How to Run Simulated Phishing Campaigns

Next, you’ll want to let employees know that the company will be running a simulated phishing campaign, and it’s possible that key stakeholders aren’t as knowledgeable about phishing as they think they are. In its annual Gone Phishing simulation tournament in 2021 co-sponsored by Microsoft, Terranova Security found 19.8% of total participants clicked on the staged phishing email link and 14.4% unwittingly downloaded the document in the phishing simulation webpage. 

In spite of these alarming results, you want to reassure your employees that this exercise is not being implemented in a mean-spirited way, but is instead meant to teach them to better spot malicious emails. (You’ll also want to prep your engineering teams ahead of time, so they aren’t caught off guard!) 

Image

Phishing attacks often involve impersonating a high-level executive or other trusted individual within the company, whether that be a CEO, manager, or IT administrator. You’ll want to recruit an executive who is willing to be impersonated in the phishing campaign ahead of time, and prep them to be ready to respond to employees who may ask about the best way to report the simulated attack. 

Image

You’ll want the timing of your series of first phishing email to be a secret to your employees. This way, you can quickly establish a baseline after it goes out as to how many employees recognize and report it as a phishing email. This data can then inform your testing program. 

Image

In order for your employees to learn what phishing emails are and how to identify them, you’ll need to educate them. You can create graphics, give presentations, or create videos. This education should happen concurrently as you send the fake phishing emails. To be most effective, educational content should be a part of the company’s overall security training to better integrate the information to the employees. 

Image

You can now launch your campaign. You will want to figure out how many emails you plan to send before you begin. Then, if you have a good read on how many of your employees bit on the lure, you may find you need to release more educational content or adjust your strategy, like curbingihow many emails you send. 

Image

Once the phishing campaign has begun, you’ll want to start looking at the data. Generally speaking, it's a good idea to take note of whether there are specific departments, locations, or teams that need more training in order to raise their reporting rate. You may also want to dial up the difficulty level of campaigns as your workforce becomes better at recognizing phishing emails. 

Image

A common metric used in phishing campaigns is the clickthrough rate and how many people input their login credentials or other personal information. But this often has more to do with the degree of difficulty employed in a specific phishing email or campaign. 

Instead, a more important metric is the report rate: how many of your employees reported receiving a phishing email versus those who did not recognize the email. You should be able to see the reporting rate go up as your campaign progresses. If not, you may want to evaluate the education your employees are receiving about phishing emails. 

Image

If employees are having trouble identifying simulated phishing emails, modulate training accordingly. Providing more information or videos can be helpful. Most important of all, it’s critical that employees understand why they should care about security. What does a malicious email matter to them? What’s their motivation for being mindful to scrutinize email messages? By building elements into the simulations, reporting back to them can help them to understand: Did they save the company money, or something far more catastrophic, by stopping this potential attack?

You may also want to look into what is making your employees click the email in comparison to those who report it, in order to understand the dynamics in play and educate them on the specific emotional levers or identity deception techniques leveraged within phishing email. 

As your employees grow more adept at scrutinizing emails for signs of fraud, your company could potentially avoid significant costs from phishing scams and data breaches. As it stands, phishing is one of the four main entry points into an organization, among Credentials, Vulnerabilities, and Bots, with 41% of BEC attacks being a direct result of phishing, according to Verizon's 2022 Data Breach Investigations Report. 

Sometimes it’s through credentials harvesting. Other times, it’s through an attachment or link that downloads ransomware that can hold your data hostage until you pay up, crippling your business operations. In others, it’s malware that can infiltrate your supply chain or your entire customer base and become a national security threat.

Image