Phishing

More than 90% of successful hacks and data breaches start with phishing scams. Phishing is a threat to every organization across the globe. Get the information you need to prevent attacks.

Phishing

Phishing is the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters.

Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering.

 

History of Phishing

Phishing is the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters. Here is a brief history of how the practice of phishing has evolved from the 1980s until now:
 

 1980s

A phishing technique was described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.

Did you know that 91% of successful data breaches started with a spear phishing attack?

Find out what percentage of your employees are Phish-prone™ with your free phishing security test. Plus, see how you stack up against your peers with the new phishing Industry Benchmarks!

PST Results

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page 
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Start phishing your users now.
Fill out the form, and get started immediately!

Top Phishing Techniques

There are a number of different techniques used to obtain personal information from users. As technology becomes more advanced, the cybercriminals' techniques being used are also more advanced.

To prevent Internet phishing, users should have knowledge of how cybercriminals do this and they should also be aware of anti-phishing techniques to protect themselves from becoming victims.

exclamation-1
Spear Phishing
Think of spear phishing as professional phishing. Classic phishing campaigns send mass emails to as many people as possible, but spear phishing is much more targeted. The hacker has either a certain individual(s) or organization they want to compromise and are after more valuable info than credit card data. They do research on the target in order to make the attack more personalized and increase their chances of success. 
exclamation-1
Session Hijacking
In session hijacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hacking procedure known as session sniffing, the phisher can use a sniffer to intercept relevant information so that he or she can access the Web server illegally.
exclamation-1
Email/Spam
Using the most common phishing technique, the same email is sent to millions of users with a request to fill in personal details. These details will be used by the phishers for their illegal activities. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, or verify accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in the email.
exclamation-1
Content Injection
Content injection is the technique where the phisher changes a part of the content on the page of a reliable website. This is done to mislead the user to go to a page outside the legitimate website where the user is then asked to enter personal information.
exclamation-1
Web Based Delivery
Web based delivery is one of the most sophisticated phishing techniques. Also known as “man-in-the-middle,” the hacker is located in between the original website and the phishing system. The phisher traces details during a transaction between the legitimate website and the user. As the user continues to pass information, it is gathered by the phishers, without the user knowing about it.
exclamation-1
Phishing through Search Engines
Some phishing scams involve search engines where the user is directed to product sites which may offer low cost products or services. When the user tries to buy the product by entering the credit card details, it’s collected by the phishing site. There are many fake bank websites offering credit cards or loans to users at a low rate but they are actually phishing sites.
exclamation-1
Link Manipulation
Link manipulation is the technique in which the phisher sends a link to a fake website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the website mentioned in the link. Hovering the mouse over the link to view the actual address stops users from falling for link manipulation.
exclamation-1
Vishing (Voice Phishing)
In voice phishing, the phisher makes phone calls to the user and asks the user to dial a number. The purpose is to get personal information of the bank account through the phone. Vishing is mostly done with a fake caller ID.
exclamation-1
Keyloggers
Keyloggers refer to the malware used to identify inputs from the keyboard. The information is sent to the hackers who will decipher passwords and other types of information. To prevent key loggers from accessing personal information, secure websites provide options to use mouse clicks to make entries through the virtual keyboard.
exclamation-1
Smishing (SMS Phishing)
Phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information via a link that leads to a phishing website.
exclamation-1
Trojan
A Trojan horse is a type of malware designed to mislead the user with an action that looks legitimate, but actually allows unauthorized access to the user account to collect credentials through the local machine. The acquired information is then transmitted to cybercriminals.
exclamation-1
Malware
Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to the email sent to the user by the phishers. Once you click on the link, the malware will start functioning. Sometimes, the malware may also be attached to downloadable files.
exclamation-1
Malvertising
Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Exploits in Adobe PDF and Flash are the most common methods used in malvertisements.
exclamation-1
Ransomware
Ransomware denies access to a device or files until a ransom has been paid. Ransomware for PC's is malware that gets installed on a user’s workstation using a social engineering attack where the user gets tricked in clicking on a link, opening an attachment, or clicking on malvertising.
exclamation-1
Website Forgery
Forged websites are built by hackers made to look exactly like legitimate websites. The goal of website forgery is to get users to enter information that could be used to defraud or launch further attacks against the victim.
exclamation-1
Domain Spoofing
One example is CEO fraud and similar attacks. The victim gets an email that looks like it's coming from the boss or a colleague, with the attacker asking for things like W-2 information or funds transfers. We have a free domain spoof test to see if your organization is vulnerable to this technique.
exclamation-1
Evil Twin Wi-Fi
Hackers use devices like a pineapple - a tool used by hackers containing two radios to set up their own wi-fi network. They will use a popular name like AT&T Wi-Fi, which is pretty common in a lot of public places. If you're not paying attention and access the network controlled by hackers, they can intercept any info you may enter in your session like banking data. 
exclamation-1
Social Engineering
Users can be manipulated into clicking questionable content for many different technical and social reasons. For example, a malicious attachment might at first glance look like an invoice related to your job. Hackers count on victims not thinking twice before infecting the network. 

