If it seems like every day brings news of another cyberattack, it’s not just your imagination.

The frequency of malware, ransomware, and phishing attacks continues to rise. In fact, between 2019 and 2020, the number of phishing attacks nearly doubled.

And because 91% of cyberattacks start with a spear phishing email, it’s well worth the effort to train your employees to recognize phishing emails and other threats.

To protect your company from hackers, you should know how to phish like a hacker. That’s why so many businesses are using simulated phishing tests—to train their users to recognize and report suspicious emails, nipping cyberthreats in the bud.

But if your company doesn’t have the personnel or budget for large-scale phishing tests, what can you do? No stress; just check out these phishing test how-tos, designed specifically for small businesses, to strengthen your org against cyberthreats.


1. Pick a phishing tool


The good news is that picking a phishing tool isn’t as intimidating as it may sound—it all comes down to your budget and IT knowledge.

If you have Microsoft 365, you already have access to Attack Simulator, which allows you to run several different types of simulated social engineering attacks. A quick Google search will tell you everything you need to know to get started.

Not a Microsoft user? Again, a quick Google search will lead you to dozens of different security companies that will help you phish and train your employees. For starters, Threat Defense will empower users to work securely and put them on their guard—without the guilt-tripping and shaming that often accompanies traditional training.

But if a third-party solution just isn’t in your budget, try an opensource phishing tool like Gophish—with a proviso that (1) you’ll have to do a little more footwork, and (2) you’ll sacrifice some features like campaign scheduling and employee education.

Or take advantage of freemium services. KnowBe4, for instance, offers a range of free tools. The caveat here is that piecemealing your security training isn’t a sustainable long-term solution—but it’s a whole lot better than doing nothing.


A man phishing


2. Prepare your employees


If you’re starting from square one, now’s the time to set the stage before launching your new cybersecurity initiative.

Most people—including employees at your organization—respond well to data. To help your users understand where you’re coming from, cite recent news stories about cyberattacks. Let users know that the average cost of a data breach is $3.86 million. With that kind of money on the line, is it any wonder that 60% of small businesses who experience a cyberattack close their doors within 6 months?

Another best practice is to give your employees an overview of what phishing emails look like and how to recognize them. Yes, simulated phishing is designed to test users’ knowledge, but you’re not trying to get them to fail.

3 things your team should know about phishing awareness training.

Transparency is also a good thing—so let team members know you’ll be sending phishing emails in the next few weeks. Avoid the nitty-gritty details since users only need basic information at this stage.


3. Go phishing


Ready to break out your new phishing tools? Here are a few things to keep in mind when you design your simulated attack.

  • Phish at all levels of the company. Scammers and hackers can target anyone at the company—from the people at the front desk to the C-suite—so everyone needs to be prepared. Make sure everyone gets an email, but . . .
  • Don’t phish everyone at the same time. In any company, people are going to talk to each other. If someone notices a phishing email in their inbox and lets everyone else know, the game is up—especially if you’re in a small office. If your phishing tool has a campaign scheduling feature, make the most of it to space out the emails.
  • Vary your phishing approach. Phishing emails can take many different forms, from phony social media notifications to urgent messages, allegedly from your boss. So, take a leaf out of the scammers’ book and mix up your fake-phishing emails. This is another good way to make sure employees don’t tip each other off.


4. Keep up the momentum


Your phishing strategy is important, but equally critical is how you respond to your users after they’ve been phished.

Here’s the biggest thing: don’t punish employees who fall for the bait. No one likes making mistakes, and no one likes being shamed for their mistakes—so don’t do it. If a user clicks the link/responds to the phony email/gives away sensitive info, assign them another round of phishing awareness training and give them another chance.

Another good way to encourage secure behaviors is by rewarding employees who successfully report the phishing email.

For example, you could let people know that a phishing email will be arriving in their inbox in the next few weeks and instruct them to forward it to the IT manager when they see it. Any employee who successfully reports the email will have their name put in a drawing for something cool (a gift card, an extra day of PTO, a treat of their choice, etc.).

Gamification is a great way to get users invested in the training and motivate them to take it seriously—without coming across as patronizing or overly intense.


A carrot on a string


5. Repeat


Annual trainings may work well for some content, but that’s not the case for cybersecurity. Scammers and hackers are always upping their game, often using current events as part of their scams (like COVID vaccination appointments or IRS-related emergencies). Your training should update regularly to keep users apprised of these threats.

Plus, it usually takes more than one training to help users develop cyber-safe habits. You can decide how often your users should be trained—but try to be conscious of employees’ time. You don’t want them to get burned out on security!

What does a successful simulated phishing training program look like?


Beyond phishing how-tos


These phishing tips are more than just a checklist you can mark off to feel like you’ve “done” your security training. They’re all about teaching employees how to combat human error so hackers can’t take advantage of them—which keeps your data and their jobs safe.

This may sound like a lot of work—especially if you have limited personnel and already need all hands on deck.

If this situation sounds a little too familiar, partner with BrainStorm to protect your company from cyberthreats. Instead of spending more on firewalls—which hackers can breach—use Threat Defense to strengthen your company’s defenses from the inside out.