Phishing simulation best practices: how to communicate the value of phishing simulations to your employees

Updated
August 28, 2024
Written by
Maxime Cartier
We are not going to explain why you need phishing training, as you already know the ins and outs of it. Instead, we will unfold how to communicate the value and benefits of phishing training to your employees. That is probably the hardest part of the job. You have most likely sold the need for phishing training to your leadership (we have also written about how to get buy-in from them). But the biggest question is, and you have probably heard it from others: how will you make sure that people care about and engage with the training? After all, if employees don’t use it, how will they learn to act responsibly and more securely online?

What should you communicate to people about phishing training?

People want to do good and act the right way. Yet it can sometimes be hard for them to understand why they need to spend precious working hours on security awareness training. It just sounds so simple, at least on paper. That is one big pitfall of information security training: people are overconfident about their knowledge and skills, and they wonder why they need practical training. To overcome this obstacle, you must show them that they can fall victim more easily than they think. You can show this with practical, interactive, and positive training. However, before kicking off the training, people must know why you want them to participate.

What do people need to understand about the training?

The social engineering landscape has become really sophisticated, and well-executed attacks can be surprisingly confusing and easy to fall victim to. You need to go beyond policies and make more of an effort to truly educate people. As attackers adapt their strategies, personalize their attacks, and keep creating new attack types, you also need to adjust your education to keep people up to date and safe.

Threats are not so simple anymore

All of us have seen the typical phishing emails: a DHL impersonation about picking up your parcel, or a request to update your O365 password. Most of these phishing emails are poorly crafted and executed. You would think no one would fall for them. Yet errors can always happen. It could be enough that an employee is tired and clicks on the wrong link without thinking twice. The real problem is that attackers have recently been investing a lot of time and energy into delivering exceptional attacks that could fool even those who do very well in the training. Spoofing coworkers’ email addresses, impersonating brands over email, or creating real-looking websites can make it difficult not to fall for the hooks. Without awareness and continuous practice, it is difficult to stay on top of your game and avoid falling for phishing attacks.

Anyone can be manipulated

Hackers use psychology to manipulate people into taking action. They exploit basic human psychology, trying to make us act quickly without thinking. They use our emotions against us.

Fear

Fear is an unpleasant emotion, and it is probably the tool most commonly used by social engineers. How would you feel if someone told you that your bank account was compromised and you needed to act immediately to sort things out? Or if someone threatened you with the police because of a tax violation?

If you are not aware that such messages and threats could be a scam, you may accidentally take action.

Obedience

We usually trust authority. If a company you interact with or an executive at your company asks you to do something, you may not question it. You might simply take action. For example, it is very typical for attackers to pose as the CEO and try to manipulate people in the Finance department into transferring money to their account.

Greed

We have probably all seen phishing emails that try to exploit our desire for something, like a prize or money. For example, we showed earlier how hackers could send you an advanced attack about a Google PlayStore Giftcard using a Google subdomain that could steal your password.

Helpfulness

Generally, people want to be helpful to their peers, and cybercriminals take advantage of this. Emails that want to exploit you by asking for help typically also use urgency to make you act as fast as possible.

Safety should be on everybody’s agenda

Just recently, we wrote a full article on how employees think about security at work: they think they are safe from hackers because IT will take care of the safety measures anyway. With all your training and communication, you want to focus on building a culture where employees understand that they, too, are responsible for security. By taking the right actions, they can immensely support your defenses and lower your risk profile.

Helping people learn what they are supposed to do and how they can support your work will help them understand why they should participate in the training.

How do they benefit from the training?

Your employees can benefit from cybersecurity training on both a professional and a personal level. No one wants to be the person at work who did something silly, like downloading malware by accident, that costs the company a great deal in productivity, money, and reputation. Attackers don’t only target organizations or work emails. They also target individuals, with motives such as cheating people out of money or stealing their credentials, for example to access their bank accounts.

How do you motivate your employees?

Communicating the benefits of training will help people understand why they must participate. This is one big part of motivation. It also depends on your company’s culture and on what other tools you are going to use to educate employees. In some companies, gamifying the training can work really well, while in others it may not be aligned with the company culture. Gamification may also motivate some employees to compete with others or to earn prizes based on their participation or success.

Generally, it is good to ask employees for qualitative feedback on what you could do better. You could put together a workshop with people from various backgrounds and get their valuable insights on how to engage and motivate them better.
