May 18 2023

How to Measure Your Team’s Email Security Savviness

Phishing remains a high-volume, low-success endeavor, but it only takes one successful hook for attackers to gain entry.

Long the most widespread attack strategy, phishing continues to gain popularity with cybercriminals. These attacks underpin an uptick in business email compromise, which accounted for 33 percent of initial access vectors in 2022, up 20 percentage points from the year before.

For organizations, a bigger pool of potential attackers makes it critical to evaluate your team’s readiness to handle phishing attacks and to provide training that actively decreases risk. Here’s how.

Why Phishing is So Popular

The first step in better email security is understanding why attackers do what they do. Put simply, phishing works. In fact, a recent Mimecast survey reveals that 97 percent of companies say that they have been targeted by email-based attacks. A phishing attack is often the first step in delivering ransomware, so it’s no surprise that two out of three companies say they’ve been harmed by a ransomware attack.

Phishing is also easy to do. Would-be attackers can purchase low-cost phishing tools on the dark web and easily scale them to suit their specific purposes.

The result is an attack vector that’s easy to scale and virtually free to implement, and it only has to work once for hackers to succeed.


Phishing Scams Hidden in Plain Sight

While current phishing efforts still bear fruit, hackers keep improving their tactics.

Cybersecurity experts note that three new attack types have been making the rounds as malicious actors attempt to circumvent security: calendar invitation attacks, image-based attacks and special character attacks.

In calendar invite attacks, cybercriminals send meeting invitations to their targets, often containing attachments. The title and sender of the meeting may seem familiar, encouraging users to click through and compromise themselves. Image-based attacks, meanwhile, use emails that contain only images and links but no text. This allows them to circumvent many phishing detection tools and make their way into employee inboxes. Finally, special character attacks may use characters such as zero-width Unicode, which is not visible to recipients and makes it seem as if links or attachments are legitimate.
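One way a mail gateway or triage script can check for the two tricks just described, image-only bodies and zero-width characters hidden in subjects or link text. This is an added example, not code from the article or from Mimecast; it assumes the subject and HTML body have already been extracted from the message, and the sample values are constructed.

```python
import re
import unicodedata

# Constructed sample (not a real phish). The subject and the link text each hide a
# U+200B zero-width space, and the body has an image and a link but no other text.
SAMPLE_SUBJECT = "Invoice att\u200bached"
SAMPLE_BODY = """<html><body>
<img src="cid:invoice.png">
<a href="http://login.example.test/">pay\u200bpal.com</a>
</body></html>"""

def strip_format_chars(text):
    """Drop Unicode 'Cf' (format) code points, which include U+200B zero-width
    space, U+200C/U+200D joiners and U+FEFF; return (cleaned_text, removed_count)."""
    kept = [ch for ch in text if unicodedata.category(ch) != "Cf"]
    return "".join(kept), len(text) - len(kept)

def analyze_message(subject, html_body):
    """Return a list of findings: zero-width characters in the subject or in
    link text, and a body that carries only images and links with no visible text."""
    findings = []
    clean_subject, n = strip_format_chars(subject)
    if n:
        findings.append(f"subject hides {n} format char(s); reads as {clean_subject!r}")
    anchors = re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html_body, re.I | re.S)
    for href, text in anchors:
        clean_text, n = strip_format_chars(text)
        if n:
            findings.append(f"link text hides {n} format char(s); reads as {clean_text!r} -> {href}")
    # Visible text outside anchors and tags; images/links with nothing else is a red flag.
    outside = re.sub(r"<a\s.*?</a>", "", html_body, flags=re.I | re.S)
    visible = strip_format_chars(re.sub(r"<[^>]+>", "", outside))[0].strip()
    images = len(re.findall(r"<img\s", html_body, re.I))
    if (images or anchors) and not visible:
        findings.append(f"no visible text outside {images} image(s) and {len(anchors)} link(s)")
    return findings

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_SUBJECT, SAMPLE_BODY):
        print(finding)
```

Because it keys on the Unicode general category rather than a fixed list, the check also catches other invisible format characters such as U+2060 and U+FEFF.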


How to Detect a Phishing Attack

The best way to defend against phishing attacks is to detect them before they reach inboxes. As noted above, however, this isn’t always possible, so it’s critical to evaluate staff response when phishing emails arrive.

According to the Mimecast survey, 80 percent of companies say that they are at risk due to inadvertent data leaks by careless or negligent employees. This speaks to the critical nature of employee training: If employees know what to look for, they can avoid common phishing hooks.

The benefits of training, however, aren’t guaranteed or permanent. According to one survey, 27 percent of companies reported no improvement in phishing success rates even after they’d implemented training programs. Employee training must be engaging for it to be effective, says Lisa Plaggemier, executive director of the National Cybersecurity Alliance.

“Does it get and hold their attention? Does it make them curious for more?” said Plaggemier, speaking recently at the RSA Conference cybersecurity event. “Have you ever had anyone come to you after taking your security training and ask for more? It very rarely happens.”

Training must also be repeated so employees don’t forget what they’ve learned, and updated so they can be told about cybercriminals’ latest dark innovations. As attacks evolve and new employees come on board, companies should conduct regular security training to ensure staff are up to speed.

Solutions such as Mimecast’s security awareness training kit can help. With continuous, engaging, video-based microlessons, employees can both acquire and keep the security skills they need to keep attackers at bay.
