Give a man a FISH, feed him for a day.  Teach a man to recognize a PHISH, improve your security posture.

General understanding of how to recognize phishing techniques has improved in corporate settings over the last several years.  This is primarily due to security awareness training and to companies that take the time to run phishing campaigns in their own environments.  Phishing prevention is vitally important given the history of successful breaches that began with this technique.  According to the Techopedia website:

Phishing Statistics Highlights

  • Phishing attacks accounted for 36% of all US data breaches in 2023.
  • 1339 brands were targeted by phishing attacks in the fourth quarter of 2023.
  • The number of unique phishing sites (attacks) reached 5 million in 2023.
  • In 2023, phishing attacks were the second costliest source of compromised credentials.
  • Healthcare has remained the number one most costly industry for data breaches for 13 years, while other sectors are experiencing a switch in momentum.

To safeguard against such threats, it’s crucial for organizations to conduct their own phishing simulation campaigns. These simulations not only help in identifying vulnerabilities but also in educating employees about recognizing and responding to phishing attempts. When conducting phishing campaigns, here are some helpful tips for a successful program:

Define Clear Objectives for the Campaign

This is the who, what, when, and how of the effort.  

  • Who – Everyone with company email should be included, but some high-risk departments or functions may need more frequent education.
  • What – Most phishing tools will allow for different phishing options, such as malicious links, attachments, or credential collection.  Educate and test for all options, but only pick one method for each campaign.  This will make tracking metrics and results more effective.  
  • When – Decide how long the campaign will run and how long you will continue collecting data on user actions after the last email goes out.  If your tools allow, and depending on the size of the company, it is recommended to send the emails gradually over several days or a few weeks.  Sending thousands of phishing emails at the same time in a corporate environment can negatively impact the Service Desk and security analysts, especially if they are not aware of the exercise.
  • How – Phishing tools usually include well thought-out templates.  To avoid employees tipping off coworkers about the phishing test, pick 10-12 templates and send them at random, spread over the timeframe of the campaign.

Metrics

Track the users who fall for phishing emails.  If an employee is a repeat offender, offer additional prevention training.  If possible, provide reports on failures by department, click rates for each template used, and the overall percentage of users who fell for the phish.  Showing a reduction in the number of clicks from one campaign to the next will demonstrate the effectiveness of the phishing program over time.

Involve Others 

Department leaders outside of IT should be made aware of the high-level results for their areas of responsibility.  Their input on how to handle long-term repeat offenders is valuable, and their buy-in will be needed from the business side.  This is also an opportunity to educate leaders on the risks of phishing and its potential impact on your company.

Limit Who Knows about the Campaigns

As far as the actual campaign is concerned, keep the details to a limited group.  Notify the Service Desk manager because of the potential impact on call volume.  Security management should be informed because some of the emails will be reported by employees.  However, the templates being used and the timeframe should be known to as few people as possible.

Education after the Campaign

After each campaign, provide education tailored to the results.  Post articles, create newsletters, or send reminders on how to identify a phish.  It is important to define a process for how suspected phishing emails are reported and handled.  Some phishing tools include plugins that report the email directly from the email client.  In these cases, when an email is reported, it is factored into the metrics of the campaign.  Security personnel can then report not only on how many users clicked, but also on who recognized the email and reported it for further investigation.
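As an added example (not code from the original post or from AccessIT Group), the following computes the campaign metrics described in the Metrics section together with the report tracking discussed above: click rate and report rate per campaign, clicks by department and by template, repeat offenders across campaigns, and the click trend over time. The record layout, field names and action values are assumptions, and the data is a constructed sample, not real results.

```python
from collections import defaultdict

# Constructed sample results from two simulated campaigns (hypothetical data).
# One record per recipient per campaign; "action" is what the user did.
EVENTS = [
    {"campaign": "2024-Q1", "user": "alice", "dept": "Finance", "template": "invoice", "action": "clicked"},
    {"campaign": "2024-Q1", "user": "bob", "dept": "Finance", "template": "invoice", "action": "reported"},
    {"campaign": "2024-Q1", "user": "carol", "dept": "HR", "template": "payroll", "action": "none"},
    {"campaign": "2024-Q1", "user": "dave", "dept": "HR", "template": "payroll", "action": "clicked"},
    {"campaign": "2024-Q2", "user": "alice", "dept": "Finance", "template": "shipping", "action": "clicked"},
    {"campaign": "2024-Q2", "user": "bob", "dept": "Finance", "template": "shipping", "action": "none"},
    {"campaign": "2024-Q2", "user": "carol", "dept": "HR", "template": "invoice", "action": "reported"},
    {"campaign": "2024-Q2", "user": "dave", "dept": "HR", "template": "invoice", "action": "none"},
]

def rate(events, action, key=None):
    """Fraction of recipients whose action matched, overall or grouped by a field."""
    sent = defaultdict(int)
    hit = defaultdict(int)
    for e in events:
        k = e[key] if key else "overall"
        sent[k] += 1
        if e["action"] == action:
            hit[k] += 1
    return {k: round(hit[k] / sent[k], 3) for k in sent}

def campaign_report(events, campaign):
    """Summary for one campaign: who clicked, who reported, broken down as the post suggests."""
    ev = [e for e in events if e["campaign"] == campaign]
    return {
        "sent": len(ev),
        "click_rate": rate(ev, "clicked")["overall"],
        "report_rate": rate(ev, "reported")["overall"],
        "clicks_by_dept": rate(ev, "clicked", "dept"),
        "clicks_by_template": rate(ev, "clicked", "template"),
    }

def repeat_offenders(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns (candidates for extra training)."""
    clicked_in = defaultdict(set)
    for e in events:
        if e["action"] == "clicked":
            clicked_in[e["user"]].add(e["campaign"])
    return sorted(u for u, c in clicked_in.items() if len(c) >= min_campaigns)

def click_trend(events):
    """Click rate per campaign, to show whether clicks are falling over time."""
    return rate(events, "clicked", "campaign")

if __name__ == "__main__":
    for c in ("2024-Q1", "2024-Q2"):
        print(c, campaign_report(EVENTS, c))
    print("repeat offenders:", repeat_offenders(EVENTS), "trend:", click_trend(EVENTS))
```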

Phishing testing is a valuable procedure to improve overall security standing.  Access IT Group can assist with tool selection, general advice, or even managing campaigns.  If you would like to learn more, please contact us for additional information.

By: Matt Hileman – Lead Consultant – CISSP | CISA | QSA

Matt Hileman is a Lead Consultant for the Risk Advisory Services practice at AccessIT Group (AITG). He has years of experience in security, privacy, and compliance in hospitality and financial companies. Matt has a master’s degree in digital forensic science from the University of Central Florida and various certifications.
