How to test whether your employees will fall for a phishing scam

Q: What can I do to test my employees to see how likely they are to fall for a phishing scam?

More than ever, businesses are a primary target of cyber criminals because they know that a business is more likely to pay more in a ransomware scam or wire fraud scam.

Not only is there more money to be made, they have a larger number of targets they can pursue to achieve their goals. All it takes is one user in the company to fall for a cleverly crafted email for the infiltration to begin.

The weakest security link

No matter how sophisticated your cybersecurity technology has been setup to prevent unauthorized access to your network, your employees are your last line of defense.

Your users are also the easiest way to gain access, so rather than trying to penetrate your technology fortress head on, thieves will simply use clever tricks on humans to bypass your security systems.

The methods used by cyberthieves continue to evolve, so continuous education and awareness of the threat is the only way to harden your employees.

Cybersecurity is never going to be a “fire and forget” process, so building a strategic plan for ongoing education is highly recommended.

It should be considered a compliance issue, much like you approach accounting and HR issues and regulations.

Free test tools

Lots of companies have created tools and resources that will both test and educate your employees.

One of my longtime favorites is a company called “KnowBe4,” which offers over a dozen free tools that any business can use to test their employees or check for breach exposures.

Another reason I like this company is because their “Chief Hacking Officer” is Kevin Mitnick, once known as the “World’s Most Wanted Hacker” in the mid-90s and author of “The Art of Deception: Controlling the Human Element of Security.”

He has since turned his talents from crime to consulting and helps companies understand how hackers think and act.

Phishing reply test

Of the 14 free tools offered by KnowBe4, one of the most helpful is the “Phishing Reply Test” because it shows you who opened the suspicious message but, more importantly, who fell for the trick and replied to the message.

You can choose from three different scenarios to send to your employees and spoof the sender’s name by using someone they would likely trust — just like real phishing scams often do — then compile the results for you within 24 hours.

CEO fraud attack

Testing to see if your employees will fall for a spoofed internal email is always a good check, as a fake message from an important person in your organization is a common attack technique.

The Domain Spoof Test will require that the person in charge of your email platform and security be involved, because it’s a little more involved than some of the other tests.

Each of their free test tools can be requested by filling out the form associated with each tool, so it won’t take long for you to start assessing your employees so you’ll know what you need to teach them.

Ken Colburn is founder and CEO of Data Doctors Computer Services. Ask any tech question on Facebook or Twitter.

Federal News Network Logo
Log in to your WTOP account for notifications and alerts customized for you.

Sign up