Simulated phishing: Communications strategy

Erlend Andreas Gjære | 4 October 2021

How do you prepare an organization for you to try and trick them? In the second part of this series on simulated phishing, we provide the outline for a communications plan.

If you haven't read it already, don't miss our first post about goals and methodology!

When your overall goal has been decided for your simulated phishing exercise, it is time to plan your internal communications strategy. This is useful for ensuring your chosen goal is achieved throughout the organization, and that everyone understands why your phishing simulation is necessary and useful.

Be aware that since people in your organization are all different individuals, their reaction to getting tricked by their own colleagues may vary. By getting your communications right, both ahead of and after the phishing simulation, you retain much greater “control” over their reactions.

Your communications strategy should align with your goal for the exercise. You should also make sure that all relevant target groups are considered.

Therefore, analyze your communications needs, and decide what each message should look like, depending on their timing and target group. Here is an example, defining the who (target group), when and what for each message:

Who: Executive management
When: Before
What: Explain why email is a risk to the organization, what simulated phishing is, and what you are looking to achieve (your goal!). If needed to get approval, describe the planned theme of your simulated email, and the steps taken to ensure the desired outcome, including your communications plan.

Who: Internal helpdesk
When: Before
What: Describe the simulated email sample which will be sent out, including sender email, subject and any links/attachments included. Ensure support personnel are provided with a specific response for every user who contacts support in relation to the simulation, and that they are all on board with your overall objective.

Who: Employees
When: Before (possibly)
What: Unless you have performed such simulations internally before, you should publish a general notice regarding the upcoming simulation. This is important since nobody is going to be expecting their own colleagues to be trying to trick them without being warned. Include a description of your objective, and focus on the desired/expected behavior, e.g. reporting the phishing email to your helpdesk.

Who: Employees
When: After
What: Inform your colleagues about the results of the simulation. This could be done a couple of days afterwards, and should summarize the main results. Keep in mind, however, that the results are not necessarily how many people have clicked. A positive statement about how many people reported the phishing simulation is more likely to promote desired behavior in the future.

Who: Internal helpdesk
When: After
What: Thank the helpdesk for helping out when they probably received a bit more noise than usual. But also use the opportunity to gather any feedback they have collected from end-users, to include when evaluating the rehearsal afterwards.

Who: Executive management
When: After
What: If this was the first time a phishing simulation was performed in your organization, there will possibly be interest in an analysis of what the results mean in terms of the organization's risk exposure. Therefore, prepare your message for any follow-up, including any further steps needed to achieve your overall objective for the rehearsal.

It may be useful to involve your organization’s communications team when you plan ahead. This is both because they usually excel at making a message understandable for everyone, and because they can simply relieve you of some work related to the exercise.

In some organizations, getting executive management support for the exercise could be crucial to success. However, a single management sponsor may be all you need, and you may not want to give management all the details of what and when, so that they are entirely "off the hook". If management is completely exempted from the exercise, others in the organization may more easily perceive a degree of internal hostility when the results arrive.

See below for examples of what to communicate to management, employees and the internal helpdesk.

Should people know in advance?

To the question on whether you should let your colleagues know about the exercise up front, this may also depend on your goal for the exercise. In general, do not be afraid of “broken” statistics due to giving people a heads up – in the end, these statistics do not really matter.

You should instead take extensive action to avoid people feeling tricked by their own security team, which could lead to a negative experience. On the other hand, you may skip the advance notice when people get used to the idea of receiving simulated phishing, since you do not want people to only be alert when you told them up front.

Finally, internal helpdesk personnel are key to securing a good experience for everyone. These people are the ones most likely to be contacted by users who are not sure what the email is about, want to report it, or have already been tricked. In all cases, it is good to ensure the quality of how such users are followed up on, by preparing a standard response for the helpdesk, or by preparing one together with them.

Also, this final step ensures that helpdesk personnel do not waste any time analyzing the simulated phishing email and responding to it like any other phishing campaign. Therefore, you should brief your contact person in the helpdesk on the exact appearance of the phishing email, so the proper response can be identified efficiently.

And this task brings us to the next step in your simulation, which is to design the scam itself. This will also be the topic for our next post in this series, so thanks for reading, and stay tuned!


Examples of information to stakeholders

For your convenience, we provide below some templates you can use to prepare your phishing simulation, as described above.

Info to Executive Management

Cyber threats represent a high risk to our company, and one which needs to be continuously monitored and mitigated on multiple levels.

Phishing is usually the most common way for hackers to get unauthorized access to a company. The big challenge here is that any employee can be a target, either due to their specific role or simply because they have an email address in the company.

A phishing email will typically trick the recipient into opening a harmful attachment (e.g. ransomware), clicking a link where sensitive information (e.g. their password) is entered, or simply responding, to be subsequently tricked into other harmful actions (e.g. a wrongful payment).

We already use a range of technologies to reduce the risk of any employee – and ultimately our company – becoming a victim to phishing. However, we must also ensure that our employees are aware of email risks, and learn how hackers try to trick them in practice.

Therefore, we have planned a simulated phishing attack on our company. Seemingly harmful emails will be sent to all employees during _________ (time period), including to management.

A summary of results from the phishing simulation will be presented to management and employees after completion.


Info to Employees

Dear colleagues,

As you may know, not all emails are safe to engage with. Clicking a link, opening an attachment, or sharing sensitive information via such emails, may cause harm to your computer, phone, bank account or online identity. Similar harm may also be caused to our company, with negative consequences for all of us, including our customers.

To increase general awareness of how cyber criminals are trying to trick us, we are therefore going to do a phishing exercise. This involves sending all of you a seemingly harmful email at some point in the near future.

If you receive such an email, we hope you will not be tricked. Instead, we encourage all of you to report suspicious emails, by ________ (method, e.g. using the MailRisk button).

Results will be reviewed and shared internally afterwards, on a strictly statistical level. Should you be tricked, we still urge you to report the email as soon as possible. Quick reporting leads to professional handling, and

Should you have any questions or concerns with this exercise, please contact __________. Good luck!


Info to IT Helpdesk

During _______ (time), our team will run a phishing simulation exercise for employees, to increase awareness about phishing among our colleagues.

For any employees contacting our helpdesk regarding this simulated email, we kindly ask you to always provide a friendly and helpful response, e.g. as follows:

Thank you very much for reporting this email as suspicious!

In this case, you have correctly identified a simulated phishing email, which was sent to you as part of an internal exercise.

We appreciate your effort, and hope that you will report any other suspicious emails in the future, by ________ (method, e.g. using the MailRisk button).

To correctly identify the phishing simulation email we have prepared, please see ________ (attachment). We kindly ask that you do not share any of these details before the exercise has actually started.
