How are you approaching phishing tests to make sure they really educate folks and aren't just about "tricking" employees?
We emulate real-world phishing campaigns and craft lures with intentional indicators and learning objectives. We then tailor the just-in-time training to educate users about the specific indicators they may have missed in the email. Finally, we assign every phish simulation a susceptibility score based on the overall complexity of the phish and measure results from the baseline.
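One way to implement the approach the comment above describes, as an added example in Python that is not the commenter's own tooling: a simulated lure carries intentional indicators, a grader checks which catalogued indicators the lure actually contains, the just-in-time training lists only the indicators the user missed, and a campaign summary turns the click rate into a complexity-weighted susceptibility score compared against a baseline. The indicator catalogue, the weights, the scoring formula, the domain example.com and the sample lure are all constructed assumptions, not any vendor's model.

```python
"""Phishing-simulation grading: intentional indicators, just-in-time training
and a complexity-weighted susceptibility score. Added example; the weights,
the scoring formula and the sample lure are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

ORG_DOMAIN = "example.com"  # assumed organisation being phished

# Indicator catalogue: name -> (subtlety weight, just-in-time training text).
# Higher weight = harder to spot. Weights are illustrative assumptions.
INDICATORS = {
    "lookalike_domain": (3, "The sender domain imitates ours with a swapped character; read the domain letter by letter."),
    "display_name_mismatch": (2, "The display name claims an address that differs from the real From address."),
    "link_text_mismatch": (2, "The visible link text and the real href point to different hosts; hover before clicking."),
    "urgency": (1, "A deadline of hours is a pressure tactic; slow down and verify out of band."),
}
MAX_WEIGHT = max(w for w, _ in INDICATORS.values())

# Digit-for-letter swaps commonly used in lookalike domains (assumed list).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def is_lookalike(domain):
    """True if the domain differs from ORG_DOMAIN only by digit swaps or hyphens."""
    domain = domain.lower()
    return domain != ORG_DOMAIN and domain.translate(_HOMOGLYPHS).replace("-", "") == ORG_DOMAIN

class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    m = re.match(r"https?://([^/\s]+)", url.strip())
    return m.group(1).lower() if m else ""

def find_indicators(raw_email):
    """Return the set of catalogued indicators present in a simulated lure."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    found = set()
    if is_lookalike(domain):
        found.add("lookalike_domain")
    claimed = re.search(r"@([\w.-]+)", name)  # address smuggled into the display name
    if claimed and claimed.group(1).lower() != domain:
        found.add("display_name_mismatch")
    parser = _LinkParser()
    parser.feed(body)
    for href, text in parser.links:
        if _host(text) and _host(text) != _host(href):
            found.add("link_text_mismatch")
    if re.search(r"within \d+ hours|immediately|will be (suspended|locked|deleted)", body, re.I):
        found.add("urgency")
    return found

def training_for(found, spotted=frozenset()):
    """Just-in-time training: one lesson per intentional indicator the user missed."""
    return [INDICATORS[i][1] for i in sorted(found - set(spotted))]

def campaign_summary(found, sent, clicked, baseline_score):
    """Complexity = mean subtlety of the indicators present. Susceptibility (assumed
    formula) scales the click rate up for easy lures, so a 15% click rate on an
    obvious phish scores worse than 15% on a subtle one. Delta is against baseline."""
    weights = [INDICATORS[i][0] for i in found]
    # A lure with no catalogued indicators is treated as maximally subtle.
    complexity = sum(weights) / len(weights) if weights else float(MAX_WEIGHT)
    click_rate = clicked / sent
    susceptibility = click_rate * MAX_WEIGHT / complexity
    return {"complexity": round(complexity, 4), "click_rate": round(click_rate, 4),
            "susceptibility": round(susceptibility, 4),
            "delta_vs_baseline": round(susceptibility - baseline_score, 4)}

# Constructed sample lure: lookalike domain, smuggled display-name address,
# link text/href mismatch and a 24-hour deadline.
SAMPLE_LURE = """\
From: "IT Helpdesk (helpdesk@example.com)" <helpdesk@examp1e.com>
To: alice@example.com
Subject: Password expires in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password will expire within 24 hours. Reset it now:</p>
<p><a href="https://examp1e.com/reset">https://portal.example.com/reset</a></p>
</body></html>
"""

if __name__ == "__main__":
    found = find_indicators(SAMPLE_LURE)
    print("indicators present:", sorted(found))
    print("lessons for a user who only spotted urgency:", training_for(found, {"urgency"}))
    print(campaign_summary(found, sent=200, clicked=30, baseline_score=0.3))
```

The point of weighting by complexity is that a raw click rate is not comparable across campaigns: a lure whose only tells are a swapped character and a mismatched href is expected to catch more people than one that also shouts about a deadline, so the score divides the click rate by the lure's mean subtlety before comparing to the baseline.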
The most important element is to have targeted and specific training provided to an employee when they "fail" a phishing test.
Red Team testing is a perfect way to test systems and employees: phishing, a mystery guest on the floor trying to get into the local network and find hardware and connectivity risks, and real testing based on credentials obtained from the phishing.
They have to be done in a formal manner. There is a great new book with ideas on how to do that, by Roger Grimes; see Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing.
https://amzn.to/43hTyKd
Training on phishing is done prior to the test, about a week prior. The training is short and dedicated to one way of checking for phishing.
The test is to evaluate what has been retained. We rinse and repeat every 2 months with the goal to raise awareness over many months. It's a process.
We also like it when employees report the phishing tests, or real ones. Employees learn better from other employees than from something that's mandatory.