Do’s and don’ts for a successful internal phishing campaign

1. Arm your employees against phishing

The danger behind the ever-increasing phishing barrage

No (cyber)security solution advertises one hundred per cent protection. This is only logical: antivirus software and other protection measures try to offer an answer to the latest tricks that inventive hackers pull out of their hats. Security therefore always lags a little behind the newest threats. However, the greatest danger does not always come from ultramodern attack techniques or zero-day leaks.

In reality, hackers are just people, looking for an easy way to make a quick buck. They, therefore, look for the weakest link in any cybersecurity system: other people. Then they set their sights on places where there is money: companies.

A small mistake, paid for dearly

The ball lies in the businesses' court: it is up to companies themselves to train their employees and make them aware of the dangers of phishing. This way, you get an interaction where on the one hand, people on the work floor actively cooperate to create a safe company environment, and on the other hand, the acquired knowledge arms them against fraudsters in their private lives as well.

The idea is not new: in the United Kingdom, employees have already been receiving relevant training and support since 2018. The Minimum Cyber Security Standard (MCSS) that the country implemented for UK organisations, requires them to establish a culture of cyber awareness.

And in Europe, the new Network and Information Systems directive (NIS-2) was recently accepted. As of 2024, companies and suppliers from key industries will have to dramatically strengthen their cyber resilience and be able to demonstrate that they are actively and consistently creating cybersecurity awareness. Members of management will even be obliged to follow specific security awareness training.

Testing, not bullying

As an organisation, you shouldn't wait on rules and obligations issued by any government: besides investing in extensive and up-to-date cybersecurity infrastructure, you can also raise your employees' awareness of cyber threats. At Phished we specialise in this; we already rolled out internal phishing campaigns and offered specialised training courses to, among many others, Kinepolis, University of Antwerp, AG Insurance, Studio 100 and Aperam. We confront employees with realistic-looking attacks and provide context so that people are prepared when they come face to face with the real deal.

In this white paper, we highlight the most important do's and don'ts that you can use as a guide for a successful training programme for your own employees. A carefully planned campaign is invaluable, but a poorly thought-out approach can do more harm than good.

We can already reveal one golden rule: your employees must take something away from the test(s). They should never feel that they are being bullied or targeted, especially when they simply need more guidance. Testing is the message, not bullying!

2. How big is your phishing problem, really?

Baseline measurement for shock effect

What is the actual state of cyber awareness within your company? To create a successful training program, you need to know not only where you want to go, but also where you are starting from. That is why a baseline measurement test is so important: it is the very first test that confronts your employees with the state of affairs. The goal is to get a clear picture of the general level of knowledge.

How to get started?

Do warn your co-workers in advance of an incoming test

The first time an internal phishing campaign is launched, many people are guaranteed to fall for it. On average, we see that up to 50 per cent of the employees allow themselves to be caught, even when they know that something is coming. People realise the extent of the problem faster when they see how quickly they can be fooled by phishing. By communicating about the phishing simulation in advance, you also have a stronger case to defend your plans for a training program.

Do repeat the simulation a short while later, but make it more difficult

Pull out all the stops. For example, choose an email with typo squatting, where the sender's name or the link used looks very much like that of a trusted organisation, apart from a typo. In this mail you can use internal knowledge, with references to things that only colleagues (or hackers with access to their mailbox) can know. You will notice that despite the increased difficulty, the result is better than during the first test.

Do warn a colleague if you’ll be sending a phishing email in their name

While this technique is definitely worth a test, make sure that the person indirectly involved is not taken by surprise. We see that people usually like to be part of an educational conspiracy. Although, of course, you have to choose someone who can keep a secret.

After the tests, it is time to analyse the results in depth. Which of your organisation's weaknesses come to the fore? Are there teams or departments that need extra training? Do more people fall for simulated phishing mails when they open them on their mobile phones? With this knowledge, you can take concrete action!

Don't make your first phishing simulation too difficult

Choose a simple email that allegedly comes from a colleague - LinkedIn is a fantastic source for this. Do not immediately start sending emails containing references to internal company knowledge or using the known company layout. A simple first simulation will already make enough victims and shows the need for further testing.

Don't try to persuade people to click on something with the promise of a reward of a bonus

While you could promise extra money in your phishing mail as bait, this is not a good idea. Yes, people will click much faster indeed, but when they learn that your email was just a phishing test and the bonus does not exist, your people will lose the motivation to learn. Criminals are not averse to similar tactics, but you want to keep your employees on your side. So, keep it clean, or be prepared to bear the negative consequences.

3. What do you want to accomplish?

Onwards 0 per cent?

With the baseline measurement results in hand, you know where you stand. Now it is time to determine where you want to go with your business. How quickly and how intensely you want to build awareness, varies from company to company. Typically, CISOs and IT managers set a click-through rate of less than 5 per cent as a goal, and they want to have achieved that after one year.

How do you choose the right objective?

Do set a realistic goal

No one is infallible, so don't expect your entire organisation to reach zero per cent. With good and thorough training, you can already avoid a catastrophe. If someone does get seduced into an inappropriate click, then thanks to the complete training program, the entire organisation knows exactly how to react.

