Find Out Which Employees Are Falling For Scams - Secret to Running a Successful Phishing Test!

In today’s world, phishing scams are becoming more and more common. Scammers are becoming more sophisticated, and it’s becoming difficult to identify a phishing scam. Businesses are now at risk of losing valuable data, intellectual property, and even money. One of the problems businesses face is that their employees fall victim to these phishing scams. As the workforce becomes more distributed and mobile, so does the risk. Therefore, it’s essential to conduct a successful phishing test to know which employees are prone to fall for these scams.

A phishing test is a simulated phishing attack on an employee. It aims to test the employee’s reaction and whether the employee can spot the signs of a phishing scam. Running a phishing test is a great way to identify which employees need more training and how to improve your security measures. However, running a successful phishing test can be challenging. It needs to be done correctly for it to be an effective tool in improving your security.

The first thing you need to do when conducting a phishing test is to get buy-in: from leadership, from HR and legal (and a works council where one exists), and from the employees themselves. Employees should know, as part of your wider security awareness program, that simulated phishing is something the company does and that the goal is training rather than discipline. Announce the program in those general terms ahead of time, not the timing or content of an individual test; if people know a test is landing this week, you measure how well they remember the announcement rather than how vigilant they are day to day. Once you have that buy-in, you can then proceed to create the phishing email.

The next step is to make the phishing email as realistic as possible. The email should look like a legitimate email from a trusted source. You can create the email yourself, or you can hire a company to create it for you. The phishing email should have a call to action that entices the employee to click on a link or open an attachment. If the employee clicks on the link or opens the attachment, they are directed to a landing page that asks for their credentials. Two practical rules for that landing page: host it on a domain you control and can take down afterwards, and record only that credentials were submitted, never the credentials themselves. People type their real passwords into these forms, so a simulation that stores them has just built a credential dump of your own staff.

After sending the phishing email, you need to track what happened to it. The usual way is a unique tracking link per recipient, so that each open, click or credential submission can be attributed to a person and counted once. Track reports as well as failures: an employee who forwards the mail to your security team or uses a report button is the outcome you are training for, and the report rate is the number that should rise over repeated campaigns. Once you have this data, you can analyze the results to see which employees, departments or lure types are most susceptible. It's important to note that you should use the results to improve your security measures and train vulnerable employees, not to punish them; a program seen as a trap stops getting reports.
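The steps above (a realistic lure with a link, a landing page that takes credentials, and per-person tracking of the results) fit in one small piece of code. The following is an added example written for this page, not PhishSim's or InfoSec Institute's code: the landing-page host, campaign name, recipients and events are constructed for illustration. It issues an HMAC-derived token per recipient so links cannot be guessed or enumerated, attributes clicks and submissions to a person while discarding the submitted password, and tallies click, submit and report rates per department with each person counted at most once per event type.

```python
"""Per-recipient tracking links and result tallying for a phishing
simulation. Added example, not PhishSim's code: the landing host,
campaign ID, recipients and events below are constructed."""
import hashlib
import hmac
import secrets
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

LANDING = "https://training.example.com/login"   # assumed landing page you control
CAMPAIGN_KEY = secrets.token_bytes(32)           # per-campaign secret, server side only
TOKENS = {}                                      # token -> recipient e-mail (server side)


def make_token(campaign_id, email, key=CAMPAIGN_KEY):
    """Unguessable, non-sequential token: recipients cannot enumerate or
    forge each other's links, and a re-send reproduces the same token."""
    msg = f"{campaign_id}:{email}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def make_link(campaign_id, email):
    """Build the tracking URL that goes into the lure and remember whose it is."""
    token = make_token(campaign_id, email)
    TOKENS[token] = email
    return f"{LANDING}?t={token}"


def handle_click(url, events):
    """Landing-page GET: attribute the click to a recipient. An unknown
    token (link scanner, typo, forgery) is ignored so it cannot skew results."""
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    email = TOKENS.get(token)
    if email is not None:
        events.append((email, "clicked"))
    return email


def handle_submit(token, form, events):
    """Fake login POST: record that a submission happened and drop the form
    body. People type their real password here, so it is never stored."""
    email = TOKENS.get(token)
    if email is None:
        return False
    events.append((email, "submitted"))
    return True


def summarize(recipients, events):
    """Per-department rates. `recipients` maps e-mail -> department; each
    person counts at most once per event type (two clicks are one click)."""
    sent = Counter(recipients.values())
    seen = set()
    hits = defaultdict(Counter)
    for email, ev in events:
        if email in recipients and (email, ev) not in seen:
            seen.add((email, ev))
            hits[recipients[email]][ev] += 1
    return {
        dept: {
            "sent": n,
            "click_rate": hits[dept]["clicked"] / n,
            "submit_rate": hits[dept]["submitted"] / n,
            "report_rate": hits[dept]["reported"] / n,
        }
        for dept, n in sent.items()
    }


# Constructed sample: four recipients in two departments, one campaign.
RECIPIENTS = {
    "alice@example.com": "finance",
    "bob@example.com": "finance",
    "carol@example.com": "engineering",
    "dave@example.com": "engineering",
}


def run_sample():
    events = []
    links = {e: make_link("q3-invoice", e) for e in RECIPIENTS}
    handle_click(links["alice@example.com"], events)
    handle_submit(make_token("q3-invoice", "alice@example.com"),
                  {"user": "alice", "password": "hunter2"}, events)
    handle_click(links["carol@example.com"], events)
    handle_click(links["carol@example.com"], events)       # second click, counted once
    handle_click(f"{LANDING}?t=deadbeef", events)           # unknown token, ignored
    events.append(("bob@example.com", "reported"))          # bob used the report button
    return summarize(RECIPIENTS, events)


if __name__ == "__main__":
    for dept, row in run_sample().items():
        print(dept, row)
```

The token is derived rather than stored as a counter so that a curious recipient cannot change `?t=1` to `?t=2` and click on a colleague's behalf, and the mapping back to a person lives only on the server. Whatever the rest of your tooling looks like, keep the property that `handle_submit` has here: the form body never reaches a log or a database.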

In conclusion, phishing scams are a significant threat to businesses. Employees are often the target for these scams, and it’s essential to train and educate them to identify these scams to mitigate risks adequately. Conducting a successful phishing test is a great way to identify which employees are more susceptible to falling for phishing scams. By getting employee buy-in, creating a realistic phishing email, tracking the success rate, and using the results to improve your security measures, you can create a safer workplace for everyone.

SecurityIQ/PhishSim

In order to find out how vigilant your employees are against various forms of phishing attacks, InfoSec Institute has created the SecurityIQ platform and its application PhishSim. PhishSim, as the name implies, is a simulator that sends out phony phishing emails. However, instead of containing a link to a malicious website or virus, PhishSim sends those that click it to a landing page that informs them of their error. This landing page can be customized and branded to your company.

Email Templates

PhishSim makes it very easy to run a test on your employees. We have an Email Template Library that covers a wide range of standard phishing messages. These include templates created by InfoSec Institute as well as those contributed by our user base. They are grouped into subjects such as Banking, Corporate Communications, and even Highest Phish Rate. Each template carries information such as Difficulty, Open Rate and Phish Rate. You can select an email template that suits your company as-is, or you can duplicate it and modify it as you see fit. You can also select New Template to create your own.

A few of the Banking Templates

Additionally, there are Data Entry Templates, which simulate login pages to such things as bank or email accounts. These can be used together with Email Templates for a more sophisticated phishing simulation.

Educations

Paired with the phishing emails are Educations – a landing page with a message to anyone that clicks on the link, informing them that they have made a mistake. As with other elements of SecurityIQ, there is a library of Educations, which can be customized for your workplace. Some Educations are a simple message; others include interactive videos. Regardless, whenever an employee clicks on a link and is sent to an Education, you will be alerted to the event.

Best Practices

When creating or choosing emails, it's best to put on your "Criminal Minds" hat and think like a phisher. What departments are most vulnerable? Which type of communication is most likely to elicit a click? While our Template Library is a great place to get started, try creating or customizing one for your company. Create an email with your boss' name asking for a W-2. Send a phony invoice from a company you actually do business with. Create a sense of urgency: many phishing requests try to make the user act quickly without thinking, so emulate that in your email. Drop subtle clues, too: put in typos, misspell the company name, or send from a lookalike domain. These should be red flags to the recipient, and they are what your Educations should point out afterwards.

Batteries and Campaigns

After you’ve created or chosen a selection of Email Templates and Educations, you can create Batteries and Campaigns. A Battery is a group of phishing emails that are sent at once, and a Campaign is a series of Batteries over a period of time. With a Campaign, you control such things as which employees get which emails, as well as the simulation duration. Creating Batteries and Campaigns can be very easy; there is a Default Campaign that can be used as a good starting point.
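To make the Battery and Campaign idea concrete, here is an added example written for this page, not PhishSim's own scheduler: it plans a campaign as one battery per week, gives each recipient a different template in each battery so nobody sees the same lure twice, and scatters the sends across working days and hours so an entire department does not receive the identical mail at the same minute (which is what starts the "did you get this too?" chatter that tips everyone off). The working-hours window, template names, staff list and start date are constructed assumptions.

```python
"""Campaign planner: one Battery per week, templates rotated per recipient,
send times jittered across the working week. Added example, not PhishSim's
scheduler; the window, templates, recipients and start date are constructed."""
import random
from collections import Counter
from datetime import datetime, timedelta

WORK_START, WORK_END = 8, 17   # assumed local send window, 08:00-17:00


def plan_campaign(recipients, templates, start, weeks, seed=0):
    """Return a sorted list of (send_time, email, template, battery_no).

    Recipients are shuffled once (deterministically, from `seed`); in
    battery k the recipient at position i gets templates[(i + k) % n].
    That spreads templates evenly inside each battery and guarantees no
    recipient gets the same template twice while weeks <= len(templates).
    `start` is assumed to be the Monday the campaign begins.
    """
    if weeks > len(templates):
        raise ValueError("need at least as many templates as batteries to avoid repeats")
    rng = random.Random(seed)
    order = list(recipients)
    rng.shuffle(order)
    plan = []
    for k in range(weeks):
        week_start = start + timedelta(weeks=k)
        for i, email in enumerate(order):
            day = week_start + timedelta(days=rng.randrange(5))          # Mon..Fri
            minute = rng.randrange((WORK_END - WORK_START) * 60)          # within the window
            when = day.replace(hour=WORK_START, minute=0, second=0, microsecond=0)
            when += timedelta(minutes=minute)
            plan.append((when, email, templates[(i + k) % len(templates)], k))
    return sorted(plan)


def repeats(plan):
    """How many (recipient, template) pairs occur more than once: should be 0."""
    counts = Counter((email, tmpl) for _, email, tmpl, _ in plan)
    return sum(1 for c in counts.values() if c > 1)


def battery_sizes(plan):
    """Number of sends in each battery, by battery number."""
    return dict(Counter(k for *_, k in plan))


# Constructed sample: six staff, three lures, a three-week campaign.
STAFF = ["alice@example.com", "bob@example.com", "carol@example.com",
         "dave@example.com", "erin@example.com", "frank@example.com"]
TEMPLATES = ["ceo-w2-request", "vendor-invoice", "mailbox-quota"]


def run_sample():
    return plan_campaign(STAFF, TEMPLATES, datetime(2024, 7, 1), weeks=3, seed=42)


if __name__ == "__main__":
    for when, email, tmpl, k in run_sample():
        print(f"battery {k}  {when:%a %Y-%m-%d %H:%M}  {email:<20} {tmpl}")
```

The rotation is the important part: with templates handed out by position and shifted one step per battery, the second and third batteries are automatically different from the first for every individual, which is what lets a Campaign measure whether someone improves rather than whether they remember one specific email.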

The Start Campaign window

Running a Campaign

Once you've created or imported your employee address list and decided on the duration, you can start your Campaign. (Employees should already know from your awareness program that simulations happen, but it's a good idea not to announce that a specific Campaign is running, so as to get a truer gauge of their vigilance.) During the Campaign, you can view a variety of different reports from your Dashboard; they can also be emailed to you weekly. These show you how many of your emails were opened or clicked, as well as how many were avoided or marked as spam.

The Phish Campaign Run Status details specific actions taken by individuals. You can use this information to require them to take further training courses in the AwareEd section of SecurityIQ.

A PhishSim report

Conclusion

This is a very general overview of PhishSim and how to run a phishing test on your employees. SecurityIQ is intuitive to use, but the platform also has more advanced features to help you raise awareness about the dangers of phishing. The best way to get started is to sign up for a free account. You can explore the different areas and even run a simulated Campaign against "learner bots" to learn more about how PhishSim works. Don't wait another day: start phishing your employees today before someone else does!