We Do What We Are Trained To Do

Roger Grimes

When I was young, I was an oceanfront lifeguard, firefighter and EMT paramedic. All three disciplines involved frequent education and training.

It wasn’t enough to get trained once and then be expected to perform a skill efficiently. We also did a lot of practice drills. There was a saying, “You will do what you practiced!” It meant that when the proverbial stuff hit the fan, the adrenaline was high and you had to act quickly, your mind and body would do what they had been trained to do. And for the most part, it’s true.

Practice, Practice, Practice

Education, training, and drilling are essential if you want a large group of people to do the right thing. This concept needs to be applied to fighting social engineering and phishing.

Educate, train, and drill your employees to do what you want them to do.

We want our end users to be initially skeptical of any unexpected email/message asking them to perform an action that, if malicious, could result in harm (to themselves or their organization). When they get an email/message with those two traits, we want them to Stop. Think. Before They Click. We want them to hover over any URL involved to see whether it looks legitimate. We want them to evaluate the URL of any site they land on after clicking. We want them to learn to confirm the request using a method other than the one presented in the email/message. We want them to mitigate and appropriately report any suspected phishing event.

And if we want these desired behaviors, we should educate, train and drill. You can’t expect an outcome that you didn’t educate, train and drill on. 

Simulated phishing tests are great. Periodically, at least once a month, if not more frequently, send a fake phishing email/message, and see how employees perform. People who fail simulated phishing tests should get more training and more testing. 

But it’s also a great idea to drill.

Drill Exercise

Make all employees take a 5- to 10-minute drill exercise designed to reinforce good anti-social engineering behaviors. It shouldn’t be a surprise, like simulated phishing, and it should involve more than one test. The goal is to reinforce desired behaviors by repetitively drilling them into an inherent behavior that they naturally practice without thinking about it.

Perhaps send them 10-15 simulated phishing emails/messages, where they are expected to evaluate if the email/message is likely to be a phishing attack or not. They should be directed to evaluate the email/message in a prescribed manner:

  • Did the email arrive unexpectedly (i.e., “You were not expecting it”)?
  • Is the email asking you to perform an action that, if malicious, could be harmful?
  • Did the email arrive during normal expected hours for that sender?
  • Is the sender known to you? Does it use a familiar email address that this person normally sends from?
  • Do the names and email addresses of the sender agree?
  • Evaluate the text of the message. Does it seem normal?
  • Does the text agree with the subject of the message?
  • If there is a URL, evaluate it, and see if it seems legitimate for the sender claiming to be involved.
  • If you click on the provided URL link, what does the resulting URL tell you? Are you landing at a legitimate vendor site or is the resulting URL landing page location suspicious?
  • And so on

Teach and drill what you want users to learn and do. Have users practice the skills you want them to incorporate into their natural response. Do follow-up drills in a month, and then maybe three months later. No one ever learned to do anything innately by doing it just once.
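
Several items on the checklist above can be mechanized, which is useful for scoring drill messages or for a first-pass triage of a reported email. As an added example (not from the article or from KnowBe4), the Python below applies the sender-agreement, Reply-To, normal-hours and link-destination checks to a constructed sample message; the domains, the 08:00-18:00 window and the message itself are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# <a href="...">text</a> pairs: where a link really goes vs. what it shows the reader.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr_or_url):  # crude registrable domain: last two labels of the host
    host = addr_or_url.rsplit("@", 1)[-1]
    host = re.sub(r"^[a-z]+://", "", host, flags=re.I).split("/")[0].split(":")[0]
    return ".".join(host.lower().split(".")[-2:])

def red_flags(raw, normal_hours=(8, 18)):
    """Return the checklist items a raw RFC 822 message fails (empty = no flags)."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    # "Do the names and email addresses of the sender agree?"
    if "@" in name and domain_of(name) != domain_of(addr):
        flags.append("display name shows a different address than the real sender")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append("Reply-To goes to a different domain than From")
    # "Did the email arrive during normal expected hours for that sender?"
    try:
        hour = parsedate_to_datetime(msg["Date"]).hour
        if not normal_hours[0] <= hour < normal_hours[1]:
            flags.append(f"sent at {hour:02d}:00, outside the sender's normal hours")
    except (TypeError, ValueError):
        flags.append("missing or unparseable Date header")
    # "If there is a URL, evaluate it": compare shown text, real href and sender domain.
    part = next((p for p in msg.walk() if p.get_content_type() == "text/html"), msg)
    body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if re.search(r"\w\.\w", shown) and domain_of(shown) != domain_of(href):
            flags.append(f"link text '{shown}' points to {domain_of(href)}")
        elif domain_of(href) != domain_of(addr):
            flags.append(f"link to {domain_of(href)} does not match sender domain")
    return flags

# Constructed sample (not a real message): lookalike sender, off-hours timestamp, disguised link.
SAMPLE = """\
From: "pat.lee@example.com" <billing@examp1e-secure.example>
Reply-To: pay@mail-collector.example
Date: Tue, 05 Mar 2024 02:41:00 +0000
Content-Type: text/html; charset="utf-8"

<a href="https://portal.examp1e-secure.example/login">https://portal.example.com/invoice</a>
"""
```

Running `red_flags(SAMPLE)` returns four flags, one per failed checklist item, while a message whose display name, Reply-To, send time and link domains all agree with the sender returns an empty list.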

I was young when I was an EMT-paramedic, firefighter and lifeguard (15-20 years old). I was so thankful for all the education and drilling I received, especially when I was hopping out of the unit to fight a house fire or work a multi-victim automobile collision where people had been thrown out of the cars onto the road. The adrenaline would get pumping. I was often scared, even if others couldn’t see it. Luckily, my mind and body did what we had practiced and drilled. I’ve never lost sight of the importance of doing both.

Drill baby, drill!

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
