Gone phishing: How I taught my users to stop clicking everything

Familiar with SpiceWorks? It's the world's largest IT Admin community. One user wrote the 392nd entry in their Spotlight on IT. This is the story. There is a link at the end to the comments, which are a must-read too.

"We have a problem in our company: people click on EVERYTHING. A file isn’t opening? Keep clicking on it. A web page isn’t loading? Click on it a few dozen times. An email comes in from a sender you don’t recognize? Better click on the links to see what’s in them.

During 2014, we started getting pounded with a ton of spam messages. Luckily our Barracuda Spam Firewall caught most of them, but we were getting upwards of 3,000–5,000 spam messages per day when previously we were getting 600–800 or less. This wave of spam was fairly constant throughout most of the year, and as a result more spam messages were making their way through the filter — which meant more malicious emails were making their way into users’ mailboxes.

By Q3, we’d had around 80 malicious emails get through our spam filter, some of which went to multiple users. A few CryptoLocker attachments got through, but luckily our AV caught them when users tried to open them.

At this point, I’d been begging my boss to let me do a phishing test. I first brought it up in late 2013 when I noticed our users’ habit of clicking everything, but I was shot down. He still wasn’t sold on the idea of doing a phishing test even after the spammy year 2014 was becoming.

Then it happened...

It was an overcast October morning when my phone rang. I picked it up and greeted the user on the other end of the line. Quietly she said, “I think I messed up...”

My heart sank as I saw a fake ADP email come into MY inbox while I was on the phone with this user. It was a good one too — with a PDF attachment of a “pay statement.” When our AV had caught the malicious attachment in the email, this user then clicked on one of the links in the email and a download started. I started Googling the subject of the email to see what other IT pros had found about it… only to notice that the Internet wasn’t working.

I told the user to unplug her Ethernet cord for now, and that I’d have to call her back. I started fiddling with our Barracuda web filter, as the old one used to cripple the Internet every now and then. I didn’t notice any issues, but was unable to restart it through the appliance. My heart was pounding. I ran up to the server room and cringed while I gave it a hard reboot. While it was restarting, Internet traffic should have been unrestricted for about a couple minutes — but I still couldn’t access the web.

At this point, I stopped by my boss’s office and said, “Sooooo… I’m not sure if these are related issues, but someone just clicked on a malicious email — and also our data is down, so Internet is down for Corp and all of our sites are down.”

After about 10 minutes of scrambling, our data provider gave us a call: The Internet was down because of an issue on their end. We all breathed a collective sigh of relief.

20 minutes later, our rep at the data provider texted my colleague a picture. A construction crew in Chicago had accidentally cut their main fiber line, which was why we lost Internet. Data was back up and running in a couple hours, and we were all set.

Along came our next IT meeting, and I got the green light to begin my phishing trip. I’d seen Stu (KnowBe4) around the Spiceworks Community. He gave me some info on their free phishing test as well as some basic info on the product, so I signed up all of our email domains and began my test.

Only my boss and my colleagues in IT were aware of the test, so when the calls started pouring in from users we all gave our default response: “Forward the email to us as an attachment and we’ll investigate further.”

We have three main companies. The company I mainly support had a 25.5% click rate, our largest company had almost a 40% click rate, and our smaller 10-person company only had 1 click at 10%. Our overall average was 30%, which we count as 40% — during the test one of the GMs at our largest location went around yelling to people to not click on my test (because he correctly identified it as a phishing email). We’re confident every user at that location would have clicked on it otherwise.

Shortly after I started the test, Sandra at KnowBe4 gave me a call. She did her sales pitch, and I pretty much told her that I was already sold — but I needed management buy-in and an OK from my boss.

I put together a presentation after the test, and my boss made attendance mandatory for all management. I broke down what malware is, how it threatens our business, and how big of a problem it is. In addition to showing management the numbers from my test, I had added some statistics from Sandra’s presentation into mine. They were blown away that cybercrime nets $3 billion annually, and that over 800 million phishing emails are generated per day. These are the points that really made them start thinking of phishing as a threat. The other fact that really hit them was our phish-prone percentage compared to KnowBe4’s average — for a first test, their average was 16%; we were more than double that.

After my presentation, all of our managers were on board. The last hurdle was getting approval for the cost. I took Sandra’s quote and broke down the costs by company. I explained how $10/user was a good value, especially considering how much we would lose in down time if a really nasty piece of malware got through. My Christmas present that year was the signature on the quote, and a blessing from my boss to make the training mandatory for all users.

Fast forward to today (6 months after beginning the training course, 7 months from the first test) and we’ve gone from 40% phish prone to 4.86% phish prone. I couldn’t be prouder of my users.”

Here is the link to the full post, which has a link to the slide deck referred to above for download, and dozens of comments, many of which are from KnowBe4 customers who use our security awareness training. Warmly recommended!

If you are not a KnowBe4 customer yet, find out how affordable it is to train all employees and send them frequent simulated phishing attacks.