Here is a good article about research done at Carnegie Mellon University. The researchers found that when users are sent phishing-style emails in a controlled environment, the users who are tricked into clicking the links in those emails become more receptive to learning about online security.
“…phishing is often successful because many people ignore educational material that might otherwise help them recognize such frauds.”
This is so true, especially in the corporate world. How many of your users actually read the propaganda that your IT security department sends out?
“…initial findings suggest that using the tricks of phishers, perhaps in a controlled environment, might be a good first step in educating users to protect themselves.”
I am a strong advocate of testing your own employees using the same tactics as the phishers. One idea you can use in your organization: send your employees an email that looks like a phish; when they click the link, it takes them to an awareness page that explains phishing techniques. This can easily be set up with an internal web server and an internal SMTP gateway. I am putting together a more detailed article on ideas for increasing security awareness about phishing. If you have ideas, let's talk about them in the security forums.
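The internal setup described above, as an added example that is not from the article or the CMU research: a small Python mailer and landing-page helper. It assumes a hypothetical internal awareness host, an internal SMTP gateway and a secret shared between the two; each link carries a signed per-recipient token, so the awareness page can measure who clicked without a lookup table and a guessed or edited link is not counted.

```python
import base64, hashlib, hmac, json, smtplib
from email.message import EmailMessage
from urllib.parse import parse_qs

# Assumptions, not from the article: a random shared secret and hypothetical internal hostnames.
SECRET = b"replace-with-32-random-bytes"
AWARENESS_HOST = "http://awareness.corp.internal"
SMTP_GATEWAY = "smtp.corp.internal"

def make_token(user: str, campaign: str) -> str:
    """Embed user+campaign in the link and HMAC-sign it; a truncated 16-byte tag is appended."""
    payload = json.dumps({"u": user, "c": campaign}, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")

def parse_token(token: str):
    """Return (user, campaign) when the signature verifies, else None (forged or mangled link)."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, TypeError):
        return None
    payload, tag = raw[:-16], raw[-16:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()[:16]
    if len(tag) != 16 or not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(payload)
    return data["u"], data["c"]

def build_message(user: str, campaign: str, sender: str, subject: str) -> EmailMessage:
    """Plain-text mail carrying the per-recipient link; the wording is the program owner's choice."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, user, subject
    msg.set_content(f"{AWARENESS_HOST}/learn?t={make_token(user, campaign)}\n")
    return msg

def send_campaign(users, campaign: str, sender: str, subject: str) -> None:
    """Deliver through the internal gateway only, so nothing leaves the organization."""
    with smtplib.SMTP(SMTP_GATEWAY) as smtp:
        for user in users:
            smtp.send_message(build_message(user, campaign, sender, subject))

def click_rate(query_strings, campaign: str, recipients) -> float:
    """Share of recipients who opened their link, from the query strings the landing page logged."""
    clicked = set()  # repeat clicks count once; tokens that fail verification are ignored
    for query in query_strings:
        who = parse_token(parse_qs(query).get("t", [""])[0])
        if who and who[1] == campaign and who[0] in recipients:
            clicked.add(who[0])
    return len(clicked) / len(recipients)
```

The landing handler on the awareness server only needs to pass each request's query string to `parse_token`, log the result, and serve the same awareness page whether or not the token verifies.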