Simulated Phishing Email Campaign Best Practices

Want to get the most out of a simulated phishing email campaign targeting your employees? Check out our list of phishing best practices.

How to Get More From Your Phishing Campaigns

Someday, maybe on a day just like today, your employees will get a phishing email.

The sheer number of such emails zipping around cyberspace guarantees this. Verizon Enterprises’ 2018 Data Breach Investigations Report (DBIR) found that phishing and pretexting represent 98% of social incidents and 93% of breaches, with email still the most common vector, at a staggering 96% (up from 88% last year).

Unfortunately, public awareness of phishing emails doesn’t seem to be keeping up. MediaPRO’s 2018 State of Privacy and Security Awareness Report found that 14% of employees lacked the ability to correctly identify phishing emails, up from 8% of employee who struggled in this area the year before.

Clearly, phishing attempts as a way into organizations’ sensitive data show no signs of slowing down. Enter the phishing simulation campaign, an increasingly popular way for employers to see how vulnerable their people are to this social engineering attack.

But what makes a good simulated phishing campaign? Though MediaPRO offers its own phishing tool and associated training, we’ve developed some tips and tricks that can apply to any phishing initiative you may launch. An important point to remember, though, is this: in our experience, phishing does not equal training.

Simulated phishing campaigns are not a panacea and will not by themselves fix your employees’ risky behaviors. Industry analysts at Gartner say as much, in their report Innovative Insight for Anti-Phishing Behavior Management:

“Anti-phishing behavior management solutions are not a tool for initiating cultural change. Assess your organizational culture first, and deploy anti-phishing as part of a comprehensive program of security behavior management and education.”

The best results come from using simulated phishing campaigns as ways to find members of your organization who need training the most. Then, follow up with these employees with real remediation, like trackable training modules tied to a learning management system (LMS) and reinforcement content, such as videos and games.

With that said, phishing your own employees has benefits. Here are some best practices for getting the most out of your phishing campaigns.

Before You Phish

Before you begin your campaign, there are a few things you should consider. First, we recommend telling your employees to expect simulated phishing emails. Why tip them off to what is essentially a pop quiz? To make them feel like part of the team.

The goal of your phishing campaign is to provide employees with a safe, simulated environment where they can learn about what real phishing attempts look like in the wild. It shouldn’t feel like a “gotcha” moment, or an attempt to make your employees feel stupid. Alerting your employees beforehand is a good way to make them feel like you’re all working together toward keeping your organization’s digital infrastructure and sensitive data safe.

This announcement is also a good time to remind your employees why it’s so important to recognize suspicious emails. Real malicious emails can come with a wide and terrifying variety of malware, including the infamous ransomware. These attacks can lead to data loss and breaches, which result in damaged reputation, loss of customer trust, loss of revenue, and even fines. It’s up to everyone to keep your organization safe! Try getting your CEO involved and position the announcement as a letter from him or her to drive home the top-down importance your organization gives to cybersecurity awareness.

Second, (that was a long “first,” wasn’t it?) make sure you inform other departments within your organization if you’re planning to spoof emails from them (we’ll talk more about using a variety of spoofed emails later).

Hackers are going to send your employees emails that appear to come from individuals, like a CEO looking for an urgent wire transfer, or departments, like HR, asking for a quick turnaround on personal information. Get the participation of those individuals before the campaign, so you can make sure that you’re not interrupting their normal work with a flood of worried emails from your employee population.

Check out our white paper for insight why a security awareness program should not depend solely on simulated phishing attacks

Ready, Set, Phish!

Now let’s turn to the phishing campaign strategy itself. What sort of emails should you send, and how often? What should the emails say? Hackers show no lack of creativity when it comes to phishing, so your campaigns should reflect that.

Variety in the email content itself is key. First, consider varying the type of attacks you spoof. Bad actors will send malicious emails asking your employees to open attachments, or simply click on a link. Try campaigns using one, or both, of these attack vectors. Also, consider mixing up the source of your spoofed emails. Is that an actual package notification from a major shipping company? Is that request for tax information actually from your own HR department? Both are common real phishing attempts, which means both are fodder for your campaign.

Make Them Believe It

Variety in email content blends into another point: believability. If you’re spoofing an email that’s meant to look like it’s coming from your HR department, use appropriate company language, terms, and names. A request for personal employee information makes no sense coming from your IT staff, but a password reset notification does. We should reiterate here: tell your internal departments you’re going to be spoofing emails from them before you send any emails!

You should follow the same strategy for spoofed external emails. Fake shipping notifications are best used around the holidays when your employees are more likely to expect packages. Fake emails concerning income taxes are best sent around tax season for, well, we hope pretty obvious reasons.

