Eight tips for an effective phishing test at your organization

You have provided security training to your employees. You have told them that phishing is a big issue when it comes to introducing malware into your network. You have trained them to not click, but instead to report suspicious emails. According to a dictionary definition, phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Phishing has become more and more sophisticated these days.  Phishing emails are looking more and more like the real thing every day. Emails with phishing links are still getting clicked on, and phishing is still a big door by which hackers install malware or ransomware or are able to steal valuable information.

How do you ascertain if your employees really grasped the phishing issue? How do you know whether they will click on that phishing link or not? How do you estimate your level of vulnerability?

One good way is by running a phishing test, also known as a phishing simulation, at your organization. 

Here are eight tips for running an effective phishing test at your organization:

1. Train your employees. Phishing is a key component of all employee security awareness programs. You have trained them in how to identify a suspicious email, and what to do and what not to do when they receive one.
2. Involve your IT or security department in planning the phishing test. Your IT or security department can help plan the test, execute it and review results. They are the best to determine if they have the right tools to execute a phishing test in-house, or if they need to engage an outside consultant for this project.
3. Plan the details of the phishing test. This involves detailed planning on who the emails will be sent from, whether it will be an internal email or external email, ensure that the offer or question sounds real, on what dates will different emails be sent out, who will receive the emails.  Design the landing page that employees will see if they click on the link within the emails.  Do you want employees to immediately be told that they have failed a phishing test, or at least that they have been phished?    If you are planning to simulate the test with an internal email, be sure to inform the “sender” of the email that you will be spoofing an email from them. 
4. Timing is key. Do phish and re-phish your employees, but do not send phishing campaigns too frequently. Make sure that tests are spaced out enough to avoid being too predictable.
5. Make the email believable. For instance, an email from the HR manager is likely to be opened more often than not.  An email with an emergency action may also be opened more especially if it comes from an internal source. For example, if the email design looks exactly like a valid internal email but has a strong warning message like “You changed your home address, is this correct. Click here to verify the change”.  This is likely to be opened more than an offer of a free gift card from your neighborhood coffee store.
6. Include employees at all levels in the phishing test. While planning the test, ensure that you include employees at all levels, including senior management and executives as well as staff at lower levels.
7. Review reports and statistics immediately. Check at least the following statistics:
   1. number of people who clicked
   2. if they provided any confidential information
   3. the number of people who reported the email
   4. the number of people who did nothing.
8. Communicate results carefully. It is important to educate employees who clicked on the phishing email and/ or compromised some valuable information.  Do commend employees who reported the suspicious email.  Inform employees that phishing tests will be conducted periodically. 

After running a phishing test, it's a good practice to send periodic security reminders to employees with tips on what to do and what not to do.  These reminders should be general security reminders, not just about phishing, as there are so many different types of vulnerabilities out there.  

Review the results of phishing simulations or tests as part of your annual security risk assessment or risk analysis. This can help you look at the bigger picture and adjust your strategy based on your overall level of vulnerabilities and security posture.