Anti-Phishing Training 101: What It Is and How to Provide It to Employees

by | Sep 21, 2021 | What is

employee anti phishing training

Proofpoint’s 2021 survey data shows that only 52% of U.S. workers could correctly answer the question “What is Phishing?” Such results indicate the urgent need for organizations to provide anti-phishing training to their staff

anti phishing training

A screenshot of the U.S. Department of Defense’s DoD Cyber Awareness Challenge shows what an anti-phishing training can look like.

Unlike most attack types, phishing exploits human weaknesses, not machine or system vulnerabilities. It’s not so much an attack against technology as it is a scam that tricks people — using tactics that have been around for hundreds of years. That means the solution to phishing must focus on humans at least as much as technology.

In this article, we’ll cover what phishing means and how you can provide anti-phishing training to your employees. We’ll also explore the risks of not providing anti-phishing training, and where you can find free and paid resources to help train your people.

What Is Phishing? A Definition and Explanation

Phishing is a technique of defrauding people by posing as someone else. The goal is to trick victims into making financial transactions, disclosing login credentials, sharing confidential information, or downloading malware.

Although phishing techniques are always evolving, these are some of the most popular methods:

  • Phishing emails: Hackers send emails masquerading as a well-known company, government agency, or person that the recipient trusts. They hide malware in attachments, add links to fake sites, or coerce recipients into sharing confidential information. Here’s an example of what a phishing email looks like:
paypal email attachments phishing

A screenshot of an email showing a phishing message impersonating PayPal.

As you can see, the email comes from an unusual email address instead of an official PayPal account, which should end with “@paypal.com.” The sender is trying to generate panic in the recipient to make them click on the fraudulent link that will take them to a fake PayPal site. As soon as the victim tries to login with their credentials, the hackers steal them to get an unauthorized access to the victim’s account.

  • Vishing: Attackers make a direct phone call to the targets impersonating someone else. Some vishing attacks start with a phishing email that tricks the victim into calling the attacker on the phone. And some vishing attacks start with a phone call and then move to other attack methods, such as RDP attacks/tech support scams.
  • Smishing: Similar to phishing and vishing, using unsolicited SMS messages.
smishing example

An image showing a fake SMS scam where the attacker threatens to suspend the recipient’s mobile account if they don’t click on the link. Attackers can redirect victims to the fake sites, download malware into their mobile, or trick them to share credentials or login details.

  • Evil-Twin Wi-Fi: Hackers create open Wi-Fi ports resembling legitimate Wi-Fi networks in places like libraries and coffee shops. For example, if JFK airport’s official Wi-Fi network’s name is “JFK Internet,” hackers create a fake network called “JFK Airport Wi-Fi.” Once the victim connects to it, the hacker can intercept their data and communications while they’re in transit.
  • Phishing websites: Hackers make phishing websites that look similar or identical to popular sites, using the same logos, designs, color schemes, fonts, and content. They also buy similar-looking domain names to make the sites look more legitimate. Any information entered in these fake sites is collected, stolen, and used for various crimes. Examples of these scenarios include identity theft related scams, financial fraud, or getting unauthorized access to victims’ accounts.

Phishing involves psychological manipulation, so we must learn to recognize phishing scams so as not to fall for the tricks. Let’s look at how anti-phishing training can help.

What Is Anti-Phishing Training?

Anti-phishing training is a way for you to educate your employees about the risks and dangers associated with phishing scams. It’s a way to show every employee:

  • What real-world phishing messages look like,
  • Examples of the types of tactics that cybercriminals use so they know what to look out for,
  • Who and how they can report suspected phishing scams to, and
  • Why it’s important for them to know how to recognize these threats to protect your business and customers.

Organizations are common targets for phishing attacks so it’s essential that companies provide anti-phishing training to all their employees. Although there are automated tools available that can detect and block phishing messages, it’s a mind game played by humans. Therefore, it is vital to train people to identify the various phishing scams.

