Simulated phishing is a technique used to train, educate, and assess the security awareness of an organization’s employees so they can recognize and avoid social engineering attacks in the future. Simulated phishing attempts are not limited to e-mail but may include text messages or phone calls as well.
Simulated phishing gives organizations another layer of protection: it helps ensure employees recognize the signs of a social engineering attack even when technical controls have already failed, for example when a computer is infected with malware or an attacker has compromised an account by guessing its password.
Simulated phishing typically works by distributing an e-mail or text message that appears to come from a trustworthy source but contains links or attachments that imitate the malicious ones a real attacker would use to install malware on an unsuspecting user's computer. Like a real attack, the message tries to create a sense of urgency so that employees click on something without thinking twice about the risks and without first verifying that the request comes from a valid source.
Recognizing that simulated phishing improves how users respond when they are exposed to real threats, many corporations use these techniques as part of their broader security awareness training programs. Simulated phishing is becoming increasingly popular for its ability to generate quantifiable data on employees' responses to known threats. These simulations can often reveal the following about an organization's workforce:
1) Employee compliance with basic IT policies
2) The effectiveness of existing computer security controls
3) Areas in which additional training may be required
4) Users' ability to recognize social engineering attempts
5) The likelihood that users will report social engineering attacks when they are exposed to them
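The "quantifiable data" a simulation yields is only useful once it is turned into metrics. The following is an added example, not code from the original article or from any particular phishing-simulation product: it parses a constructed event log from a simulated campaign and computes the numbers a security team would actually report, namely click rate, credential-submission rate, report rate, how many people reported the message without ever clicking it, time to first report, and which users need follow-up training. The log format and the event names (`sent`, `opened`, `clicked`, `submitted`, `reported`) are assumptions made for this example.

```python
# Added example (not from the original article): turn a simulated-phishing
# campaign's event log into the metrics that answer the questions above.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, one line per user action: "timestamp,user,department,event".
# The event names are assumptions for this example, not any product's schema.
SAMPLE_LOG = """\
2024-05-01T09:00:00,alice,finance,sent
2024-05-01T09:00:00,bob,finance,sent
2024-05-01T09:00:00,carol,engineering,sent
2024-05-01T09:00:00,dave,engineering,sent
2024-05-01T09:05:12,alice,finance,opened
2024-05-01T09:06:40,alice,finance,clicked
2024-05-01T09:07:03,alice,finance,submitted
2024-05-01T09:10:00,bob,finance,opened
2024-05-01T09:11:30,bob,finance,reported
2024-05-01T09:15:00,carol,engineering,opened
2024-05-01T09:15:45,carol,engineering,clicked
2024-05-01T09:20:00,carol,engineering,reported
2024-05-01T09:30:00,dave,engineering,opened
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    department: str
    action: str


def parse_log(text):
    """Parse the CSV-style log into Event objects, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, dept, action = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, dept, action))
    return sorted(events, key=lambda e: e.ts)


def _per_user(events):
    """Collapse events into per-user state: first time each action occurred."""
    users = {}
    for e in events:
        state = users.setdefault(e.user, {"department": e.department, "actions": {}})
        state["actions"].setdefault(e.action, e.ts)  # keep the earliest occurrence
    return users


def _rates(group):
    """Counts and rates for a list of per-user states (one department, or everyone)."""
    sent = sum(1 for s in group if "sent" in s["actions"])
    clicked = sum(1 for s in group if "clicked" in s["actions"])
    submitted = sum(1 for s in group if "submitted" in s["actions"])
    reported = sum(1 for s in group if "reported" in s["actions"])
    # The best outcome: the user reported the message and either never clicked
    # or reported it before clicking.
    reported_before_click = sum(
        1 for s in group
        if "reported" in s["actions"]
        and ("clicked" not in s["actions"]
             or s["actions"]["reported"] < s["actions"]["clicked"])
    )

    def rate(n):
        return round(n / sent, 3) if sent else 0.0

    return {"sent": sent, "clicked": clicked, "submitted": submitted,
            "reported": reported, "reported_before_click": reported_before_click,
            "click_rate": rate(clicked), "submit_rate": rate(submitted),
            "report_rate": rate(reported)}


def campaign_metrics(events):
    """Overall and per-department metrics plus time to the first user report."""
    users = _per_user(events)
    by_dept = defaultdict(list)
    for s in users.values():
        by_dept[s["department"]].append(s)
    result = {"overall": _rates(list(users.values())),
              "by_department": {d: _rates(g) for d, g in sorted(by_dept.items())}}
    send_times = [s["actions"]["sent"] for s in users.values() if "sent" in s["actions"]]
    report_times = [s["actions"]["reported"] for s in users.values() if "reported" in s["actions"]]
    result["seconds_to_first_report"] = (
        (min(report_times) - min(send_times)).total_seconds()
        if send_times and report_times else None)
    return result


def users_needing_followup(events):
    """Users who clicked or submitted credentials and never reported the message."""
    users = _per_user(events)
    return sorted(u for u, s in users.items()
                  if ("clicked" in s["actions"] or "submitted" in s["actions"])
                  and "reported" not in s["actions"])


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(campaign_metrics(evts))
    print("follow-up training:", users_needing_followup(evts))
```

Report rate and time to first report are usually more informative than click rate alone: a workforce that clicks occasionally but reports quickly gives the security team a chance to respond, whereas a low click rate with no reports says little about what would happen in a real incident.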
Simulated phishing attacks are also known as “security awareness training” or “phishing assessments”.
It is also good practice to re-evaluate your training methods regularly to ensure they remain effective; simulated phishing attacks are usually the best way to achieve this goal.