Do communicate transparently about the results of you simulated phishing campaigns

Let people know how many employees have been caught out but realise that anyone can fall for it. Even at Phished, where we work on phishing every day, colleagues sometimes get caught by surprise. Make sure everyone knows what the objective is, so you can work towards it as an organisation.

Don't punish people for clicking on a simulated link

Awareness takes time and not everyone learns as quickly. Choose a positive story with a focus on support and give people the time they need to grow.

4. Step by step to a safer company

The ultimate goal is to make your company safer and arm your employees with a healthy suspicion, in order to create a cybersecure work culture. Four factors contribute to the growth of your employees: frequency, personalisation, training and engagement.

Repetition, repetition and more repetition

How quickly the level of knowledge within your company increases goes hand in hand with the intensity of the training. It's not rocket science: the more often you run phishing simulations, the fewer people will fall for them by the end of the year. If you choose to use our algorithm to send out a phishing simulation only once every 90 days, you will see the phishing percentage drop to less than 13 per cent. Usually, companies choose a more intensive approach with a simulation every 15 days. This does not fail to produce results: it lands you below the 5 per cent mark. With a simulation every 5 days you can even get the figure down to 1.5 per cent.

Do plan simulations regularly

It is not enough to work with an ad hoc approach and only send out simulations when you think about it. You have to test regularly: frequency and result go hand in hand. Setting up and sending out e-mails yourself takes up a lot of time. So, choose a tool that automates the work.

Don’t limit yourself to one test per year

We notice that an annual simulation has little to no effect in the long run. Figures show that even a thorough cyber security training is forgotten after 6 months. So, repetition is the message.

Personal touch

Don't fool yourself: everyone is susceptible to phishing. From the head of a hospital department to the cleaning crew, from the dean of a university to the receptionist, even from the IT specialist to the digital illiterate: everyone is a target and everyone can get caught. Of course, this is not possible with generic e-mails; therefore, anticipate personal pitfalls. Your marketing colleague might be a little too quick to click on a Facebook simulation, while your accounting friends won't think twice about a professional-looking email about late payments. That's why it's important to test employees with emails tailored to them.

Do test people in different ways

With different topics and possibly even at different speeds. Approach the simulations with a personalised approach and surprise departments. This way, you will have the greatest impact on their way of working and thinking.

Don’t limit yourself to company-wide simulations

Colleagues will quickly inform each other when they find out what is going on, and that ruins the simulation. An occasional test in which you present the same content to everyone is fine, provided that you alternate such tests with more personalised campaigns.

Phishing simulations are not enough

Phishing simulations are a great way to enable your employees to spot real threats, but they are only a first step towards a safer, better protected organisation. Because awareness alone is not enough, it has to be part of a holistic approach. It is important to offer your employees a complete training that covers a wide range of cybersecurity topics. Teach them how to handle every type of threat through time-efficient, frictionless microlearnings.

Do choose fun and interactive training

Your employees don’t care for Netflix-like libraries filled with videos that aren’t actionable. Teach them what to do when things really go wrong and motivate them, using proven techniques from gamification such as nudges, rewards and certificates.

Do use locally relevant content

While educating on the dangers of end-of-year shopping revolving around the Christmas period is globally relevant, modules on public holidays such as Cinco De Mayo or 4th of July in the USA do not work in Europe.

Don’t require your high-performing employees to participate in tests that are too easy

They do have their use for people who might learn a bit slower, so don't lump your entire workforce together. Everyone follows their own learning path.

Together against the AI

The cyber awareness training at Phished is powered by our own proprietary AI, which sends phishing simulations to individual employees fully automatically. This appeals to the imagination: employees see that they are being tested by AI and immediately feel motivated to show that they are smarter than the robot on the other side.

This is how phishing lives within an organisation. Around the coffee machine, colleagues talk about the phishing mails the algorithm sends their way. They feel they are fighting a common enemy and are proud when they detect an email and report it. This dynamic drives awareness.

Do give your co-workers the opportunity to report simulations

This gives them an active role in the process. An additional advantage: colleagues will also automatically report real spam as well as and phishing emails, giving the company's cybersecurity attitude an extra boost. We call this involvement activation.

Don’t make the training campaign too non-committal

The simulations and training work best when everyone feels involved and understands the company's philosophy. Everyone really means everyone: from C-level to assistant.

6. Conclusion with ethical hacker Inti De Ceukelaire (Intigriti)

Recognising that you are vulnerable is the first step in mitigating risks

The main argument for people not to get involved in anti-phishing training - "it will never happen to me" - is invalid: everyone is susceptible to a well-executed campaign.

Everyone regularly experiences less vigilant moments, which is exactly why continuous testing is important. Cybercriminals don't wait until the first coffee has been consumed or until you have completed your annual awareness training. Every training course you take will be outdated the very next day, because rogue hackers are constantly using new techniques and methodologies to make their traps more realistic and up to date.

Recent data breaches at Facebook and LinkedIn, among others, teach us not only that attackers have huge databases on which to base their phishing campaigns - and which help them make them credible - but also that they need little more than a simple scraping tool to convincingly target people. In just a few seconds, a hacker is able to trap anyone.

To counter new attacks and prevent catastrophic scenarios, we must learn to recognise patterns in order to build up a permanent vigilance. This can only be done by providing an ongoing training for our employees; one that is as agile as the growing cyber threat.