Back to Table of Contents

Objectives

Once you have completed this section, you will be able to:

  • Identify the core components of PhishSim Campaigns and how they work together
  • Preview educational modules which can be used in PhishSim campaigns
  • View, create, and modify Data Entry Templates
  • View, create, and edit Education Pages
  • View, create, and modify Email Templates
  • View, create, and modify Batteries
  • Create and manage PhishSim Campaigns
  • Install and use the PhishSim plugin to report PhishSim emails
  • View and manage the PhishSim Quarantine
  • Create and run PhishSim reports

Overview

PhishSim is a phishing training and simulation tool that provides realistic phishing tests, custom phishing email templates, and automatic education for members of your organization.

Using existing templates, a PhishSim campaign can be created and launched in just a few minutes. While we will be covering topics such as creating custom Data Entry Templates and Email Templates, SecurityIQ provides many pre-configured templates that can be used immediately. We will cover these topics for the benefit of those who wish to create or modify content.

PhishSim Core Components

There are four primary components that come together to form a PhishSim campaign. Before we explore each in-depth, we will briefly explain what each is and how they fit into a campaign.

1

Figure: PhishSim Menu

Education

When a learner demonstrates a risky behavior (i.e. clicking the link in a Phishing email), PhishSim has the ability to turn that risky action into a teachable moment through the presentation of different types of training material. PhishSim education can be delivered using our interactive video tutorials as well as static content web pages that can be used to quickly convey information.

Data Entry Templates

In a data entry attack, a phishing victim enters data into a legitimate looking but ultimately malicious website. The SecurityIQ Data entry Templates are mockups of login forms and websites that can be displayed to a learner and ask them to enter data of some kind.

Email Templates

Emails sent to learners are based off of templates within SecurityIQ. These templates define how the email will look, who the email appears to come from, and details regard the type of attack the email is intended to simulate.

Battery

A battery is simply a collection of multiple email templates that you can send to learners during a PhishSim campaign.

Campaigns

A campaign is a collection of batteries that are assigned to be delivered to one or more groups of learners over a defined amount of time.

Quarantine

When a learner identifies a possible malicious or phishing email in their email client, the SecurityIQ PhishSim plugin for Outlook, Outlook 365, and Gmail allows the user to quickly flag and report the email to system administrators. The quarantine area is where the administrator can review and manage these submissions.


Whitelisting

IMPORTANT – In order to ensure that PhishSim emails are successfully delivered to your servers, you must whitelist the following IP address ranges and domains within your server and any other filtering software.

 

SecurityIQ Email Source IP Addresses and Domains

199.255.192.0/22
199.127.232.0/22
54.240.0.0/18

email-smtp.us-west-2.amazonaws.com
smtp-out.us-west-2.amazonses.com

PhishSim and AwareEd emails (primary)

67.217.44.158
mail.phish.io

PhishSim and AwareEd emails (secondary)

 

If you whitelist by email header, whitelist this header:

Header:X-PHISH

Header Text: This is a security awareness phishing simulation test from InfoSec Institute that has been authorized by the recipient organization

 

Domains that PhishSim emails are sent from:
phish.io
authorizednotifications.com
loginprotected.com
strong-encryption.com
encrypt-mail.net
zqa.net

In some instances, the security policies of some organizations may prohibit them from whitelisting the Amazon Web Services address space which is listed above. As an alternative, these users may use SecurityIQ’s Dedicated Email Server feature which forces all outbound email to be sent via a single server. For details on configuring this option, please visiting the Dedicated Email Server section of the Account Settings page of this manual by clicking here.

Whitelisting Instructions for Clients and Servers

 

Whitelisting is a critical step in ensuring the delivery of SecurityIQ email to your users, especially those enrolled in PhishSim campaigns.

If you are using a system which is not listed below, please send an email to support@infosecinstitute.zendesk.com containing the client or email server/gateway name, version, and its primary website. We will work to keep this list updated based on customer feedback.

