It’s been an interesting and crazy few months leading up to the launch of my new product, PhriendlyPhishing.
Way back in 2006 my Grandfather lost his house, car and pretty much his whole life after being caught out by a phishing scam. This had a profound effect on my family and still does to this day. So when I realised that I had a chance to change how people reacted to phishing attacks and could allow them to easily and confidently identify these scams, I had no choice but to jump in with both feet.
That brings me to today, almost 12 months after I first had the idea for PhriendlyPhishing. We now have a training product that IMHO kicks ass :). It’s uniquely positioned in the market due to its ability to break down technical barriers and get people to understand and identify phishing in a truly simple manner. To do this we use characters, colours and voices and make the training a jargon-free zone. But we also take it one step further by linking the whole training to the acronym SCAM. By the end of the training you should be opening up every email and reciting to yourself: Think Email. Think SCAM!
It’s at that point where most training stops. The user forgets what they’ve learned by lunchtime, and the whole educational experience is lost. It’s costly to the business both in time and money and frustrating for the staff.
So we took it a step further.
After the user has finished the initial training (because we are a training company, not a tricking company), PhriendlyPhishing sends out real-life phishing emails to the staff members at periodic intervals. This allows them to reinforce and hone their newly acquired skills.
If they catch the phishing attack, they learn, feel great, and they alert the service desk.
If they get caught, they are automatically given a small refresher course specifically about the phishing techniques used in that attack. So they get to learn in a safe, friendly environment rather than the big, bad, ugly world.
In both cases they have learned, and in both cases they are now more likely to see future phishing attacks.
As for the service desk, they are now getting forwarded real phishing emails rather than the bogus ones they normally get. So, along with the weekly phishing schedule we send them in advance, they can quickly weed out our attacks, which leaves them free to work solely on the attacks that can cause real harm.
It’s been a blast and a privilege being able to get the product from between my ears, to paper, to product, and then eventually into the minds of others.
The trick now is getting people to realise that 1) staff can be successfully trained, and it can be done in a respectful, caring, and positive manner, and 2) phishing is actually a real issue, as it seems too many businesses don’t think it’s a problem (even though most (90%) attacks are reportedly now starting with spear-phishing attacks).
If this piques your interest (even just a little bit), head over to http://phriendlyphishing.com/ and check it out. While you’re there, have a look at the Phishing Line; it might help convince some people that phishing is a real threat and one that is here to stay.