In this post, I compile some of the recommendations that, in my personal opinion, I find most important when simulating Phishing.
In this post, I assume that the executives of the organization already understand the importance of this practice and have demonstrated their commitment to managing social engineering.
Without further ado, let’s go with the best practices in creating Phishing simulation campaigns.
Do Your Homework First
Quick Tip
- Be clear about why you are simulating
- Carry out an orderly Whitelist process
- Launch test campaigns
Detailed Tip
The fundamental objective of a Phishing simulation is to measure user behavior to understand the organization’s risk level.
Therefore, this is likely one of the objectives of your simulations. From this, many others can be derived. Generally, they will focus on managing social engineering risk and developing safe habits.
But focusing on the basics, if we want to know how our users would behave in the face of a real attack, we must ensure that the user universe we want to evaluate receives the Phishing email.
That’s what a Whitelist process is for. Basically, we need to configure the various security tools of our organization to let the simulation emails through, ideally without even touching them.
Once the configurations are made, we must launch test campaigns. This type of campaign will allow us to know if our Whitelist process is working correctly and if we have considered all the corporate tools we have implemented.
This last point may seem a bit strange, but many organizations are surprised at this stage. When they launch the test, they find that there are more tools analyzing the emails than they had documented. For this reason, the Whitelist process is often more difficult than expected, but it leads organizations to improve their knowledge and documentation of the security tools they possess.
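One practical way to verify the Whitelist process during a test campaign is to look at the message as it actually arrived in a user's mailbox: each Received header records a hop through a mail system, products that scan mail usually add their own X- headers, and link-rewriting tools replace the landing URL. The script below, added here as an example and not code from the original post or from SMARTFENSE, parses one such message and lists every hop and scanner header that is missing from our documentation. The raw message, the host names and the X-Example- header names are constructed placeholders, not real products; the documented hop list and landing URL are assumptions you would replace with your own.

```python
"""Inspect a test-campaign email as received in a mailbox and report
which mail hops and scanner headers touched it, and whether the
simulation link was rewritten.

Added example, not part of the original post or any SMARTFENSE tool.
The raw message, host names and X-Example- headers are constructed.
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: a simulation email that passed through the documented
# gateway and also through a second, undocumented internal filter.
RAW_TEST_MESSAGE = b"""Received: from internal-filter.example.internal (internal-filter.example.internal [10.0.0.5])
\tby mailbox.example.internal with ESMTP id abc123; Mon, 1 Jan 2024 09:00:03 +0000
Received: from gateway.example.internal (gateway.example.internal [10.0.0.2])
\tby internal-filter.example.internal with ESMTP id def456; Mon, 1 Jan 2024 09:00:02 +0000
Received: from sim-sender.example.net (sim-sender.example.net [203.0.113.10])
\tby gateway.example.internal with ESMTPS id ghi789; Mon, 1 Jan 2024 09:00:01 +0000
X-Example-Gateway-Scan: clean
X-Example-Filter-Score: 2.1
From: IT Support <it-support@sim-sender.example.net>
To: user@example.internal
Subject: Please confirm your account
Content-Type: text/plain; charset="utf-8"

Click here to confirm: https://safelinks.example.internal/?u=https%3A%2F%2Fsim-landing.example.net%2Flogin
"""

# What our documentation says handles inbound mail (assumed values).
DOCUMENTED_HOPS = {"gateway.example.internal", "mailbox.example.internal"}
DOCUMENTED_SCANNER_HEADERS = {"X-Example-Gateway-Scan"}
# The landing page exactly as the simulation platform sends it (assumed).
ORIGINAL_LANDING_URL = "https://sim-landing.example.net/login"


def parse_message(raw):
    """Parse raw bytes into an EmailMessage (policy.default unfolds headers)."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def receiving_hosts(msg):
    """Return the 'by <host>' part of every Received header, oldest hop first.
    Received headers are prepended by each hop, so the top one is the newest."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.search(r"\bby\s+([\w.-]+)", value)
        if m:
            hosts.append(m.group(1))
    return list(reversed(hosts))


def scanner_headers(msg):
    """Mail-security products conventionally tag messages with X- headers."""
    return sorted({k for k in msg.keys() if k.lower().startswith("x-")})


def links_rewritten(msg, original_url):
    """True if the landing URL no longer appears verbatim in the text body,
    which indicates a URL-rewriting or link-protection product in the path."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return original_url not in body


def whitelist_report(raw, documented_hops, documented_headers, original_url):
    """Compare the received message against what we have documented."""
    msg = parse_message(raw)
    hops = receiving_hosts(msg)
    headers = scanner_headers(msg)
    return {
        "hops": hops,
        "undocumented_hops": [h for h in hops if h not in documented_hops],
        "scanner_headers": headers,
        "undocumented_scanner_headers": [h for h in headers if h not in documented_headers],
        "links_rewritten": links_rewritten(msg, original_url),
    }


if __name__ == "__main__":
    report = whitelist_report(RAW_TEST_MESSAGE, DOCUMENTED_HOPS,
                              DOCUMENTED_SCANNER_HEADERS, ORIGINAL_LANDING_URL)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a message exported from a test recipient's mailbox (replace the constructed bytes with the exported file's contents). An undocumented hop or header is exactly the "more tools than we had documented" finding described above, and a rewritten link means the user would not see the simulation's own URL, so the Whitelist is not yet complete.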
Recommended Reading: Stop Doing Phishing Simulations! Seriously?
Don’t Try to Catch All Users
Quick Tip
Make your simulations resemble real cases. Don’t force simulation scenarios to catch as many users as possible. That will only give you unrealistic metrics.
Detailed Tip
We are talking about simulating Phishing. Simulating means representing something, making it seem real, so our Phishing simulations must behave like real Phishing.
So, let’s start from the beginning.
A simulation replicates the behavior of a real cyberattack in the following aspects:
- Campaign Duration, usually a couple of hours
- Medium used to deliver the attack, generally via email
- Presence of social engineering techniques in the headers and body of the message
- Use of links or attachments
- Use of fake websites that replicate real ones
- Measuring user actions, that is, if they open the email, if they click on a link, etc.
But there is an important difference: a simulation does not capture sensitive information and is harmless to the end user or the organization.
Generally, real Phishing attacks end when the cybercriminal captures, for example, the user’s credentials. In contrast, a simulation can show an educational message after the user takes a risky action, such as submitting private information in a form.
However, many security leaders expect something different:
- That the simulation campaigns last for weeks
- That they are correctly received in everyone’s inbox
- That the selected scenario piques everyone’s interest
- That all possible users fall for it
For this, they spend weeks preparing the perfect Phishing scenario, abusing the internal information they have about the organization and users. At SMARTFENSE, we call this practice the golden Phishing simulation.
Of course, it is not recommended at all, as we will be skewing the results of the campaigns and obtaining results that will not be coherent with reality.
Recommended Reading: The Golden Phishing Simulation, or How We Incorrectly Interpret the Results of Our Tests
Send Many Simulations
Quick Tip
Send a set of simulations per month and then group them to see the summarized results.
Each campaign of the month should vary in terms of theme, day, time, target user group, type of deception, degree of personalization, etc.
Detailed Tip
The truth is that sending a few simulations per year won’t help much.
This is because each simulation we send is biased by numerous factors, including:
- The level of interest the user has in the email subject, for example, invitations to events, notices, etc.
- The delivery time, for example, holidays, vacations, etc.
- The moment the user receives it, for example, early in the morning or late in the day.
So, if we don’t have a constant rhythm of simulation campaigns, the information we obtain will not be reliable.
That’s why we recommend sending a set of campaigns per month, ideally at least three, and from there, we can start measuring trends.
We can also aggregate these campaigns according to groups or different characteristics of our organization, such as department, position, seniority, etc. This will allow us to get a clearer picture of the real situation of our users.
Recommended Reading: How to Interpret Your Phishing Simulation Results
Educate Users
Quick Tip
Always accompany the simulations with educational material that explains the risks and teaches how to act.
Detailed Tip
Phishing simulations are not only intended to measure user behavior, but also to educate.
The moment we create a campaign, we should also be preparing educational content. This is where we can add the educational message discussed earlier.
Users should not only know what they did wrong, but also understand the risks and learn how to respond to Phishing emails.
It is essential that, at the end of each simulation, users receive relevant material that helps them learn more about how to protect themselves.
Educating users is a fundamental aspect of risk management, and thus we should dedicate time and resources to develop educational material and training.
Users will remember what they learned and will start to adopt safer habits in their daily work.
Recommended Reading: Awareness Training: How Do We Do It?
Measure, Measure, Measure!
Quick Tip
Establish KPIs and measure every campaign.
Detailed Tip
To properly evaluate the results of our simulation campaigns, we need to set clear KPIs and metrics that allow us to measure everything in detail.
This way, we will be able to know exactly what worked and what didn’t. Furthermore, it will allow us to adjust our future campaigns accordingly.
In conclusion, keep in mind that the more we measure, the better we will understand how our users react.
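The two ideas above, grouping a month's campaigns rather than reading one in isolation and measuring each campaign against fixed KPIs, can be combined in a small aggregation script. The example below is added here and is not code from the original post or from SMARTFENSE. It takes one record per targeted user per campaign with the actions the post lists (delivered, opened, clicked, submitted), computes KPIs per campaign, per department and for the month as a whole, and reports open/click/submit rates over delivered users only, so that a Whitelist failure does not masquerade as good user behavior. The campaign names, departments and event data are constructed sample values.

```python
"""Aggregate a month of phishing-simulation campaigns into KPIs.

Added example, not part of the original post or any SMARTFENSE tool.
All events below are constructed sample data; KPI names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    campaign: str     # one simulation within the month
    department: str   # grouping attribute; position or seniority work the same way
    delivered: bool   # reached the inbox, i.e. the Whitelist worked for this user
    opened: bool
    clicked: bool
    submitted: bool   # entered data in the simulation's fake form


# Constructed sample: three campaigns in one month, two departments.
EVENTS = [Event(*row) for row in [
    # campaign,           department, delivered, opened, clicked, submitted
    ("2024-01-invoice",   "finance",  True,  True,  True,  True),
    ("2024-01-invoice",   "finance",  True,  True,  False, False),
    ("2024-01-invoice",   "sales",    True,  False, False, False),
    ("2024-01-invoice",   "sales",    False, False, False, False),  # blocked by a filter
    ("2024-01-password",  "finance",  True,  True,  False, False),
    ("2024-01-password",  "finance",  True,  True,  True,  False),
    ("2024-01-password",  "sales",    True,  True,  True,  True),
    ("2024-01-password",  "sales",    True,  False, False, False),
    ("2024-01-event",     "finance",  True,  False, False, False),
    ("2024-01-event",     "finance",  True,  True,  False, False),
    ("2024-01-event",     "sales",    True,  True,  False, False),
    ("2024-01-event",     "sales",    True,  True,  True,  False),
]]


def kpis(rows):
    """KPIs for a set of events. Delivery rate is over all targeted users;
    open, click and submit rates are over delivered users only."""
    targeted = len(rows)
    delivered = [r for r in rows if r.delivered]
    n = len(delivered)

    def rate(flag):
        return round(sum(1 for r in delivered if getattr(r, flag)) / n, 3) if n else 0.0

    return {
        "targeted": targeted,
        "delivered": n,
        "delivery_rate": round(n / targeted, 3) if targeted else 0.0,
        "open_rate": rate("opened"),
        "click_rate": rate("clicked"),
        "submit_rate": rate("submitted"),
    }


def group_kpis(rows, key):
    """KPIs per value of one Event attribute, e.g. 'campaign' or 'department'."""
    groups = defaultdict(list)
    for r in rows:
        groups[getattr(r, key)].append(r)
    return {k: kpis(v) for k, v in sorted(groups.items())}


def click_rate_spread(rows):
    """Lowest and highest click rate among the individual campaigns, to show how
    much a single campaign can deviate from the monthly aggregate."""
    rates = [k["click_rate"] for k in group_kpis(rows, "campaign").values()]
    return min(rates), max(rates)


def month_report(rows):
    return {
        "overall": kpis(rows),
        "by_campaign": group_kpis(rows, "campaign"),
        "by_department": group_kpis(rows, "department"),
        "campaign_click_rate_spread": click_rate_spread(rows),
    }


if __name__ == "__main__":
    report = month_report(EVENTS)
    print("overall:", report["overall"])
    for name, k in report["by_campaign"].items():
        print(f"{name}: {k}")
    for dept, k in report["by_department"].items():
        print(f"{dept}: {k}")
    print("campaign click-rate spread:", report["campaign_click_rate_spread"])
```

With this sample the three campaigns give click rates of 0.25, 0.333 and 0.5 while the month as a whole gives 0.364, which is the point made above: any single campaign is biased by its theme and timing, and the monthly aggregate is what you track from month to month. The same records also expose the Whitelist gap in the invoice campaign (delivery rate 0.75), which would otherwise silently lower its open and click counts.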
Recommended Reading: 8 Steps to Improve Your Awareness Program
Keep Improving!
Quick Tip
Adjust and improve your campaigns based on the results obtained.
Detailed Tip
Finally, it is essential that you not only evaluate your campaigns, but also continuously improve them.
Based on the results, you will need to fine-tune and adjust your campaigns, improve the Whitelist process, include different social engineering techniques, and educate your users with more engaging content.
As in all security measures, the improvement cycle must be continuous.
Always keep in mind that the Phishing landscape is always evolving, so you must adapt your training accordingly.
The commitment to improving your Phishing simulation campaigns will be fundamental to obtaining solid and reliable results.
Recommended Reading: 4 Steps to Improve Your Phishing Simulation Program