Top-Clicked Phishing Email Subjects

Curious about what users are actually clicking on? Every quarter we release which subjects users click on the most!

Every quarter, KnowBe4 reports on the top-clicked phishing emails by subject lines. we take a look at the top categories as well as subjects in the U.S. and Europe, the Middle East and Africa (EMEA). That data comes from millions of phishing tests our customers run per year. 'In The Wild' attacks are the most common email subjects we receive from our customers by employees clicking the Phish Alert Button on real phishing emails and allowing our team to analyze the results. We also track the top phishing attack vectors quarter to quarter. See the latest infographic below. Sharing this info with your users is a great way to keep them updated on the types of attacks their peers are currently falling for.

Real World Phishing Examples

Classic Phishing Email

Over the past few years online service providers have been stepping up their security game by messaging customers when they detect unusual or worrisome activity on their users' accounts. Not surprisingly, threat actors are using this to their advantage. Many are designed poorly with bad grammar, etc. but others look legitimate enough for someone to click if they weren't paying close attention:

Consider this fake Paypal security notice warning potential marks of "unusual log in activity" on their accounts. Hovering over the links would be enough to stop you from ending up on a credentials stealing website. The first example is a fake Microsoft notice, almost identical in appearance to an actual notice from Microsoft concerning "Unusual sign-in activity". The second example email points users to a phony 1-800 number instead of kicking users to a credentials phish.

Paypal Phishing Security NoticeMalicious Windows Warning Email

Infected Attachments

Malicious .HTML attachments aren't seen as often as .JS or .DOC file attachments, but they are desirable for a couple of reasons. First, there is a low chance of antivirus detection since .HTML files are not commonly associated with email-borne attacks. Second, .HTML attachments are commonly used by banks and other financial institutions so people are used to seeing them in their inboxes. Here are a few examples of credential phishes we've seen using this attack vector.

Google Credentials PhishFake Adobe Login

Malicious macros in phishing emails have become an increasingly common way of delivering ransomware in the past year. These documents too often get past antivirus programs with no problem. The phishing emails contain a sense of urgency for the recipient and as you can see in the below screenshot, the documents step users through the process. If users fail to enable the macros, the attack is unsuccessful.

Macro Warning Screenshot

Social Media Exploits

Several Facebook users received messages in their Messenger accounts from other users already familiar to them. The message consisted of a single .SVG (Scaleable Vector Graphic) image file which, notably, bypassed Facebook's file extensions filter. Users who clicked the file to open it were redirected to a spoofed Youtube page that prompted users to install two Chrome extensions allegedly needed to view the (non-existent) video on the page.

Malicious Phishing Facebook AVG Message

For most users, the two Chrome extensions were used to allow the malware a limited degree of self-propagation by exploiting the "browser's access to your Facebook account in order to secretly message all your Facebook friends with the same SVG image file."

On some users' PCs the embedded Javascript also downloaded and launched Nemucod [PDF], a trojan downloader with a long history of pulling down a wide variety of malicious payloads on compromised PCs. Users unlucky enough to encounter this version of the malicious script saw their PCs being taken hostage by Locky ransomware.


