How to carry out a baseline email phishing test
watch video here
A baseline email phishing test is a great start to measure the security awareness levels of your employees. It can also be used as a business case to invest in Security Awareness Training. So how do you properly carry out a baseline phishing test?
Phishing tests are not about catching people out. It’s about measuring the awareness levels and growing a security culture in your company.
We often to speak to IT teams who say ‘we have done a phishing test in the past and results were quite good. Low click rates’. Then we ask ‘what’s the email open rate? Did you use the same phishing template for everyone? Have you delivered the test at the same time?’ I guess you now know where I am coming from? The answers to those questions have never been positive. Here are the steps we recommend doing to perform a baseline phishing test for your company.
YOU CANNOT ANNOUNCE TO YOUR EMPLOYEES ABOUT THIS EXERCISE. NOT EVEN YOUR FAVOURITE USERS OR THE EXECUTIVES.
- Import users to the platform you are using for phishing tests and group them accordingly. Grouping them by location and by their department is a good starting point.
- Have enough info on users so that you can produce granular reports later. For example, a comparison report against two locations or departments for example.
- Whitelist the phishing platform servers in Office 365 and spam filtering platform if you are using one.
- Make sure phishing test emails don’t end up in the junk.
Who is the audience? How are they spread? What locations and languages? Age groups? Let’s assume all of them are in one single location and speak English. Brilliant. Your task is a little easier now.
Are you using Office 365? Is your finance team using Sage? Sales team using Hubspot? What technology are you using?
Please bear with me while I am asking these questions. You'll see why they are important in a min.
This is the most important part to get the proper results.
There is some housekeeping work you need to do before you set up the templates. Think about the customization of the templates. Think about some trending news internally or externally. You may have announced a new Pension scheme, there may be a new viral show on Netflix, you get the idea. What types of emails are YOUR audience most likely to open and click on?
Now look at the Audience & Technology section above and pick the templates that are relevant to the location, language, age groups. As an example to help get you started, I would pick UK phishing template for UK users, resetting passwords on Office 365, Sage update, Hubspot tips n tricks, Company policy update to Spanish colleagues in Spanish, Pizza coupons, Netflix update, Amazon delivery update, Paypal payment authorization, etc… Make sure you pick a handful of templates and randomize them. You don't want employees sitting near each other or people who talk to each other regularly, to get the same phishing email. It should be different email. The idea being, the employee to identify it as a test [hard to do so] shouldn’t be able to warn other users of it, as this would distort your results.
What landing page should you use when a user clicks on the link? I would say a simple 404 error page. Why? More often than not user will just ignore the error and get on with their job and they don’t realize it’s a test. Remember this is a baseline test and it’s not the time for instant training yet!
This is another critical part of running an effective phishing test. You definitely DO NOT want to deliver all your phishing test emails on the same day. Ideally, I would stage them across a few time slots across a few days depending on how the users are spread.
Now tracking part. The platform we use allows us to track the emails from up to several days to several months. The reason for this is, users maybe busy, away on short/long holiday, etc… Ideally, we recommend leaving the tracking for at least 2 weeks.
Now, it’s time for business. Time to create the reports and analyze. Who is most vulnerable? What templates are more difficult to recognize? How do different departments fare against each other? Is it worth your time? Do you need to invest in a security awareness training programme?
I hope that helps. If you would like to find out more click here. If you need further assistance or would like us to carry out the exercise for you then we would love to hear from you.
- Congratulations to the Techforce Sponsorship winners
- Case study: British Airways Fined £183.4million for Data Breach
- The Silver Bullet in Cyber Security
- Is it a good idea to build your own Security Awareness Training platform?
- Fake invoice email scams and Office 365
- How to apply for the Cyber Essentials Voucher Scheme
- 5 things to consider when selecting a Security Awareness Training (SAT) platform
- 2 Years, Marmite and £600,000
- What is Business Email Compromise (BEC) and how to stop it
- Everything you need to know about Cyber Essentials
- How to choose a Security Awareness Platform
- How to pick the best Antivirus software for your business
- 6 Quick and Easy Email Security Tips for Dummies
- How to share passwords safely in your Small Business
- 10 Steps to Cyber Security
- 5 Reasons why you should consider having two monitors
- What is Email phishing & why you need security awareness training in your business
- 6 Top Tips to Prevent Cyber Attacks
- How to choose the best IT Service Provider for your business
- How to choose the best Antivirus software for your business
For more useful tips subscribe to our newsletter
Congratulations to the Techforce Sponsorship winners
Congratulations to the Techforce Sponsorhip winners who will be studying towards the Comptia + Security examsMore
Case study: British Airways Fined £183.4million for Data Breach
The UK's Information Commissioner's Office has declared that it intends to fine British Airways a record total of £183.4m because of a data breach it suffered during the summer of 2018.More
The Silver Bullet in Cyber Security
Even large companies with all the best security in place become victims of malware attacks because they don't do their updates. Find out why patch management is so important for your company.More
Is it a good idea to build your own Security Awareness Training platform?
Should you build your own Security Awareness Training platform? Nope! And here are the reasons why.More
FOR LATEST UPDATES SUBSCRIBE HERE: