
Why you should put your staff to the test with phishing drills

When Sophos Phish Threat was released in January, we pointed out that:

  1. Email remains one of the most problematic sources of infection; and
  2. It’s the ordinary, well-meaning people who often let poisonous emails into their organizations.


Phishing is an old problem, but news stories continue to show that people remain easy prey.

New attacks, old tactics

A recent Naked Security article outlined the bad guys’ efforts to infect their prey using scams centered around tax season, with the Internal Revenue Service (IRS) warning of fresh email schemes targeting tax professionals, payroll staff, human resources personnel, schools and average taxpayers. In another scam, attackers polluted Amazon listings with links that redirected victims to a very convincing Amazon-looking payment site.

Now come fresh reports that attackers are using malicious PDF attachments, messages that appear to come from the recipient’s own HR department, and bogus Facebook friend requests. [For the full story, read Latest phishing tactics: infected PDFs, bogus friend requests, fake HR emails.]

Microsoft Malware Protection Center team member Alden Pornasdoro warned of the malicious PDF files. Unlike in other spam campaigns, he wrote, the PDF attachments in question don’t contain malware or exploit code. Instead, they rely on social engineering to lead people to phishing pages where they are asked to divulge sensitive information.
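Because these PDFs carry no exploit code, an attachment scanner that looks only for shellcode or JavaScript will pass them. What a mail gateway can still do is pull out the link targets and judge them. The script below is an added example, not Sophos or Microsoft code: it walks a PDF's raw bytes for /URI actions (both literal and hex-encoded strings), notes any active-content keys, and flags links whose host is outside an allowlist. The sample PDF, its two link targets and the allowlisted domain are all constructed here so it runs offline.

```python
"""Static triage of a PDF attachment that carries a link instead of an exploit.

Added example (not Sophos or Microsoft code): it scans a PDF's raw bytes for
link actions (/URI) and for markers of active content, then flags any link
whose host is outside an allowlist. The sample PDF and its domains are
constructed here so the script runs offline.
"""
import re
from urllib.parse import urlsplit

# Constructed one-page PDF with two /Link annotations and no JavaScript:
# one URI as a literal string (with escaped parentheses), one as a hex string.
HEX_LINK = "https://login-verify.example.net/".encode().hex().encode("ascii")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]\n"
    b"   /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (https://docs.example.com/invoice\\(Q1\\).pdf) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 680]\n"
    b"   /A << /S /URI /URI <" + HEX_LINK + b"> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Dictionary keys whose presence means the PDF does more than display text.
# Raw-byte matching is a first pass only: keys inside compressed object
# streams are not visible without decoding the streams first.
ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
                  b"/AA", b"/SubmitForm", b"/EmbeddedFile")
URI_KEY = re.compile(rb"/URI\s*(?=[(<])")


def _read_literal(data: bytes, start: int) -> tuple[bytes, int]:
    """Decode the PDF literal string that starts at data[start] == b'('.

    Handles backslash escapes and balanced nested parentheses. Returns the
    decoded bytes and the index just past the closing parenthesis."""
    out, depth, i = bytearray(), 1, start + 1
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            out += {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    return bytes(out), i


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target in the file, whether literal or hex encoded."""
    uris = []
    for m in URI_KEY.finditer(pdf):
        pos = m.end()
        if pdf[pos:pos + 1] == b"(":
            raw, _ = _read_literal(pdf, pos)
        else:
            end = pdf.index(b">", pos)
            digits = re.sub(rb"\s+", b"", pdf[pos + 1:end]).decode("ascii")
            raw = bytes.fromhex(digits + "0" if len(digits) % 2 else digits)
        uris.append(raw.decode("latin-1"))
    return uris


def active_content_markers(pdf: bytes) -> list[str]:
    """Names of active-content keys present in the raw bytes."""
    return [k.decode() for k in ACTIVE_MARKERS
            if re.search(re.escape(k) + rb"(?![A-Za-z])", pdf)]


def _is_trusted(uri: str, trusted: set[str]) -> bool:
    host = (urlsplit(uri).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(pdf: bytes, trusted: set[str]) -> dict:
    """Classify as clean, link-lure (external links only) or active-content."""
    uris = extract_uris(pdf)
    external = [u for u in uris if not _is_trusted(u, trusted)]
    markers = active_content_markers(pdf)
    verdict = "active-content" if markers else "link-lure" if external else "clean"
    return {"uris": uris, "external": external,
            "active_content": markers, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_PDF, {"example.com"}))
```

Run against the constructed file with `example.com` allowlisted, the verdict is `link-lure`: no active content, one link to the lookalike `login-verify.example.net`. Two caveats for real use: links held inside compressed object streams need the streams inflated before this scan sees them, and a lookalike host on a trusted domain's own subdomain (via a compromised site) will pass the allowlist, so the external list is a triage signal, not a final verdict.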

In another case, ZDNet reported that sending a bogus friend request was the best way to get someone to click on a link – even when the email was being sent to a work email address.

In one simulation conducted by MWR Infosecurity, a quarter of the users tested clicked the link and were taken through to a fake login screen; more than half of those went on to provide a username and password, and four out of five of those then downloaded the malicious file. A spoof email claiming to be from the HR department and referring to an appraisal system also proved effective.

Successful attacks through social engineering

Recent developments show that the ancient technique of social engineering is alive and well. Understanding it is the first step in mounting a better defense. We previously wrote:

Social engineering is the act of manipulating people into taking a specific action for an attacker’s benefit. You might think it sounds like the work of a con artist – and you’d be right. Since social engineering preys on the weaknesses inherent in all of us, it can be quite effective. And without proper training it’s tricky to prevent. If you’ve ever received a phishy email, you’ve seen social engineering at work. The social engineering aspect of a phishing attack is the crucial first step – getting the victim to open a dodgy attachment or visit a malicious website.

As the blog post noted, phishing can’t work unless the first step – the social engineering – convinces you to take an action.

To help raise awareness, security vendors offer a number of products and services that companies can use to run simulations – essentially phishing fire drills – which show employees, up close, how easy it is to be duped by social engineering.

For Sophos customers, that product is Phish Threat.

How it works

With Phish Threat, users choose a campaign type, select one or more training modules, pick a simulated phishing message, and decide which users to test. Reporting tells you how many messages have been sent out, who’s clicked, and, of those, who’s gone through the required modules.
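The reporting side of a drill is a funnel: messages sent, then who clicked, who entered credentials or opened the attachment, and who has since completed the assigned training. The script below is an added example, not Phish Threat code: it computes that funnel from a constructed event log, lists the users who took the bait but have not finished their module, and picks out users who clicked in more than one campaign. The event names, CSV layout, campaign names and user names are all assumptions; the stage rates mirror the click, credentials and download percentages reported from the MWR simulation above.

```python
"""Phishing-simulation funnel report over a constructed event log.

Added example, not Sophos Phish Threat code: the event names, CSV layout,
campaign names and users are assumptions. It produces the kind of report the
post describes (messages sent, who clicked, who among them has completed the
assigned training) and the click -> credentials -> download funnel.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed log: two campaigns sent to the same six recipients.
EVENT_LOG = """\
timestamp,campaign,user,event
2017-02-06T09:00:00Z,friend-request,alice,sent
2017-02-06T09:00:00Z,friend-request,bob,sent
2017-02-06T09:00:00Z,friend-request,carol,sent
2017-02-06T09:00:00Z,friend-request,dave,sent
2017-02-06T09:00:00Z,friend-request,erin,sent
2017-02-06T09:00:00Z,friend-request,frank,sent
2017-02-06T09:14:02Z,friend-request,bob,clicked
2017-02-06T10:41:55Z,friend-request,frank,clicked
2017-03-13T09:00:00Z,hr-appraisal,alice,sent
2017-03-13T09:00:00Z,hr-appraisal,bob,sent
2017-03-13T09:00:00Z,hr-appraisal,carol,sent
2017-03-13T09:00:00Z,hr-appraisal,dave,sent
2017-03-13T09:00:00Z,hr-appraisal,erin,sent
2017-03-13T09:00:00Z,hr-appraisal,frank,sent
2017-03-13T09:03:10Z,hr-appraisal,alice,clicked
2017-03-13T09:03:41Z,hr-appraisal,alice,submitted
2017-03-13T09:04:05Z,hr-appraisal,alice,downloaded
2017-03-13T09:11:27Z,hr-appraisal,bob,clicked
2017-03-13T09:12:02Z,hr-appraisal,bob,submitted
2017-03-13T09:30:48Z,hr-appraisal,carol,clicked
2017-03-13T16:20:00Z,hr-appraisal,alice,training_completed
2017-03-14T08:05:00Z,hr-appraisal,carol,training_completed
"""

# Funnel stages in order; each stage is reported against the one before it.
STAGES = ["sent", "clicked", "submitted", "downloaded"]


def parse_events(text: str) -> list[dict]:
    """Read the CSV log into a list of {timestamp, campaign, user, event}."""
    return list(csv.DictReader(StringIO(text)))


def funnel(events: list[dict], campaign: str) -> dict[str, dict]:
    """Distinct users per stage and the conversion rate from the previous stage.

    Users are counted once per stage no matter how many times they clicked."""
    users = defaultdict(set)
    for e in events:
        if e["campaign"] == campaign:
            users[e["event"]].add(e["user"])
    report, prev = {}, None
    for stage in STAGES:
        n = len(users[stage])
        rate = round(100 * n / len(users[prev]), 1) if prev and users[prev] else None
        report[stage] = {"users": n, "rate_from_previous": rate}
        prev = stage
    return report


def training_gaps(events: list[dict], campaign: str) -> list[str]:
    """Users who took the bait but have not completed the assigned module."""
    clicked, trained = set(), set()
    for e in events:
        if e["campaign"] != campaign:
            continue
        if e["event"] == "clicked":
            clicked.add(e["user"])
        elif e["event"] == "training_completed":
            trained.add(e["user"])
    return sorted(clicked - trained)


def repeat_clickers(events: list[dict], min_campaigns: int = 2) -> list[str]:
    """Users who clicked in at least min_campaigns distinct campaigns."""
    campaigns = defaultdict(set)
    for e in events:
        if e["event"] == "clicked":
            campaigns[e["user"]].add(e["campaign"])
    return sorted(u for u, c in campaigns.items() if len(c) >= min_campaigns)


EVENTS = parse_events(EVENT_LOG)

if __name__ == "__main__":
    for stage, row in funnel(EVENTS, "hr-appraisal").items():
        print(f"{stage:<11} {row['users']:>3}  {row['rate_from_previous']}")
    print("need training:", training_gaps(EVENTS, "hr-appraisal"))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

For the constructed `hr-appraisal` campaign this gives 6 sent, 3 clicked (50%), 2 submitted credentials (66.7% of clickers) and 1 download (50% of submitters), with `bob` still owing his training. The repeat-clicker list is the number worth tracking over time: if the same names keep appearing campaign after campaign, the drills are not changing behaviour for those users and they need something other than another module.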


Security awareness programs are not new, and some security experts have questioned their effectiveness, since users continue to make the same mistakes.

In our opinion, simulations give awareness programs more teeth. The more employees get caught on the phishing hook during a simulation, the less likely they are to forget the lesson.

That may sound like a self-serving statement. But the proof is in the never-ending avalanche of news headlines.


It does little for security but harms productivity (because employees spend ages pondering emails, and not answering legitimate ones), upsets staff and destroys trust within an organisation.


Mike, if you teach your employees to trust, but verify, then there shouldn’t be a problem with upset staff and trust. All you need is one legit threat to come through, say ransomware, and then you’ll start seeing those issues if people haven’t had any training.

