
A right way. And a wrong way.

And there's not much gray area when it comes to Simulated Phishing the right way in your organization.

How well do you learn something when you do it once a year?

Most things aren't like riding a bike - just pick it back up after years, start cruising, feel that breeze and cheerily ring your bell.

So let's think about your organization's Simulated Phishing tests. It's typically part of a broader Security Awareness Training program. And it's critical that it's done well.

Ok, enough rambling...

What's the wrong way?

The wrong way is minimizing your Phishing Simulation program, not giving your team the chance to actually change behavior.

When 90 out of every 100 attacks involve an employee making a mistake and opening the door to an attacker, something has to change in our routine behaviors!

Here are some of the key wrong ways to phish your team:
1. One and done - doing a single campaign and high-fiving about a low click rate
2. Onslaught - punching out a simulated phishing attack all at once to your team
3. Recycling - using the same content repetitively across the organization
4. Lost to spam - not ensuring 100% delivery to your users
5. Announced - letting your team know that the phishes are coming

Let's take each in stride. Briefly.

What's wrong with the one and done approach?
If it takes 66 days to learn a habit, you can know for certain that your team won't learn a new behavior with once-a-year phishing tests.

Hot take: your employees (and you) are not the same person at all times.

Your employees need to experience phishing tests in a wide variety of atmospheres, with varied timing AND content.

Why do we have beef with the onslaught approach?
Candidly, this is a convenient option for the IT Manager (ahem... if you're reading this). But it causes problems.

Namely, you don't know how well your team is doing! It takes one person shouting/messaging the team ("hey, don't click that LinkedIn invite. It's a fake phish!") and your testing is immediately futile.

It used to be called the gopher problem, back in the good ole days when we used to work in offices.

They always told me that recycling is good?
Keep taking your reusable bag into the grocery. But don't keep reusing the same phishing templates with your team!

Content needs to be fresh. After all, those cybercriminals are constantly updating theirs!

What about those pesky spam filters?

First, you should definitely use spam/junk filters. Otherwise, your email inbox would be flowing like Niagara.

The problem is that these filters interfere with your simulated phishing campaigns. After all, you're phishing your own team, so these filters are doing what they're supposed to do!

In the wild, the real attackers do a lot of work before launching phishing campaigns, just to ensure that they can sneak past your spam filters.

This means you have to whitelist effectively for your campaigns. If you've done this before, it can be very tedious, depending on your email stack.

Why don't we give our team a heads up?
This might sound crazy but... cybercriminals don't announce their attacks! That's it. That's an easy one, right?!

Yes, some of your employees will be frustrated by falling for a simulated attack. BUT that means the learning process has begun!

Take it from NIST, which specifically calls out "no-notice" phishing tests of your users in its guidance. NIST is the primary organization sending down compliance and regulatory guidance on Security Awareness Training, so we listen!

Ok, so what's the right way?

The right way to Phish your team produces positive results and changes behavior.

You've probably guessed where we're headed by now - it's the opposite of the points above. So we'll jump right in.

The keys to a successful simulated phishing program:
1. Continuous - you have to phish your team consistently, throughout the year
2. Varied Timing - your attacks need to be randomized in time
3. Fresh Content - your simulated phishes need to mimic the real world, always
4. Avoid Spam - you have to stay on top of whitelisting, upfront and ongoing
5. No-Notice - don't tell your team it's happening!
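As an added example (not INFIMA's code or anything from the original post), here is what points 1 to 3 look like as a concrete send plan, plus an audit that checks the plan for gaps, repeated lures and the gopher problem; the users, template names and dates are constructed sample input.

```python
"""Randomized phishing-simulation scheduler (added example; not INFIMA's code).
Shows the page's "right way": continuous sends, randomized timing, rotating
content, and no two users getting the same lure on the same day (the gopher
problem). Users, templates and dates below are constructed sample input."""
import random
from collections import defaultdict
from datetime import date, timedelta

def schedule(users, templates, start, days, period, seed=0):
    """Return {user: [(send_date, template), ...]}: one send per user in each
    `period`-day window on a random day, templates rotated per user, and no
    template sent to two users on the same day (needs more templates than users)."""
    if len(templates) <= len(users):
        raise ValueError("need more templates than users")
    rng = random.Random(seed)
    plan, sent_on = defaultdict(list), defaultdict(set)   # sent_on: day -> templates
    for user in users:
        unseen, last = [], None
        for window in range(days // period):
            day = start + timedelta(days=window * period + rng.randrange(period))
            if not unseen:                      # new rotation cycle: reshuffle content
                unseen = list(templates)
                rng.shuffle(unseen)
            # never reuse a lure already sent today, and never repeat the user's last one
            free = [t for t in templates if t not in sent_on[day] and t != last]
            pick = next((t for t in unseen if t in free), free[0])  # prefer unseen
            if pick in unseen:
                unseen.remove(pick)
            sent_on[day].add(pick)
            plan[user].append((day, pick))
            last = pick
    return dict(plan)

def audit(plan, period):
    """Measure a plan against the page's criteria (all should pass)."""
    recipients = defaultdict(set)               # (day, template) -> users
    gaps, repeats = [], 0
    for user, sends in plan.items():
        for day, t in sends:
            recipients[(day, t)].add(user)
        gaps += [(b[0] - a[0]).days for a, b in zip(sends, sends[1:])]
        repeats += sum(a[1] == b[1] for a, b in zip(sends, sends[1:]))
    return {"same_day_duplicates": sum(len(u) > 1 for u in recipients.values()),
            "max_gap_days": max(gaps, default=0),
            "back_to_back_repeats": repeats,
            "continuous": all(g < 2 * period for g in gaps)}

USERS, START = ["ana", "ben", "cho", "dee", "eli", "fay"], date(2024, 1, 1)
TEMPLATES = ["linkedin-invite", "hr-benefits", "docusign", "password-reset",
             "gift-card", "shipping-notice", "mfa-reset", "invoice-overdue"]
```

Running `audit(schedule(USERS, TEMPLATES, START, 364, 14), 14)` gives a one-year plan of 26 sends per user with no same-day duplicate lure and no gap longer than 27 days.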

Let's wrap this up...

INFIMA does all the above. Fully automated.

Through our incredible Partners, we provide continuous Phishing simulations, using only the best attacks from the wild. No two users will ever get the same phish at the same time, so you avoid that gopher problem! And we keep it fresh. So fresh.

Oh, and we've solved the spam filter problem. Holler to learn more!

If you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!

Photo by Alison Pang on Unsplash

Joel Cahill

Cybersecurity enthusiast. Entrepreneur.