Is it okay to run phishing simulations on employees?

Chloe Ireton


My name is Chloe and I am in charge of all things marketing at Nebula. I started as an apprentice at the start of January 2024, and completed a degree in Graphic Design previously. Outside of work, I love everything to do with motorsports – I try and attend car shows and events as much as possible. Aside from this, I find that being out in nature and walking is very beneficial and allows me to have some time away from the screens.

Published on September 10th, 2024

For many businesses, the weakest link in cybersecurity is their staff, and cyber criminals know this. With a 40% rise in scams since 2021, the phishing phenomenon shows no signs of halting. To combat this, one solution many business owners use is to run phishing simulations on their employees.

What is phishing?

Phishing is an attempt to obtain sensitive information by tricking users into responding to a fake communication, such as an email, text message or telephone call. Criminals frequently target charities and businesses as well as individuals.

Phishing messages are often disguised as coming from a trusted person or institution, and they can take all kinds of forms: from fake password reset links to downloadable email attachments.

There’s a common misconception that phishing is easy to spot and something only technophobes fall for. This belief is not only false but dangerous: 80% of all reported cyber incidents are linked to phishing. Anyone could fall victim to phishing, so it’s essential to raise your team’s awareness of it and strengthen their defences against it.

Phishing scams could have severe consequences for your company, from financial losses and reputational damage to loss of business.

One recent study found that cybercrime has cost German companies over €265 billion in the past year alone.

So what are phishing simulations?

With less than 20% of businesses providing phishing awareness training for staff who don’t work directly in cyber security, employees are an easy target.

Therefore, many business owners have begun to run phishing simulations on employees to better prepare them for real attacks. These fake phishing campaigns mirror real phishing attacks and also give you data on how employees reacted: you can see how many people opened the email, clicked the link, gave away information, or, alternatively, reported it.

If employees do fall for the fake phishing attempt, they’re redirected to a landing page that breaks the news to them, explains which telltale signs of phishing they missed, and offers a follow-up training session.
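As an added illustration (not code from the original post or from Nebula), the following Python sketch tallies the outcomes described above from a simulation platform’s event log: who opened, clicked, submitted data or reported the message, and who needs the follow-up session. The event names and the sample data are constructed assumptions; real platforms use their own schemas.

```python
from collections import defaultdict

# Stages a simulation platform typically records; the names are assumed, not a specific product's schema
STAGES = ("sent", "opened", "clicked", "submitted", "reported")

# Constructed sample events for one hypothetical campaign as (employee id, event); not real data
SAMPLE_EVENTS = [
    ("alice", "sent"), ("alice", "opened"), ("alice", "reported"),
    ("bob", "sent"), ("bob", "opened"), ("bob", "clicked"), ("bob", "submitted"),
    ("carol", "sent"), ("carol", "opened"), ("carol", "clicked"), ("carol", "reported"),
    ("dave", "sent"),
    ("erin", "sent"), ("erin", "reported"),
]


def events_by_employee(events):
    """Group raw events into the set of stages each employee reached."""
    reached = defaultdict(set)
    for employee, event in events:
        if event not in STAGES:
            raise ValueError(f"unknown simulation event: {event!r}")
        reached[employee].add(event)
    return reached


def campaign_summary(events):
    """Per-stage headcounts and rates (as a share of recipients) for one campaign."""
    reached = events_by_employee(events)
    recipients = sum(1 for s in reached.values() if "sent" in s)
    counts = {stage: sum(1 for s in reached.values() if stage in s) for stage in STAGES}
    # Reported even after clicking: the report still counts, and the click still needs training
    counts["reported_after_click"] = sum(
        1 for s in reached.values() if "reported" in s and ("clicked" in s or "submitted" in s)
    )
    # Ignored the message entirely: not a failure, but not a detection either
    counts["no_action"] = sum(1 for s in reached.values() if s == {"sent"})
    rates = {name: round(n / recipients, 2) for name, n in counts.items()} if recipients else {}
    return counts, rates


def follow_up_list(events):
    """Employees who clicked or submitted data, i.e. who saw the landing page and need the follow-up session."""
    reached = events_by_employee(events)
    return sorted(e for e, s in reached.items() if "clicked" in s or "submitted" in s)


if __name__ == "__main__":
    counts, rates = campaign_summary(SAMPLE_EVENTS)
    print("counts:", counts)
    print("rates:", rates)
    print("follow-up training:", follow_up_list(SAMPLE_EVENTS))
```

The reporting rate, not just the click rate, is the number worth tracking over time: a rising share of reports is the sign that awareness training is working.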

Is it okay to run phishing simulations on employees, then?

Yes, but getting caught out on an unexpected phishing simulation is certain to be a lesson employees won’t forget – for all the wrong reasons.

Phishing simulations can be an effective way to defend your business against cybercrime. But not warning employees in advance can seriously damage trust, creating tension and harming morale in your business.

It is possible, though, to protect employees against phishing in a way that’s ethical:

Communication

Letting staff know about upcoming phishing simulations is crucial. Not only is it fair to your employees, it also creates a culture of open discussion about cybercrime, which helps to prevent it.

Support

Create a supportive environment during cyber training. Encourage employees not to fear mistakes, but embrace them. Emphasise the value in learning from mistakes in order to better prepare for the real thing.

No exceptions

Staff throughout the entire business should be trained against cybercrime – including senior management! Take whaling, a phishing tactic that specifically targets senior management (the big fish) in an attempt to gain sensitive data or financial transfers.

As well as protecting your company at all levels, involving senior management will create a sense of collaboration and reinforce that protection against phishing is a company-wide responsibility.

Protect your business

At Nebula IT, we understand the importance of cyber security. We’re here to help you build your virtual defences to protect your business against all kinds of cybercrime, including phishing.

Our user awareness training service is here to support your staff in protecting your business. It offers a range of services, from e-learning and in-person sessions to training tailored to your preexisting technological defences.

Speak to our team today to see how we can provide you peace of mind, and protect your business.