Blog & Tools

Catholic Pastoral Center fights phishing threat in good humor

Phishing & Sharks

Cybersecurity is serious business. The consequences of a successful attack on an organization’s network can be enormous. Sensitive information about clients, employees or finances can be accessed and misused.

That doesn’t mean training staff members to reduce cyber risks has to be grim or boring.

As the administrative arm of the Catholic Diocese of Sioux Falls, the Catholic Pastoral Center takes a positive, entertaining approach to educating about 65 employees about cyber risks.

Leadership of the Diocese said from the start that training should not take a punishing approach, said Dawn Wolf, director of information systems for the Diocese.

“It has to be a learning experience. People have to feel free to ask questions,” she said.

Rather than penalize employees for missteps, the center tries to reinforce responsible behavior. Employees can earn rewards such as gift cards, entertaining certificates of achievement and get recognition for positive actions.

It’s a teaching approach that a lot of businesses and organizations can and probably do use to combat ever-rising cybersecurity threats.

The Catholic Pastoral Center uses a national training-services vendor, Florida-based KnowBe4, to occasionally send simulated phishing emails to employees. Phishing is a malicious attempt to get an employee to disclose sensitive information. Infected links in phishing emails also can be used to get into targeted networks.

Related Blog: Be cautious to avoid getting hooked in a phishing scheme

The Catholic Pastoral Center began its training program about four years ago. About once a month, employees receive a short training video (about five minutes long) and are expected to watch it. They also randomly receive emails that test their training.

Employees who open a test email that shouldn’t have been opened receive an “oops” message that advises them of their mistake. They also are required to watch a training video. An employee who consistently fails tests might be required to take extra training.

Employees who report questionable emails – either test emails or real messages - without opening them are awarded five points. Bonus points can be awarded to those who do not open real emails that present risks.

The physical security of buildings is also a focal point of security training. So, employees who, for example, report that a door that should be locked is open, receive 10 points.

Phishing Shark Trophy?Employees are awarded $5 gift cards for accumulating 50 points and $25 gift cards for earning 500 points. The gift cards are awarded at quarterly meetings so that employees can be recognized in a group setting for their good work.

Employees who go a year without falling for a phishing email receive a certificate that recognizes them for outstanding cybersecurity awareness and as “a shark in an ocean of guppies.”

The center employee who has gone the longest without falling for a phishing test is awarded possession of a traveling trophy – a shark bobblehead. The trophy has been in the possession of Janet Larson, an administrative assistant in Catholic Family Services, for about three years.

“It’s not a big, huge program that costs us a lot of money, but it’s a fun and enjoyable, and it’s worked well for us,” said Wolf, who is planning other forms of phishing tests in the future.

Email is a highly popular vehicle for phishing. However, voice phishing by phone – sometimes referred to as vishing – also is common hacker tactic. Phishing via text messaging is called smishing.

Related Blog: Phishing, smishing, vishing and other confusing security terms

Hackers use other tactics, too. For example, they might drop infected flash drives around a targeted organization and hope that a curious finder plugs one of the devices into a computer rather than turn it over to an IT staffer.

Top-clicked subject lines

KnowBe4 said in a news release in July that phishing messages designed to play into the human psyche continue to sail through organization’s defenses.

“By playing into a person’s psyche to either feel wanted or alarmed, hackers continue to use email as a successful entry point for an attack,” the company warned.

KnowBe4 also recently published a list of the top subject lines used in phishing emails. Here are the top five:

  1. Password Check Required Immediately
  2. Security Alert
  3. Change of Password Required Immediately
  4. A Delivery Attempt was made
  5. Urgent press release to all employees

Subject lines that advise recipients about changes in company policies are among other popular approaches used by hackers in fake emails.

Ongoing training of employees is a good way to reduce threats presented by phishing and other attack methods.

Like the Catholic Pastoral Center, SDN Communications occasionally uses services from KnowBe4 to help keep its staff trained to recognize and resist phishing attempts. SDN is a premier regional provider of broadband connectivity and cybersecurity services for businesses and other organizations.

Download SDN’s three cybersecurity posters, including one on phishing, to help raise cyber awareness at your business. Use the button below.

Free Cybersecurity Posters