 

 

EMAIL CLIENTS

Listed below are the steps needed manage whitelists and approved senders for a number of different email clients.

Gmail

  1. Open an email from the sender that you want to whitelist.
  2. Click on the little down-pointing-triangle-arrow next to “reply.”
  3. Click Add [user@to-be-added.com] to contacts list to finish.

Microsoft Outlook 2003

  1. Open the email message from the sender you want to add to your address book.
  2. Right-click Click here to download images in the gray bar at the top of the message.
  3. Click Add Sender to Senders Safe List to finish.

Microsoft Outlook 2007

  1. Right-click on the email you received (in the list of emails).
  2. Click Junk E-mail.
  3. Click Add Sender to Safe Senders List to finish.

Microsoft Outlook 2010

  1. Click the Home tab.
  2. Click Junk.
  3. Click Junk E-mail Options.
  4. Click Safe Senders.
  5. Click Add.
  6. Enter [user@to-be-added.com] and additional information if you wish.
  7. Click OK to finish.

Microsoft Outlook 2013

  1. Click the Home tab.
  2. Click Junk.
  3. Click Junk E-mail Options.
  4. Click Safe Senders.
  5. Click Add.
  6. Enter [user@to-be-added.com] and additional information if you wish.
  7. Click OK to finish.

iOS Devices – iPad, iPhone, iPod Touch (needs screenshot?)

  1. On any message, tap the sender and add to either a new contact or an existing contact:

Android Devices – Samsung, Google Nexus, others (needs screenshot?)

  1. In the default email client, touch the picture of the sender.
  2. Click OK to add to contacts.

AOL Mail

  1. Click Contacts in the right toolbar.
  2. Click Add Contact.
  3. Enter [user@to-be-added.com] and additional information if you wish.
  4. Click Add Contact button in the popup to finish.

Comcast

  1. Click Preferences from the menu.
  2. Click Restrict Incoming Email.
  3. Click Yes to Enable Email Controls.
  4. Click Allow email from addresses listed below.
  5. Enter [user@to-be-added.com] you want to whitelist.
  6. Click Add.
  7. Click Update to finish.

Earthlink

  1. Click Address Book.
  2. Click Add Contact.
  3. Save user@to-be-added.com as a contact.
  4. Click save.

Apple Mail

  1. Click [user@to-be-added.com] in the header of the message you’re viewing.
  2. Click Add to finish.

NetZero

  1. Click the Address Book tab on the top menu bar.
  2. Click Contacts.
  3. Click Add Contact.
  4. Enter [user@to-be-added.com] and additional information if you wish.
  5. Click Save to finish.

Yahoo! Mail

  1. Open the email message from the sender you want to add to your address book.
  2. Click Add to contacts next to [user@to-be-added.com].
  3. On the Add Contact popup, add additional information if needed.
  4. Click Save to finish.

Windows Live Hotmail

  1. Open an email from the sender that you want to whitelist.
  2. Click Add to contacts next to [user@to-be-added.com] to finish.

Mac Mail

  1. Click Address Book .
  2. Click File.
  3. Click New Card.
  4. Enter [user@to-be-added.com] and additional information if you wish. .
  5. Click Edit to finish

Mozilla Thunderbird for PC

  1. Click Address Book.
  2. Make sure Personal Address Book is highlighted.
  3. Click New Card. This will launch a New Card window that has 3 tabs: Contact, Address & Other.
  4. Under Contact, enter [user@to-be-added.com] and additional information if you wish.
  5. Click OK to finish.

Mozilla Thunderbird for Mac

  1. Click Address Book.
  2. Make sure Personal Address Book is highlighted.
  3. Click New Card. This will launch a New Card window that has 3 tabs: Contact, Address & Other.
  4. Under Contact, enter [user@to-be-added.com] and additional information if you wish.
  5. Click OK to finish

EMAIL SERVERS

The following links reference instructions on managing whitelist rules and settings for a number of different email servers and gateways.

