Successful phishing awareness campaigns
Our advice to make phishing awareness campaigns a success.
Phishing campaign simulation: common mistakes
Phishing is one of the most used attack vectors in data breach cases (32%). As a result, more and more companies are simulating phishing campaigns to educate their employees. However, these simulations are difficult to control and can sometimes do more harm than good.
During engagements at our clients, when phishing comes up, we have observed two phenomena:
- Reluctance: conducting an internal phishing campaign is scary.
This reluctance can come from human resources or communications (who fear the reaction of employees), but also from security teams, which already suffer from an image problem: IT security is often perceived as a hindrance to business.
- The misuse of this vector: the target population must be large.
Carrying out a phishing campaign is relatively simple, with many tools and managed services available on the market. However, if the campaign is carried out as a one-off, there is a good chance that it will be useless. One should not forget that the phishing campaign must be an integral part of an awareness plan whose objective is to increase employees’ skills, not just to point out their shortcomings at a given moment.
This observation led us to the following question: how do you make a phishing campaign a success?
Before the campaign
Build an awareness plan before planning a phishing campaign
User awareness should not rely on a single vector for several reasons:
- We do not all learn in the same way.
- Delivering the same message through different channels helps to generate interest.
- The phishing campaign is more of a control vector (a check on behaviour) than a learning vector.
Thus, it is important to ensure that the campaign is preceded and followed by other actions that will allow employees to understand the risk of phishing, to know how to detect it and how to react to it.
Instinctively, companies tend not to communicate about running a phishing campaign, for fear of skewing the results: this is a mistake!
Not communicating in advance means taking the risk of frustrating employees and creating resistance to cybersecurity. It is important to be transparent about the existence of the tests and about their purpose: to help employees progress and take part in defending the company’s assets. The goal is a collective mindset of everyone united against the risk of phishing, not employees set against a security team. This is one of the reasons why saying that the problem sits “between the chair and the keyboard” is counterproductive. Moreover, warning employees can also increase their day-to-day vigilance.
It is also necessary to secure management’s support. Management should not be excluded from the campaign: employees will feel more involved if they see that it is a strategic issue for management. To that end, the executive committee can take part in communicating the results.
Choosing a suitable scenario
- Don’t aim too high: as IT or security professionals, we are usually better trained to detect phishing, which often leads us to create phishing emails that are too sophisticated. It is best to start with simple emails and work up in complexity. An email that is too complex could also discourage employees.
- Do not choose a scary scenario: the choice of scenario is crucial; it must be attractive enough to make the user want to click, without being too alarmist. For example, an email about a salary reorganization could stress employees and stir up too much emotion.
- Do not split the campaign: it is not necessary to send different emails to different target groups, as this dilutes the statistics.
Actions to be taken after the campaign
- Do not punish or expose employees who have been “phished”
It would be counterproductive to punish employees who have been “phished”, and even more so to circulate their names internally. Beyond the bad atmosphere this kind of practice creates, the risk is that in the future employees would be afraid to alert us when in doubt about an email, or in case of a security incident, for fear of being sanctioned. This is the opposite of the security culture we are trying to develop: vigilance and alerting.
Even a relatively “mild” sanction such as requiring training after mistakes in a simulation is not recommended: employees would see the training as a punishment, and it would not necessarily be effective.
Conversely, it may be possible to reward the department that does best in the test: this creates a spirit of friendly competition among employees. Some might argue that this could distort the test, as employees would alert each other to the presence of a phishing email. In reality, this risk is quite small. Even if employees warn each other, it makes them talk about phishing and how they detected it: this is one of the desired effects!
- Communicating the results
It is essential to communicate the results, in anonymized form. An alarmist communication would defeat the purpose: fear marketing does not work. The communication should include an explanation of how to detect phishing, or a link to a dedicated space.
- Do not focus on statistics
One of the advantages of the phishing campaign (and this is what makes it so popular) is that it allows you to obtain measurable results. However, one should not fall into the trap of numbers and focus on the number of “phished” users:
- The conditions of the simulation can hardly be identical from one campaign to the next (the subject of the email changes, it may be less attractive to employees, the time of year may be more or less favourable, etc.). It is therefore not necessarily appropriate to compare one campaign to another.
- Since the objective is to increase users’ skills, it is advisable to make the emails more complex little by little. A constant ratio of “phished” users is not a problem if the complexity of the emails differs. It would be easy to obtain good-looking statistics by decreasing the complexity of the email, while the risk would remain just as present.
An indicator that is particularly important to watch is the alert rate. This is what we expect from users: that they raise the alert when they receive a suspicious email. For this, it is useful to involve IT support in preparing the simulation, together with management.
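The following script is an added example, not code from the original article or from any campaign tool. It shows how the points above (reward the department that does best, publish only anonymized results, watch the alert rate rather than the raw click count, and do not compare campaigns whose lure complexity changed) can be turned into a scoring routine. It assumes results arrive as one record per recipient (user, department, clicked, reported) and that each campaign carries a lure-complexity tier (1 = obvious, 3 = hard); the field names, the tiers, the "best department" scoring rule and the sample records are all constructed for illustration.

```python
"""Scoring a phishing simulation without exposing individuals.

Added example, not code from the original article. It assumes results arrive
as one record per recipient (user, department, clicked, reported) and that each
campaign carries an assumed lure-complexity tier (1 = obvious, 3 = hard); the
field names, tiers and sample records below are constructed for illustration.
"""
import hashlib
import hmac
from collections import defaultdict, namedtuple

Result = namedtuple("Result", "user dept clicked reported")


def campaign(tier, rows):
    """Build a campaign from (user, dept, clicked, reported) tuples."""
    return {"tier": tier, "results": [Result(*row) for row in rows]}


# Constructed sample data: three successive campaigns over the same seven staff.
CAMPAIGN_Q1 = campaign(1, [
    ("alice", "finance", True, False), ("bob", "finance", False, True),
    ("carol", "finance", False, False), ("dave", "sales", True, True),
    ("erin", "sales", True, False), ("frank", "it", False, True),
    ("grace", "it", False, True),
])
CAMPAIGN_Q2 = campaign(2, [  # harder lure than Q1
    ("alice", "finance", False, True), ("bob", "finance", False, True),
    ("carol", "finance", True, False), ("dave", "sales", False, True),
    ("erin", "sales", True, True), ("frank", "it", False, True),
    ("grace", "it", False, False),
])
CAMPAIGN_Q3 = campaign(1, [  # lure made easier again: fewer clicks prove nothing
    ("alice", "finance", False, True), ("bob", "finance", False, True),
    ("carol", "finance", False, False), ("dave", "sales", False, True),
    ("erin", "sales", True, False), ("frank", "it", False, True),
    ("grace", "it", False, True),
])


def pseudonymize(user, secret):
    """Keyed hash of a user id, so raw records can be kept and de-duplicated
    across campaigns without storing who clicked. The secret stays with the
    security team; published reports only carry department-level aggregates."""
    return hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()[:12]


def department_stats(camp):
    """Aggregate per department: counts plus click and report (alert) rates."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in camp["results"]:
        d = counts[r.dept]
        d["sent"] += 1
        d["clicked"] += int(r.clicked)
        d["reported"] += int(r.reported)
    return {
        dept: {**c, "click_rate": c["clicked"] / c["sent"],
               "report_rate": c["reported"] / c["sent"]}
        for dept, c in counts.items()
    }


def overall_rates(camp):
    """Campaign-wide click rate and alert (report) rate."""
    n = len(camp["results"])
    clicked = sum(r.clicked for r in camp["results"])
    reported = sum(r.reported for r in camp["results"])
    return {"click_rate": clicked / n, "report_rate": reported / n}


def best_department(stats):
    """Department to congratulate: highest alert rate, ties broken by lowest
    click rate (an assumed scoring rule, not one the article prescribes)."""
    return max(stats, key=lambda d: (stats[d]["report_rate"], -stats[d]["click_rate"]))


def compare(previous, current):
    """Judge progress between two campaigns while accounting for lure complexity.

    A falling click rate means nothing if the lure got easier; the alert rate
    is the figure that should rise from one campaign to the next."""
    prev, cur = overall_rates(previous), overall_rates(current)
    tier_delta = current["tier"] - previous["tier"]
    if tier_delta < 0:
        verdict = "not comparable: the lure got easier"
    elif cur["report_rate"] > prev["report_rate"]:
        verdict = "progress: alert rate rose" + (" on a harder lure" if tier_delta > 0 else "")
    else:
        verdict = "no progress: alert rate did not rise"
    return {"tier_delta": tier_delta,
            "click_rate_delta": cur["click_rate"] - prev["click_rate"],
            "report_rate_delta": cur["report_rate"] - prev["report_rate"],
            "verdict": verdict}


if __name__ == "__main__":
    for name, camp in (("Q1", CAMPAIGN_Q1), ("Q2", CAMPAIGN_Q2), ("Q3", CAMPAIGN_Q3)):
        stats = department_stats(camp)
        print(f"{name} (tier {camp['tier']}):", overall_rates(camp))
        for dept, s in sorted(stats.items()):
            print(f"  {dept:8} sent={s['sent']} click={s['click_rate']:.0%} alert={s['report_rate']:.0%}")
        print("  best department:", best_department(stats))
    print("Q1 -> Q2:", compare(CAMPAIGN_Q1, CAMPAIGN_Q2)["verdict"])
    print("Q2 -> Q3:", compare(CAMPAIGN_Q2, CAMPAIGN_Q3)["verdict"])
```

Run as a script, it prints department-level aggregates only (no names), names the department with the best alert rate, and flags the Q2 to Q3 comparison as meaningless because the lure was made easier even though the click rate fell. The keyed pseudonym lets the team keep per-recipient records for de-duplication across campaigns while the published figures never identify anyone.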
- Train the employees and… start again!
Once the campaign is over and the results have been shared, it is necessary to continue raising awareness of phishing risks among users. To check that the awareness actions put in place are well received and absorbed by employees, buy-in indicators must be consolidated. If these are not satisfactory, the chosen awareness vectors can then be adapted.
Moreover, for the messages to have more impact, we always recommend drawing parallels between personal and professional life. This is especially true for phishing, which targets both professionals and individuals. Finally, to be more effective, simulations must be carried out regularly. Once the results improve, the level of complexity can be increased.
Conclusion: focus on awareness
To conclude, it is worth coming back to the fact that a phishing campaign is a tool that should not be used as an awareness action in itself: it is above all a control vector. Moreover, as threats are constantly evolving, employee awareness must be a continuous improvement process. With regular and varied awareness actions, employees will be able to build their skills in these subjects.
In addition, control vectors such as the phishing campaign must be used to check the effectiveness of the awareness strategy. In the same spirit of continuous improvement, they must also address new threats: smishing (SMS phishing), vishing (by phone), infected USB keys, etc.