Blog Post
August 25, 2023 | Cybersecurity education
What is a phishing simulation exercise (and its benefits)?
By Field Effect
Last updated: January 19, 2024
Phishing scams, from imitation emails to "emergency" phone calls, have become increasingly prominent and sophisticated in 2023. At the same time, cybersecurity platforms have grown much better at blocking purely technical attacks. To get past these barriers, cybercriminals are targeting an organization’s staff more and more often, relying on human error to accomplish their goals.
According to a 2023 report from Verizon, miscellaneous human errors are a factor in most breaches across many industries, including healthcare, education, and utilities. Additionally, the "human element" was present in 74% of all successful breaches, with cases ranging from privilege misuse to genuine mistakes. It’s clear that individual training is vital for cybersecurity readiness—every team member, even those not involved in information technology, must be aware of potential threats.
While attack strategies vary, phishing efforts are becoming more advanced by the day. To keep your organization secure, your cybersecurity and training must keep pace with attackers. Continue reading to learn how phishing has changed and how phishing simulation training can make your organization more informed, aware, and, ultimately, secure.
What is phishing?
Phishing and spear phishing are among the most common types of cyberattacks: an attacker messages targeted victims, often while impersonating someone else. Phishing scams are usually delivered via email, though they can also arrive through other mediums such as texts, calls, and social media messages.
As a type of social engineering, phishing largely depends on the human element, with many modern spear phishing attacks more personalized than ever before. Examples of phishing include:
- "Nigerian Prince"-style emails, usually promising a sum of money or inheritance in exchange for financial assistance.
- Messages pretending to be reputable individuals from your company, such as the CEO or a supervisor.
- Fake invoices and money requests, often impersonating vendors or other businesses.
- Emails or messages informing you an online account needs resetting or changing.
- Phone calls that attempt to convince victims to send money or release information. These phone-based phishing attacks are commonly known as "vishing."
- Emails sent from addresses nearly identical to the addresses in your contacts, also known as "spoofing."
- Redirects to malicious or fraudulent websites, also known as "pharming."
- Social media messages promising services, such as promoting your profile.
- Emails that extort the recipient out of money using blackmail or threats.
- Fake alerts of unusual activity or security breaches.
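A defensive check for the "spoofing" entry in the list above, added here as an example and not code from the original post: it compares each inbound sender's domain against a constructed address book of trusted contacts and labels the address as an exact match, a known domain with an unfamiliar mailbox, a look-alike domain (within two character edits of a trusted domain, or identical once common character substitutions are undone), or unknown. The contact list, the substitution table, the two-edit threshold and the sample addresses are all assumptions made for the example; a mail gateway or SOC triage script would feed it real sender headers instead.

```python
"""Flag inbound sender addresses that closely resemble trusted contacts.

Added example for this article, not code from the original post. The trusted
contact list, the substitution table and the sample inbound addresses are all
constructed for illustration.
"""
import unicodedata

# Constructed address book of senders the organization already trusts.
TRUSTED_CONTACTS = {
    "ceo@example-corp.com",
    "support@example-corp.com",
    "billing@acme-vendor.com",
}

# Character substitutions that make one domain read like another. This table is
# an assumption for the example and is deliberately small; production filters
# use far larger confusable tables (for instance Unicode TR39 data).
SUBSTITUTIONS = (
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),
)

# Maximum edit distance at which a domain still counts as a look-alike (assumed).
MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def normalize_domain(domain: str) -> str:
    """Fold case, apply Unicode compatibility normalization, and undo common
    look-alike substitutions so visually similar domains compare equal."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    for lookalike, plain in SUBSTITUTIONS:
        folded = folded.replace(lookalike, plain)
    return folded


def classify_sender(address: str, trusted=frozenset(TRUSTED_CONTACTS)) -> str:
    """Return one of 'trusted', 'trusted-domain', 'lookalike' or 'unknown'."""
    address = address.strip().lower()
    if address in trusted:
        return "trusted"
    _, _, domain = address.rpartition("@")
    trusted_domains = {contact.rpartition("@")[2] for contact in trusted}
    if domain in trusted_domains:
        return "trusted-domain"  # known domain, but a mailbox not in the address book
    normalized = normalize_domain(domain)
    for known in trusted_domains:
        if normalized == normalize_domain(known):
            return "lookalike"   # identical once substitutions are undone
        if levenshtein(domain, known) <= MAX_EDITS:
            return "lookalike"   # a typo's distance from a trusted domain
    return "unknown"


def triage(addresses):
    """Classify a batch of sender addresses; returns {address: verdict}."""
    return {addr: classify_sender(addr) for addr in addresses}


if __name__ == "__main__":
    # Constructed inbound senders, not real mail.
    sample = [
        "ceo@example-corp.com",
        "hr@example-corp.com",
        "ceo@examp1e-corp.com",        # digit 1 in place of letter l
        "billing@acme-vendor.co",      # one character dropped
        "ceo@ex\u0430mple-corp.com",   # Cyrillic a in place of Latin a
        "news@totally-different.org",
    ]
    for addr, verdict in triage(sample).items():
        print(f"{verdict:14} {addr}")
```

The "trusted-domain" verdict is kept separate from "trusted" on purpose: a real domain with an unfamiliar mailbox is not spoofing, but it is the case a user should still treat with more care than a known contact, and a gateway would typically tag rather than block it.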
Phishing scams can serve multiple purposes for attackers, though their motivations are almost always financial. According to Verizon's 2023 Data Breach Investigations Report (DBIR), 76% of the data breached by phishing and social engineering attacks was credentials, such as passwords and banking information. Another 28% was internal data, and 26% was personal data.
Once stolen, data can end up in several places. Credentials, the most-stolen type of data, can be used to access victims' personal accounts, such as their banking, or to infiltrate accounts associated with their organization. Sensitive information, such as an organization's intellectual property (IP) or an individual's Social Security number, can be sold on the dark web or leveraged against the victim through ransomware or extortion.
In 2023, phishing remains one of the most dominant attack patterns, present in 44% of social engineering incidents. Phishing was among the top three ways attackers successfully breached organizations' data in 2023, alongside stolen credentials and exploitation of vulnerabilities.
What is spear phishing?
Spear phishing is a very direct and deliberate social engineering strategy where threat actors impersonate specific individuals in scenarios unique to each victim. For example, an attacker may pose as a CEO, supervisor, or vendor to encourage someone from an organization's financial department to share financial information.
Spear phishing differs from traditional "phishing" because it's more personalized. "Phishing" is nicknamed similarly to "fishing" because, for many attack campaigns, it consists of identical bait emails and messages sent to countless recipients. On the other hand, the content of a spear phishing email will typically be unique to its recipient. Basically, phishing is a broad strategy relying on anyone taking the bait, whereas spear phishing requires attackers to target specific victims, much like fishing with a spear or stick.
Overall, spear phishing strategies take significantly more effort from attackers, often requiring thorough research and a clear target. And while a standard phishing campaign can be used and reused against multiple targets, a spear phishing campaign can only be used against the targets it was tailored for. Due to their level of personalization and the lack of typical phishing red flags, spear phishing scams tend to be significantly more challenging to identify.
Phishing vs. pretexting
Phishing and pretexting tend to go hand-in-hand; some of the most effective attack strategies utilize elements of both. Pretexting is a social engineering strategy similar to phishing that uses trust and false credibility to trick victims. Phishing, on the other hand, tends to rely more on urgency and consequences.
Pretexting uses the victim's personal relationships and propensity for trust against them, for example by posing as a supervisor making an ordinary request.
In many phishing and pretexting scenarios, actors only ask victims to complete seemingly routine tasks, such as fulfilling an invoice or transferring account information. Because the requests are ordinary and most actors maintain a casual yet rushed tone, it can be incredibly difficult for victims to recognize phishing and pretexting attacks until it's too late.
Why is phishing so effective?
Phishing has remained a consistent cybersecurity threat to organizations and individuals largely because of its human element. While the technical layers of cyberattacks can often be defended against using the latest cybersecurity technology, human error is tougher to account for. So long as the attacker's phishing scam is believable, there's a relatively good chance it will succeed.
According to the 2023 DBIR, phishing is prevalent in most industries, from retail to public administration. While the degree of impact and number of successful breaches vary by industry, social engineering scams in general affect businesses of every size and sector. This is because they all share the same universal vulnerability: humans.
Hackers have sought to exploit this shared vulnerability since the dawn of phishing attacks, but the widespread shift to remote and hybrid work has made internal errors a more significant threat to cybersecurity than ever. Many remote workers communicate with the other members of their organization exclusively through email and instant messages, so they may be easier targets for spear phishing tactics.
For example, social engineering patterns in the education industry have increased by 50% in the past year, with phishing now present in 18% of breaches. Due to these human factors, it's crucial that your staff is trained to identify phishing tactics.
What is a phishing simulation exercise?
Phishing and pretexting scams typically depend on two variables: a believable attack strategy and a victim who will believe it. Unfortunately, especially with spear phishing on the rise, phishing strategies can be significantly more difficult for users to identify without proper training.
Phishing simulation exercises are a valuable service that helps companies identify where additional cybersecurity training may be needed within their organization. During the simulation, a fabricated phishing email (or multiple emails) is sent to employees to test whether they can spot the signs of a malicious or fraudulent email.
For example, a business may have multiple tailored emails sent to staff posing as vendors, clients, and upper-level staff. The instructions and links in these emails aren't harmful but, instead, add to the simulation's analytics. The results of the phishing attempts then give businesses a better idea of where to improve, such as by training individual employees or adding a disclaimer to the subject line of any external emails.
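What the simulation's analytics look like in practice, as an added example that is not part of the original post or of Field Effect's service: it takes a constructed export of campaign events (who was sent the test email, who clicked, who entered credentials on the harmless landing page, who reported it) and reduces them to per-department click, submission and report rates plus the time to the first report, then turns those numbers into the kind of follow-up the paragraph describes. The department names, employee ids, event format and the 30% click-rate threshold are assumptions made for the example.

```python
"""Summarize phishing-simulation results by department and turn them into
training actions.

Added example for this article, not Field Effect's tooling. The campaign events
below are constructed; a real simulation platform would export similar records
from its tracking links and its report button.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed event log: (employee_id, department, action, minutes_after_send).
# Actions: delivered, clicked (followed the simulated link), submitted (typed
# credentials into the simulated landing page), reported (used the report button).
Event = Tuple[str, str, str, int]
EVENTS: List[Event] = [
    ("e01", "finance", "delivered", 0), ("e01", "finance", "clicked", 4), ("e01", "finance", "submitted", 5),
    ("e02", "finance", "delivered", 0), ("e02", "finance", "clicked", 12),
    ("e03", "finance", "delivered", 0), ("e03", "finance", "reported", 7),
    ("e04", "finance", "delivered", 0),
    ("e05", "engineering", "delivered", 0), ("e05", "engineering", "reported", 3),
    ("e06", "engineering", "delivered", 0), ("e06", "engineering", "reported", 9),
    ("e07", "engineering", "delivered", 0), ("e07", "engineering", "clicked", 20), ("e07", "engineering", "reported", 22),
    ("e08", "engineering", "delivered", 0),
]

# Threshold is an assumption for the example; tune it to your own risk appetite.
CLICK_RATE_THRESHOLD = 0.30


@dataclass
class DeptSummary:
    delivered: int
    clicked: int
    submitted: int
    reported: int
    first_report_minutes: Optional[int]   # None if nobody in the department reported

    @property
    def click_rate(self) -> float:
        return self.clicked / self.delivered if self.delivered else 0.0

    @property
    def submit_rate(self) -> float:
        return self.submitted / self.delivered if self.delivered else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.delivered if self.delivered else 0.0


def summarize(events: List[Event]) -> Dict[str, DeptSummary]:
    """Count unique employees per action in each department."""
    per_dept: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    first_report: Dict[str, int] = {}
    for emp, dept, action, minute in events:
        per_dept[dept][action].add(emp)   # sets, so repeated clicks count once
        if action == "reported":
            first_report[dept] = min(minute, first_report.get(dept, minute))
    return {
        dept: DeptSummary(
            delivered=len(actions["delivered"]),
            clicked=len(actions["clicked"]),
            submitted=len(actions["submitted"]),
            reported=len(actions["reported"]),
            first_report_minutes=first_report.get(dept),
        )
        for dept, actions in per_dept.items()
    }


def recommend(events: List[Event]) -> Dict[str, List[str]]:
    """Derive follow-up actions from the campaign results."""
    summary = summarize(events)
    clicked = {emp for emp, _, action, _ in events if action == "clicked"}
    submitted = {emp for emp, _, action, _ in events if action == "submitted"}
    reported = {emp for emp, _, action, _ in events if action == "reported"}
    return {
        # Whole departments whose click rate is above the threshold get a tailored session.
        "departments_needing_training": sorted(
            d for d, s in summary.items() if s.click_rate >= CLICK_RATE_THRESHOLD),
        # Anyone who typed credentials gets an individual refresher.
        "credential_submitters": sorted(submitted),
        # Clicking is recoverable if it is reported; clicking silently is the gap to close.
        "clicked_without_reporting": sorted(clicked - reported),
    }


if __name__ == "__main__":
    for dept, s in summarize(EVENTS).items():
        print(f"{dept:12} click {s.click_rate:.0%}  submit {s.submit_rate:.0%}  "
              f"report {s.report_rate:.0%}  first report at {s.first_report_minutes} min")
    print(recommend(EVENTS))
```

The time to the first report is worth tracking alongside the rates: a department where someone reports within a few minutes gives the security team a chance to pull the message from other inboxes before more people click, which is a different outcome from a department with the same click rate and no reports at all.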
Using phishing simulations to improve your cybersecurity bears some similarity to red and blue teaming. Both are intended to simulate the constant back-and-forth of cybersecurity. Phishing simulations essentially help organizations strengthen the human pillar of their security, ensuring errors, misjudgment, and lack of preparedness don't impair resilience.
As social engineering scams constantly change and vary by industry, company, and individual, most phishing simulations must be tailored for specific organizations. For example, simulated phishing emails in the healthcare industry may relate to patients' personal information and stress a sense of urgency. For financial departments, simulated emails may ask staff to transfer money to new accounts while mentioning precise account information only someone within the organization would already know, just to improve believability.
Because every industry, position, and email is different, very few organizations will have the time or resources to develop and conduct phishing simulations in-house. Instead, organizations can work with trusted cybersecurity experts who offer phishing simulation exercises, such as Field Effect, and who understand the current changes in social engineering and the different threats facing each sector.
Benefits of a phishing simulation service
Phishing simulation training and services can improve your organization’s cybersecurity by reinforcing the human layer of protection. When employees are aware of cybersecurity threats, they can more easily spot them and are less likely to fall for phishing and pretexting scams.
Outside of individual training, phishing simulations are a great way to gauge your organization's cyber resiliency. You can identify the most at-risk data, learn where overall training needs improvement, and prepare your organization for the most likely attack types. Plus, when you work with a cybersecurity expert, they can give you advice specific to your organization and industry to help you stay ahead of changing strategies.
Identify (and close) gaps in your security
There are three pillars to cybersecurity: process, technology, and people. Security gaps often exist because staff are unfamiliar with or uncertain about policies and practices. A phishing simulation’s primary goal is to help you identify your vulnerabilities with regard to the people in your organization. The reports generated from phishing simulations are designed to help you pinpoint and close these gaps before they can be exploited by threat actors.
It’s much harder to test and educate employees than it is to install a new piece of software on the system they’re using. As such, while it’s critical to highlight and correct those instances of human error, it’s also challenging due to time and resource constraints.
Keep staff informed
Knowing is half the battle, especially when it comes to cybersecurity. Staying informed of cybersecurity trends is crucial for staying ahead. As the 2023 DBIR highlighted, phishing attack strategies are still drastically changing, with many attack types becoming more subtle, effective, and personalized.
In order for your cybersecurity efforts to be successful, your staff needs to understand what they're up against, especially when it comes to phishing attacks. Working with knowledgeable cybersecurity experts during your phishing simulation will give you access to relevant information for your industry, including the current attack and defense trends.
As you learn more about your company’s vulnerabilities, you can make more informed decisions on how to improve your cybersecurity posture. By raising awareness of the risks of attacks and educating your employees on how to spot them, you can establish a stronger baseline moving forward.
Get started with phishing simulation services
Even when they don't put employees to sleep, cybersecurity training videos and lectures rarely leave staff with everything they need to know—especially in the changing cyber environment. Realistic phishing simulation campaigns and training provide impactful analyses of your specific organization and employees, leading to stronger resilience and tangible results. Moving forward, you and your staff will be more aware of and prepared for critical scams.
Learn more about how phishing simulations can protect your business by exploring Field Effect's phishing simulation service.