 

EMAIL GATEWAYS

 

Education

As the administrator of PhishSim, you have the option to specify which training is presented to the learner in order to most effectively modify a particular behavior. The available educational options include interactive videos which can be immediately displayed after a successful simulated phishing attack, as well as customizable web pages that contain a brief overview of the action the user took and how to avoid falling victim to a similar attack in the future. SecurityIQ currently offers interactive educational material for PhishSim users on the following topics:

Module Summary
Phishing Phishing is the way that hackers use electronic messages, often email, to “fish” for unsuspecting users who will perform dangerous actions. Our interactive phishing training covers where phishing messages may appear, how to distinguish phishing from normal communications, how to confirm “borderline” messages, and when to report specific types of attacks.
Spear Phishing Spear phishing occurs when phishing messages are tailored for targeted individuals. This interactive training will help you identify and avoid spear phishing attempts.
Suspicious Hosts Safe Browsing groups a number of best practices that keep users of the world wide web safe.
Ransomware Ransomware is malware, or malicious software, that holds technology for ransom. First, ransomware corrupts and locks technology like computers, mobile devices and individual files. Then, ransomware demands money to restore and unlock those machines and data. Ransomware often infects PCs after someone clicks on a phishing message or downloads its attachment.

In addition to interactive training material, SecurityIQ also provides static content, or simple web pages that contain customizable pieces of information that can be displayed to serve as a quick reminder on how to avoid certain type of risky behavior when it comes to phishing and overall security awareness.

  • Phishing
  • Password Security
  • Avoid Infected Files
  • Mobile Security
  • Social Engineering
  • Public Network and Computer Safety
  • Physical Data & Devices Safety
  • Keep Your Removable Media Secure
  • Safe Browsing
  • Keep Protected Health Information Secure

To view the education content that is currently available in PhishSim:

  • On the main menu, hover over “PhishSim” and click “Education”

A list of all available content will be displayed along with the type of asset.

2

Figure: PhishSim Education Content

If you would like to preview any of the content, simply hover over the name and click the “eye” icon . A new tab or window will open containing the page content.

There are three types of Education Assets available within SecurityIQ. Interactive assets contain video and exercise modules which are intended to deliver an in-depth and engaging overview of a topic. Static Pages are simple pages that contain graphics and text which are used to quickly convey a small amount of information to the learner. External Pages contain direct links, defined by you, to pages outside of SecurityIQ that a learner can be redirected to.

Education Editor

The Education Editor allows you to customize the way existing and new assets look and behave.

To edit an education asset supplied by SecurityIQ:

  • Hover over the Education name and click the “clone” icon . A copy of the original page will be opened in the editor and you can make all desired changes.

To edit an Education asset that you previously created:

  • Hover over the Education name and click the “edit” icon .

To create a new Education asset:

  • Click the “New Education” button

Once a page is open in the editor, you may determine the Education Type, Education Information, and define the actual content of the page.

Setting the education type will determine whether an Education Assets will either display content for the learner or automatically direct them to an external URL.

3

Figure: Education Editor

If you would like to include an existing interactive educational module in your page, you can select the appropriate module from the Education Asset dropdown box. The selected module will then be automatically added to the bottom of the page when it is previewed or displayed to the learner.

The editing area is a standard WYSIWYG (What You See Is What You Get) editor. This means that creating content is very similar to using a word processor for adding and formatting content.

A particularly useful feature is the Source Code editor. If you have the source HTML code from another web page or application which you would like to use in your education page, you can take the following steps to utilize the existing code.

  • Copy the HTML source code from your original document
  • In the Education Editor, click the “Tools” menu item and select “Source Code”
  • In the new text area that is displayed, paste your source code and click “Ok”

You will now see the rendered version of your source code displayed in the editor, which can be edited as you see fit.