Spoofed YouTube Site

LinkedIn has been the focus of online scams and phishing attacks for a number of years now, primarily because of the wealth of data it offers on employees at corporations. Malicious actors mine that data to identify potential marks for business email compromise attacks, including wire transfer and W-2 social engineering scams, as well as a number of other creative ruses. Here are some examples we've seen through KnowBe4's Phish Alert Button:


In one case a user reported receiving a standard Wells Fargo credentials phish through LinkedIn's InMail:

LinkedIn InMail Phish

Note that this particular InMail appears to have originated from a fake Wells Fargo account. The supplied link leads to a fairly typical credentials phish (hosted on a malicious domain since taken down):

Wells Fargo LinkedIn Phishing Scam
It looks like the cybercriminals set up a fake Wells Fargo profile in an attempt to appear more authentic.

Another similar phish was delivered to an email account outside of LinkedIn:

LinkedIn Email Phish Screenshot

This email was delivered through LinkedIn, as did the URLs used for the several links included in the footer of this email ("Reply," "Not interested," "View Wells's LinkedIn profile"):

Wells Fargo LinkedIn Phishing Email Screenshot
Those URLs were obviously auto-generated by LinkedIn itself when the malicious actors used LinkedIn's messaging features to generate this phish, which hit the external email account of the mark (as opposed to his InMail box, as was the case in the first phish discussed above).

CEO Fraud Scams

Here's an example of a KnowBe4 customer being a target for CEO fraud. The employee initially responded, then remembered her training and instead reported the email using the Phish Alert Button, alerting her IT department to the fraud attempt.

When the employee failed to proceed with the wire transfer, she got another email from the cybercriminals, who probably thought it was payday:

CEO Fraud Phishing

Mobile Phishing

Mobile phishing attacks have increased by 475% from 2019 to 2020, according to a recent report by Lookout. Attacks on mobile devices are nothing new, however they are gaining momentum as a corporate attack vector. Attackers now take advantage of SMS, as well as some of today’s most popular and highly used social media apps and messaging platforms, such as WhatsApp, Facebook Messenger, and Instagram, as a means of phishing. Security professionals who overlook these new routes of attack put their organizations at risk.

Here are just a few phishing related risks posed by mobile device use:

  • Apps - lack built-in security. Free apps usually ask for a lot of access they shouldn’t need.
  • WiFi - your device typically picks up the strongest signal, which may be a rogue WiFi that seems legitimate but is actually an attacker just waiting to monitor, intercept or even alter communications from your device.
  • Bluetooth - can be used to spread viruses, and hackers can use it to hack into phones to access and exploit your organization’s data.
  • Human error - thieves sell lost and stolen devices to buyers who are more interested in the data than the device itself.
  • Smishing - aka phishing conducted via SMS. Similar to phishing emails, an example of a smishing text might attempt to entice a victim into revealing personal information. asking the recipient to take action on any number of seemingly mundane activities, i.e., the user’s bank claiming it has detected unusual activity or a congratulatory notice saying the person has won a prize from their favorite store.

At a minimum, use this checklist to help mitigate the threat:

  • Always use strong passwords
  • Encrypt or lock sensitive data
  • Don’t bypass built-in security, use multi-factor authentication options like fingerprint or facial recognition
  • Enable remote tracking
  • Enable your device to erase remotely
  • Never leave your device in a public place or anywhere it can be easily stolen
  • Only use apps available in your device’s app store - NEVER download them from a browser
  • Watch out for new apps from unknown developers or with limited/bad reviews
  • Keep your apps updated, this will ensure they have the latest security. If they’re no longer supported by the app store, just delete them!
  • Think before you click any links in text messages or emails on your mobile device
  • Never jailbreak your iOS or root your Android - that leads to unrestricted access, making it way too easy for hackers
  • Always turn off WiFi when you aren’t using it or don’t need it
  • Don’t allow your device to auto-join unfamiliar WiFi networks
  • Don’t send sensitive information over WiFi unless you’re absolutely certain it’s a secure network
  • If you’re able to, disable automatic Bluetooth pairing and always turn off Bluetooth when it isn’t needed
  • NEVER save your login information when you’re using a web browser

