Simulated phishing: Goals and methodology

Is it okay to trick your own colleagues? With simulated phishing, that is precisely what we do: we send employees fake emails in order to increase their cyber awareness.

Maybe you have already tried something like this in your company, or maybe you are still assessing whether it is a good idea at all.

Throughout this blog series, we will hopefully answer your questions, and ensure that your simulated phishing experience yields a positive – and lasting – cyber security outcome in your organization.

Extending your training toolbox

Managing human cyber risk is possibly the most challenging part of securing an organization. As opposed to technical vulnerabilities, there is no predictable way to completely safeguard against human error. There is no silver bullet.

E-learning is nevertheless the common way for companies to deliver security training, and understandably so: it is a cost-effective way of delivering the same learning content to every employee, and it lets you tick the box for regular training.

However, many people – including both IT professionals and end-users – are not entirely satisfied with the way traditional e-learning is normally done. Don’t we all know how clicking our way through e-learning slides can be done in nearly zero time, without actually learning anything?

So what should we do instead, you may ask. Well, since you are reading this, maybe you are already considering whether simulated phishing could bring user engagement to new levels.

Simulated phishing is usually carried out by sending your colleagues an email that looks malicious, using the same tricks and lures a cybercriminal would use. The email could, for instance, link to a fake login page which, in a real attack, would steal the password upon submission. In the simulation, the fake login page instead shows the user a message that their password could now have been compromised (and the simulation should discard what was typed rather than store it).

There are, however, a few considerations to make here, including how to respond to users who are tricked at this point. We will come back to that in a later post; for now, let us focus on getting the goals of this activity right.

Align methodology with goals

First of all, decide on why you are going to simulate a cyber-attack on your own company. Determining a clear goal for your efforts is useful to ensure the right tools are used for the job. It will also help to clarify your communications, as we will discuss later.

«Show, don't tell»: With simulated phishing, you can demonstrate internally that there is evidence of risk related to email usage in your organization. Nobody will be able to say «this never happens» any more, since some users will have been tricked by the simulation (some always are).

Test specific risk scenarios: A well-planned exercise may, for instance, reveal whether employees can be tricked into entering their work password on an illegitimate website, or whether a simulated payload can be executed on an employee device.

Get support for new security measures: If it turns out that you are vulnerable to specific scenarios, simulated phishing may help you gain internal support for targeted countermeasures that reduce the related risk, such as two-factor authentication.

Create «teachable moments»: Employees who believe they would never be tricked by a fake email may suddenly realize the opposite through simulated phishing. Provided that the overall experience is positive, the very concrete experience of being tricked can have a positive and lasting learning outcome for many.

Trigger security conversations: Simulated phishing is a shortcut to making cyber security a topic of conversation among your colleagues. Unless the exercises have become routine, this attention can be used to draw interest and activity to other awareness and training measures.

Practice suspicious-email reporting: To gain insight into which threats are passing through the spam filter, it is useful to train people to report suspicious emails to IT or security staff. An «obvious» phishing sample is an efficient reminder of the desired routine, and it gathers data on how well the company's human security sensors work.
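The two mechanical pieces behind these goals are the landing page described earlier (the fake login that shows a warning instead of stealing the password) and the data that a reporting routine produces. The following is an added example of both, written for this post; it is not the post's or any vendor's code. The class, the placeholder form and message text, the metric names and the five constructed recipients are all assumptions made for illustration. The design points it demonstrates are that each link carries a random, unguessable token, that a link with an unknown token is not counted as a click, and that the submitted password is dropped on the spot and never stored or checked against the directory.

```python
"""Back end for a simulated-phishing exercise: a tracking link per recipient,
a fake login page that discards the submitted password, and campaign metrics.
Constructed example; not the original post's code."""
import secrets
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Placeholders for the cloned login form and the debrief page (hypothetical text).
FAKE_LOGIN_FORM = "<form method='post'>username / password / Sign in</form>"
TEACHABLE_MOMENT = ("This was a simulated phishing email from your security team. "
                    "A real attacker would now have your password.")


class Campaign:
    """Tracks one exercise per recipient without ever storing what they typed."""

    def __init__(self, name):
        self.name = name
        self._email_by_token = {}           # opaque link token -> recipient
        self._events = defaultdict(list)    # recipient -> [(event, timestamp)]

    def enroll(self, email, sent_at):
        """Issue the unguessable token embedded in this recipient's link."""
        token = secrets.token_urlsafe(16)   # 128 random bits: cannot be enumerated
        self._email_by_token[token] = email
        self._events[email].append(("sent", sent_at))
        return token

    def open_link(self, token, at):
        """Landing page. Unknown tokens are not counted as clicks."""
        email = self._email_by_token.get(token)
        if email is None:
            return None
        self._events[email].append(("clicked", at))
        return FAKE_LOGIN_FORM

    def submit_login(self, token, username, password, at):
        """The step where a real attacker harvests the password. The simulation
        records only that a submission happened; the secret is dropped here and
        never logged, stored or checked against the directory."""
        email = self._email_by_token.get(token)
        if email is None:
            return None
        del username, password
        self._events[email].append(("submitted", at))
        return TEACHABLE_MOMENT

    def report_email(self, email, at):
        """Recipient forwarded the mail to the reporting address (the human sensor)."""
        if email in self._events:
            self._events[email].append(("reported", at))

    def metrics(self):
        """Per-recipient first occurrence of each event, aggregated per campaign."""
        n = len(self._events)
        counts = {"sent": n, "clicked": 0, "submitted": 0, "reported": 0,
                  "reported_without_clicking": 0}
        minutes_to_report = []
        for events in self._events.values():
            first = {}
            for kind, at in events:
                first.setdefault(kind, at)
            for kind in ("clicked", "submitted", "reported"):
                counts[kind] += int(kind in first)
            if "reported" in first:
                minutes_to_report.append(
                    (first["reported"] - first["sent"]).total_seconds() / 60)
                counts["reported_without_clicking"] += int("clicked" not in first)
        rates = {k: (counts[k] / n if n else 0.0) for k in ("clicked", "submitted", "reported")}
        median = statistics.median(minutes_to_report) if minutes_to_report else None
        return {"counts": counts, "rates": rates, "median_minutes_to_report": median}


def demo_campaign():
    """Five constructed recipients with different outcomes."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    c = Campaign("password-reset lure")
    tok = {u: c.enroll(f"{u}@example.com", t0)
           for u in ("alice", "bob", "carol", "dave", "erin")}
    c.open_link(tok["alice"], t0 + timedelta(minutes=5))
    c.submit_login(tok["alice"], "alice", "hunter2", t0 + timedelta(minutes=6))  # tricked
    c.open_link(tok["bob"], t0 + timedelta(minutes=12))                           # clicked only
    c.report_email("carol@example.com", t0 + timedelta(minutes=3))               # reported, never clicked
    c.open_link(tok["dave"], t0 + timedelta(minutes=20))
    c.report_email("dave@example.com", t0 + timedelta(minutes=25))               # clicked, then reported
    return c                                                                      # erin: no action


if __name__ == "__main__":
    print(demo_campaign().metrics())
```

Counting only the first occurrence of each event per recipient keeps a user who clicks five times from inflating the click rate, and the «reported without clicking» figure is the one that tells you how many human sensors fired before anyone was tricked. The median time to report is the number to watch if the goal is the reporting routine rather than the click rate.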

Each of the goals above may affect your choices for simulation content, training interval and general focus. It may also affect how you organize your internal support team, and which kind of technical setup you are going to need.

Finally, your goal will also have an impact on your communications strategy, which is the topic for our next post in this series.
