It's no secret that phishing tests are a commonly used form of security awareness training. In fact, the 2022 Tandem State of Cybersecurity Report found that 92% of surveyed financial institutions are implementing phishing tests. This makes it the most common form of training right now.
Phishing tests are an effective tool for educating employees about the dangers of phishing. However, when not used appropriately, phishing tests can also result in unintended consequences or even decreased morale. To make sure your phishing tests are most effective at securing your business, preparing your teams, and keeping operations running smoothly, here are five things to consider before sending your next phishing test.
#1. Teach before testing.
Before throwing an employee into the deep end with a phishing test, it is a good practice to make sure they know 1) what phishing is, 2) how to recognize phishing emails, and 3) to expect phishing tests from you. This is especially important for employees who may be new to your business or who may function in a less technical role.
I heard a story recently of an individual who received a phishing test in his company email inbox on his first day. This happened to be a happy coincidence, as the regularly scheduled phishing test for all employees started that morning. Unfortunately, for the new employee, it was a far cry from a happy experience. The first day on any new job is filled with a lot of important information. To "fail" something right off the bat can leave a lasting impression, and not always a positive one.
If a person has not been taught the basics of phishing, they are not ready to be tested. Save yourself and your teammates some headache. Teach them about phishing before testing them.
#2. Be careful with frequency.
One question we regularly receive is, "How often should I send phishing tests?" While there is no one right answer to this question, there are some factors to consider. For example:
- You want to keep security awareness in the forefront of your employees' minds. However, sending phishing tests too frequently can cause testing fatigue and can result in increased skepticism of all email communication.
- Another factor is historical test results. Ask any teacher if they treat all their students the same and you'll (hopefully) get a resounding "NO." In many classrooms, the students who need more assistance receive additional or different kinds of attention. Phishing test frequency can be thought of in the same way. There is no need to send the same number of phishing tests to employees who are successful in recognizing and responding to phishing, as those who are not. Treating everyone the same can be a net drain, company-wide, as every phishing test requires attention and brain power from each recipient.
While there is no one-size-fits-all, most companies find conducting phishing tests for employees somewhere between monthly and quarterly to be a good fit. The goal is to send phishing test emails at a frequency that works for you and your team.
#3. Do not make tests look too legitimate.
I visited with another person recently who said his company sent a phishing test from the IT admin's legitimate email address about a legitimate ongoing technology initiative. For all intents and purposes, the "test" had every sign of a legitimate email. The company did not include any clues or tactics that could cause employees to suspect it was phishing.
When the employees expressed their frustration with the "test," the sender's reasoning was that in the event the IT admin's account was compromised, the employees needed to know what to do. While it would be important to recognize if the IT admin's account was compromised, someone with access to the IT admin's account is already inside the system. It's not likely they would send a phishing email to someone inside the same system.
There is a balance which must be struck between making a phishing test that is "clickable" and one that is impossibly "real." Using phishing tests to teach your employees to know the difference between what's real and what's phishing requires there to be a difference.
#4. Consider not sending from internal domains.
One of the most obvious clues to help people know if an email is phishing or not is the email address' domain. If I received a business email from Tandem leadership, but it came from a random Gmail, Outlook, or some other kind of account, I would immediately be suspicious. If, however, the email came from their official email address, that's a bit more advanced, as noted in the previous point.
While it is important to teach employees all the clues and tactics used in phishing messages, there is email filtering technology available which can automatically block emails which spoof your domain. This is a great technical control which can partner with your phishing training to reduce the likelihood of an employee falling victim to a phishing email. Additionally, it can help your employees feel more confident in their ability to manage emails if they know that any email sent from an internal domain to their work email address is legitimate.
This tip was provided by a Tandem partner, CoNetrix Technology. If you'd like assistance with implementing and configuring an email filtering system that works for you, learn more at CoNetrix.com/Technology.
#5. Get curious about failures.
It is one thing to respond to a phishing test failure. It is another thing to punish a phishing test failure (and know that punishment does not always mean "suspension" or "firing"). The difference between a response and a punishment comes down to a crucial conversation.
Think about the difference between these two messages:
- You failed a recent phishing test by clicking a link in a simulated phishing email. You will be enrolled in follow-up training, due by the end of the month.
- Hey Jim (assuming their name is Jim)! I want to visit about the recent phishing test we had. Let me know when you have a few minutes to chat about your experience with it. I'd like to hear your perspective on what made the email "clickable" and learn if there's something I can do to clear up any confusion for you and others before I send future phishing tests.
There is nothing inherently inaccurate with either of these messages. However, there is a difference in tone and engagement. Your team members likely already feel bad about the fact that they failed a phishing test. They probably feel worse knowing that this means they now have to go through additional follow-up training.
Not only that, but of the two options above, which option do you think would leave a longer-lasting impression? While the second option may take more of your time, I would be willing to wager that the employees who receive a personal connection and investment following a phishing test failure would not only improve, but could become champions for your future phishing initiatives.
Phishing tests are a tool. They exist to help you train your employees on how to recognize and respond to phishing emails, as well as validate employee preparedness. While the industry is getting pretty good at sending phishing tests, we can always improve how we send our phishing tests and use them to create a positive and memorable experience for our teams.
If you're looking for a software to help you with your phishing tests, I'd love for you to check out Tandem Phishing. Tandem allows you to send simulated phishing emails to your employees, enroll employees in supplemental training courses, and generate reports to see progress over time. To learn more about Tandem Phishing, check out Tandem.App/Phishing-Security-Awareness-Software.