Preventing Phishing Attacks

These are what we have found to be best practices in the prevention of phishing attacks. Note there is no single 'silver bullet' that will protect you, you must take a layered approach to stay secure:
Understand the risks you face
While it may seem trite to offer a recommendation simply to understand the risks that your organization faces, we cannot overstate the importance of doing just that. Decision makers must understand that they face threats not only from phishing attacks, but also a growing variety of threats across all of their communication and collaboration systems, the personal devices that their users employ, and even users themselves. Cybercrime is an industry with significant technical expertise, extensive funding, and a rich target environment.
Develop adequate policies
Many organizations have not yet developed and published detailed and thorough policies for the various types of email, Web, collaboration, social media and other tools that their IT departments have deployed or that they allow to be used as part of “shadow IT”.

As a result, we recommend that an early step for any organization should be the development of detailed and thorough policies that are focused on all of the tools that are or probably will be used in the foreseeable future.

These policies should focus on legal, regulatory and other obligations to encrypt emails and other content if they contain sensitive or confidential data; monitor all communication for malware that is sent to blogs, social media, and other venues; and control the use of personal devices that access corporate systems.

Establishing robust policies will not provide security protection per se, but it can be useful in limiting the number of tools that employees use when accessing corporate resources. In turn, these limitations can be helpful in reducing the number of ingress points for ransomware, other forms of malware, phishing attempts, and other content that could pose a security risk.
Keep systems up-to-date
Application, OS and system vulnerabilities can allow cybercriminals to successfully infiltrate corporate defenses. Every application and system should be inspected for vulnerabilities and brought up-to-date using the latest patches from vendors.
Ensure you have good and recent backups
A useful method for recovering from a ransomware attack, as well as from other types of malware infections, is to restore from a known, good backup taken as close as possible to the point before the infection occurred.

Using a recent backup, an endpoint can be reimaged and its data restored to a known, good state with as little data loss as possible. While this strategy will likely result in some level of data loss because there will normally be a gap between the most recent backup and the time of reimaging, recent backups will minimize data loss if no other remedy can be found.
Deploy anti-phishing solutions
There are good solutions available that can be deployed on-premises or in the cloud that can detect phishing attempts and a variety of other threats. Every organization should implement solutions that are appropriate to its security infrastructure requirements, but with specific emphasis on the ability to detect, isolate and remediate phishing threats.

While the overall spam problem has been on the decline for the past several years, spam is still an effective method to distribute malware, including ransomware.
Implement best practices for user behavior

Next, implement a variety of best practices to address whatever security gaps may exist in the organization. For example:

  • Employees should employ passwords that correspond to the sensitivity and risk associated with the corporate data assets they are accessing. These passwords should be changed on an enforced schedule under the direction of IT.
  • Implement a program of robust security awareness training that will help users to make better judgments about the content they receive through email, what they view or click on in social media, how they access the Web, and so forth. The goal of security awareness training is to help users to be more careful about what they view, what they open and the links on which they click. While security awareness training by itself will not completely solve an organization’s security-related problems, it will bolster the ability for users – the last line of defense in any security infrastructure – to be more aware of security issues and to be less likely to respond to phishing attempts. It is essential to invest sufficiently in employee training so that the “human “firewall” can provide an adequate last line of defense against increasingly sophisticated phishing and other social engineering attacks.
  • Establish communication “backchannels” for key staff members that might be called upon to deal with corporate finances or sensitive information. For example, if a traveling CEO sends a request to her CFO to transfer funds to a supplier, the CFO should have an independent means of verifying the authenticity of the request, such as texting or calling to the CEO’s smartphone.
  • Regularly send simulated phishing emails to employees to reinforce their security awareness training and to make sure they stay on their toes with security top of mind.
  • Employees should be reminded continually about the dangers of oversharing content on social media. Employees’ friends might be interested in the latest breakfast, vacation or restaurant visit that gets posted on social media – but this information could give cybercriminals the information they need to craft a spear phishing email.
  • Ensure that every employee maintains robust anti-malware defenses on their personally managed platforms if there is any chance that these employee-owned devices will access corporate resources.
  • Employees should be reminded and required to keep software and operating systems up-to-date to minimize the potential for a known exploit to infect a system with malware.
Use robust threat intelligence