When your changes are complete, click save. You will now be able to reference this education content in any PhishSim Email Template. If you started by copying an existing education asset, enter a new Education Name before saving.

Data Entry Templates

Data Entry Templates are used to collect data from a learner during a simulated Data Entry attack. These templates are usually made to look like familiar websites that collect user information, such as a Google or Salesforce login page. SecurityIQ provides a number of Data Entry templates for you to choose from, but you also have the ability to customize existing templates or create new ones.

To view the Data Entry templates that are currently available in PhishSim:

  • On the main menu, hover over “PhishSim” and click “Data Entry Templates”

4

Figure: Data Entry Templates Listing

Both Data Entry templates and Email templates are stored in three sections; System, Contributed, and Personal.

System templates are provided by SecurityIQ and can be used as a quick way to get started with data entry attacks. You can clone and customize the templates if you wish.

Contributed templates have been created and shared by other SecurityIQ users. These templates have been reviewed and approved by InfoSec Institute.

Personal templates are those which you have cloned and modified or created from scratch.

Within each of these sections, templates are broken down by category. Templates can be quickly located by clicking the search icon and searching for a particular template. The search function will only return results for the currently selected section.

To clone and edit an existing Data Entry Template:

  • From the Data Entry Templates page, Hove over the content name and click the clone icon .

A copy of the original page will be opened in the editor and you can make all desired changes. When your changes are complete, enter a new Data Entry Template Name and click save. You will now find this template in the Personal section and it can be referenced in any PhishSim Email Template.

To create a new Data Entry Template:

  • From the Data Entry Templates page, click “New Template”
  • Enter a name for your template in the Data Entry Template Name field
  • Select the domain that will be displayed in the learner’s web browser when they load the Data Entry page after clicking a link in the phishing email
  • Create the actual content of the page by using the editor.

Source code

If you have the source HTML code from another web page or application which you would like to use in your Data Entry template, you can take the following steps to utilize the existing code.

  • Copy the HTML source code from your original document
  • In the Template Editor, click the “Tools” menu item and select “Source Code”
  • In the new text area that is displayed, paste your source code and click “Ok”

You will now see the rendered version of your source code displayed in the editor, which can be edited as you see fit.

To see how your template will be displayed for the learner:

  • From the Template Editor page, click “Preview in Browser”
  • A new tab or window will open and display the page as it will be seen by the learner

Using Variables

One method of gaining a user’s trust is to customize the data entry page with information that pertains to them. For example, including a learner’s First and Last name along with their email address on a Google login page will help to convince them that they have logged into this page in the past and likely lead them to do it now. A list of available variables can be found by following the available variables link located in the System Note section at the bottom of the Template Editor page. As you can see in the example below, this Google Data Entry Page includes three variables.

When your changes are complete, click save. You will now be able to reference this education content in any PhishSim Email Template. If you started by copying an existing Data Entry Page, enter a new Data Entry Template Name and set the appropriate Category before saving.

5

Figure: Data Entry Template Editor

Email Templates

Email templates are the heart of PhishSim. The templates define how actual phishing emails look, who they will appear to come from, the type of attack you will simulate, and which education asset should be displayed for the user after they have taken the bait and fallen for the phishing attempt.

To view the Email Templates that are currently available in PhishSim:

  • On the main menu, hover over “PhishSim” and click “Email Templates”

6

Figure: Email Templates Listing

As with Data Entry Templates, Email Templates are stored in three sections; System, Contributed, and Personal.

System templates are provided by SecurityIQ and can be used as a quick way to get started with your PhishSim campaign. You can clone and customize the templates if you wish.

Contributed templates have been created and shared by other SecurityIQ users and serve as an excellent source for finding effective templates targeted at a wide range of scenarios. These templates have been reviewed and approved by InfoSec Institute.

Personal templates are those which you have cloned and modified or created from scratch. Within each of these sections, templates are broken down by category. Templates can be quickly located by clicking the search icon and searching for a particular template. The search function will only return results for the currently selected section.

