Updated on April 11, 2023.
Phishing is an issue that needs to be taken seriously by businesses of all shapes and sizes. The best way to protect your company against an inevitable phishing attack is to prepare ahead of time. Educating employees and running phishing tests ensures that employees will be able to spot phishing attempts.
To run a successful phishing campaign test, you’ll want to first look for a phishing tool to help you administer the test, design the test and then analyze the results. In this guide, we’ll cover how to run a phishing test in the work environment so that your employees are prepared to spot these attacks before they fall for a real phishing scam.
What is Phishing?
Phishing is a type of cyber attack in which the attacker attempts to obtain sensitive information by pretending to be a trusted party that the victim knows. Phishing attacks most commonly take place through email or text messages and oftentimes contain urgent language so the targeted victim acts quickly.
As an example, let’s say you open your inbox and notice an email from the bank Chase concerning an update to your bank account. The email seems important, and the template looks just like the emails you normally receive from Chase, so you click on the link. However, that link is malicious and sends you to a spoofed site. A spoofed site is a site that is created to look legitimate but actually isn’t. Once you enter your login information into this site, you’re essentially handing your credentials to the attacker without even realizing it. Now the attacker has all the information they need to log into your legitimate Chase account.
In the workplace, a phishing email might come in the form of an email from your boss, with one slight misspelling, or from a coworker from a slightly different domain than usual. Typically, the email will ask you to provide sensitive information that the attacker will then use to steal from or hurt your company in some way.
What is a Phishing Test?
A phishing test is a program that lets companies send realistic, simulated phishing emails to employees to see how they would respond to them. These phishing tests allow companies to see how well their employees are trained to spot phishing attacks and provide them with phishing training if they interact with the simulated emails. By sending employees simulated phishing attacks, they’ll learn how to better spot them if they were to receive a real one – protecting your company in the long run.
How to Prepare Your Employees For a Phishing Test
Before you can begin administering a phishing test, you’ll need to find a phishing tool that you can use to run the test. There are many available, including free open-source ones like Gophish. Alternatively, you can look into commercial products like KnowBe4 and Infosec IQ.
Once you’ve decided on a tool, it’s time to notify and train your employees – after all, the goal is to educate them on the dangers of phishing and then test their performance.
If you run your test before alerting your employees, you risk losing their trust and making them feel like they’re being looked down on by the IT department. However, if you alert and train your employees beforehand, you increase the odds that they’ll view it as a valuable learning experience as opposed to an embarrassing and surprising failure on their end.
You’ll also need to rally your managers and department leaders to set parameters for the test. Many phishers use social engineering tactics, such as pretending to be a coworker or manager, to increase their chances of tricking their targets. So, it’s generally a good idea to work with department leaders to figure out how to target specific employees just like a real attacker would.
It’s important to make it clear how employees can report phishing attempts. For example, should they forward the email to IT? Report it to their manager? Employees are more likely to report emails when it’s not disruptive to their workflow, so your reporting process should be as painless as possible. The reporting process varies from tool to tool, so make sure you keep that in mind before choosing a phishing tool for your company.
How to Design a Phishing Test
When all the groundwork is laid, you can begin to sort out some of the specifics of your test, like how long it will last, what types of phishing schemes will be tested, the metrics you’ll be looking at and who will be tested.
The most insightful phishing tests never really end, since companies constantly have new employees joining who need to be trained and tested. Each new person who joins will start off with one phony phishing email per month using an obvious phishing template, which later escalates to a socially engineered email that looks like it’s from a coworker. Building up slowly helps your employees gain confidence instead of becoming discouraged after failing too quickly.
Before you begin the test, it’s important to decide with your team what types of phishing attacks you’ll use. For example, will you use spear phishing to target specific individuals? Whale phishing to go after the CEO and other executives? Will you include clone phishing as well? Typically, you’ll want to use several different phishing attacks to test your team members’ ability to recognize each of them.
To accurately measure and interpret what happens during the test, you’ll also need to select which metrics you’ll be monitoring. Generally, you’ll want to keep track of these three metrics:
- The number of employees who fall victim to a phishing attempt and leak data
- The number of employees who successfully recognize and report a phishing attempt
- Link click rates
When you run your test, don’t forget to include senior managers, executives and even board members. These high-level team members are often some of the biggest phishing targets, so they need to be prepared as well.
When all the details of your test’s design are settled, it’s time to launch it. The most important thing to keep in mind here is that the exact deployment schedule should stay under wraps. If employees know the schedule too well, they’ll be expecting phishing emails, which will throw off your results.
What to do After Receiving Phishing Test Results
Even though the test may be over, the work isn’t. After you’ve run the test, it’s time to look through the data and see how your company performed.
To start, you’ll want to see whether you hit the objectives that you were hoping to: did fewer employees fall for the phishing emails over time? Did link click rates decrease? Did the number of employees who reported suspicious emails increase?
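The three metrics listed in the design section, and the over-time questions above, can be computed directly from a campaign’s per-employee results. This is an added example, not code from the article or from any particular phishing tool; the status names are a constructed, Gophish-style list (an assumption; your tool’s export will differ).

```python
"""Compute the three phishing-test metrics (compromise, report, click rates)
per campaign and check whether they moved in the right direction over time.
Added example; the record format is a constructed, Gophish-like status list."""
from collections import Counter

# Constructed sample data: one final status per targeted employee, per campaign.
# Assumed statuses: "Email Sent", "Clicked Link", "Submitted Data", "Email Reported".
CAMPAIGNS = {
    "2023-01 bank alert": ["Clicked Link", "Submitted Data", "Submitted Data",
                           "Email Sent", "Email Reported", "Clicked Link",
                           "Submitted Data", "Email Sent"],
    "2023-02 coworker doc": ["Email Sent", "Email Reported", "Email Reported",
                             "Clicked Link", "Submitted Data", "Email Sent",
                             "Email Reported", "Email Sent"],
}


def campaign_metrics(statuses):
    """Return the three rates as fractions of targeted employees.
    'Submitted Data' also counts as a click: nobody submits the landing-page
    form without following the link first."""
    n = len(statuses)
    if n == 0:
        raise ValueError("campaign has no targets")
    c = Counter(statuses)
    leaked = c["Submitted Data"]
    clicked = c["Clicked Link"] + c["Submitted Data"]
    reported = c["Email Reported"]
    return {"compromise_rate": leaked / n,
            "report_rate": reported / n,
            "click_rate": clicked / n}


def trend(campaigns):
    """Compare the first and last campaign: fewer victims, fewer clicks,
    more reports is the outcome the test is aiming for."""
    names = list(campaigns)
    first = campaign_metrics(campaigns[names[0]])
    last = campaign_metrics(campaigns[names[-1]])
    return {"fewer_victims": last["compromise_rate"] < first["compromise_rate"],
            "fewer_clicks": last["click_rate"] < first["click_rate"],
            "more_reports": last["report_rate"] > first["report_rate"]}


if __name__ == "__main__":
    for name, statuses in CAMPAIGNS.items():
        print(name, campaign_metrics(statuses))
    print(trend(CAMPAIGNS))
```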
When you’ve looked through all the data, it’s time to make a decision regarding how to move forward. Generally, it’s a good idea to present the results to your company so that everyone can see where improvement is needed. However, it’s important not to single out specific departments or employees publicly.
It’s inevitable that some employees will turn out to be low-performers, so it’s important to approach them with tact and understanding. The test is meant to be a learning experience, so there’s no reason to be rude or condescending to low performers. That said, you will want to provide additional training to them so that they can improve. Most phishing tools have the option to administer further phishing training to individuals who may need it.
Boosting Your Cybersecurity Starts With Employees
Running a phishing test is only one piece of a larger cybersecurity puzzle. To keep your company secure over the long haul, it’s vital to keep cybersecurity in the front of everyone’s mind with periodic training and continual testing initiatives.
Additionally, it can be useful to upgrade other areas of your company’s security by implementing privileged access management and requiring employees to use password managers. Password managers help employees maintain safe and secure passwords with ease – guarding your company against common password attacks. Plus, they can directly protect against phishing attempts because they will only autofill passwords on direct URL matches, not phony URLs from a phishing site.
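The autofill behaviour described above works because a password manager compares the page’s origin with the saved one rather than eyeballing the URL. The following is an added illustration, not code from the article or from any real password manager; the vault contents and URLs are constructed, and matching on the exact origin is a stricter simplification of what real products do.

```python
"""Why a password manager stays silent on a phishing page: it matches the
saved entry's origin (scheme + host + port) against the current page, so a
look-alike host that merely contains the trusted name gets nothing.
Added example with a constructed vault; not any real product's logic."""
from urllib.parse import urlsplit

# Constructed vault: one saved login keyed by its exact origin.
VAULT = {
    "https://www.chase.com": {"user": "alice", "password": "[placeholder]"},
}


def origin(url):
    """Normalize a URL to its origin. Returns None for non-HTTPS pages so a
    credential saved for HTTPS is never offered over plain HTTP."""
    p = urlsplit(url)
    if p.scheme != "https" or not p.hostname:
        return None
    port = p.port or 443
    host = p.hostname.lower()
    return f"https://{host}" if port == 443 else f"https://{host}:{port}"


def autofill(url):
    """Return the saved credential only when the page origin equals the
    origin the credential was saved for; otherwise None."""
    o = origin(url)
    return VAULT.get(o) if o else None


def naive_autofill(url):
    """The mistake a hurried human makes: treat any URL that *contains* the
    trusted host name as trusted. Included only to contrast with autofill()."""
    for saved, cred in VAULT.items():
        if urlsplit(saved).hostname in url:
            return cred
    return None
```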