There are three main approaches for offering anti-phishing training.

1. Use an internal team. Some companies have internal IT teams that provide anti-phishing training to their employees. Big companies might even hire a specialized security team to provide all kinds of cyber awareness training. Internal teams often develop the training program from scratch, which can be expensive.

2. Hire third-party professionals. Many companies hire visiting security professionals periodically to conduct phishing training seminars and boot camps for their employees. In addition, some managed IT service providers also offer anti-phishing training to their clients’ staff. 

3. Rely on online training: This is a convenient and often cost-efficient anti-phishing training option. Third-party companies offer online simulation programs and other resources, which include:

Companies subscribe or buy these courses and ask employees to complete the training online.

Why Is Anti-Phishing Training Necessary?

Not sure whether anti-phishing training is worth spending money on? Then you should know that a single wrong click by an employee can put your entire organization’s security in jeopardy.

Check out some quick facts about phishing:

  • Proofpoint data (from the 2021 survey we mentioned earlier) shows that 75% of organizations around the globe faced one or more phishing attacks in 2020.
  • Verizon reports that hackers primarily use email as the attack vector (more than 95%) for 96% of phishing scams targeting public administration organizations.
  • The FBI’s Internet Crime Compliance Center (IC3) 2020 Internet Crime Report shows that individuals reported more than $54 million in adjusted losses due to phishing scams.
  • The FBI’s IC3 also reports receiving 241,342 phishing complaints in 2020.
  • KnowBe4 reports that 91% of successful data breaches stemmed from spear-phishing attacks.

Many data breaches and cyber-attacks occur because employees are not able to recognize phishing attacks.

An example: Three cities in Florida became victims of serious cyber attacks in 2019. Hackers used malware to encrypt data and deactivate important systems before asking for a ransom to unlock the data. In the Riviera Beach attack, the government paid $460,000 in Bitcoin as ransom to restart the email, phone, and 911 dispatch services.

After investigation, it was discovered that Riviera Beach’s cyber-attack occurred because an employee of the local police department opened a malicious email. This move enabled the hackers to install the malware in the department’s IT systems.

Resources for Anti-Phishing Awareness

If you don’t have a budget for hiring specialists or building a training program from scratch, don’t worry. There are some great resources you can use to implement a basic phishing awareness program for your organization.

Here are some well-known cyber-awareness programs that cover anti-phishing training: 

Resource What Each Training Includes Cost
DoD Cyber Exchange Phishing Awareness Training This interactive training provides examples of phishing attacks and guidelines for users on recognizing phishing attempts. Free
Cofense Online Email Security Awareness Training Paid anti-phishing training programs and simulators for corporate employees. The online training modules are free, although the company offers additional training options for various prices.
FEMA IS:0906: Workplace Security Awareness Training It includes anti-phishing and other important security lessons. Free
ESET Cybersecurity Awareness Training It provides the advanced training, which includes a phishing simulator the latest AI. A basic training is free, and paid version and the paid training costs $250 for ten employees.
ProofPoint Anti-Phishing Training This includes a complimentary PDF and video module. Proofpoint also has paid phishing simulators for enterprise. Free
KnowBe4’s Anti-Phishing Tests KnowBe4 deploys various harmless phishing scams on your employees and sends you the results. These free anti-phishing tests are designed to check your team’s phishing awareness. Free

Final Words on Anti-Phishing Training

Phishing attacks prey on an employee’s desire to do their job well. Phishers love to present an issue or problem while masquerading as an unhappy customer, eager buyer, or even the employee’s boss. A good employee’s first reaction is to quickly fix the issue — but unfortunately, the hacker is sabotaging employees’ good intentions.

With a little anti-phishing training, though, you can ensure that each employee can do what they want to do: help the organization through a job well done.

Stop hackers from hacking your business!

Get DigiCert Secure Site Pro OV SSL that includes a vulnerability scanner, malware detector, PCI scanners, website backup, multi-domain security, and many more advanced security tools.
Shop Now