To preview a PhishSim Email Template:

  • On the Email Templates page, hover over the Name and click the “eye” icon . A new tab or window will open containing the page content.

Open Rate and Phish Rate

At the top of each section you will notice a Highest Phish Rate category. The five templates listed here are the highest performing templates based on usage statistics from all SecurityIQ PhishSim users and is updated on a daily basis. The open rate indicates how many times a particular template has been opened and Phish Rate indicates how often the email was successful at getting a learner to click a link or interact with the email. In the next section we will create a group of templates to be used as part of a PhishSim campaign. If you are just starting out and want to include templates that will likely produce results without any modification, we recommend trying some of the templates that are listed in the Highest Phish Rate category.

7

Figure: Highest Open and Phish Rate Templates

Creating an Email Template

To clone and edit an existing Email Template:

  • From the Email Templates page, hover over the content name and click the clone icon .

A copy of the original template will be opened in the editor and you can make all desired changes. When your changes are complete, enter a new Email Template Name and click save. You will now find this template in the Personal section and it can be referenced in any PhishSim Battery (a battery is a group of email templates to be used in a campaign).

To create a new Email Template:

  • From the Email Templates page, click “New Template”

To configure a template:

  • Enter a name for your template in the Template Name field
  • Configure the From Email (see below for details on how to configure the From Email)
  • Add the From Name
  • Enter an email subject (The subject can include variables to customize the subject which are discussed below)
  • Select the domain that will be displayed in the learner’s web browser when they load the Data Entry page after clicking a link in the phishing email
  • Assign your template to a Template Category
  • Select the Attack Type (learn more about the different attack later in this section)
    • Drive By
    • Attachment
    • Data Entry
  • Select which Education asset will be displayed for the learner after they have fallen victim to the attack.
  • Create the actual content of the template by using the editor.
  • Preview the template by clicking “Preview In Browser”
  • To receive an actual email version of the template, click “Email Preview To Me”. This will be sent to the email address of the account administrator

8

Figure: Email Template Editor

Configuring the From Email address

Each template can be configured to appear as those it is being sent from a specific email address. There are three components to the From Email address; the domain, subdomain (optional), and the name.

Name – This is the account name that will be displayed in the email address. It can be anything you’d like.

Subdomain – By adding a subdomain, you have the ability to give the appearance that the email is from your organization. Especially in the case of mobile users, longer email addresses may be cutoff when being displayed. By adding your actual domain name or an extended variation of it, your chances of misleading a learner are improved.

Domain – SecurityIQ provides a number of domains to choose from when sending email. These domains are meant to be unfamiliar to the learner but look legitimate if they examine them. They have been configured to ensure maximum deliverability of email messages to your servers, and our systems engineers constantly monitor and engage with more than 35 different blacklist providers to keep these domains clear of any blocks.

Example From Address: humanresources@email.mycompany.authorizednotification.com

From Name

This is the name of the individual you wish to have displayed to the recipient.

Email Subject

You can create a static email subject that doesn’t change, or you can include variables to customize the subject. This may be especially useful if your email is related to product orders or online services in which you may want make the learner feel that the email is just for them.

Example Email Subject: {{learner_first}}, Your Office 365 Password is About to Expire

Template Category

The Template Category is provided for organization purposes. Simply select the category that your template best fits into. This is where it will be stored for future access.

Attack Type

PhishSim allows you to simulate three different attack types. The following is an overview of how to configure each of them.

Drive By – The purpose of a drive by attack is simply to get a learner to click on a link contained in the email. Once they have done this, they will be directed to a web page which contains the training content you have defined in the template.

Attachment – When an attachment attack is conducted, PhishSim will include a file attachment with the email. When a learner opens the attachment, a macro is executed within the document which notifies the SecurityIQ platform that the user has opened the file. You can choose from three different file types to include in the email and also provide a name for the attachment. When providing the name, you do not need to include the file extension. This will automatically be added when the email is sent, based on the type of file being included.

