If you want to run the best phishing simulation tests possible that actually make your people more risk-aware, do these three things.
1. Make Phishing Tests Real
Make your phishing tests as real as possible. As the military maxim goes, ‘train as you fight, fight as you train’. While training for the D-Day landings, soldiers were instructed to make pretend gunshot sounds instead of pulling the trigger, to conserve ammunition (blanks still need casings) for the real event. When the real event came, soldiers would occasionally revert to their training and shout ‘Bang, Bang!’ instead of pulling the trigger.
Don’t send those awful phishing emails that so many vendors push on you. Forget the Microsift and Goggle emails and logos. Don’t be afraid to use all of the official logos, style guides, and trademarks. Criminals don’t care about trademark infringement. When organised crime comes after your colleagues it will be branded like the real thing.
The best phishing tests use either real emails from real companies with the original links replaced by your phishing links, or real, high-quality phishing emails captured from actual criminals, so that you run the same scenarios criminals are running for real. If you reuse a captured criminal email, strip its attachments and any live payload first and re-point every link at your own landing page: the only thing that should be real is the lure.
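Taking a real email and swapping its links for your own is mostly mechanical, and it is worth doing properly rather than with a search-and-replace that breaks the HTML. The script below is an added example, not the article's own tooling: it walks the HTML of a message, re-points every http(s) link at a simulation landing page, and tags each link with a per-recipient token so the landing page can attribute the click and show the trainee where the link really went. The landing URL, the campaign secret and the sample invoice email are all constructed for the example; non-web links such as mailto: are left alone.

```python
from html import escape
from html.parser import HTMLParser
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical landing page that records the click and serves the feedback page.
LANDING_URL = "https://phish-sim.example.com/c"
# Per-campaign secret (constructed here; load it from a secret store in practice).
CAMPAIGN_SECRET = b"constructed-example-secret"


def click_token(campaign_id: str, recipient: str) -> str:
    """Opaque per-recipient token: lets the landing page attribute the click
    without putting the recipient's address in the URL."""
    msg = f"{campaign_id}:{recipient}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def tracking_url(original: str, campaign_id: str, recipient: str) -> str:
    """Landing-page URL carrying the click token and the original destination."""
    query = urlencode({"t": click_token(campaign_id, recipient), "u": original})
    return f"{LANDING_URL}?{query}"


def decode_click(url: str) -> tuple[str, str]:
    """What the landing page does on arrival: recover token and original link."""
    q = parse_qs(urlparse(url).query)
    return q["t"][0], q["u"][0]


class LinkRewriter(HTMLParser):
    """Re-emit the HTML unchanged except that every http(s) <a href> is replaced."""

    def __init__(self, campaign_id: str, recipient: str):
        # convert_charrefs=False so entities like &amp; are passed through verbatim.
        super().__init__(convert_charrefs=False)
        self.campaign_id = campaign_id
        self.recipient = recipient
        self.out: list[str] = []
        self.rewritten: list[str] = []  # original targets that were replaced

    def _attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if (tag == "a" and name.lower() == "href" and value
                    and value.lower().startswith(("http://", "https://"))):
                self.rewritten.append(value)
                value = tracking_url(value, self.campaign_id, self.recipient)
            # HTMLParser hands us decoded attribute values, so re-escape on output.
            parts.append(f' {name}="{escape(value, quote=True)}"'
                         if value is not None else f" {name}")
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_email(html_body: str, campaign_id: str, recipient: str):
    """Return (rewritten HTML, list of original links that were replaced)."""
    parser = LinkRewriter(campaign_id, recipient)
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.rewritten


# Constructed sample: a plausible invoice notification with one web link and one mailto.
SAMPLE_EMAIL = """<html><body>
<p>Your invoice is ready. <a href="https://billing.example.com/inv/123" style="color:#0a0">View invoice</a></p>
<p>Questions? <a href="mailto:support@example.com">Contact support</a>. Terms &amp; conditions apply.</p>
</body></html>"""

if __name__ == "__main__":
    body, links = rewrite_email(SAMPLE_EMAIL, "inv-2024-q3", "alice@example.com")
    print(body)
    print("replaced:", links)
```

Keeping the original destination in the landing URL is what makes the feedback page in the next section possible: when the trainee lands, you can show them the branded email they saw and, next to it, the real hostname the link would have taken them to. The token is an HMAC of campaign and recipient rather than the address itself, so a forwarded or screenshotted link does not leak who received it.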
2. Provide Instant and Relevant Feedback When People Fail
When you make a mistake, the greatest gift you can receive is instant feedback on exactly what you did wrong. Only with feedback can you perform better next time. When someone falls for your phishing test, show them a simple web page with annotated screenshots of the exact email and website they clicked through to reach it.
Highlight all of the warning signs that were missed.
If you show me where I went wrong and what I should look for next time, there’s a pretty good chance I’ll be looking out for it in future.
Phishing awareness vendors don’t do this because it’s a lot of work. You need to send a test email to yourself and capture screenshots from your own company devices in order to make it look exactly like what the trainee just saw. Do it from a company mobile and company laptop with the standard mail clients. Leave all of the banners and buttons and other things that make up the normal experience. It should feel like you’ve just taken a screenshot of their own device and you’re displaying it back to them with added notes.
3. Give Repeat Victims Person-to-Person Phishing Awareness Training
Don’t send people mandatory video courses that they must watch before passing a quiz. Most people don’t watch them. They press play, then go for coffee. They know that you track how long they spent watching it and they want you to leave them alone. When they return, they click through the quiz and hope for the best, repeating until they get the correct multiple choice answers.
Instead, organise interactive, person-to-person training sessions, either individually or within a small group of their peers, where you ask questions and listen instead of just lecturing. Sometimes people don’t understand why it’s such a big deal. Invest your time to show your commitment. Find out what motivates them and what concerns them in their own lives, and find a way to relate the risks they face online to their own reality as they perceive it.
If you found this useful, check out my article Inside a Real SMS Phishing Attack for an insight into how an identity theft phishing scam plays out.