PLS Phishing Tests and Training

In September 2023, PLS performed an email phishing risk assessment that revealed the need for additional employee training to avoid potential cybersecurity incidents.  Of the 296 employees, 24% clicked on a link inside the email and 14% entered credentials.  The initial assessment was fairly sophisticated and included Pioneer branding, but there were multiple red flags that should have led employees to identify the email as a phishing attempt.  Criminals are using AI and social engineering to create more sophisticated phishing and ransomware attacks, and these attacks are becoming more frequent.

We want to ensure we are able to identify these threats, so we have partnered with KnowBe4, a leader in security awareness training. Our goal is to increase security awareness and decrease the likelihood that Pioneer becomes a victim of malicious actors.  Beginning in June 2024, we will use their platform to perform regular phishing tests for all employees and use their training library to educate staff on identifying phishing attempts.

Employees will be placed into dynamic groups and assigned required training modules based on their ability to identify phishing attempts.

All employees will receive a minimum of one test quarterly in varying difficulty from these categories:

  • QR Code
  • Current Events
  • Attachments with Macros
  • Simulated IT messages
  • Education
  • Holiday
  • Sensitive Information Gathering
  • Social Networking

The assessments are randomized and spaced out across the quarter so that every employee receives a unique test email on a random schedule. Employee A may receive a QR code email that is easy to identify as phishing on June 8th, while Employee B receives a sophisticated holiday phishing email on July 2nd.  Employees who successfully recognize phishing attempts will remain at one phishing assessment per quarter, and the next quarterly assessment will be more sophisticated.  Successful recognition of a phishing attempt means not clicking on any suspicious links, not opening any suspicious or unexpected attachments, and not scanning QR codes in suspicious emails.  Staff do not have to report a phishing attempt to be successful, though using the Phishing Alert Button to report suspected attempts is encouraged.

Staff who did not recognize the phishing test attempt and clicked on the link, downloaded the attachment, or scanned the QR code will be taken to a page similar to the example below.  This page will also show the red flags that should have identified the email as a phishing attempt.

Staff who do not recognize a phishing attempt will be enrolled in a required 5-minute training module to help them identify the red flags they missed. They will be notified of their enrollment via email.  The enrollment email will look similar to the template below.  It is a legitimate message with PLS branding, but it does not originate from our email system, so Outlook will tag this item as "External" (here is an article related to this feature).  Unfortunately, the email also has a few of the red flags that indicate a message might be a phishing attempt.  Please do not ignore this email, but if you have questions about this or any similar email, please contact us in Technology.  We will be happy to check.


Dear [STAFF NAME],

You are now enrolled in [TRAINING CAMPAIGN]. You must complete this training by [TRAINING CAMPAIGN TIME FRAME].

The assignments you've been enrolled in are displayed below:
[REQUIRED TRAINING(S)]

Please use this link to start your training: 
[LOGIN LINK]

It is important that you complete this training before the deadline. Thank you for helping to keep our organization safe from cyber crime.

Pioneer Library System

Staff who are enrolled in training will also shift into a dynamic group that receives more frequent phishing campaigns to confirm that the training was successful. Required training modules become more extensive if additional phishing attempts are not recognized. Successful recognition of phishing tests moves the employee back into the quarterly assessment group.

We encourage staff to use the assessment campaigns and related training as opportunities to improve their ability to recognize potential security threats, so that we can continue to protect our network and customer data.

Creation date: 8/16/2024 9:39 AM      Updated: 8/16/2024 9:50 AM