Simulated phishing: Communications strategy
How do you prepare an organization for you to try and trick them? In the second part of this series on simulated phishing, we provide the outline for a communications plan.
If you haven't read it already, don't miss our first post about goals and methodology!
When your overall goal has been decided for your simulated phishing exercise, it is time to plan your internal communications strategy. This is useful for ensuring your chosen goal is achieved throughout the organization, and that everyone understands why your phishing simulation is necessary and useful.
Be aware that since people in your organization are all different individuals, their reaction to getting tricked by their own colleagues may vary. By getting your communications right, both ahead of and after the phishing simulation, you retain much greater “control” over their reactions.
Your communications strategy should align with your goal for the exercise. You should also make sure that all relevant target groups are considered.
Therefore, analyze your communications needs, and decide what each message should look like, depending on their timing and target group. Here is an example, defining the who (target group), when and what for each message:
|
Who |
When |
What |
|
Executive management |
Before |
Explain why email is a risk to the organization, what simulated phishing is, and what you are looking to achieve (your goal!). If needed to get approval, describe the planned theme of your simulated email, and steps taken to ensure the desired outcome – including your communications plan. |
|
Internal helpdesk |
Before |
Describe the simulated email sample which will be sent out, including sender email, subject and any links/attachments included. Ensure support personnel are provided with a specific response for every user who contacts support in relation to the simulation, and that they are all on board with your overall objective. |
|
Employees |
Before (possibly) |
Unless you have performed such simulations internally before, you should publish a general notice with regards to the upcoming simulation. This is important since nobody is going to be expecting their own colleagues to be trying to trick them without being warned. Include a description of your objective, and focus on the desired/expected behavior, e.g. reporting the phishing email to your helpdesk. |
|
Employees |
After |
Inform your colleagues about the results of the simulation. This could be done a couple of days afterwards, and should summarize the main results. Keep in mind, however, that the number of people who have clicked or been tricked are not necessarily the results you are looking for. Instead, a positive statement about how many people reported the phishing simulation is more likely to promote desired behavior in the future. |
|
Internal helpdesk |
After |
Thank the helpdesk for helping out when they probably received a bit more noise. But also use the opportunity to gather any feedback they have collected from end-users, to include when evaluating the rehearsal afterwards. |
|
Executive management |
After |
If this was the first time a phishing simulation was performed in your organization, there will possibly be interest in an analysis of what the results mean in terms of the organization’s risk exposure. Therefore, prepare your message for any follow-up, including any further steps needed to achieve your overall objective for the rehearsal. |
It may be useful to involve your organization’s communications team when you plan ahead. This is both because they usually excel at making a message understandable for everyone, and because they can simply relieve you of some work related to the exercise.
In some organizations, getting executive management support for the exercise could be crucial to succeed. However, a single management sponsor may be everything you need, and you may not want to give management all the details of what and when to that they are entirely “off the hook”. If management is completely exempted from the exercise, others in the organization may more easily perceive a degree of internal hostility when the results arrive.
See below for examples of what to communicate to both management, employees and internal helpdesk.
Should people know in advance?
To the question on whether you should let your colleagues know about the exercise up front, this may also depend on your goal for the exercise. In general, do not be afraid of “broken” statistics due to giving people a heads up – in the end, these statistics do not really matter.
You should instead take extensive action to avoid people feeling tricked by their own security team, which could lead to a negative experience. On the other hand, you may skip the advance notice when people get used to the idea of receiving simulated phishing, since you do not want people to only be alert when you told them up front.
Finally, internal helpdesk personnel are key to securing a good experience for everyone. These people are the ones most likely to be contacted by users who are not sure what the email is about, wants to report it, or have already been tricked. In all cases, it is good to ensure the quality of how they are followed up on, by preparing a standard response for them, or in collaboration.
Also, this final step ensures that helpdesk personnel do not waste any time analyzing the simulated phishing email and responding to it like any other phishing campaign. Therefore, you should include your contact person here on the exact appearance of the phishing email, so the proper response can be identified efficiently.
And this task brings us to the next step in your simulation, designing the scam itself, which is the topic for our next post in this series.
Examples of information to stakeholders
For your convenience, we provide below some templates you can use to prepare your phishing simulation, as described above.
Info to Executive Management
Cyber threats represent a high risk to our company, and one which needs to be continuously monitored and mitigated on multiple levels.
Phishing is usually the most common way for hackers to get unauthorized access to a company. The big challenge here is that any employee can be a target, either due to their specific role or simply because they have an email address in the company.
A phishing email will typically trick the recipient into open a harmful attachment (e.g. ransomware), click a link where sensitive information (e.g. their password) is entered, or simply respond to be subsequently tricked into other harmful actions (e.g. wrongful payment).
We already use a range of technologies to reduce the risk of any employee – and ultimately our company – becoming a victim to phishing. However, we must also ensure that our employees are aware of email risks, and learn how hackers try to trick them in practice.
Therefore, we have planned a simulated phishing attack on our company. Supposedly harmful emails will be sent to all employees during _________ (time period), including to management.
A summary of results from the phishing simulation will be presented to management and employees after completion.
Info to Employees
Dear colleagues,
As you may know, not all emails are safe to engage with. Clicking a link, opening an attachment, or sharing sensitive information via such emails, may cause harm to your computer, phone, bank account or online identity. Similar harm may also be caused to our company, with negative consequences for all of us, including our customers.
To increase the general awareness on how cyber criminals are trying to trick us, we are therefore going to do a phishing exercise. This involves sending all of you a supposedly harmful email, at some point during the near future.
If you receive such an email, we hope you will not be tricked. Instead, we encourage all of you to report suspicious emails, by ________ (method, e.g. using the MailRisk button).
Results will be reviewed and shared internally afterwards, on a strictly statistical level. Should you be tricked, we still urge you to report the email as soon as possible. Quick reporting leads to professional handling, as you will nonetheless contribute to stopping the cyber criminals.
Should you have any questions or concerns with this exercise, please contact __________. Good luck!
Info to IT Helpdesk
During _______ (time), our team will run a phishing simulation exercise for employees, to increase awareness about phishing among our colleagues.
For any employees contacting our helpdesk regarding this simulated email, we kindly ask you to always provide a friendly and helpful response, e.g. as follows:
Thank you very much for reporting this email as suspicious!
In this case, you have correctly identified a simulated phishing email, which was sent to you as part of an internal exercise.
We appreciate your effort, and hope that you will report any other suspicious emails in the future, by ________ (method, e.g. using the MailRisk button).
To correctly identify the phishing simulation email we have, please see ________ (attachment). We appreciate that you will not share any of these details before the exercise has actually started.
Last updated:
30 September 2022
Share this:
Contact the author:
Continue reading
Simulated phishing: How to design a suitable scam
How do you prepare the most effective phishing email to serve the goal of your exercise? In the third part of this series on simulated phishing, we describe various approaches to designing phishing content.
How to succeed with security behavior change
To stay safe online, people need to care more about the security decisions they face every day. But unless the obvious gains obviously exceed the required effort, change is often avoided. Luckily, behavior change in general has been subject to a lot of research, and here are some takeaways for information security professionals.
Simulated phishing: Goals and methodology
Is it okay to trick your own colleagues? With simulated phishing, this is precisely what we do, when sending employees fake emails to increase their cyber awareness.
Ready to get started?
We have written a guide for you to get started with human-centered security. Access our free resource now, and learn:
- How to nurture drivers for employee engagement
- How to avoid common obstacles for reporting
- Practical examples and steps to get started