less control over employees' environments. Team members are handling sensitive materials over unsecured WiFi connections, logging on from unauthorized devices, leaving laptops unattended around roommates, and more. No amount of phishing testing can overcome these habits.
What to Do
Phishing testing can be useful, but only when accompanied by a more robust strategy and a growing culture of security. Organizations need to invest in better preventive measures, such as cohesive security awareness training and actionable threat intelligence that allows the workforce to keep learning and improving its security literacy. As threats become more sophisticated and more numerous, having a well-prepared workforce will be your best defense. Contact us today to discover the better alternative to phishing testing.