Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.6.1. Phishing Awareness

💡 First Principle: Phishing is consistently among the most common initial access vectors in reported breaches. Awareness training must go beyond "don't click suspicious links" to build pattern recognition that holds up against sophisticated, targeted attacks. Generic advice fails against attackers who research their targets and craft convincing, context-aware messages.

Phishing campaigns/simulations — internal phishing tests that send realistic fake phishing emails to employees and measure how many click, how many submit credentials on the landing page, and how many report. Provide immediate feedback: an employee who clicks lands on an educational page explaining the specific indicators they missed. Track improvement over time; organizations commonly report click rates falling from 20-30% to under 5% with a sustained program, but click rate alone is a weak metric because it depends heavily on lure difficulty. Report rate and time-to-first-report are better indicators that the program is working. Simulations should vary in difficulty, from obvious mass-phishing to targeted spear-phishing that references real internal projects, and should avoid lures (bonus announcements, layoffs, benefits changes) that damage trust in the program once revealed.

Recognizing phishing indicators:
  • Urgency or threats ("Your account will be locked in 24 hours")
  • Generic greetings ("Dear Customer" instead of your name)
  • Mismatched URLs (the link text shows one domain but the href points elsewhere; hover, or long-press on mobile, to reveal the actual destination)
  • Unusual sender addresses (lookalike domains with subtle substitutions such as "microso1t.com", or a display name that does not match the actual address)
  • Requests for sensitive information that should never be requested via email
  • Unexpected attachments, especially executable files or macros
  • Grammatical errors or unusual formatting in supposedly professional communication
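The indicators above expressed as detection logic, as an added example that is not part of the MindMesh page: a Python script that parses a raw email and reports which indicators it finds, the same list an employee would see as feedback after clicking a simulated lure. The trusted-domain set, the keyword and risky-extension lists, the two-label approximation of a registrable domain, and both sample messages are assumptions constructed for this example.

```python
"""Score a raw RFC 5322 message for common phishing indicators (added example)."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains the organisation treats as legitimate senders.
TRUSTED_DOMAINS = {"example.com", "microsoft.com"}
# Assumed: file types that should never arrive unexpectedly by email.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm")
URGENCY = re.compile(r"\b(?:within|in) \d+ hours?\b|\b(?:immediately|urgent|suspended|locked|final notice)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (?:customer|user|member|valued client|sir/madam)\b", re.I)
SENSITIVE = re.compile(r"\b(?:password|passcode|social security|credit card|one-time code)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)


class LinkExtractor(HTMLParser):
    """Collect (visible anchor text, href) pairs so the two can be compared."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def levenshtein(a, b):
    """Edit distance: one substitution separates microso1t.com from microsoft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a hostname (assumption: no public-suffix list available offline)."""
    labels = (host or "").lower().strip(".").split(".")
    return ".".join(labels[-2:])


def score_message(raw):
    """Return {indicator: detail} for each indicator found in the raw message bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}

    # Unusual sender address: within two edits of a trusted domain but not equal to it.
    _, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])
    for trusted in TRUSTED_DOMAINS:
        if sender != trusted and levenshtein(sender, trusted) <= 2:
            findings["lookalike_sender"] = f"{sender} resembles {trusted}"

    # Mismatched URLs: the domain shown in the anchor text differs from the href target.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        parser = LinkExtractor()
        parser.feed(html.get_content())
        for text, href in parser.links:
            shown = DOMAIN_IN_TEXT.search(text)
            target = registrable(urlparse(href).hostname)
            if shown and registrable(shown.group()) != target:
                findings["link_mismatch"] = f"text shows {shown.group()} but href goes to {target}"

    # Urgency, generic greeting and requests for secrets are checked on the de-tagged body text.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = re.sub(r"<[^>]+>", " ", body.get_content()) if body is not None else ""
    if URGENCY.search(text):
        findings["urgency"] = ", ".join(sorted({m.lower() for m in URGENCY.findall(text)}))
    if GENERIC_GREETING.search(text):
        findings["generic_greeting"] = GENERIC_GREETING.search(text).group()
    if SENSITIVE.search(text):
        findings["sensitive_request"] = SENSITIVE.search(text).group()

    # Unexpected attachments: executable or macro-bearing file types.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings["risky_attachment"] = name
    return findings


# Constructed sample messages (not real captures); example.net is a reserved domain.
SAMPLE_PHISH = b"""From: Microsoft Account Team <security@microso1t.com>
To: alice@example.com
Subject: Action required: account locked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your account will be locked in 24 hours unless you verify your password.</p>
<p><a href="http://login-portal.example.net/verify">https://login.microsoft.com/verify</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""
SAMPLE_BENIGN = b"""From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Hi Bob, the team lunch is at noon on Friday. See you there.
"""

if __name__ == "__main__":
    for indicator, detail in score_message(SAMPLE_PHISH).items():
        print(f"{indicator}: {detail}")
    print("benign findings:", score_message(SAMPLE_BENIGN))
```

Each key in the returned dictionary maps to one bullet in the list above, which is what makes the output usable as the "here is what you missed" feedback page. The checks are deliberately simple heuristics: the edit-distance test will not catch every lookalike (homoglyphs in internationalised domain names, for example), and the two-label domain approximation misclassifies hosts under suffixes such as co.uk, so in production the lookalike comparison should use a public-suffix list and the keyword lists should be tuned to the organisation's own language.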

Reporting mechanisms — easy-to-use phishing report buttons in email clients. Reported emails feed the SOC's threat intelligence pipeline: headers, URLs and attachments are extracted and triaged, and a confirmed campaign should trigger removal of the same message from every other mailbox that received it, plus blocking of its sender domain and URLs. The goal: make reporting easier than clicking the link. Effective programs celebrate reporting rather than punishing clicks, and tell reporters what happened to their report; an employee who reports a real phishing email early may protect the entire organization.

Beyond email — phishing extends to SMS (smishing), voice calls (vishing), QR codes (quishing), social media, and collaboration tools such as Teams and Slack. Training should cover all channels, especially as attackers pivot to platforms that lack email-style filtering and where employees are less suspicious.

⚠️ Exam Trap: Phishing simulations are a training tool, not a punishment mechanism. If a question asks about the purpose of phishing campaigns, the answer is awareness training and measuring organizational risk, not disciplining employees.

Written by Alvin Varughese, Founder, 15 professional certifications