How to Train Users about Phishing Attacks

In 2021, Trend Micro reported that phishing attempts nearly doubled since the previous year. If employees are potentially the weakest link in your security strategy, then the best way to avoid attacks is to train users about phishing, and that comes down to having the right tools in place.

KnowBe4 is a tool that helps users distinguish between legitimate and phishing emails by introducing them to simulated phishing content and monitoring their behavior. Based on the actions that users take, training can be provided when awareness is needed. Phishing training should be a part of your cybersecurity business plan. Let’s look at how KnowBe4 tests your employees’ awareness of possible security threats.

Phishing attack prevention

The most common threat to a company’s digital security is phishing. How do you know where your company is vulnerable? By creating campaigns in KnowBe4 you can send simulated phishing emails to your employees to test how they react. Various settings can be configured per campaign, and each campaign can then be scheduled either on a one-time or recurring basis. You can:

  • Create a new campaign and define the who, what, when and how settings.
  • Choose an existing template from the large collection KnowBe4 offers or create your own.
  • Choose which landing page the user sees should they click on any “infected” email links.

And, as we’ll see later, you have complete visibility into the results.

Vishing attack prevention

Training users about phishing alone is not enough. Vishing, or voice phishing, is the criminal practice of using social engineering over the telephone system to obtain private, personal and financial information from the public for financial gain. It has proven to be one of the most successful methods of gathering the information needed to breach an organization.

Are you familiar with those calls claiming to be from the IRS, stating that you are about to be arrested because you owe money? This is a real-world example of the automated calls used in vishing. Of course, they want a payment, and making that payment requires handing over personal information.

KnowBe4 lets you create vishing campaigns that test users by calling them via an automated system and asking for sensitive information. If the user hangs up without entering anything, they pass the vishing test. If they speak or key the requested digits into the phone, they fail.

USB dropped drive hack

Have you ever found a USB drive and wondered what was on it? For some people the urge to plug it in is irresistible! One study suggests that 48% – 98% of people will plug in a found drive. Whether it’s because they want to return it to the rightful owner or out of simple curiosity, plugging it into either a personal or work-issued computer is a serious security risk.

Called the “dropped drive hack” by WIRED magazine, placing infected files on a USB drive and leaving it somewhere for a user to find is a viable attack vector that targets companies that don’t block USB media or train users on safe USB practices.

To test employees’ awareness of safe USB use, KnowBe4 can generate “infected” test files that you put on USB drives and leave for users to find and plug into their computers. If a user opens a file on the drive, it reports back and the result appears on the dashboard.

Monitor user results

So… how are your people doing? How do you know if people are clicking on what they shouldn’t? More importantly, how do you know if they are learning and getting better at avoiding risks? The main dashboard in KnowBe4 gives you instant insight into your company’s performance and compares it to the current industry benchmark, letting you know where you need to focus user training.

Training campaigns for phishing

Up to this point we’ve talked about testing users’ awareness of threats but haven’t covered how to make users more resistant to these threats. At the heart of KnowBe4 is its user training and awareness content. Through the KnowBe4 ModStore, you can access a wide variety of training modules, covering everything from security awareness fundamentals to the social engineering tactics you want users to recognize when you train them about phishing.

KnowBe4 does a great job of coupling their phishing campaigns with training campaigns. You have the option of auto-assigning training for users who fail testing, ensuring that the user gets the training they need. You can also create groups, such as a specific department or management team, and assign training directly to those groups.

Get started with freebies

KnowBe4 offers a completely free tool called Second Chance that adds a step between a user clicking a link in an email and the associated web page opening. It takes the golden rule of hovering over a link before clicking it and brings it to the forefront by showing the user where the link actually leads before launching their default browser. Using an eye-catching orange box as a warning, it displays the real destination and asks the user if they want to proceed.
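The “hover before you click” rule works because the visible text of a link and its real destination are two different things. The script below, an added example that is not KnowBe4’s code and has nothing to do with how Second Chance is implemented, shows what that check looks like when done over a whole message: it pulls every link out of an HTML email body, compares the domain in the visible text with the domain the link really points to, and flags plain-http links and punycode (xn--) hosts that render as lookalike names. The sample message, the domains in it, and the function names are all constructed for the demonstration.

```python
"""
Reveal where the links in an HTML e-mail body really go and flag the
mismatches a user would only notice by hovering.  Added example, not
KnowBe4 code; the sample message below is constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A lookalike host built from a non-ASCII name; its IDNA form is the
# punycode label a browser would show in the status bar (xn--exmple-cua.com).
LOOKALIKE_HOST = "exämple.com".encode("idna").decode("ascii")

# Constructed sample body: one honest link, one whose visible text is a URL
# that does not match the href, and one hidden behind the punycode lookalike.
SAMPLE_HTML = f"""
<p>Your mailbox is almost full. <a href="https://mail.example.com/quota">Review storage</a></p>
<p>Verify your account: <a href="http://login-example.com.evil.test/verify">https://login.example.com/verify</a></p>
<p>Invoice: <a href="https://{LOOKALIKE_HOST}/inv/4471">Invoice 4471</a></p>
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Lower-cased host of a URL, with a punycode host decoded to Unicode
    so a lookalike is shown the way the user would perceive it."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def check_link(href, text):
    """Return the warnings for one link; an empty list means nothing odd."""
    warnings = []
    parts = urlsplit(href)
    target = hostname(href)
    if parts.scheme.lower() == "http":
        warnings.append("plain http, no TLS")
    shown = URL_RE.search(text)
    if shown and hostname(shown.group(0)) != target:
        warnings.append(
            f"visible text points to {hostname(shown.group(0))} but link goes to {target}"
        )
    if parts.hostname and "xn--" in parts.hostname.lower():
        warnings.append(f"punycode host {parts.hostname}, displays as {target}")
    return warnings


def reveal_links(html):
    """Return [(href, visible text, warnings)] for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(href, text, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, warnings in reveal_links(SAMPLE_HTML):
        print(f'"{text}" -> {href}')
        for warning in warnings:
            print("   !", warning)
```

Run it against a saved message body and the second and third links are flagged while the first passes; the same three checks (text/href domain mismatch, missing TLS, punycode host) are a reasonable starting list for a mail-gateway rule or a training debrief.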

Paranoid yet?

If phishing and other illicit scams weren’t effective they would have faded away long ago. If you don’t train users about phishing you can be sure your users will fall victim to them at one point or another. Hopefully the facts we’ve shown will help instill a healthy level of paranoia when it comes to what your users are clicking on in their emails along with an understanding of how KnowBe4 can help your company strengthen its awareness.

Written by Logan McCoy, President, CCB Technology.
