General details
EDIHs involved
Challenges
Treppenbau Bünning, headquartered in Osdorf in Schleswig-Holstein, is a medium-sized craft business with 28 employees that specialises in the construction of staircases.
‘We can't produce without our IT. We wouldn't survive for long without it,’ summarises Managing Director Nicole Bünning. At Treppenbau Bünning, where three CNC machines and a sophisticated chaotic (dynamically slotted) warehouse for wooden panels ensure precision and efficiency every day, the digital infrastructure has long been the centrepiece of the company and a decisive factor in its success. Because of this comprehensive digitalisation, cyber security is of crucial importance to the company.
The specific concern was phishing emails. These are now often so well crafted that they are hard to recognise, and with the quick-click, skim-reading habits of everyday work, recipients are easily tempted to follow a link in the email.
One year after the last training course, Nicole Bünning wanted to check how well the employees were prepared for such attacks. She therefore turned to Tim Gellersen from EDIH.SH to carry out a realistic test.
The challenge was to test and improve employees' awareness and responsiveness to phishing emails.
-
High dependency on digital infrastructure: The CNC machines and the chaotic panel warehouse are essential for production and require a stable and secure IT environment.
-
Increasing risk of cyberattacks: As digitalisation increases, so does the risk of cyberattacks, particularly from phishing emails.
-
Lack of awareness and insufficient employee training: One year after the last IT security training, there was uncertainty as to how well employees would react to phishing attacks.
Solutions
Treppenbau Bünning, with the help of EDIH.SH, followed a well-defined process:
-
Conducting a realistic phishing test:
Tim Gellersen from EDIH.SH designed a phishing test. EDIH.SH developed a deceptively real-looking phishing email and sent it to all relevant employees - from the workshop to the office, field service and management - using the specified recipient list. The exact timing of the mailing was kept secret to ensure that the employees' reactions were spontaneous and unbiased.
The email text was drafted with ChatGPT. It asks about the feasibility of a design that is supposedly stored in a Google Drive, with the link given in the email. The visible link text reads "google.dive.com/adasb2" (note the misspelling: that name would be a subdomain of dive.com, not a Google address), but the underlying hyperlink points to a different URL that is not a Google link and bears no resemblance to one.
This mismatch between the displayed text and the real destination is the cue the test gives the reader: an attentive recipient should notice it, become suspicious and refrain from clicking.
The link points to a minimal server that EDIH.SH set up for the test. It hosts a simple web page with tips on how to protect oneself from phishing, and it logs every request it receives.
Each phishing email contains an anonymised identifier, a random string unique to each recipient, so that the number of distinct people who clicked the link can be counted without revealing who they were. The mapping from identifier to person is not needed for the evaluation and is kept out of the server, which protects employees' privacy.
-
Analysis of the results:
The test showed that 75% of employees clicked on the link in the phishing email. This high click rate indicated a significant security gap and a lack of awareness of phishing threats.
-
Immediate training measures:
In response to the test results, EDIH.SH conceptualised and implemented a qualification measure. This training aimed to train employees in recognising and correctly handling phishing emails.
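As an added example (not code from EDIH.SH or from the original case study), the following Python script sketches the three pieces the process above describes: issuing one random identifier per recipient, a request handler that counts distinct valid identifiers and always serves the tips page, and a check for the mismatch between visible link text and real target that was the email's tell-tale sign. The tracking host `tips.example.net`, the recipient names and the email wording are assumptions made for this example; the visible link text `google.dive.com/adasb2` is the one quoted above.

```python
"""Phishing-simulation scaffold, stdlib only: anonymous per-recipient
tokens, a click-counting request handler and a link-mismatch check.
Hostname, recipients and email wording are constructed for this example."""
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

TRACKING_HOST = "tips.example.net"  # assumed host of the tester's minimal server

TIPS_PAGE = ("<h1>This was a phishing test</h1>"
             "<p>Hover over a link and compare the shown text with the real target "
             "before you click.</p>")


def issue_tokens(recipients):
    """One fresh random token per recipient. The tester keeps this mapping
    offline; the server only ever sees tokens, never names."""
    return {r: secrets.token_urlsafe(12) for r in recipients}


def build_email(token, shown="google.dive.com/adasb2"):
    """HTML body whose visible link text differs from the real href,
    the lure used in the test described above."""
    href = f"https://{TRACKING_HOST}/t?id={token}"
    return ("<p>Could you check whether the attached design is feasible? "
            f'It is in our Google Drive: <a href="{href}">{shown}</a></p>')


def handle_request(path, issued, clicked):
    """Pure handler (no sockets): record a valid token, serve the tips page.
    Unknown tokens (scanners, typos) are served but not counted; repeat
    clicks by one person count once because `clicked` is a set."""
    parsed = urlparse(path)
    token = parse_qs(parsed.query).get("id", [None])[0]
    if parsed.path == "/t" and token in issued:
        clicked.add(token)
    return 200, TIPS_PAGE


def click_rate(issued, clicked):
    """Fraction of distinct recipients who followed the link."""
    return len(clicked & issued) / len(issued) if issued else 0.0


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (shown text, real href) for links whose visible text looks like
    a host or URL but whose href points to a different host."""
    collector = _AnchorCollector()
    collector.feed(html)
    found = []
    for href, text in collector.anchors:
        if "." not in text or " " in text:
            continue  # plain words such as "click here" make no host claim
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            found.append((text, href))
    return found


if __name__ == "__main__":
    # Constructed recipient list (the real test went to all 28 staff).
    tokens = issue_tokens(["workshop-1", "office-1", "field-1", "mgmt-1"])
    issued, clicked = set(tokens.values()), set()
    for who in ["workshop-1", "office-1", "field-1", "office-1"]:
        handle_request(f"/t?id={tokens[who]}", issued, clicked)
    handle_request("/t?id=not-a-real-token", issued, clicked)
    print(f"click rate: {click_rate(issued, clicked):.0%}")
    print(mismatched_links(build_email(tokens["office-1"])))
```

Two design points matter for a fair measurement: the handler ignores identifiers it never issued, so automated link scanners and mistyped URLs do not inflate the rate, and it records a set of identifiers rather than a count of requests, so one person opening the link twice is still one click. The mismatch check is the same test an employee can do by hand, hovering over the link and comparing the shown text with the real target.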
Results and Benefits
The phishing test showed that 75% of employees clicked on the link in the phishing email. This click rate is far too high and represents a significant security gap: a large proportion of employees had difficulty distinguishing fake emails from legitimate ones.
This high susceptibility to phishing attacks is due to several factors:
-
Routine and habit: In the flow of daily tasks, employees often click on links reflexively, without considering potential security risks. This habitual behaviour makes them prime targets for phishing schemes.
-
Lack of awareness & casual reading behaviour: Many employees have limited cybersecurity awareness and tend to skim emails without carefully evaluating their content, leaving them vulnerable to deception.
-
Deceptively genuine phishing emails: Phishing attempts have become increasingly sophisticated, mimicking legitimate communications so convincingly that even cautious employees may be misled.
These factors increase the risk of cyber-attacks and emphasise the need for urgent action to improve IT security.
Impact on the customer's work
-
Stronger security culture: The test and the subsequent training led to a stronger security culture within the organisation. Employees are now more vigilant and cautious when dealing with emails and other digital communication tools.
-
Increased cyber security: Treppenbau Bünning was able to significantly improve IT security in the company. A conscious approach to phishing emails reduces the risk of data loss, production downtime and financial damage caused by cyber attacks.
-
Sustainability: Treppenbau Bünning has recognised that raising awareness is an ongoing task. Security awareness needs to be refreshed regularly and kept in focus in order to be effective in the long term. This contributes to the security and stability of the company over time.
Implications for the work of the EDIH
-
Measuring success and best practices: The success at Treppenbau Bünning serves the EDIH.SH as a case study and best practice example for future training programmes at other companies.
-
Further development of the training programmes: The experience and feedback from this project will be incorporated into the further development and optimisation of EDIH.SH's training programmes.
Perceived social/economic impact
The implementation of IT security measures and the sensitisation of employees at Treppenbau Bünning has not only brought internal improvements, but has also had a broader social and economic impact.
Economic impact:
-
Protection against financial loss: Increased security enables the company to avoid potential damage from cyber attacks, such as data loss, production interruptions and extortion. This contributes to the stability and profitability of the company.
-
Competitive advantage: Strong cyber security provides the company with a competitive advantage, as customers and partners increasingly value secure business relationships. This can lead to new business opportunities and long-term partnerships.
-
Promotion of digitalisation in the skilled trades: As a pioneer in digitalisation, Treppenbau Bünning shows other skilled trades companies that digital transformation is not only possible, but can also be implemented securely. This can contribute to the modernisation and competitiveness of the entire sector.
Social impact:
-
Strengthening security awareness: Raising awareness of IT security also has an impact on employees' personal lives by teaching them how to use digital media more safely. This not only protects the company, but also employees' privacy and data.
-
Act as a role model for other companies: The example of Treppenbau Bünning can encourage other small and medium-sized enterprises (SMEs) to invest in cyber security and embrace digital transformation. This contributes to a safer and more modern economy overall.
These measures show that investing in IT security not only strengthens the company itself, but also has positive effects on society and the economy as a whole by promoting trust in digital technologies and increasing protection against cyber threats.
Measurable data
The test showed that 75% of employees clicked on the link in the phishing email. This high click rate indicated a significant security gap and a lack of awareness of phishing threats. EDIH.SH therefore provided specialised training aimed at recognising and correctly handling phishing emails.
DMA score and results - Stage 0
The overall Digital Maturity Level obtained by Treppenbau Bünning was 68%, showing that the organisation has reached an average level of digital maturity with room for improvement. Significant benefits could be gained from further investment in digital technologies and skills to enhance operations and products. While some core business functions already use digital technologies, the company could improve its preparedness for more advanced solutions. Adopting more advanced and disruptive technologies (e.g. AI, ERP, e-commerce) could yield further advantages. Personnel training and IT specialists are essential to drive digital transformation. A comprehensive data strategy and the adoption of ICT for sustainability would improve decision-making and reduce environmental impact.
The scores obtained for the six dimensions analysed in the Digital Maturity Assessment are:
-
Digital Business Strategy: 60%
-
Digital Readiness: 85%
-
Human-Centric Digitalisation: 61%
-
Data Governance: 70%
-
Automation & Artificial Intelligence: 64%
-
Green Digitalisation: 70%
Lessons learned
Do's:
‘Learning through experience’ is an extremely effective way to promote awareness of IT security. Through practical experience and realistic exercises, such as phishing tests, employees can immediately understand and internalise the consequences of cyber threats. This method makes abstract concepts tangible and helps to translate theoretical knowledge into practical skills. By allowing employees to experience for themselves how easily they can fall victim to cyber attacks, awareness of the importance of IT security is increased in the long term.
Realistic phishing test: The phishing test conducted by EDIH.SH was effective in measuring employees' actual awareness of cyber threats. The results provided valuable insights into the company's vulnerabilities.
Rapid response: The immediate implementation of training measures following the test was crucial in raising employee awareness.
Continuous awareness: Emphasising regular refresher training helps to develop a sustainable security culture.
Involve management: It is imperative to involve management in IT security measures. Managers set the tone for the corporate culture and shape the company's priorities. When management actively participates in and supports security initiatives, it signals to all employees that IT security is an important concern. This promotes a security culture in which all levels of the organisation are vigilant and engaged.
Don'ts when raising awareness of IT security:
-
No one-off training sessions
-
Do not create pressure or fear among employees
-
Do not neglect the management level
-
Do not ignore the results
-
No unrealistic phishing simulations
-
No neglect of the follow-up
Conclusion: A phishing test is an effective means of evaluating cyber security awareness. However, it is important that such tests are carried out regularly and are supplemented by practical, interactive training measures.