Every organization should use historical and real-time threat intelligence to minimize the potential for infection. Real-time threat intelligence can provide a strong defense to protect against access to domains that have a poor reputation and, therefore, are likely to be used by cybercriminals for spearphishing, ransomware and other forms of attack. Threat intelligence can also be used proactively by security analysts and others to investigate recent attacks and discover previously unknown threat sources. Moreover, historical threat intelligence – such as a record of Whois data that includes information on who has owned domains in the past – can be useful in conducting cybercrime investigations.

Using both real-time and historical domain and IP-based threat intelligence is an important adjunct for any security infrastructure because it offers protection in several ways: There are good solutions available that can be deployed on-premises or in the cloud that can detect phishing attempts, ransomware and a variety of other threats.

  • Organizations can remain compliant with the variety of regulatory obligations they face to protect employee data, customer data and other information they own or manage.
  • Good threat intelligence helps to monitor both intentional and inadvertent use of corporate brands so that these brands can be protected.
  • Threat intelligence provides forensics researchers with deep insight into how attacks began, how cybercriminals carried out their attacks, and ways in which future attacks can be detected early on and thwarted before they can do damage.
Here are some additional tips to share with your users that can keep them safe at the office (and at home). As your last line of defense, they need to stay on their toes with security top of mind:
Keep informed about phishing techniques
New phishing scams are being developed all the time. The less you stay on top of them, the easier they are to fall for. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at much lower risk of getting snared by one.
Think before you click!
It’s ok to click on links when you’re on trusted sites. Clicking on links that appear in random emails and instant messages, however, is never a good idea. Hover over links that you are unsure of before clicking on them. Do they lead where they are supposed to lead?

A phishing email may claim to be from a legitimate company and when you click the link to the website, it may look exactly like the real website but it's actually a phishing site. It's better to go directly to a site than click on a questionable link
Install an anti-phishing toolbar
Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and it is completely free.
Verify a site’s security
It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before submitting any information, make sure the site’s URL begins with “https” and there should be a closed lock icon near the address bar. Check for the site’s security certificate as well.

If you get a message stating a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low cost products. If the user makes purchases at such a website, the credit card details will be accessed by cybercriminals.
Check your online accounts regularly
If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too.

To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.
Keep your browser up to date

Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.

Use firewalls

High-quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second option is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.

Be wary of pop-ups
Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.
Never give out personal information
As a general rule, you should never share personal or financially sensitive information over the Internet. This rule spans all the way back to the days of America Online, when users had to be warned constantly due to the success of early phishing scams.

When in doubt, go visit the main website of the company in question, get their number and give them a call. Most phishing emails will direct you to pages where entries for financial or personal information are required.

Confidential entries should never be made through the links provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “https”.
Use antivirus software
There are plenty of reasons to use antivirus software. Special signatures that are included with antivirus software guard against known technology workarounds and loopholes. Just be sure to keep your software up to date. New definitions are added all the time because new scams are also being dreamed up all the time.

Anti-spyware and firewall settings should be used to prevent phishing attacks and users should update the programs regularly. Firewall protection prevents access to malicious files by blocking the attacks. Antivirus software scans every file which comes through the Internet to your computer. It helps to prevent damage to your system.

What Industries Are Most At Risk Of Phishing Attacks?

Every company struggles to answer an essential question—“How do I compare with other organizations who look like me?” To provide a nuanced and accurate answer, the 2024 Phishing By Industry Benchmarking Study analyzed a data set of over 11.9 million users across 55,675 organizations with over 54.1 million simulated phishing security tests across 19 different industries. All organizations were categorized by industry type and size. To calculate each organization’s Phish-prone Percentage, we measured the number of employees that clicked a simulated phishing email link or opened an infected attachment during a testing campaign using the KnowBe4 platform. The top industries at risk in this year's study in the small, medium and large organization categories are Healthcare & Pharmaceuticals (in both the small and large categories) and Hospitality in the medium category:

Whos-At-Risk Phishing Industry Benchmarking Report 2024
 
2024 Top Three Industries at Risk By Size

 

Results show a radical drop of careless clicking to just 18.9% within 90 days of initial training and simulated phishing and a steeper drop to 4.6% after 12 months of combined phishing and security awareness training.

