Here's how to run a simulated phishing campaign to test and train your employees before they receive an actual phishing email.
What is a Phishing Campaign?
To be clear, when we say “phishing campaign,” we’re not referring to malicious, black-hat phishing campaigns. A simulated phishing campaign is part of an internal training program that raises employee awareness of real-world phishing attacks and provides proper instruction on how to recognize them.
According to a study cited by TechRepublic, while 1 in 3 untrained employees were likely to fall for a phishing or social engineering scam in 2021, that number decreased significantly to an average just under 5% after one year of security awareness training.
Phishing awareness training can reduce security risks caused by social engineering attacks designed to manipulate recipients into forfeiting login credentials, making wire transfers, or installing malware under the misguided belief they're acting on requests from known individuals or brands.
And despite being two and a half years into the global pandemic, cybersecurity firms are still finding that COVID-19 remains a prevalent and effective phishing pretext, as evidenced by a 521% spike in COVID test-related phishing attacks from late 2021 to early 2022, as cited in another study by TechRepublic. This again underscores that phishing simulations are needed more than ever.
How to Run a Phishing Campaign
A phishing campaign is a great resource to teach your employees how to identify, respond to, and report a phishing email.
To begin, you’ll want to create a schedule covering when you’re going to send out each phishing email, how you’re going to educate your employees, when to let your employees know about the campaign, and how to track overall progress. Phishing awareness training company Terranova Security by HelpSystems recommends that enterprise organizations complete 6-10 phishing simulations per user per year, with the ideal time frame being between 40-60 days each.
Next, you’ll want to let employees know that the company will be running a simulated phishing campaign, and it’s possible that key stakeholders aren’t as knowledgeable about phishing as they think they are. In its annual Gone Phishing simulation tournament in 2021 co-sponsored by Microsoft, Terranova Security found 19.8% of total participants clicked on the staged phishing email link and 14.4% unwittingly downloaded the document in the phishing simulation webpage.
In spite of these alarming results, you want to reassure your employees that this exercise is not being implemented in a mean-spirited way, but is instead meant to teach them to better spot malicious emails. (You’ll also want to prep your engineering teams ahead of time, so they aren’t caught off guard!)
Phishing attacks often involve impersonating a high-level executive or other trusted individual within the company, whether that be a CEO, manager, or IT administrator. You’ll want to recruit an executive who is willing to be impersonated in the phishing campaign ahead of time, and prep them to be ready to respond to employees who may ask about the best way to report the simulated attack.
You’ll want the timing of your first series of phishing emails to be a secret to your employees. This way, you can quickly establish a baseline after it goes out as to how many employees recognize and report it as a phishing email. This data can then inform your testing program.
In order for your employees to learn what phishing emails are and how to identify them, you’ll need to educate them. You can create graphics, give presentations, or create videos. This education should happen concurrently with the fake phishing emails you send. To be most effective, educational content should be a part of the company’s overall security training so that employees absorb the information better.
You can now launch your campaign. You will want to figure out how many emails you plan to send before you begin. Then, once you have a good read on how many of your employees bit on the lure, you may find you need to release more educational content or adjust your strategy, like curbing how many emails you send.
Once the phishing campaign has begun, you’ll want to start looking at the data. Generally speaking, it's a good idea to take note of whether there are specific departments, locations, or teams that need more training in order to raise their reporting rate. You may also want to dial up the difficulty level of campaigns as your workforce becomes better at recognizing phishing emails.
A common metric used in phishing campaigns is the clickthrough rate and how many people input their login credentials or other personal information. But this often has more to do with the degree of difficulty employed in a specific phishing email or campaign.
Instead, a more important metric is the report rate: how many of your employees reported receiving a phishing email versus those who did not recognize the email. You should be able to see the reporting rate go up as your campaign progresses. If not, you may want to evaluate the education your employees are receiving about phishing emails.
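One way to track the metrics described above, as an added example that is not part of the original article: it computes click, credential-submission, and report rates per department per wave, then lists departments whose report rate is not going up. The CSV columns, the sample figures, and the 0.5 report-rate floor are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one summary row per department per simulation wave.
# Column names and the 0.5 floor below are assumptions, not a vendor format.
SAMPLE = """\
wave,department,sent,clicked,submitted,reported
1,Finance,40,12,5,8
1,Engineering,60,9,2,30
1,Sales,50,20,9,5
2,Finance,40,8,3,18
2,Engineering,60,10,2,33
2,Sales,50,18,8,5
3,Finance,40,4,1,26
3,Engineering,60,12,3,39
3,Sales,50,19,8,4
"""

def load(text):
    """Parse the CSV summary; every column except department is a count."""
    return [{k: v if k == "department" else int(v) for k, v in rec.items()}
            for rec in csv.DictReader(io.StringIO(text))]

def trends(rows):
    """Return {department: [(wave, click_rate, submit_rate, report_rate)]} by wave."""
    out = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["wave"]):
        if r["sent"] == 0:  # department not targeted in this wave
            continue
        rates = [round(r[c] / r["sent"], 3) for c in ("clicked", "submitted", "reported")]
        out[r["department"]].append((r["wave"], *rates))
    return dict(out)

def needs_more_training(rows, min_report_rate=0.5):
    """Departments whose latest report rate is under the floor or has not risen."""
    flagged = []
    for dept, series in trends(rows).items():
        first, latest = series[0][3], series[-1][3]
        if latest < min_report_rate or (len(series) > 1 and latest <= first):
            flagged.append(dept)
    return sorted(flagged)

if __name__ == "__main__":
    data = load(SAMPLE)
    for dept, series in trends(data).items():
        print(dept, series)
    print("follow up with:", needs_more_training(data))
```

In the constructed data, Engineering's click rate rises in the third wave while its report rate also rises, which is why the follow-up list is driven by report rate alone.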
If employees are having trouble identifying simulated phishing emails, adjust training accordingly. Providing more information or videos can be helpful. Most important of all, it’s critical that employees understand why they should care about security. What does a malicious email matter to them? What’s their motivation for being mindful to scrutinize email messages? By building these elements into the simulations and reporting results back to employees, you can help them understand: Did they save the company money, or avert something far more catastrophic, by stopping this potential attack?
You may also want to look into what is making some employees click the email while others report it, in order to understand the dynamics in play and educate them on the specific emotional levers or identity deception techniques leveraged within phishing emails.
As your employees grow more adept at scrutinizing emails for signs of fraud, your company could potentially avoid significant costs from phishing scams and data breaches. As it stands, phishing is one of the four main entry points into an organization, alongside credentials, vulnerabilities, and bots, with 41% of BEC attacks being a direct result of phishing, according to Verizon's 2022 Data Breach Investigations Report.
Sometimes it’s through credentials harvesting. Other times, it’s through an attachment or link that downloads ransomware that can hold your data hostage until you pay up, crippling your business operations. In other cases, it’s malware that can infiltrate your supply chain or your entire customer base and become a national security threat.
Phishing Campaign Simulators
If you would rather a program set up your campaign for you, there are a number of options out there. While there are some free programs, the paid versions are more reliable. They may also include email templates, pre-made web pages for phishing links to go to, and specific data about your company’s phishing rates. Offerings range from basic tools for crafting and sending a mock phishing email to several recipients using a specified email server, all the way to SaaS-based phishing simulation platforms for managing multiple, enterprise-scale phishing campaigns.
Protect from Phishing at the Outset
Phishing awareness training for your employees is critically important, but it should be viewed as your last line of defense, not your first. The best strategy is to implement a layered approach to security that includes multiple solutions, such as antivirus defenses for ransomware/crimeware; secure email gateways for incoming malware attacks; network forensics capabilities for advanced persistent threats; and more. They should also include identity-based defenses that work to keep some of today’s most sophisticated, impersonation-based phishing attacks, such as business email compromise, from ever reaching employee inboxes in the first place.
For instance, our own solution, Agari Phishing Defense, protects against highly targeted BEC attacks, including those launched from hijacked email accounts belonging to senior executives or trusted outside vendors. Phishing simulation solutions that are integrated with systems like this provide the best of both worlds by enabling organizations to use actual, real-world phishing campaigns in their simulations, giving employees, and their companies, a leg up against threat actors.
Sign up to participate in Terranova Security's Gone Phishing simulation tournament this fall 2023.