While one-off or infrequent quarterly phishing tests do not necessarily work, they are still commonly used to measure the employees' resilience. Even today, despite email filtering, some phishing emails still get through because they look incredibly realistic. Phishing tests aim to fight that by showing employees what sort of emails could slip through the filters and that they should watch out for scams.Besides that, what are the other reasons that companies still run phishing tests? How do you do one? Is there a better way of evaluating your organization? We are going to answer these questions in this article.
What is a phishing test?
Security teams and IT professionals use phishing tests to simulate dangerous emails that attackers send to employees. The phishing email test aims to help create awareness around real-life attacks and different social engineering techniques among employees. This way, people can learn to identify phishing emails when those end up in their inboxes.Phishing tests raise awareness, but security teams also use them as a benchmark metric for where the company stands in terms of resilience. It can help them identify the company's risk profile more clearly.At the moment, no email security solution provides 100% protection against phishing, so security teams need to rely on people's ability to recognize email threats.
Why do companies run phishing tests?
There are a couple of reasons for running phishing tests. While you must have email security solutions that leverage reputation and machine learning to filter out phishing, malware, and social engineering, security operations still rely on skills, knowledge, and employees' help.When phishing tests are infrequent, the most common goal is to use it as a baseline test to evaluate where the organization stands in terms of resiliency and risk profile. Besides, it also helps to identify people who keep failing the tests. In a negative culture, people who fall for the bait could be singled out and forced to do more tests.Ideally, the tests would help make people more vigilant by teaching them to recognize scams and to understand their course of action when they come across one.
How to do a phishing test?
We assume that you want to create a baseline test. We will walk you through what you need to consider when making your test email.First of all, start with good planning. Make a list of things you will need for creating an outstanding test.It would help if you aimed to create a legitimate-looking simulation. A lot of phishing training vendors share recent emerging attacks. You could use those as a benchmark for your simulation. If you have data on what sort of attacks your organization and employees receive, you could take an example from those too.Create a checklist for yourself to help you execute an excellent phishing test.- What will be your message?- Will you impersonate a brand?- Do you need to set up a domain? If yes, should you do an SSL certificate so it would look legitimate?- What is the type of attack? Is it a general phishing email or something more specific like spear phishing?- Do you target all employees or just a certain group?- Will you use links or attachments as a lure?- Consider using a social engineering technique like playing on people's fear, curiosity, or greed.- What will happen when the employee falls for the bait?- What's the process that the employees should follow if they correctly recognize that the simulation email is a potential threat? Where can they send their reports? How will you give them feedback?- What will you measure and how will you share the results?
Do you need a phishing tool for a baseline test?
It can be useful to have a tool and speed up creating a test if you want to utilize templates. Many companies do the test in-house as done by GitLab in the example we analyzed earlier.
Do phishing tests work?
Infrequent phishing tests won't have a real impact. There are three main reasons for this.
1. They won't create awareness.
Without frequent, practical exercises, it's impossible to expect people to keep the possibility of phishing attacks in mind.
2. They won't create behavior change.
Without frequent practice, it's impossible to expect people to know what to do when they receive email-based threats. With periodic training, you can teach them to recognize and re-enforce the habit of reporting attacks.
3. They won't provide a realistic KPI on where your company stands in terms of resiliency.
When you send infrequent and one-size-fits-all phishing tests, you won't have real data on where your company stands in terms of resiliency and risk. We have written a guide on what’s wrong with traditional measurements of security awareness training and how measurement should happen.When you do frequent phishing, you will have a lot more data points, and when the phishing simulations are adjusted to the users' levels, it gives a more realistic picture of human risks.
Is it too easy to spot a phishing email test?
Talking with security officers that have been doing phishing email tests for some time (and they are looking for better alternatives), we often hear the same stories of how people often easily recognize that it's yet another test, and they spread information about it around the office.Often, phishing tests are standard and sometimes too easy to spot, like the DHL or Microsoft vectors. When the phishing tests always include the same easy simulations, they are not very motivating for those who want an actual challenge.Extremely difficult test vectors can also backfire–you should avoid creating the negativity around tests that comes from making sure that people fail.
Should you run phishing tests?
Occasional phishing tests are better than no training at all. However, we would suggest considering whether it would make sense to adopt a program that integrates frequent phishing training into people's work lives and workflows.
Taking phishing training to the next level: what's the best alternative?
Many companies recognize that phishing and email threats should be tackled better. To make an impact, partnering with your employees is key. To provide training that will make an impact on people's learning, habits, awareness, as well as the company's resiliency, you should adopt a training that includes the following:
1. Practical training
Frequent practice is necessary to keep people on their toes about threats. Using simulations to mimic real threats can help people to learn what to look out for.
2. Frequent training
Besides practical training, frequency is another important element. With a few phishing tests a year, people won't be engaged enough. With frequent simulation, they will remain suspicious about emails they receive.
3. Positive reinforcement
Training shouldn't be about punishing people for failing. Teach people that it's okay to fail the simulations and learn from their mistakes. People also should not feel the training is a burden. When it's integrated into their workflow, and they feel like they succeed, they will be more willing to continue participating.
4. Up-to-date simulations
Attackers move fast, and they keep coming up with new attack types. With up-to-date simulations, you can educate people on the emerging threats that could also end up in their inboxes.
5. Personalized threat vectors
To make training engaging for the users, it's essential to personalize the training experience for their unique situation. Training should consider their skills and knowledge, department, location, language, culture, role in the organization, co-workers they interact with, or the tools they use.
6. Simple reporting process
The goal of the training should be that employees learn to report real threats they see. For this, the reporting process should be simple and clear. With Hoxhunt, people can use the reporting plugin for reporting simulations and actual phishing emails. It's just a click of a button, only takes a few seconds, and it works on all devices.