Researchers anonymously tracked users by company size and industry at three points:

  1. A baseline phishing security test
  2. Results within 90 days of combined security awareness training and simulated phishing
  3. The results after one year or more of ongoing security awareness training and phishing is encouraging:
Phishing victims percentage change thanks to security awareness training
 
Visible Proof the KnowBe4 System Works!

Download the Full 2024 Phishing Industry Benchmarking Report

The 2024 Phishing By Industry Benchmarking Report compiles results from a new study by KnowBe4 and reveals at-risk users that are susceptible to phishing or social engineering attacks. The research also reveals radical drops in careless clicking after 90 days and 12 months of security awareness training.

Blog-2024-Benchmarking-Report-Cover

A Master Class on IT Security: Roger Grimes Teaches You Phishing Mitigation

Phishing attacks have come a long way from the spray-and-pray emails of just a few decades ago. Now they’re more targeted, more cunning and more dangerous. And this enormous security gap leaves you open to business email compromise, session hijacking, ransomware and more. In this webinar, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, shares a comprehensive strategy for phishing mitigation.

How To Phish Your Users

Phishing and training your users as your last line of defense is one of the best ways to protect yourself from attacks. Here are the 4 basic steps to follow: 

  1. Baseline Testing to assess the Phish-prone percentage of your users before training them. You want to know the level of attack they will and won't fall for as well as have data to measure future success.
  2. Train Your Users with on-demand, interactive, and engaging training so they really get the message.
  3. Phish Your Users at least once a month to reinforce the training and continue the learning process.
  4. See The Results for both training and phishing, getting as close to 0% Phish-prone as you possibly can

An additional 5 points to consider:

  1. Awareness in and of itself is only one piece of defense-in-depthbut crucial
  2. You can't and shouldn't do this alone
  3. You can't and shouldn't train on everything
  4. People only care about things that they feel are relevant to them
  5. The ongoing process is to help employees make smarter security decisions

...and what we've found to be the 5 best practices to embrace:

  1. Have explicit goals before starting
  2. Get the executive team involved
  3. Decide what behaviors you want to shape - choose 2 or 3 and work on those for 12-18 months
  4. Treat your program like a marketing effort
  5. Phish frequently, once a month minimum

Phishing your users is actually FUN! You can accomplish all of the above with our security awareness training program. If you need help getting started, whether you're a customer or not you can build your own customized Automated Security Awareness Program by answering 15-25 questions about your organization

How To Report Phishing

With over 100 billion spam emails being sent daily, it's only a matter of time before you get hit. There are several ways you can and should report these:

  1. KnowBe4’s Phish Alert button gives your users a safe way to forward email threats to your internal security team for analysis and deletes the email from the user's inbox to prevent future exposure, all with a single click!
  2. The United States Computer Emergency Readiness Team website provides information on where to send a copy of the email or the URL to the website so that they may be examined by experts. 
  3. The Anti-Phishing Working Group (APWG) website features a text box in which to copy and paste the entire suspicious email you have received, including the header as well as the body of the message. 
  4. If you come across a website you believe is spoofed, or just looks like a phishing page attempting to steal user information, you can report the URL and submit comments to Google here.
  5. The Federal Trade Commission has an entire section of their website where complaints on phishing, identity theft and other scams can be filed. 
  6. The FBI's Internet Crime Complaint Center (IC3) accepts complaints on their website. Make sure you have all the information needed before filing a complaint, they will ask for information about the victim, whether there was a financial transaction, and of course any info you may have about the sender.
 

See What Our Customers Are Saying On TrustRadius

Phishing-Kit-Resources-Image

Free Phishing Security Resource Kit

Phishing emails increase in volume every month and every year, so we created this free resource kit to help you defend against attacks. Request your kit now!