How to Run a Phishing Test on Your Employees
Is your company safe from phishing attacks? There are two ways to find out: either through a pre-planned simulation or an actual event. In this article, we’ll show you how to run a phishing test on your employees that will let you know how vulnerable you are before it’s too late.
SecurityIQ/PhishSim
In order to find out how vigilant your employees are against various forms of phishing attacks, InfoSec Institute has created the SecurityIQ platform and its application PhishSim. PhishSim, as the name implies, is a simulator that sends out phony phishing emails. However, instead of containing a link to a malicious website or virus, PhishSim sends those that click it to a landing page that informs them of their error. This landing page can be customized and branded to your company.
Phishing simulations & training
Email Templates
PhishSim makes it very easy to run a test on your employees. We have an Email Template Library that cover a wide range of standard phishing messages. These include templates created by InfoSec Institute as well as those from our user base. They are grouped into subjects such as Banking, Corporate Communications, and even Highest Phish Rate.
The templates all have information such as Difficulty, Open Rate and Phish Rate. You can select an email template that suits your company as-is, or you can duplicate it and modify as you see fit. You can also select New Template to create your own.
A few of the Banking Templates
Additionally, there are Data Entry Templates, which simulate login pages to such things as bank or email accounts. These can be used with Email Templates for a more sophisticated phishing simulation.
Educations
Paired with the phishing emails are Educations – a landing page with a message to anyone that clicks on the link, informing them that they have made a mistake. As with other elements of SecurityIQ, there is a library of Educations, which can be customized for your workplace.
Some Educations are a simple message; others include interactive videos. Regardless, whenever an employee clicks on a link and is sent to an Education, you will be alerted to the event.
Best Practices
When creating or choosing emails, it’s best to put on your “Criminal Minds” hat and think like a phisher or hacker. What departments are most vulnerable? Which type of communication is most likely to elicit a click?
While our Template Library is a great place to get started, try creating or customizing one for your company. Create an email with your boss’ name asking for a W-2. Send a phony invoice from a company you actually do business with.
Create a sense of urgency. Many phishing requests try and make the user act quickly without thinking, so emulate that in your email.
Drop subtle clues. Put in typos or misspell the company name. These should be red flags to the recipient.
Batteries and Campaigns
After you’ve created or chosen a selection of Email Templates and Educations, you can create Batteries and Campaigns. A Battery is a group of phishing emails that are sent at once, and a Campaign is a series of Batteries over a period of time. With a Campaign, you control such things as which employees get which emails, as well as the simulation duration.
Creating Batteries and Campaigns can be very easy; there is a Default Campaign that can be used as a good starting point.
The Start Campaign window
Running a Campaign
Once you’ve created or imported your employee address list and decided on the duration, you can start your Campaign. (It’s a good idea not to tell anyone that this is happening, so as to get a truer gauge of their vigilance.)
During the Campaign, you can view a variety of different reports from your Dashboard; they can also be emailed to you weekly. This will show you how many of your emails were opened or clicked, as well as those avoided or marked as spam.
The Phish Campaign Run Status details specific actions taken by individuals. You can use this information to require them to take further training courses in the AwareEd section of SecurityIQ.
A PhishSIM report
Conclusion
This is a very general overview of PhishSim and how to run a phishing test on your employees. SecurityIQ is intuitive to use, but this platform also has highly-advanced features to ensure you are truly raising awareness about the dangers of phishing.
The best way to get started is sign up for a free account. You can explore the different areas and even do a simulated Campaign with “learner bots” that can teach you more about how PhishSim works.
Phishing simulations & training
Don’t wait another day – start phishing your employees today before someone else does!
In this Series
- How to Run a Phishing Test on Your Employees
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness