How to Run a Phishing Test on Your Employees
Is your company safe from phishing attacks? There are two ways to find out: either through a pre-planned simulation or an actual event. In this article, we’ll show you how to run a phishing test on your employees that will let you know how vulnerable you are before it’s too late.
SecurityIQ/PhishSim
In order to find out how vigilant your employees are against various forms of phishing attacks, InfoSec Institute has created the SecurityIQ platform and its application PhishSim. PhishSim, as the name implies, is a simulator that sends out phony phishing emails. However, instead of containing a link to a malicious website or virus, PhishSim sends those that click it to a landing page that informs them of their error. This landing page can be customized and branded to your company.
Strengthen security awareness with human risk management
Infosec HRM, powered by Right-Hand Cybersecurity, provides alert-based training nudges to minimize human risk at your organization.
Email Templates
PhishSim makes it very easy to run a test on your employees. We have an Email Template Library that cover a wide range of standard phishing messages. These include templates created by InfoSec Institute as well as those from our user base. They are grouped into subjects such as Banking, Corporate Communications, and even Highest Phish Rate.
The templates all have information such as Difficulty, Open Rate and Phish Rate. You can select an email template that suits your company as-is, or you can duplicate it and modify as you see fit. You can also select New Template to create your own.
A few of the Banking Templates
Additionally, there are Data Entry Templates, which simulate login pages to such things as bank or email accounts. These can be used with Email Templates for a more sophisticated phishing simulation.
Educations
Paired with the phishing emails are Educations – a landing page with a message to anyone that clicks on the link, informing them that they have made a mistake. As with other elements of SecurityIQ, there is a library of Educations, which can be customized for your workplace.
Some Educations are a simple message; others include interactive videos. Regardless, whenever an employee clicks on a link and is sent to an Education, you will be alerted to the event.
Best Practices
When creating or choosing emails, it’s best to put on your “Criminal Minds” hat and think like a phisher or hacker. What departments are most vulnerable? Which type of communication is most likely to elicit a click?
While our Template Library is a great place to get started, try creating or customizing one for your company. Create an email with your boss’ name asking for a W-2. Send a phony invoice from a company you actually do business with.
Create a sense of urgency. Many phishing requests try and make the user act quickly without thinking, so emulate that in your email.
Drop subtle clues. Put in typos or misspell the company name. These should be red flags to the recipient.
Batteries and Campaigns
After you’ve created or chosen a selection of Email Templates and Educations, you can create Batteries and Campaigns. A Battery is a group of phishing emails that are sent at once, and a Campaign is a series of Batteries over a period of time. With a Campaign, you control such things as which employees get which emails, as well as the simulation duration.
Creating Batteries and Campaigns can be very easy; there is a Default Campaign that can be used as a good starting point.
The Start Campaign window
Running a Campaign
Once you’ve created or imported your employee address list and decided on the duration, you can start your Campaign. (It’s a good idea not to tell anyone that this is happening, so as to get a truer gauge of their vigilance.)
During the Campaign, you can view a variety of different reports from your Dashboard; they can also be emailed to you weekly. This will show you how many of your emails were opened or clicked, as well as those avoided or marked as spam.
The Phish Campaign Run Status details specific actions taken by individuals. You can use this information to require them to take further training courses in the AwareEd section of SecurityIQ.
A PhishSIM report
Conclusion
This is a very general overview of PhishSim and how to run a phishing test on your employees. SecurityIQ is intuitive to use, but this platform also has highly-advanced features to ensure you are truly raising awareness about the dangers of phishing.
The best way to get started is sign up for a free account. You can explore the different areas and even do a simulated Campaign with “learner bots” that can teach you more about how PhishSim works.
See Infosec IQ in action
Don’t wait another day – start phishing your employees today before someone else does!