Anti-phishing Employee Training Program
Posted by Erin Bard on 06 March 2017 03:32 PM
This article provides information about Houghton College's anti-phishing employee training program. This training program consists of sending simulated phishing emails to employees in order to provide employees with practical experience identifying phishing emails, as well as allowing us to identify those employees who may need additional training or guidance.
The following information is presented in question/answer format to allow employees to skip to the specific questions they may have about the system.
What are phishing emails?
Phishing is a form of social engineering, attempting to trick you into giving up your username and password. To do this the attacker directly impersonates someone you know (such as the Helpdesk, a vice-president, your supervisor, etc.) or uses a generic name hoping you will assume it is legitimate (such as "IT" or "Accounting"). Then the attacker asks you to do something for them. Often this request is in the form of a threat or a call to action; for instance an email appearing to be from the Helpdesk and telling you that your account will be disabled if you don't immediately log in to the provided link and change your password.
For more information about how to spot phishing emails, see this article: LINK
For more information about the danger and harm of phishing attacks, see this article: LINK
Why do attackers send out phishing emails?
Because tricking someone into giving up their username and password is MUCH easier than trying to hack into computers or systems. Phishing is easy, low-cost, and low-risk, and most important of all, it is effective.
Who will receive our training phishing emails?
All college faculty, staff, and emeriti, as well as Sodexo and Metz staff: everyone with a houghton.edu email account who isn't a student. We do have the ability to exclude individuals, but there must be special circumstances to warrant exclusion. All new employees are automatically added to the training system.
If an employee has not fallen for any training phishing emails over the course of 6-12 months, we may remove them from the training program, either for a period of time (like a sabbatical) or indefinitely. We may re-add employees to the training program if a new type of threat appears that we want to provide training against.
How often are the training phishing emails sent out?
Emails are sent out at random times every day. Employees are eligible to receive a new phishing email every 7 to 30 days. This frequency is likely to change over time as we continually re-evaluate the need for training, going down when response rates are low and increasing as response rates or attacks increase.
How many different training phishing emails are there?
We currently have more than 15 email templates, each of which has multiple elements that can change based on the difficulty level. For instance, the subject line or sender name may start out as something that everyone could identify as being fake (e.g. "dear humanoid"), but as the employee gets better at spotting the phishing emails the difficulty will increase and the email will start to look more and more legitimate, for instance by appearing to be sent from the Helpdesk or even referencing the employee by name.
How is the difficulty calculated?
The first five phishing emails are completely random, but after that we begin to tailor the difficulty to the employee's ability to spot the phishing emails. Clicking on the link inside the phishing email constitutes a failure to detect the phishing attack (we also track which employees give up their passwords, but that is not factored into the difficulty formula). Then, for each future phishing email that is sent to that employee, we calculate the percentage of past failures and use that to set the difficulty rating for the next phishing email. We also add in a randomization factor, so there is a slight chance of an employee getting an easier or harder phishing email each time.
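As an added illustration (not code from the college's training system), the rule above can be modelled as a small scoring function: the first five emails get a random difficulty, after that the click rate sets the base difficulty and a random nudge moves it one step. The 1-to-5 scale, the linear mapping from failure rate to difficulty, and the 20% jitter chance are assumptions the article does not state.

```python
import random
from dataclasses import dataclass, field

# Assumed values (the article gives no scale or jitter size): difficulty runs 1 (easy) to 5 (hard).
MIN_DIFFICULTY, MAX_DIFFICULTY = 1, 5
CALIBRATION_EMAILS = 5      # the first five emails are completely random
JITTER_CHANCE = 0.2         # assumed size of the "slight chance" of an easier/harder email


@dataclass
class Employee:
    # One entry per training email sent: True if the link was clicked (a failure).
    clicked: list = field(default_factory=list)
    # Tracked for follow-up only; deliberately NOT used in the difficulty formula.
    gave_password: list = field(default_factory=list)


def record_result(emp: Employee, clicked: bool, gave_password: bool) -> None:
    """Store the outcome of one training email."""
    emp.clicked.append(clicked)
    emp.gave_password.append(gave_password)


def failure_rate(clicked: list) -> float:
    """Fraction of past emails whose link was clicked (0.0 when nothing was sent yet)."""
    return sum(clicked) / len(clicked) if clicked else 0.0


def base_difficulty(rate: float) -> int:
    """Map the failure rate to a difficulty: the more often an employee clicks,
    the easier the next email. Assumed linear mapping (0% -> hardest, 100% -> easiest)."""
    span = MAX_DIFFICULTY - MIN_DIFFICULTY
    return MIN_DIFFICULTY + round((1.0 - rate) * span)


def next_difficulty(emp: Employee, rng: random.Random) -> int:
    """Difficulty for the next email: random during calibration, then rate-based
    with a small random nudge one step up or down, clamped to the scale."""
    if len(emp.clicked) < CALIBRATION_EMAILS:
        return rng.randint(MIN_DIFFICULTY, MAX_DIFFICULTY)
    difficulty = base_difficulty(failure_rate(emp.clicked))
    roll = rng.random()
    if roll < JITTER_CHANCE / 2:
        difficulty -= 1        # slight chance of an easier email
    elif roll < JITTER_CHANCE:
        difficulty += 1        # slight chance of a harder email
    return max(MIN_DIFFICULTY, min(MAX_DIFFICULTY, difficulty))
```

Passing a seeded `random.Random` keeps the schedule reproducible for auditing, which a production system would want anyway.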
This sounds tough! What happens if I fall for these training phishing emails and get a bad score?
It is supposed to be tough! We are trying to trick you, just like a real attacker will try to do. But our intent is to build up your immunity to phishing by providing practical training so that you can learn to spot phishing emails. This training method adjusts for your skill level to meet you where you are and help you get better. We fully expect many employees will fail frequently at first, but we hope that over time scores will improve.
If we see patterns of certain employees not improving, or consistently falling for fairly easy phishing emails, then we may schedule additional training with that employee, or require them to change their password more frequently. If training and repetition do not seem to be effective, additional actions will be considered on a case-by-case basis.
What should I do if I see an email that I am suspicious about, but might be legitimate, and I'm really unsure of what to do with it?
Please forward it to "firstname.lastname@example.org" and it will go to a special mailbox at the Helpdesk that we will monitor and can respond to let you know if the email is legitimate or not.
I fell for a training phishing email and even typed in my password on the page… is my password still safe?
Yes, we are confident that your password is still safe. Our training system never transmits your password off of your computer. We do not record it or save it or do anything with it. That being said, you are welcome to change your password if it would give you peace of mind.
Still have a question? Please submit it to the Helpdesk at email@example.com