Phishing Awareness Exercises to Test Your Employees

May 18, 2021 | By JF Stubits

Employee security awareness is critical to company success - and the outlook is often worse than businesses realize. In a 2020 test, about 25% of U.S. users fell for phishing scams, and nearly 20% of them submitted their credentials.

Phishing awareness efforts should be cyclical: measure awareness, train, and measure again. Here are a few exercises you can do to both test employees and measure their performance.

Send a Simulated Phishing Email

Create a fake phishing email and send it to employees to see how they react. Several tools and providers offer ready-made phishing simulations. If you build it yourself, make sure it carries some of the telltale signs of a phishing attack, like:

  • Poor grammar.
  • A sense of urgency.
  • Requests for personal information, like company logins or bank account numbers.
  • A suspicious sender address (for example, a lookalike domain or a display name that does not match the address).

Track how many employees click the link, how many submit credentials, and how many report the message. Point the link at a landing page on a domain you control, and have that page record only the fact that a submission happened, never the password itself. If you can, break the numbers down by department, permission level and other factors that matter to you, so you can see which parts of the organization need the most attention.

This is a great exercise to start with and establish a phishing awareness baseline.
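The following script, added here as an illustration and not part of the original article or any vendor's tool, turns a campaign export into the baseline described above: overall click, submit and report rates, the same rates broken down by department and by permission level, and a list of the groups that should get training first. The column names and the eight-recipient sample are constructed; real simulation tools export different fields, so adapt the parser to yours.

```python
"""Aggregate simulated-phishing results by department and permission level.

Added example, not code from the original article. It assumes a campaign
export with one row per recipient (constructed sample below).
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. 'submitted' records only WHETHER a user typed
# credentials into the landing page; the page must never store the password.
SAMPLE_EXPORT = """\
email,department,permission_level,clicked,submitted,reported
alice@example.com,finance,admin,1,1,0
bob@example.com,finance,user,1,0,0
carol@example.com,finance,user,0,0,1
dave@example.com,engineering,admin,0,0,1
erin@example.com,engineering,user,1,0,1
frank@example.com,engineering,user,0,0,0
grace@example.com,sales,user,1,1,0
heidi@example.com,sales,user,1,1,0
"""


def parse_export(text):
    """Return a list of dict rows with boolean outcome fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "email": row["email"],
            "department": row["department"],
            "permission_level": row["permission_level"],
            "clicked": row["clicked"] == "1",
            "submitted": row["submitted"] == "1",
            "reported": row["reported"] == "1",
        })
    return rows


def rates(rows):
    """Click, submit and report rates (as fractions of recipients) for a set of rows."""
    n = len(rows)
    if n == 0:
        return {"sent": 0, "click_rate": 0.0, "submit_rate": 0.0, "report_rate": 0.0}
    return {
        "sent": n,
        "click_rate": sum(r["clicked"] for r in rows) / n,
        "submit_rate": sum(r["submitted"] for r in rows) / n,
        "report_rate": sum(r["reported"] for r in rows) / n,
    }


def breakdown(rows, key):
    """Rates per distinct value of `key` (e.g. 'department' or 'permission_level')."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[key]].append(r)
    return {name: rates(group) for name, group in sorted(groups.items())}


def priority_groups(rows, key, submit_threshold=0.25):
    """Groups whose submit rate meets the threshold: where follow-up training goes first."""
    return [name for name, stats in breakdown(rows, key).items()
            if stats["submit_rate"] >= submit_threshold]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("overall:", rates(rows))
    for key in ("department", "permission_level"):
        for name, stats in breakdown(rows, key).items():
            print(f"{key}={name}: {stats}")
    print("needs attention:", priority_groups(rows, "department"))
```

The submit rate, not the click rate, is the number to watch for prioritizing training, and the report rate is the one you want to see rising from one cycle to the next; the 25% threshold in `priority_groups` is an arbitrary starting point, not a standard.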

Train Employees

After establishing a baseline, train employees on phishing best practices, focusing on the most commonly missed items. Be sure to cover:

  • What phishing is, and what forms phishing attacks can take.
  • How to identify a phishing attack.
  • What not to do when they receive a suspected phishing email, text or other message (e.g., do not click links or open attachments, and do not enter credentials on a page reached from the message; verify any request through a channel they already know, such as a phone number from the company directory, rather than by replying).
  • How to report a suspected phishing attack. 

Simulate Spear-Phishing

Spear-phishing is a more targeted form of phishing, where attackers find information about a specific person and use it to trick them into giving up confidential information with a more personalized, convincing attack.

To simulate a spear-phishing attack, create personalized emails addressed to each target by name at their own email address. Consider also including information you know about them, like their job title or their manager's name, that makes the email look more convincing; stick to work-related details rather than anything gathered from personal accounts. Send these out and monitor responses just as described above, tracking results by department and permission level to get granular insight into performance and training needs.
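As an added example (not code from the original article or any vendor product), the script below builds the personalized spear-phishing messages described above and gives each recipient a unique tracking link. The link carries an HMAC token over the campaign and the address, so the landing page can attribute a click or a submission to one recipient without the URL exposing who else was targeted, without tokens being guessable, and without the page ever needing to store a password. The landing host `phish-sim.example`, the sender address, the campaign id and the two-person target list are assumptions; use a domain you control.

```python
"""Build personalised spear-phishing simulation emails with per-recipient
tracking links.

Added example, not code from the original article. The hostnames, the
campaign id and the target list below are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from email.message import EmailMessage
from string import Template

LANDING_HOST = "https://phish-sim.example"  # assumption: a domain you control
CAMPAIGN_ID = "q2-spear"                     # assumption

# Constructed target list: only work-related details, as the article advises.
TARGETS = [
    {"email": "alice@example.com", "name": "Alice Ng",
     "title": "Accounts Payable Lead", "manager": "Dana Ruiz"},
    {"email": "bob@example.com", "name": "Bob Tran",
     "title": "Systems Administrator", "manager": "Priya Shah"},
]

# Pretext personalised with the recipient's name, title and manager's name.
BODY = Template("""Hi $first_name,

$manager asked me to send the updated vendor payment form
to our $title for sign-off today. Please review and confirm
your details here:

$link

Thanks,
Finance Operations""")


def make_token(secret, campaign_id, email):
    """Per-recipient token: HMAC-SHA256 over campaign id and address,
    so tokens cannot be forged or enumerated by anyone without the secret."""
    msg = f"{campaign_id}:{email}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def resolve_token(secret, campaign_id, targets, token):
    """What the landing page does: map a token back to the recipient it
    was issued to, or None if it matches nobody in the campaign."""
    for t in targets:
        expected = make_token(secret, campaign_id, t["email"])
        if hmac.compare_digest(expected, token):
            return t["email"]
    return None


def build_message(secret, target, campaign_id=CAMPAIGN_ID):
    """One personalised message with its tracking link."""
    token = make_token(secret, campaign_id, target["email"])
    msg = EmailMessage()
    # assumption: a lookalike sender domain you control
    msg["From"] = "Finance Operations <ap@finance-example.com>"
    msg["To"] = f'{target["name"]} <{target["email"]}>'
    msg["Subject"] = f"Action required: vendor payment form for {target['name']}"
    msg.set_content(BODY.substitute(
        first_name=target["name"].split()[0],
        manager=target["manager"],
        title=target["title"],
        link=f"{LANDING_HOST}/c/{token}",
    ))
    return msg


def build_campaign(secret, targets=TARGETS):
    return [build_message(secret, t) for t in targets]


if __name__ == "__main__":
    # The secret stays with the landing page; it never goes into the mails.
    secret = secrets.token_bytes(32)
    for m in build_campaign(secret):
        print(m.as_string())
        print("-" * 60)
```

The landing page only needs `resolve_token` and the same secret to log "token X clicked" or "token X submitted" as a yes/no event; the message objects can be handed to `smtplib` or to whatever sending infrastructure your simulation provider uses.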

Implement Necessary Training and Remediation

This round of training should be more specific than the initial one: cover the items employees missed, and remediate the departments or individuals that performed poorly in the spear-phishing simulation.

Conduct an Advanced Phishing Simulation

Try moving outside email and running a simulated phishing attack by text message or phone call (we recommend sticking to employees' work phone numbers for privacy reasons). You can also repeat a simulation similar to one employees performed poorly on in the past to test whether your training and remediation worked.

Continue the Cycle

Measure results and continue to hone your employees' security awareness regularly with new exercises that focus on areas that need improvement.

Work With an Expert

Some IT providers can help with the phishing awareness process, from initial measurement to ongoing testing implementation and monitoring. Convergent is a managed IT services provider that can help you develop and implement a phishing awareness plan customized to your business. Visit our website at www.askconvergent.com to learn more about our services.

To get started with your own phishing test, download the free infographic for a step-by-step guide to phishing test implementation.
