
Crafting Impossible Simulated Phishing Campaigns? Stop It!

While new phishing tactics emerge regularly, many of the same tactics used in the past keep recirculating. Why? Because people keep falling for them.


Stop overthinking your simulated phishing campaigns. Security and IT leadership need to remember that the purpose of the campaigns isn't to see how many people you can get to fail - it's to educate the workforce on common tactics and templates used by the bad guys.


Be Strategic

If you're only thinking about your next phishing campaign days before it launches, you may already be missing a great opportunity. Security awareness and training programs should be well-documented with strategic objectives and goals. How else are you going to measure the effectiveness of your training and increased awareness?


Incorporate a 12-month plan for simulated phishing into your overall awareness and training program, outlining a general theme for each template and the difficulty level of each template.


Be Pragmatic

If you've been around cybersecurity and phishing, you know there are varying degrees of difficulty, some of which even the most seasoned and vigilant cybersecurity professional may fall for. Avoid doing this to your workforce. You're after positive awareness progress, reinforcement, and training. People should feel like their training will give them a fighting chance if put to use and know that a successful pass will get them the kudos they deserve.


Consider running quarterly campaigns for all employees at a minimum, and run separate campaigns in between for those who failed the previous all-hands version. These folks have told you through their actions that they need more training - give it to them!


Be Real

If you're using templates never seen in the wild, you may be missing a huge opportunity to reduce risk. While new phishing tactics emerge regularly, many of the same tactics used in the past keep recirculating. Why? Because people keep falling for them.


Identify real tactics being used and plan your campaigns accordingly. Don't send a fake IRS email in September. Send it during tax season! Is benefits renewal coming up in your organization? Are fake Amazon package alert tactics being used again around the holidays? Build your campaigns in a way that truly prepares the workforce for the likely emails they will see from cyber-criminals. The chances of employees reporting a phish if they've seen it from you first are high.


Don't miss the point of simulated phishing when conducting it at your business. This is a useful training and measurement tool when used correctly; however, if used incorrectly it's a tool that will fall out of favor with staff and senior leadership very quickly.





For more information on simulated phishing or managed security awareness programs, please contact info@advosec.com




 
 
 



© 2025 Advosec, LLC | All Rights Reserved
