Alec Auer, a penetration tester who has conducted dozens of phishing attacks, takes a look at how employees respond to phishing attacks and where it could be improved.

In my previous article I wrote about some of the tactics used by attackers to phish users; in this one I’m going to take a look at the user response following a phishing attack. In most cases, the response rate is lacking to the point where it is negligible.

In the vast majority of phishing exercises we carry out for clients, the click-rate to falling victim far outweighs the number of reports of the phishing email itself to the helpdesk or IT department. A recent phishing attack I conducted was received by just over 1,100 users and while 250 fell victim, just 50 across the board reported the attack. This illustrates a simple and worrying precedent: users are not reporting phishing attacks, even after falling victim.

There are multiple potential reasons for this: the user realised it was a phishing email and simply deleted it; the user fell victim and decided that, after being redirected to the training page, realised it was only a training exercise and not worth reporting; or the user clicked the link and did not want to admit that they had fallen victim for fear of repercussions.

It is a simple process to change this way of thinking and employees should be encouraged to take phishing attacks seriously, even if it is just a training exercise, and report the email to both the IT department and colleagues.

The most effective way of changing the mindset of employees is to combine phishing exercises with face-to-face user awareness training. This provides an engaging method of illustrating the dangers of phishing and the impact it can have on the business in terms of financial and reputational damage. Where companies have used this approach, the reporting rate of phishing attacks has increased in subsequent phishing exercises and the response rate to the email has also dropped.

An additional step is to promote a culture where employees are rewarded for reporting a phishing campaign, even after falling victim, rather than punishing them. This will invite employees to take more responsibility for their actions and ultimately result in a more rapid response to the attack.

While falling victim to an attack is obviously a problem, not reporting the attack only compounds the issue. If a user immediately reports an attack, without fear of repercussions, the extent and number of employees or computers that are compromised can be minimised (and this is especially true for ransomware attacks).

The key to improving employee confidence is through regular training and providing a clear procedure to follow to quickly report a phishing attack. Most importantly, instead of punishing employees, encourage and reward them for taking the security and reputation of the company seriously.

About the author

Alec Auer, BA (Hons) OSCP CRT has been a penetration tester with First Base Technologies for several years and conducts various types of penetration and compliance testing, including infrastructure, web application, email phishing and cyber essentials. He has also achieved the Offensive Security Certified Professional (OSCP) qualification and is a CREST registered tester.