Creating an Effective
Phishing Simulation Program

Determine your baseline – It is important to measure your initial level of risk. Your first phishing campaign will tell you a lot, and it also is the easiest number to improve upon. If you have never done a phishing campaign, you may be surprised to see 30%, 40% or even 50% of your staff clicking on links in email or taking the bait in other ways. But don’t be discouraged. The good news is that the number of people who take the bait often drops rapidly as staff become aware of the risks they face through your security awareness training and phishing simulation programs.

Vary & randomize campaigns - Successful phishing campaigns mix the groupings, timing and other factors so it is not obvious to staff that they are being phished by your organization. Consider altering the day(s) of the week, time of day, group that is receiving the phishing emails, and email subject.

Spear phish and whale – You should test your staffs’ resistance to more sophisticated social engineering tactics like spear phishing and whaling. Spear phishing uses targeted messages containing the name of the person, or other specific details about them, thus making the messages look realistic and almost always more convincing than generic phishing messages. Be sure to include campaigns that use the same techniques as phishers are successfully using such as Business Email Compromise (BEC) attacks which can target either your general staff or your executives. Finally, don’t neglect to do whaling, which is going after the biggest targets in your organization – your executives. To be successful, whaling must include very specific information – name, title, contact information, even a current project.

Phish often – To be effective, phishing simulation need to be ongoing. We recommend conducting phishing simulation campaigns at a minimum on a monthly basis and using different campaigns to target different audiences.

Provide real-time training to victims – If staff do “take the bait” and fall for phishing simulation, use that situation as a teachable moment. Explain what happened and how they can improve next time. Reinforce the right behaviors and explain clearly that you are trying to help them – not cause embarrassment. Nevertheless, make sure that everyone is engaged and understand what is at stake. Repeat offenders may need further action, including in person discussions about the risks of phishing to the organization and to the target, and why that individual keeps falling for phishing attacks.

Make Your Staff Your Best Defense. Encourage staff to report immediately report all suspected phishing attacks, enabling you to stop attacks in real-time, preventing potential security incidents. Review your internal processes and make sure that your track incidents in a way that reduces risk from real phishing attacks that make it into your enterprise.

Phishing simulation is can be used as a “stick” or punishment when staff fall for attacks. This approach is not effective. Instead your goal should be to help phishing simulation victims understand the risks, and learn how to keep your organization safe, as well as how they can be safe in their personal lives.

Phishing simulation is sometimes the only form of cyber security training that organization offer to their staff. This approach leads to a false sense of security. Phishing threats are just one of many cybersecurity risks, so make sure you have an effective, comprehensive security awareness training program in place. New cyberthreats are continually launched and existing threats continue to evolve, make sure you are ready for them all.