The three file types which can currently be attached are Microsoft Word, Excel, and PowerPoint.

Data Entry – Many breaches that occur are the result of a data entry attack in which a user is taken to a webpage designed to look like a legitimate site such as Google. The user is then prompted to enter a username, password, or other information. In a real-world scenario, this data would be collected and used to gain access to the user’s account. In PhishSim, we present the learner with a fake login page and then simply register whether or not they entered any data in the form and submitted it. None of the entered data is collected or stored.

When the Data Entry attack type is selected, an additional configuration field is displayed in which you can select the Data Entry Page to be displayed when the learner clicks the link in their email.

Education – When a learner interacts with a phishing email, opens and attachment, or falls victim to a simulated data entry attack, they are presented with the education content you define in the email template. The selected education can either be one of the SecurityIQ interactive learning modules or a static education page.

Email Body

Body – What You See Is What You Get! (WYSIWYG) – The actual body of an email can be as simple or complex as you’d like to make it. The template editor works much like any word processor. You can enter text and adjust the format, insert images, links, and other forms of content. To monitor your progress along the way, you may either preview the email in your web browser by click the “Preview In Browser” button below in the main editor, or by receiving an email copy by clicking “Email Preview To Me”.

Variables – One method of gaining a user’s trust is to customize the email they receive by including pertinent personal data. For example, including a learner’s First and Last name, or the department or location will help to convince them that the email is being sent from a trustworthy source that knows who they are. A list of available variables can be found by following the available variables link located in the System Note section at the bottom of the Template Editor page.

Footer – Email templates can include a footer, which notifies the user that the email has actually been sent on behalf of their organization. If the leaner identifies the email as a phishing attempt, there is a link included in the footer which they can click to register their acknowledgment. This action will appear in your PhishSim reports and is a good indicator that learners are taking a close look at email that they identify as potentially suspicious.

The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them. In order to comply with the CAN-SPAM Act, SecurityIQ also includes a footer in all PhishSim emails which states the purpose of the message and provides a mechanism for unsubscribing from future messages.

If you are using an enterprise account, you do have the ability to suppress the inclusion of a footer on all emails. (see suppressing email footers in the Account Settings section)

Create an Email Template from Source Code – Often, people within an organization will forward suspicious emails to their technology support department. A great way to create new email templates is to base them off of real-world phishing messages. With SecurityIQ, this is very easy to do.

  IMPORTANT – If an Email Template is created from external source code, SecurityIQ will automatically sanitize any links that may be included in the source code and redirect them back to a PhishSim landing page. This ensures that emails received by learners will not direct them to a malicious site.

 

To convert a real email into an email template:

  • Using your email client, view the source of the desired email
  • Copy the HTML source code from the original email
  • In the Template Editor, click the “Tools” menu item and select “Source Code”
  • In the new text area that is displayed, paste your source code and click “Ok”

You will now see the rendered version of your source code displayed in the editor, which can be edited as you see fit.

To see how your template will be displayed for the learner:

  • From the Template Editor page, click “Preview in Browser”. A new tab or window will open and display the page as it will be seen by the learner

OR

  • From the Template Editor page, click “Email Preview To Me”. This will be sent to the email address of the account administrator

When your changes are complete, click save. You will now be able to reference this Email Template in any PhishSim Battery. If you started by copying an existing Email Template, enter a new Email Template Name and set the appropriate Category before saving.

Batteries

Batteries are a collection of email templates that will be sent out during a PhishSim campaign. Batteries are a great way to group templates based on the individuals that will be receiving them. As we discussed earlier in the planning section on role-based training, it is important to deliver training and content based on a learner’s role within the organization or their use of technology. For example, one battery may contain bank account and financial based templates, which could be sent to an accounting department. Another battery may include the types of templates normally seen in whaling attempts targeted towards executives.

