How to Run Ethical and Effective Phishing Simulations

According to CIPD, 85% of employees want to split their hours between the office and home, while 40% of employers cite hybrid working as their new operational model.

Workplaces will soon be welcoming back a stream of colleagues fresh from remote working – an exciting time that may cause distraction as teams enjoy the buzz and adapt to a new balance. Critically for your business, this distraction could trigger a lapse in cyber vigilance – considering that more threat actors target distributed workforces, now is the perfect time to refresh security training.   

Where to start and what to prioritise

We recommend that you put phishing awareness training at the top of your list, for three reasons:  

1. Phishing attacks are rising and becoming smarter. Fast evolving and pervasive, your business wants to guarantee that every user is switched on and up to speed.  
2. Ransomware attacks are up by 148% post-pandemic. This is relevant because phishing emails are the most popular distribution method for ransomware.  
3. Hybrid working makes it notoriously difficult to prevent phishing attacks. Its fluid nature and inclusion of remote work call for constant vigilance.  

For instant impact and tangible results, nothing beats a phishing simulation test. This is when IT departments or cybersecurity experts send and report on a fake phishing email that targets a workforce. The real-world experience is invaluable for opening employee’s eyes, while actionable insights provide managers with a clear course of action.  

How to set up and run a phishing simulation 

1. Plan and run a guided session beforehand. For new and current employees. The aim is to foster vigilance and gravitas around cybersecurity. Employees feeling unfairly tricked or out of the loop will trigger instant disengagement. 
2. Set up an email for reporting phishing scams. Employees can send a message to this address when the encounter a suspected malicious communication. This way you can know not just when users fail, but when they pass with flying colours. 
3. Create your scenarios alongside an expert. You want scenarios that entice a click, but don’t cross ethical boundaries. Security Providers can help you strike the balance between creativity and cruelness, and solutions like Cybersecurity Officer as a service (COaaS) can include simulation testing in their service stack. 
   
   Simulations can include everything from viewing a bonus figure, to responding to a request for help from a colleague and signing up for a social event, to paying an outstanding invoice. They can also focus on current news stories or hot topics in your industry or business – voyeurism always works!  
4. Devise your simulation schedule. You should avoid sending simulations too often, as there is a chance users will identify by expectation rather than analysis. But make sure that you launch enough simulations to generate workable data insights. Once a month is a sensible compromise.  
5. Choose your target simulation group. A mass email to your entire Active Directory will cause a ripple, and your simulation could be outed before most users have a chance to respond. Split your Active Directory into groups and send simulations to these groups on rotation.  

Ethical approaches to baiting your team

Ethical questions have been raised about phishing simulations in recent months. Any organisation serious about protecting itself from human error, must run phishing simulations. The examples of poor form that make industry headlines represent a tiny percentage of tests – remember that thousands are run every day to great success and fair reception from users.  

• Keep the proposition professional. Matters of personal life or health can be substituted for less sensitive context.  
• Never use an employee’s name or image. Unless a whaling simulation, never reference employees, and certainly never implicate anyone.  
• Check news stories on your subject matter. A sensitive news story may take your subject matter from compelling to controversial.  

How to get strong and long-lasting impacts from phishing simulations

The key to achieving continuous improvement is psychological in nature. If a user has been drawn in by social engineering, they may feel humiliated, ashamed or even fearful. Any post-test anxiety could discourage engagement, or even breed animosity. This is at odds with the objective of phishing simulations, which is to build vigilance and confidence.  

As a business manager, you must therefore take steps to ensure that users have a positive response to a simulation, whether they fall short or pass with flying colours. Consider a follow-up process that respects these best practices: 

1. Be confidential. Never publicly share any information that could identify a user’s result.  
2. Be transparent. When all users have had a chance to view the test, inform them that a test has been run and responses will be confidential.  
3. Be sympathetic, but clear. Your response team should be understanding to users that fail, and clearly communicate what went wrong with an open mind.  
4. Be constructive. Come armed with advice and next steps, so that users feel supported and not scolded. 
5. Be pragmatic. The aims of phishing simulations are to fine-tune user skills to reduce human error. But if a fail uncovers an opportunity to bolster security software, address it head on.  

Are you ready to step up your cybersecurity user training with phishing simulations? Arrange a consultation with Node4 to design a bespoke simulation or explore your automated software options.