Fake emails like this that look like they're coming from real companies are great ways to determine how eager your employees are to click on actual phishing attacks.
Fake emails like this that look like they’re coming from real companies are great ways to determine how eager your employees are to click on actual phishing attacks.

No matter the strategy, making your phishing attempts look real is important to finding out your employees’ true knowledge of the real phishing threats out there in the wild. A very important caveat to keep in mind here: be sure not to infringe upon the copyrights of any private companies or government agencies. Logos are trademarked for a reason, and most organizations would not respond kindly to their logos being included in any phishing emails, even if they’re fake.

Timing is Everything

When we speak of variety, we also mean how often you send out emails. It’s vital to phish employees more than once with different types of emails over the life of your campaign. This way, you’ll get a truer gauge of what attack vectors your people are most susceptible to.

Depending on the results of your very first send, you’ll want to space phishing campaigns out over several weeks to once per quarter to hone in on what types of emails trip your employees up the most. This will help inform what sort of training content to deploy later.

Turning the Dial

Another place for variety is in the complexity of your phishing campaigns. Fake shipping notifications, too-good-to-be-true sweepstakes announcements—these are great ways to get started with your phishing campaign. But as you progress, you’ll likely start to notice click rates go down and reporting rates go up as your employees begin to expect getting phished. This is where measured increases in campaign complexity come in. Spoofed internal emails, for example, often prove harder to spot because there’s a certain level of trust inherent in an email that appears to be from a colleague.

You can also achieve increasing complexity through department-specific campaigns. For example, clients often tell us that HR staff members are particularly susceptible to spoofed emails with attachments. This is likely because HR personnel are the first point of contact for job applications, which often come with attached resumes, work samples, etc.  Whatever the method, you’ll want to gradually “turn the dial” on your campaigns’ complexity to make sure your employees are continually challenged.

After the Phish

So your campaign, or set of campaigns, has run its course. Now what? It’s time to look at the data. First of all, congratulate the people who passed! Use the results to send those individuals an email and thank them for being diligent and protecting the company from threats. Also consider providing rewards for those who consistently avoid phishing attempts, such as gift cards, or a lunch on the company. Everyone loves free food!

For the people who consistently fell for your spoofed emails, follow up with training courses in a real LMS, so their progress can be tracked. In MediaPRO’s own Phishing Simulator, targets who click on phishing lures see a teachable moment on the landing page that’s displayed to them. But you can also configure the campaign to automatically enroll them in real training inside of MediaPRO’s LMS. In the LMS, administrators can track each employees progress to make sure they complete their training. Admins can also set due dates for training and automate the sending of reminder emails that are sent to employees until the training is finished.

In addition to separating the easily phished from the rest, note what departments are most susceptible and measure whether they’re getting better or worse. Seeing total clicks go down is the most common indicator of improvement, but user reporting is another very powerful tool. Seeing your click rate steadily drop is always the primary goal, but a steady rise in the in people reporting phishing messages is another key way to measure improvement.

Phish, and Phish Again!

Most importantly, re-phish your employees! We see re-phishing following deployed training content as mandatory for a truly successful awareness initiative. Determine who has already fallen prey to previous phishing attacks, follow-up with them, and see if they’ve improved.

One-off phishing campaigns don’t teach. Phishing simulation is testing, and you need regular testing to measure your employee population and make sure that their defenses remain strong.

Put simply: Practice makes perfect. Your employees, like a professional football team, need to practice regularly to stay sharp. It takes a regular stream of varied approaches to ensure employees keep their skills honed and perform their best when it really counts.

More than Phishing

At MediaPRO, we believe a simulated phishing campaign is a great way to stress-test employee awareness about phishing … but it should not stand on its own.

Since any phishing weakness among your employees is likely a symptom of a larger lack of understanding about cybersecurity best practices, anti-phishing training alone won’t provide the cure. It’s likely that the same employees who click on phishing emails also have a poor grasp on things like password security, safe mobile computing practices, and more.

A comprehensive security awareness program identifies all of your behavioral risks and includes regular training and reinforcement that seeks to change employee behavior and build a risk-aware culture.

Such a culture will help inoculate an organization against myriad cybersecurity threats for years to come.

MediaPRO’s Phishing Simulator is an optional component of all our TrainingPacks, which included comprehensive security and privacy awareness training coverage, employee assessments, and customer support. Speak to an expert to learn more or request a demo.

Share this Post

Watch Our Free Webinar on Phishing Best Practices

Watch Webinar