To access PhishSim Batteries:

  • From the main menu, click “PhishSim” and then “Batteries”

To create a new Battery:

  • On the Batteries page, click “New Battery”
  • Enter a Battery Name

To edit an existing Battery:

  • Hover over the Batteries name and click the “edit” icon .

9

Figure: Battery Editor

To modify a Battery:

  • Once in the Battery Editor, click Add Template to add new Email Templates to the battery
  • The Available Email Templates window will appear. You can navigate to the appropriate section and category to select the desired templates to be included in this battery. Click the checkbox to the left of the module to select.
  • Once all of your modules have been selected, click “Save”

Your battery is now ready to be included in a PhishSim campaign.

10

Figure: Battery Email Template Selector

PhishSim Campaigns

A PhishSim campaign is a scheduled event which allows you to send a group of email templates (battery) to a group of learners for a defined amount of time with the option to repeat the campaign a given number of times. Each time a campaign is executed, we refer to it as a run. A campaign usually has multiple runs so we can clearly identify the change in learner behavior over time.

To access PhishSim Campaigns:

  • From the main menu, click “PhishSim” and then “Campaigns”

11

Figure: PhishSim Campaign Page

To create a new Campaign:

  • On the Campaign page, click “New Campaign”
  • Enter a Campaign Name
  • Select the Participant Type
    • Real Learners will use learners which you have added to the system
    • Practice With Learner “Bots” will simulate learner activity so you better understand how campaigns and reports will look once there is real activity.
  • Click “Next Step”
  • Select the group or groups you would like to include in the campaign. Users in these groups will receive the simulated Phishing emails.
    • If you chose real users in the previous step, you will see a list of group and individual users. To add them, click the desired entry in the “Available Groups” or “Available Users” list. That item will then move to the Selected Groups list.
    • If you chose “bots”, you can select from groups based on how the type of user they represent.
      • Reckless and Lazy Bots are very prone to clicking links and taking risky actions, but it may take them a while to do so
      • Normal Bots simulate normal user activity
      • Safe and Responsive Bots are less likely to interact with Phishing emails
    • Click “Next Step”
    • Select the Batteries which include the email templates you would like to send during this campaign. You may select one or more batteries. To remove a selection, simply click on it in the Selected Batteries section.
    • Click “Next Step”
    • Choose a group to add Phished Learners To (See Phished Learners group below for details)
    • Set the Start Date of your campaign
    • Specify the length in days that the campaign should run.
    • Set the number of times the campaign should repeat
    • Set the Phished Learner Action
    • Click “Schedule”

You campaign has now been created and will begin on the start date you specified.

Phished Learners

When a learner is phished, they have demonstrated a risky behavior and we immediately begin providing training based on the actions taken. In many cases we may want to provide additional training to a user in order to reinforce the information they have been given. One way of doing this is by adding the user to a group which can later be assigned to an additional PhishSim campaign or a targeted AwareEd campaign.

Campaign Math

In step 4 of the Campaign creation process, you will see some math that provides an overview of how many emails will be delivered per campaign, how often an individual learner can expect to receive a phishing email, and how many emails will be sent across all runs of the campaign.

Phished Learner Action

When the Phished Learner Action is set to “Send Training Reminder”, a learner who has been phished will receive periodic emails with a reminder to complete their training.

To edit an existing Campaign:

  • Once a campaign has been started, it cannot be edited. You may either clone a campaign and edit the new version, stop a running campaign and all future runs, or delete an existing campaign. IMPORTANT – See notes below on deleting a campaign before taking this action.

To view details of an existing campaign:

  • On the Campaign page, hover over the Campaign name and click the “Information” icon.
  • Your campaign will be expanded and you can now view details about each run by clicking the “Graph” icon .

