Nakinto

Cyber security business development with passion!

34 steps to the perfect phishing simulation

Everything you need to successfully run a phishing attack simulation and an awareness training.

In our experience, phishing simulations offer a higher ROI than conventional cyber security training methods. Employees remain the vector most frequently targeted by cyber criminals, and your users cannot be trained overnight, so this undertaking requires careful planning and long-term execution. The process is much easier to work through when you have a list of activities that guides you through it. Here it is:

  1. Get approval
  2. Set goals
  3. Understand past education
  4. Analyse and understand employees' current exposure on the Internet
  5. Understand the infrastructure
  6. Decide where you want to host the simulation(s)
  7. Understand the technical parts from the user perspective
  8. Initial communication
  9. Allow users to identify and report suspicious emails
  10. Run the training first?
  11. Select the right quantity and frequency
  12. Choose the right people
  13. Have data privacy in mind
  14. Elaborate technical requirements for the web content
  15. Know the limits of a given attack or training scenario
  16. Select the right scenario type and become a little bit evil
  17. Make it look real or not?
  18. Add your own context to the scenario
  19. Choose the right email sender domain
  20. Decide what should happen if users respond to the attack simulations
  21. Decide what should happen if a user accesses the phishing domain directly
  22. Select the right attack type
  23. Decide on the use of third-party brands in an attack
  24. If and when to invite to an e-learning after a successful attack
  25. Subsequent follow-up trainings
  26. Define disciplinary measures for repeat occurrences
  27. Test run(s)
  28. Decide when to schedule an awareness campaign
  29. Launch and monitor the campaign
  30. Reporting
  31. Follow-up communication
  32. Define rewards and incentives
  33. Define the next steps
  34. Start again

 

The steps in a little more detail

1. Get approval

As with any important project, the first step in running a successful internal phishing training campaign is to make sure all concerned parties are notified and on board: executives, the board of directors, the IT and HR teams, and your legal department. Consult HR to ensure your simulations comply with current company policies, and discuss the planned activities with IT and the helpdesk, since they will receive the first questions and reports once the emails land. Ask yourself:

  • Did I get approval from the relevant departments (legal, risk, HR, support etc.)?
  • Has anyone voiced concerns I didn’t consider?

 

2. Set Goals

Always make sure to state the goals of each activity, including information on what you want to be tested. Usually, phishing engagements are concerned with testing people and their reactions to phishing emails. The points of concern are: Will a user click on a suspicious link, fill in their credentials in a web form, install unknown software, or otherwise interact with the email contents?
In many cases, however, phishing simulations test non-human defenses as well, typically the spam and phishing filters in front of the company's mail server. Knowing that your network defenses work is good, but for the exercise to be useful the simulation must actually reach your employees. Also warn your testers about any flooding (rate-limiting) protection on your mail server.
Remember that running a phishing test has one main purpose: safer behaviour, i.e. employees who know the attackers' tactics and how to avoid becoming a victim. The security of your company is the goal, and your employees should understand that, so communicate it appropriately.

Measure the behaviours: a common issue with many training programs and phishing simulations is that user behaviour remains unchanged over the whole course of the program. Identify the goals your phishing simulation should meet, then design a path that evaluates whether, and to what extent, each goal is accomplished. Ask yourself:

  • KPIs: Did we already perform phishing simulations in the past, and if yes, what were the average click and data-submit rates?
  • What is the expected click and data-submit rate for the planned phishing simulation?
  • What is the desired click and data-submit rate after the simulation / training, and after one year of simulation / training?

 

3. Understand past education
Don’t forget to consider prior simulations and trainings that you’ve conducted on the topic of phishing and scam detection. If your employees have already been trained to spot scams, you should probably consider more sophisticated attack simulations that will be more difficult to recognize.

  • Have I already trained all users on phishing & social engineering?
  • Did my organization keep the results from past trainings to compare with future attack simulations?
  • What do current trainings look like (length, interactivity, video, exam, design etc.)?

 

4. Analyse and understand current exposure of employees in the Internet

One main tactic attackers use is 'spoofing', that is, creating emails that closely resemble those of trusted organizations, which they then use to attack your customers or employees. Any publicly available information about your company can be used by attackers to craft convincing and realistic phishing messages aimed at your employees. Your website and social media pages often offer all the data scammers need to run an attack, so keep an eye on the information that you, and your partners, share online about your organization.

Once you have a better idea of your data exposure on public channels, you’ll be ready to help your staff understand how sharing their personal information can affect them and your organization. You can use this to develop a clear digital footprint policy for all users. Of course, you should not expect your employees to remove all traces of themselves from the Internet. What you can do instead is help them to better manage their digital footprint, so they share information in a way that protects them and the organization.

  • Does my organisation specify that the business email address may not be used for private purposes?
  • Do I want to perform an employee footprint analysis (the results can be used at a later point for specific eLearning)?

 

5. Understand the infrastructure

It's common for organizations to keep a sophisticated multi-tier system of defenses in front of their mail servers so that phishing attacks do not reach their employees. Therefore, in order to successfully run a phishing simulation, you will need to whitelist the addresses from which the 'threats' will be sent. This whitelisting has to take effect at the email gateway, in anti-virus and endpoint software, and on web proxies. Ask yourself:

  • Is it possible to whitelist the IP address and sender domain of the campaign scenario on the spam filter?
  • Is it possible to whitelist the IP address and landing-page domain of the campaign scenario on the web proxy?
  • Are there any limits on sending emails (for example a maximum number of emails in a given time range)?
  • Can I use a scheduler to limit the number of emails sent in a given time frame?
  • How do I make sure that my campaign mails do not get filtered?

6. Decide upon where you want to host the simulation(s)

Should you run the attack simulation from a cloud server or on-premise? Reasons for an on-premise installation are:

Legal: Some laws may not allow you to store sensitive data on an external server outside your network or outside your country. Under the EU General Data Protection Regulation (GDPR) in particular, you must make sure any personal or sensitive data is adequately protected.

Integration: There are various integration options, such as reporting the results to your own Learning Management System (LMS) or synchronizing the recipients with your Active Directory. Integrating the attack simulation software with your own applications might require an on-premise installation.

Security: You might store sensitive data such as Windows logins, usernames, email addresses etc. in the database. Transmitting or storing such data on a cloud server might violate your security policies. Ask yourself:

  • Do I plan to integrate the awareness solution with other internal systems (LDAP, LMS etc.)?

 

7. Understand the technical parts from the user perspective

Do you know which types of malware can get past your defenses? What kind of protection do you use against spoofing, malware, etc.? You cannot plan a successful phishing simulation without knowing and understanding the technical environment the users actually work in.

An example: Employees who are allowed to run executable files should be tested for awareness toward downloads with executable content. Ask yourself:

  • Do I know what file types can be attached to an email or downloaded and executed from the internet from a standard Windows client?

 

8. Initial communication

The purpose of your phishing simulation is not to set up a trap for your employees to fall into. On the contrary, it is to provide a safe environment where they can learn what phishing attempts look like in reality. Therefore, it's a good strategy to inform the employees about the upcoming campaign in advance so they feel included.

You can also use this notification as a reminder about the importance of recognizing suspicious emails which can cause security breaches and loss of data. For instance, the ransomware attacks that keep developing have the potential to damage your company’s reputation, lose customer trust and revenue, and even result in fines. Thus, it’s even better if the C-Level is involved, so your employees can understand that cybersecurity awareness is everyone’s responsibility.

  • Do we plan to tell our employees that we will perform phishing simulations?

 

9. Allow users to identify and report suspicious emails

If your employees notice suspicious emails but notify no one, the threat remains. Make sure your users feel encouraged to seek help whenever something raises their suspicion. A good and simple (incident) reporting system provides clues about the types of phishing attacks targeting your company and thus helps improve its defenses. A well-working reporting system where users can freely share their suspicions about potential attacks also tells you which legitimate emails get mistaken for phishing, and how that affects your organization. Ask yourself:

  • Do we plan to give users the option to report emails via a report-phishing button in their mail client?
  • What types of email clients do we use in our company, and which ones should be supported?
  • Where should reported emails go (security team mailbox, ticketing system, SOC)?
  • Do we have any specifications in terms of icon design (report button) and the text displayed when a user reports a suspicious email?
  • Do we already have a general reporting address such as phishreporting@yourcompany.com that employees can use when an email they receive looks suspicious?
  • Did we educate our users about the steps to take in case of a perceived threat, and provide them with tools to report it easily (such as a report button embedded in their inbox)?

 

10. Run the training first?

Before you launch a phishing simulation assessment in your organization, your current employees should go through an introductory training. The same training is later given to new employees when they are hired. There are exceptions where initial training is not applicable: if you want to conduct an initial baseline campaign to assess the basic sensitivity level of your organization, preliminary training can be dropped. Ask yourself:

  • Do I have a list of all the desired training topics to be covered?
  • Through which medium (flyer, newsletter, on-site teaching, screensaver, poster, web-based teaching, etc.) should the security content be delivered to the employees?
  • Are all or some parts of the training mandatory?
  • Is there an optimal structure for training courses (e.g., start with theoretical part, then run a video, followed by a game, with the test at the end)?
  • Do all employees in the organization get the same training or does my organization require department-specific training content?
  • Is the training “success” going to be monitored? And if yes: Do I need it monitored on a personalized level?
  • Shall I introduce any penalties or other disciplinary actions for users who refuse to participate in trainings?
  • What is the desired training frequency for the different training methods? How often do we plan to update the training content?
  • Are there already existing trainings, which should be incorporated into our training courses?
  • Do I also want to test the training effectiveness (e.g., via exams)?
  • Shall I also include training gamification elements?
  • Should users get a diploma or a course certificate when they pass the training exams?
  • In which languages does the training need to be delivered?
  • Shall I deliver training videos with closed captions?
  • Do I want the training videos to have our own logo at the start and end?
  • Do I need to consider any requirements in terms of corporate design towards the training (font type, size, logo, etc.)?
  • Does all training content need to work also on mobile devices? If yes: What’s the minimal screen resolution?
  • What is our default browser and screen resolution for standard users?
  • Are there any technological restrictions for the training courses (e.g., Java Script blocked)?
  • Can we include links and sources (e.g., videos) from external servers or does all the training content need to run locally?
  • Covering the security policies of my organization: Which security guidelines are to be incorporated into the training (e.g., password security such as minimum length; internet usage guidelines, etc.)?
  • Training length: what is the desired length for the different courses (note: the same course could be presented as a 3-minute micro training module and an extended version)?
  • Providing a training library: Shall I provide all training modules accessible through a central training library?
  • Shall I be able to edit all training content myself?
  • Should the training be run in the awareness platform or shall I rather create an export (e.g., SCORM) of all trainings in order to feed it into an LMS?

 

11. Selecting the right quantity and frequency

Before you run a simulated phishing attack, think about the frequency of such an action. If you send phishing simulation emails too rarely, you will not have enough data to analyze; if you send them too often, the effort and the fatigue of the recipients grow. The best approach is to create each phishing test as a series of simulations: set up a campaign containing multiple scenarios that runs for roughly three to four months. This gives you a clear-cut picture of the level of your employee-based security. It's important to set up your campaign with scenarios that represent different levels of difficulty. In other words, the first simulation emails should be easy to recognize, and the following ones build on them by exploring different angles and tiers of subtlety.

  • How many phishing simulation campaigns shall I run per year?
  • How many phishing emails in total should a user get per year (minimum/maximum)?

Best practice and the studies we are aware of show that you should run more than four (4) attack emails per user per year; two (2) attack simulations per user per year are not enough.

 

12. Choose the right people

Sending a phishing simulation to the whole workforce is reasonable in most cases. On top of that, choose a group of employees you'd like to test specifically, and target only them with a particular simulation. This makes particular sense for user groups with a higher risk exposure; not all employees should be targeted in the same way. For instance, customer support may be at higher risk of receiving unsolicited emails, while your IT, finance and data administration departments may be the target of more sophisticated types of phishing.

As a rule of thumb, high-risk functions, departments and individuals should receive simulated phishing emails, SMS, etc. more frequently than the rest of the organization.

 

13. Have data privacy in mind

All data you gather via phishing simulations has to be treated as personal data. Don't overlook the potential implications if this data becomes visible within your company. Treat your employees with respect and don't cause reputational or career stress.

If your phishing simulation gathers user input, serve the landing page over TLS (HTTPS). An alternative is to deliberately use a site without encryption as an additional learning experience, teaching users never to enter sensitive data on an unencrypted site; if you do that, remember that anything the user types crosses the network in clear text, so combine it with a landing page that records the fact that data was submitted but does not transmit or store the password itself. Ask yourself:

  • How long do I need to keep the data collected?
  • What is done with the data?
  • At what level of security do I need to store the data?
  • Do I want to submit and store the users' input data (e.g., passwords entered on input forms)?
  • Encryption: Should the landing page for the attack simulation be accessed over an encrypted channel, and does it require a trusted certificate?
  • Should I make the campaign anonymous?
  • Should I avoid sending or submitting passwords altogether?

 

14. Elaborate technical requirements for the web content

Should your attack and training modules be mobile-friendly? Being able to look at the modules on a mobile device gives your employees more ways to access them. Ask yourself:

  • Do my attack & training templates need to be responsive and displayed correctly on certain minimal resolutions?

 

15. Know the limits of a given attack or training scenario

Think carefully about possible limitations of a given phishing attack simulation. There may be none, but sometimes you do not want specific institutions or people to be impersonated.

It is also a good idea to keep planned company activities in mind and not jeopardize trust in real projects unreasonably. For instance, if you're planning to migrate from one security product to another (say, McAfee to Norton), you wouldn't want to use a Norton phishing template. Likewise, if you are planning a Microsoft migration or update, avoid simulation templates on that theme. Ask yourself:

  • Are there any limitations in terms of scenarios/themes that cannot be used in attack simulations?

 

16. Selecting the right scenario type and becoming a little bit evil

Put yourself in the shoes of an attacker. Keep an eye on current phishing strategies in the wild and refer to scam emails you have received yourself. Think like a hacker or even like a scammer and use the knowledge you have of your employees to create a campaign that is likely to make them curious. This may not come naturally to you, but it's important to get shrewd and tricky. Use email templates typically sent out for company events, such as a course/seminar/team-building sign-up form, or an attached downloadable file containing information about a policy change.

Devise your scenario by job specification and target that group of employees to whom it will be relevant. Use email templates they usually receive, then tweak them to make them sound believable. For instance, you could impersonate the Head of Finance and ask targeted employees for their invoice/ERP software credentials.

Phishing emails that contain offers for “free” stuff are bound to get most clicks, so make sure you test them too. Your employees should have enough common sense to know that nothing comes for free and should be suspicious upon seeing such offers.

They can be taught to check the underlying links by hovering over them, but make sure you instruct them never to click suspicious links, because they are often malicious. Hovering also has limits: most mobile clients show no link preview, and URL-rewriting mail filters can make even a legitimate link look unfamiliar, so reporting rather than inspecting should be the default reaction.

Remember, every phishing campaign must be thoroughly planned as scammers are getting more sophisticated and creative, sending out very convincing emails. Therefore, you should make sure your templates target the right group of people in a way that is subtle and intriguing for them. That’s the only way you can test and increase your employees’ awareness and vigilance, so you get realistic results of your cybersecurity and safer behaviour!

 

17. Make it look real or not?

Baseline phishing simulations matter. It's best to begin your phishing simulations and your trainings with the basics; this way you discover the initial level of knowledge and maturity across your workforce. To do this, use typos, poor language, bad formatting, etc. in the phishing emails you send. Easy examples include fake package shipments and incredible lottery wins, so start your campaign there. As training progresses, you will notice higher report rates and lower click rates as your employees learn to spot the scams. Then you can raise the level of complexity, and so on. Be aware that emails which look as if they were sent from internal systems are more difficult to spot, because employees are inclined to trust their colleagues or senior personnel.

Spear phishing attacks, which use fully customized templates, are usually very effective. However, you shouldn't go all out with the first simulation round. Find a middle ground, for example a predefined template dressed up with the company logo rather than a full impersonation of a manager's email. Once this scenario has run its course and your employees are better prepared, you can get more creative. More about adding context in the next paragraph.

 

18. Add your own context to the scenario

Always strive to create believable content. If your campaign includes a spoofed email from your financial department, make sure to use appropriate language, terminology, names, etc. Also, don’t forget to keep the spoofed party in the loop before you begin the campaign.

Apply the same strategies when sending spoofed external emails, and use your common sense: if you want to send fake emails concerning income taxes, do it in tax season, and the holidays are the best time for package delivery notification templates. Spoofing real companies (FedEx, UPS, Amazon, etc.) is a good way to measure employee awareness against actual phishing attacks. Whatever strategy you choose, make the phishing attempts look as realistic as possible, since this is the only way to raise your employees' awareness of real-world scams. But consider whether it is worth using the copyrighted and trademarked logos of a third-party company or government agency: those institutions will most likely not welcome the use of their logos, even in simulated phishing emails. Ask yourself:

  • Which level of attack simulation do I want to start with (low level: easy to spot; high level: more sophisticated attacks)?
  • Which third-party brands am I going to use in phishing simulations, and how do I inform the third party about it?

 

19. Choose the right email sender domain

An important part of your phishing simulation is choosing an appropriate sender domain from which the emails will be sent. The best approach is to whitelist these domains in your spam filters or to choose a domain that will normally pass through them. Use SPF/DMARC lookup websites to evaluate candidate sender domains. If you wonder whether it makes sense to use domains that would normally be filtered out by SPF (such mails would never make it to your employees' inboxes), the answer is 'it depends': for initial educational purposes it may make sense to start awareness activities with simulated sender domains that would normally be filtered. Ask yourself:

  • Do the processes exist for me to whitelist the sender domains used for awareness campaigns?
  • Do I also want to spoof our own company mail domain, or a domain of an external third-party vendor?
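What the "SPF check" of a candidate sender domain amounts to, as an added example (not code from Nakinto or from any awareness platform): the script below evaluates a domain's SPF record for a given sending IP, the way a receiving filter does before it decides whether the lure even reaches the inbox. The DNS zone is constructed inline for the example and all domains and addresses in it are placeholders; a live check would resolve TXT records over DNS and also handle the a, mx, exists and ptr mechanisms, which this script deliberately reports as unsupported.

```python
import ipaddress

# Constructed DNS zone for this example: domain -> SPF TXT record (None = no record).
# In production these would be resolved with live DNS (e.g. dnspython).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": None,
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per evaluation


def check_spf(sender_ip, domain, zone=ZONE, _lookups=None):
    """Evaluate the SPF record of `domain` for a mail arriving from `sender_ip`.

    Handles ip4, ip6, include and all, which is what typical simulation
    platforms publish. Returns pass, fail, softfail, neutral, none or permerror.
    """
    if _lookups is None:
        _lookups = [0]
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups, e.g. a self-referencing include
            inner = check_spf(sender_ip, arg, zone, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include simply means "no match"
        else:
            # a, mx, exists, ptr and redirect= need live DNS; not supported here
            return "permerror"
    return "neutral"  # no mechanism matched and no explicit "all"


def delivery_expectation(result):
    """Translate an SPF result into what to expect from a typical receiving filter."""
    if result == "pass":
        return "likely delivered"
    if result in ("fail", "permerror"):
        return "likely rejected or quarantined: whitelist the sender or use a domain you control"
    return "depends on the filter's policy; often delivered with a lower reputation score"
```

A result of fail or permerror means an SPF- or DMARC-enforcing gateway will most likely drop the lure before anyone sees it, which is exactly why step 5 asks whether a whitelisting process exists, and why the alternative is a sender domain whose SPF record really lists the simulation platform's IP addresses.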

 

20. Decide what should happen if the users respond to attack simulations

For better statistics, catch all possible reply types, including "out-of-office" messages and non-delivery reports. Collect feedback about the actual attack simulations to analyze the results more accurately.

  • Do I want to catch email replies?
  • Do I want to “hide” the link in the message template?

 

21. Decide what should happen if the user is accessing the phishing domain directly

Every phishing simulation you run will have a few employees who type the domain into the browser themselves (because they become suspicious and want to assess the URL) instead of clicking the link in the email. Depending on the software platform used, this may bring them to the admin interface of the awareness tool or show a random 404 error page. Make sure you know where they end up and adjust that page accordingly, or create a custom homepage or landing page for exactly this case. Ask yourself:

  • What should happen if the recipient is checking the domain in the browser behind the random URL?
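How steps 13 and 21 come together in the landing page itself, as an added example (not the code of any awareness product): a minimal request router for the lure domain. A bare or guessed URL gets a neutral page and no tracking, the admin path is never served from the lure host, a valid per-recipient token records the click, and a submitted form records only that a username or password was typed, never the secret itself. The token table, the training URL and the page bodies are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlparse

# Constructed campaign data. The platform mints one random, unguessable token per
# recipient when the lure is sent; the token maps to a pseudonymous recipient id,
# and the id-to-person mapping lives only in the separate admin system.
TOKENS = {"k7Q2mZ9pXa": "user-0042", "b3Xr8tLqWe": "user-0117"}
TRAINING_URL = "https://awareness.example/training/phishing-basics"  # assumed
ADMIN_PREFIX = "/admin"
NEUTRAL_PAGE = "<h1>Website under construction</h1>"
LURE_PAGE = ("<form method='post'>Username <input name='username'> "
             "Password <input name='password' type='password'></form>")

EVENTS = []  # append-only log of (recipient_id, event, detail)


def handle_request(method, url, form=None):
    """Route one request hitting the lure domain; returns a dict describing the response."""
    parts = urlparse(url)
    # The campaign console must never be reachable on the lure host: a curious
    # user who types the bare domain must not land in the admin interface.
    if parts.path.startswith(ADMIN_PREFIX):
        return {"status": 404, "body": "Not found"}
    token = parse_qs(parts.query).get("t", [None])[0]
    recipient = TOKENS.get(token)
    if recipient is None:
        # Bare domain, guessed or expired token: harmless page, nothing recorded.
        return {"status": 200, "body": NEUTRAL_PAGE}
    if method == "GET":
        EVENTS.append((recipient, "click", None))
        return {"status": 200, "body": LURE_PAGE}
    if method == "POST":
        form = form or {}
        # Record only that credentials were typed; the values are discarded here.
        detail = {
            "username_entered": bool(form.get("username")),
            "password_entered": bool(form.get("password")),
        }
        EVENTS.append((recipient, "submit", detail))
        return {"status": 302, "location": TRAINING_URL}
    return {"status": 405, "body": "Method not allowed"}


def events_for(recipient):
    """All recorded events for one pseudonymous recipient id."""
    return [e for e in EVENTS if e[0] == recipient]
```

Because the lure host only ever knows pseudonymous ids, the campaign can be run anonymously by simply never joining the event log with the id-to-person table; and because the password field is reduced to a boolean before it is logged, the "should I submit and store passwords" question from step 13 is answered in code rather than by policy alone.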

 

22. Select the right attack type

It's not only about email phishing: attacks don't come in email form only. Many scams arrive through social media and even phone calls, so you would do well to train your employees to recognize those threats too. Your training should cover different phishing methods so that your employees are equipped for various attack types. It's advisable that your first phishing template is basic and easy to recognize, but make sure each iteration of your simulation campaign becomes more sophisticated. Use tactics such as smishing, file-based attacks and social engineering that your employees will encounter in the real world. Ask yourself:

  • What attack types do I want to use in my phishing simulation?
  • Do I want to use email as the only delivery option or shall I incorporate alternative methods as well (SMS, USB etc.)?

 

23. Decide on the use of third-party brands in an attack

Most phishing emails impersonate institutions that are otherwise trustworthy. Attackers use well-known brands, companies, websites, etc. because they know users are very likely to click. Therefore, choose which people to target with your phishing campaign and tailor your social engineering tactics accordingly, to learn how likely your employees are to give in to a malicious email. Whether the use of brands is advisable depends, as so often, on the context of the attack simulation. It may make sense to use a third-party brand for immediate testing and immediate disclosure of the awareness activity in case of a phishing success. In general, however, we do not recommend using third-party brands, whereas spoofing your own company is nearly always a good decision, because attackers will most certainly use the same method against your employees. Ask yourself:

  • Does it make sense to use third party brands for phishing simulation? And if so, in which case?
  • Does it make sense to use my own brand for phishing simulations and if so, do I also build a spoofed homepage of my brand for this purpose?

 

24. If and when to invite to an e-learning after a successful attack

You can decide to deliver your phishing training immediately after a user fails the attack simulation ('phishing success'). The employee can be redirected to the training instantly after clicking a spoofed link, submitting credentials or attempting to download a file. This approach gets the employee's full attention, though they might warn their colleagues about the simulation.
Another option is to delay the training, but make sure you send it from a TRUSTWORTHY EMAIL DOMAIN THAT IS DIFFERENT from the one used in the phishing simulation.

  • Do I want to include a training for users who fall for the attack simulation?
  • Should the e-learning be sent immediately or delayed?
  • What is the content/length/type of the desired follow up training?

 

25. Subsequent follow up trainings

In every phishing test you plan and run, there will be low performers, that is, people who fail to recognize the phishing emails. Part of your post-simulation job is to help those employees learn to recognize the threats and respond accordingly. A good way to continue with them is to follow up with additional e-learnings in real time (immediately after the 'phishing success'), where you can track their results. For low performers, on-site trainings are a useful measure as well. Make sure you treat each employee with respect when discussing their low performance on a phishing test. If you patronize them, you jeopardize your mutual communication, and you need the employee to trust you, because you want them to keep reporting suspicious messages in their inbox to you in the future. Ask yourself:

  • Should I provide additional training for low performers outside of my awareness platform?
  • Shall I provide on-site trainings for my employees, especially for the low performers?

 

26. Define the disciplinary measures for the repeated occurrence

People make mistakes. This fact should be taken into account when considering whether and which disciplinary measures should be introduced in the organization. On the other hand, employees also bear responsibility for their work, and this should also be taken into account.

If this is the employee's first failed test, we suggest that you simply send them an email noting their phishing test result. Mention how important cyber security is for the entire organization and offer additional materials to help them improve their awareness. Gently let them know that more phishing tests will follow, so they will have many more opportunities to show they are not a weak link in the system. Point to the "report phishing" button, if you have implemented it, or to the report-phishing@yourcompany.com address you set up for scam reporting. Sometimes there will be people, a handful or more, who continuously fail to recognize a phishing threat. Don't leave the matter unaddressed; discuss it proactively. Give those users a tutorial explaining what phishing threats are and why they are dangerous for your company, and walk through some widely known real-life examples that caused organizations serious trouble and losses. It's imperative that each of your employees recognizes that cyber threats are real and that they are very likely to be attacked at some point. Ask yourself:

  • What disciplinary action do I take for repeat offenders?
  • With whom in the organization do I discuss such possible measures?
  • Where do I document repeated occurrences?

 

27. Test run(s)

For the time being of the test run, make sure all email addresses and page domains that you use in the simulated phishing email templates are whitelisted. Otherwise it may happen that only the first part of the full campaign is delivered to the recipients and a large part of the mails is subsequently blocked by the web filters. Don’t forget to also adjust any internal company settings so that all all users receive the simulated phishing emails. It is an important step that you the test the campaign on a few select email recipients, before sending it out to all your employees.

If you’re not using a cloud-based spam filter, you would do best to simply whitelist the LUCY IP addresses and hostnames in your mail server. If you are using one, whitelisting should be done by email header in your mail server and by IP address or hostname in your spam filter. Any other products and services you use in your mail or web environment should also be adjusted to prevent deliverability issues.

Most company mail servers and filters have rate limiting set up. This means that emails sent in bulk may be delivered slowly or get blocked altogether, as mentioned above. Ensure your mail server and filter are set up so that the rate limiting rules are relaxed for the time window in which you send out the phishing test emails. As an alternative that is not recommended, you can turn off rate limiting on your server and filter altogether to ensure all users receive the phishing test email, but you have to turn it right back on afterwards.

  • Do I have an email account or a list of pilot email recipients that can be used for testing purposes?


28. Define scheduling rules

A great option to consider when sending out phishing simulation emails is scheduling. A scheduler allows you to plan test email delivery in a time frame of your choosing. Best practice is to schedule around weekends and vacations and to avoid night-time and Friday afternoons. Many tools automate scheduling, so you may not have to worry about it at all.

  • Do I want to use a scheduler, and if so, what rules are required?
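As an added example that is not part of this article, the following Python snippet encodes the scheduling rules just described (business hours only, no weekends, no Friday afternoons, a constructed holiday blackout list; all concrete times and dates are assumptions) and plans send batches so that each one lands on an allowed slot, which also spreads the load under the rate limits discussed in step 27:

```python
from datetime import date, datetime, time, timedelta
from typing import List, Set

# Constructed scheduling policy that encodes the rules from step 28:
# business days only, no night-time, no Friday afternoon, and no
# company holidays or vacation blackout dates. All values are assumptions.
WORK_START = time(9, 0)
WORK_END = time(16, 0)
FRIDAY_CUTOFF = time(12, 0)            # nothing goes out on Friday afternoons
BLACKOUT_DATES: Set[date] = {          # constructed holiday / vacation dates
    date(2024, 12, 24), date(2024, 12, 25), date(2024, 12, 26),
}


def is_allowed_send_time(when: datetime) -> bool:
    """Return True if `when` satisfies every scheduling rule."""
    if when.weekday() >= 5:                           # Saturday or Sunday
        return False
    if when.date() in BLACKOUT_DATES:                 # holidays / vacation period
        return False
    if not (WORK_START <= when.time() < WORK_END):    # night-time, early morning
        return False
    if when.weekday() == 4 and when.time() >= FRIDAY_CUTOFF:
        return False
    return True


def next_allowed_slot(start: datetime, step_minutes: int = 30) -> datetime:
    """Move forward from `start` in fixed steps until an allowed slot is hit."""
    candidate = start
    for _ in range(8 * 24 * 60 // step_minutes):      # give up after ~a week
        if is_allowed_send_time(candidate):
            return candidate
        candidate += timedelta(minutes=step_minutes)
    raise ValueError("no allowed slot within a week of %s" % start)


def plan_batches(first: datetime, batches: int, gap_minutes: int) -> List[datetime]:
    """Plan `batches` send slots at least `gap_minutes` apart, each moved to the
    next allowed time. Spacing the batches also keeps the send rate below the
    mail-server rate limits mentioned in step 27."""
    slots: List[datetime] = []
    current = first
    for _ in range(batches):
        slot = next_allowed_slot(current)
        slots.append(slot)
        current = slot + timedelta(minutes=gap_minutes)
    return slots
```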


29. Launch and monitor the campaign

When you run your simulation, make sure you can and do monitor it in real time in case something goes awry. This kind of insight into your campaign will allow you to catch replies, out-of-office messages and non-delivery reports, and to track any issues that may arise. There are awareness platforms and tools that take over this activity for you (‘full-service providers’). Some tools also allow you to create read-only (view-only) users for this purpose. Ask yourself:

  • Do I need to monitor a campaign when it is launched?
  • Do I want to have view access for dedicated users?


30. Report the results

Make sure your report system works and consider how you want it set up in terms of format, length, and content of the reports. It is especially important that you consider the attributes according to which you would like the reports to be structured.

  • Do I want the reports in Word, PDF, or raw format (CSV)?
  • What are the grouping characteristics in reporting (department, language, country, function, scenario, etc.)?
  • Should the reporting be integrated into monitoring (SIEM, CSIRT, SOC, ...), perhaps even via an API (depending on the tool used)?
  • What type of reports does my organization expect (example: short management summary vs. long report)?
  • What is the desired report language?
  • How should reports be delivered to me and my peers, and how often?


31. Follow-up communication

After you run your awareness campaign, make sure you send out explanatory communication (emails) a few days to a week later. The emails can contain information about the importance of the scenario used as well as the clues you expected your employees to notice. Remember that testimonials and positive feedback are the best ways to trigger good behavior. You may also set up a reward system for those employees who are able to spot the phishing clues and follow up by reporting the scams. Encouraging your staff, especially the most engaged ones, will create trust that pays off in the face of future threats, simulated and real.

For those who fail the test, and there will always be such individuals, follow up with training, additional courses and even on-site or one-to-one training sessions until the employees in question learn to recognize the threats and report them. Your company needs to be immune to cyber threats, and this involves all of your users.

  • Do I plan to send follow-up communication?


32. Gamify – Create rewards

If any of your employees achieve outstanding results, think about rewarding them. Congratulate them on their success in an email, noting everything they did right (no click-throughs or data leaks, timely reporting, etc.) to keep the company safe from cyber threats. You can motivate an entire department whose cumulative results were the best in the organization. To take this further, you can create contests among departments to determine which one was the safest in a given period of time. As an incentive you could sponsor a lunch or dinner for the team with the highest test and reporting results.


33. Define the next steps

Running a phishing simulation campaign has one main purpose: safer behaviour through raising employee awareness of cyber threats. So the first test is just the beginning. Build a baseline, reward high performers, educate low performers, and start planning your next campaign. Or better: set up an ongoing awareness program. Ask yourself:

  • What is my next campaign?
  • Shall I set up and maintain an ongoing Cybersecurity Awareness Programme?


34. Start over

One simulation is no simulation: don’t forget to re-phish your employees. No matter an employee’s score on the test, make sure you run more tests after you send out any training content. Follow up with low performers from previous campaigns and see if their scores have improved. And launch campaigns dedicated to employees with a high(er) risk exposure.

Again: a single phishing test will not teach your employees the safe(r) behavior you want them to adopt. Therefore, regular campaigns should be maintained both to measure your employees’ awareness and to keep their defenses high.
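As an added example (not code from this article or from any named tool), the following Python snippet works on a constructed CSV export of the raw kind mentioned in step 30 and produces the grouped rates from step 30, the list of repeat failers that steps 26 and 34 ask you to follow up with, and the per-group change against the baseline from step 33; the column names and all rows are assumptions:

```python
import csv
import io
from collections import defaultdict

# Constructed raw export in the CSV format named in step 30: one row per
# recipient per campaign. The column names are assumptions, not any tool's schema.
RAW_CSV = """campaign,user,department,scenario,clicked,submitted,reported
2024-Q1,u01,Finance,invoice,1,1,0
2024-Q1,u02,Finance,invoice,1,0,0
2024-Q1,u03,Sales,parcel,1,0,0
2024-Q1,u04,Sales,parcel,0,0,0
2024-Q2,u01,Finance,hr-policy,1,0,0
2024-Q2,u02,Finance,hr-policy,0,0,1
2024-Q2,u03,Sales,password-reset,0,0,1
2024-Q2,u04,Sales,password-reset,1,1,0
"""


def load_rows(text: str) -> list:
    """Parse the export and turn the 0/1 flags into booleans."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for flag in ("clicked", "submitted", "reported"):
            r[flag] = r[flag] == "1"
    return rows


def rates_by(rows: list, key: str, campaign: str) -> dict:
    """Click, submit and report rates per group (department, country, ...) for one campaign (step 30)."""
    groups = defaultdict(list)
    for r in rows:
        if r["campaign"] == campaign:
            groups[r[key]].append(r)
    return {g: {"click_rate": sum(r["clicked"] for r in rs) / len(rs),
                "submit_rate": sum(r["submitted"] for r in rs) / len(rs),
                "report_rate": sum(r["reported"] for r in rs) / len(rs)}
            for g, rs in groups.items()}


def repeat_failers(rows: list, min_fails: int = 2) -> list:
    """Users who clicked or submitted data in at least `min_fails` distinct campaigns (follow-up, steps 26 and 34)."""
    fails = defaultdict(set)
    for r in rows:
        if r["clicked"] or r["submitted"]:
            fails[r["user"]].add(r["campaign"])
    return sorted(u for u, cs in fails.items() if len(cs) >= min_fails)


def click_rate_delta(rows: list, key: str, before: str, after: str) -> dict:
    """Change in click rate per group between two campaigns: progress against the step 33 baseline."""
    b, a = rates_by(rows, key, before), rates_by(rows, key, after)
    return {g: a[g]["click_rate"] - b[g]["click_rate"] for g in b if g in a}
```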


That’s it! Good luck with your training and your simulations! – Palo Stacho
