
3 Tips To Run The Best Phishing Tests In The World

July 3, 2020 By Craig Hays Leave a Comment


1. Make Phishing Tests Real

Make your phishing tests as real as possible. As the military maxim goes, ‘train as you fight, fight as you train’. While training for the D-Day landings, soldiers were instructed to make pretend gunshot sounds instead of pulling the trigger to conserve ammo (blanks still need casings) for the real event. When the real event came, soldiers would occasionally revert to their training and shout ‘Bang, Bang!’ instead of pulling the trigger.

Don’t send those awful phishing emails that so many vendors push on you. Forget the Microsift and Goggle emails and logos. Don’t be afraid to use all of the official logos, style guides, and trademarks. Criminals don’t care about trademark infringement. When organised crime comes after your colleagues, it will be branded like the real thing.

The best phishing tests do one of two things: either they take real emails from real companies and replace the original links with simulation links, or they reuse real, high-quality phishing emails sent by actual criminals and run the same scenarios that criminals are running for real.

2. Provide Instant and Relevant Feedback When People Fail

When you make a mistake, the greatest gift you can receive is instant feedback on exactly what you did wrong. Only with feedback can you perform better next time. When someone falls for your phishing test, show them a simple web page with annotated screenshots of the exact email and website they clicked through to reach it.

Highlight all of the warning signs that were missed.

If you show me where I went wrong and what I should look for next time, there’s a pretty good chance I’ll be looking out for it in future.

Phishing awareness vendors don’t do this because it’s a lot of work. You need to send a test email to yourself and capture screenshots from your own company devices in order to make it look exactly like what the trainee just saw. Do it from a company mobile and company laptop with the standard mail clients. Leave all of the banners and buttons and other things that make up the normal experience. It should feel like you’ve just taken a screenshot of their own device and you’re displaying it back to them with added notes.

3. Give Repeat Victims Person-to-Person Phishing Awareness Training

Don’t send people mandatory video courses that they must watch before passing a quiz. Most people don’t watch them. They press play, then go for coffee. They know that you track how long they spent watching it, and they want you to leave them alone. When they return, they click through the quiz and hope for the best, repeating until they get the correct multiple-choice answers.

Instead, organise interactive, person-to-person training sessions, either individually or within a small group of their peers, where you ask questions and listen instead of just lecturing. Sometimes people don’t understand why it’s such a big deal. Invest your time to show your commitment. Find out what motivates them and what concerns them in their own lives. Then find a way to relate the risks they face online to their own reality as they perceive it.
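Tips 2 and 3 only work if you can tell a first-time click from a repeat victim across several campaigns. The following is an added example, not code from the original post or from any simulation product: it takes per-campaign simulation results (the campaign IDs, user names and outcome labels below are constructed, hypothetical data) and decides who gets the annotated feedback page and who gets a person-to-person session. Clicking the same test email twice in one campaign is counted as a single failed campaign, so repeat status reflects separate tests rather than repeated curiosity about one.

```python
from collections import defaultdict

# Outcomes that count as falling for the simulation. Anything else
# (reported, ignored, opened without clicking) is not a failure.
FAILURE_OUTCOMES = {"clicked", "submitted_credentials"}

# Constructed sample data: one row per user per simulated campaign.
# Fields: (campaign_id, user, outcome). Names and campaigns are hypothetical.
SIMULATION_RESULTS = [
    ("2020-q1-invoice", "alice", "reported"),
    ("2020-q1-invoice", "bob",   "clicked"),
    ("2020-q1-invoice", "carol", "ignored"),
    ("2020-q1-invoice", "dave",  "submitted_credentials"),
    ("2020-q2-parcel",  "alice", "reported"),
    ("2020-q2-parcel",  "bob",   "ignored"),
    ("2020-q2-parcel",  "carol", "clicked"),
    ("2020-q2-parcel",  "dave",  "submitted_credentials"),
    ("2020-q3-payroll", "alice", "ignored"),
    ("2020-q3-payroll", "bob",   "clicked"),
    ("2020-q3-payroll", "bob",   "clicked"),   # second click in the same campaign
    ("2020-q3-payroll", "carol", "reported"),
    ("2020-q3-payroll", "dave",  "submitted_credentials"),
]


def failed_campaigns(results):
    """Map each user to the set of campaigns they fell for.

    A set is used so that clicking the same simulated email twice counts
    as one failed campaign, not two.
    """
    failed = defaultdict(set)
    for campaign_id, user, outcome in results:
        if outcome in FAILURE_OUTCOMES:
            failed[user].add(campaign_id)
    return dict(failed)


def training_action(results, repeat_threshold=2):
    """Decide the follow-up for every user seen in the results.

    'none'             - never fell for a simulation
    'feedback_page'    - fell once: show the annotated screenshot page (tip 2)
    'person_to_person' - fell for repeat_threshold or more campaigns:
                         schedule an interactive session (tip 3)
    """
    failed = failed_campaigns(results)
    users = {user for _, user, _ in results}
    actions = {}
    for user in sorted(users):
        failure_count = len(failed.get(user, ()))
        if failure_count == 0:
            actions[user] = "none"
        elif failure_count < repeat_threshold:
            actions[user] = "feedback_page"
        else:
            actions[user] = "person_to_person"
    return actions


def repeat_victims(results, repeat_threshold=2):
    """Users who need person-to-person training, with the campaigns they fell for."""
    failed = failed_campaigns(results)
    return {user: sorted(campaigns)
            for user, campaigns in failed.items()
            if len(campaigns) >= repeat_threshold}


if __name__ == "__main__":
    for user, action in training_action(SIMULATION_RESULTS).items():
        print(f"{user:6} -> {action}")
    print("repeat victims:", repeat_victims(SIMULATION_RESULTS))
```

The `repeat_threshold` is deliberately a parameter: a small organisation running monthly tests might treat a second failure as the trigger for a conversation, while a large one with quarterly tests may only have the capacity to sit down with people who fail three times.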


If you found this useful, check out my article Inside a Real SMS Phishing Attack for an insight into how an identity theft phishing scam plays out.