12

Figure: Campaign Overview Page

 

13

Figure: Campaign Detail Page

To delete an existing campaign:

  IMPORTANT – Deleting a campaign will also delete all associated history for campaign and its associated learners. If you wish to retain data and results from a campaign, you must run a report for the campaign and export the information prior to deleting it from the system. You cannot undo a deletion, so be sure to export any needed information before doing so.
  • On the Campaign page, hover over the campaign name and click the “Trash Can” icon and click yes to the prompt to confirm deletion.

PhishSim Plugin and Quarantine

When a learner receives a PhishSim email, they have two options for letting you know that they have identified the message as a Phishing attempt. First, is by clicking a link contained in a footer which is added to the bottom of every email that is sent out. By clicking this link, SecurityIQ tracks that the user has identified the email as a phishing attempt.

14

Figure: PhishSim Footer

Additionally, users may choose you use SecurityIQ’s PhishSim plugin for Microsoft Outlook, Outlook 365, and Gmail. When installed, a user can not only report emails that originated from PhishSim, but they can also report actual phishing emails to their SecurityIQ administrator by highlighting the email message in their client and clicking the “Report Phishing” button within their client.

 

15

Figure: Outlook PhishSim Plugin

To download the PhishSim plugin:

  • From the main menu, click your name to the right of Reports
  • Download the appropriate plugin from the PhishReporter section
  • Run the install application

 

16

Figure: PhishSim Download Page

Once the plugin is installed, if a learner reports an email that isn’t from PhishSim, they are notified when reporting it.

17

Figure: PhishReporter Message

That email is then submitted to the PhishSim Quarantine, which can be reviewed by the SecurityIQ administrator.

18

Figure: PhishSim Quarantine

To access PhishSim Quarantine:

  • From the main menu, click “PhishSim” and then “Quarantine”

To view the details of a Quarantine submission:

  • On the Quarantine page, hover over the Subject and click the “Preview” icon

To delete an item from Quarantine:

  • Hover over the subject of the item you wish to delete and click the “Trash Can” icon .

Reports

PhishSim provides two types of reports which are designed to be simple and powerful.

Summary reports provide an overview of your learners’ risk, the changes in their behavior, and offer an overall view of the effectiveness of your PhishSim campaign. As you can see in the report below, our initial PhishSim campaign help determine a baseline of how your learners interact with phishing emails. The second run of our campaign indicates that after learners received training the first time, their behavior has improved, which is indicated by the decrease in the number of users who were phished. The third run indicates that while some users are still opening emails, they are no longer interacting with them. In the last run we see the number start to trend upwards again. This could be due to the inclusion of new email templates that simulate a new type of attack. If the graph were to continue, you would likely see a downward trend once again after learners received training pertinent to the new threat.

All SecurityIQ reports can be exported to CSV files for retention purposes.

19

Figure: PhishSim Summary Report a

20

Figure: PhishSim Summary Report b

21

Figure: PhishSim Summary Report c

Detailed reports provide a detailed history of the actions that each learner has taken.

22

Figure: PhishSim Detailed Report

To view a list of currently configured reports:

  • From the main menu, click “Reports”

23

Figure: Report List

To view an existing report:

  • On the reports page, hover over the report name and click the graph icon.

To create a PhishSim Report:

  • From the main menu, click “Reports”
  • On the reports page, click “New Report”
  • Enter a Report Name
  • Select the type of report you wish to create
    • PhishSim Campaign Summary Report – Provides a graph of PhishSim activity
    • PhishSim Campaign run Events Report – Provides a detailed line item report of PhishSim activity
  • For a Summary report, select the Available Campaigns which you would like to report on
  • For a Run Events report, select the Available Campaigns and user groups you would like to report on
  • Choose the Run Selection option that meets your needs.
    • All Runs
    • Last Number of Runs
    • Last Number of Days
    • Date Range
  • Select the event types you would like to include in your report from the Event Filters section
  • Select all of the items you would like to display in your report from the Display section
  • If you would like to have the report emailed to you on a weekly basis, check “Email this report to account administrators once a week” in the Delivery section
  • Click “Save Report”

 

24
Figure: Report Configuration