How often do you do phishing campaigns?


Head of Cyber Security in Manufacturing, 501 - 1,000 employees
Are we sure that phishing tests are not doing more harm than they solve? Business is busy and those tests don't reflect the reality of today's stellar phishes. I think it's better to invest in phishing-resistant authentication so creds are not leaked, and an SWG that filters bad URLs/malware out.
Strategic Banking IT advisor in Banking, 10,001+ employees

I do agree with you, Raphael.

On a weekly basis, we do phishing campaigns. A very large group of employees will receive an appealing email from:
- HR Department
- An SVP 
- A well recognized vendor (Microsoft for example)
- A delivery company

Then, it either contains a link or a file to be opened. The employee has to click on a 'fish icon' in Outlook to submit the email to the security team.

If the email was 'fake', you will receive congratulations. If the email was really suspicious, it will get inspected and the result is sent back to the employee (the email has been destroyed, or no, it is legitimate).

If the email was 'fake' and the employee read it but hasn't clicked on the fish icon, it counts as bad usage of email. Monthly, managers get reports with stats.

End of story: too many fake emails are received from the organization. Employees either got lazy about this and no longer follow the guidelines, or they declare too many emails as potential risks because sometimes it's very hard to tell.

Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, Self-employed
It's ongoing all the time, but people get categorized. Meaning everyone gets at least one a month, but not on the same day and time as last month. Those who didn't do well get tested again, and after the third oops it's lunch-and-learn time. That is one framework that allows you to progressively help people to see more advanced attacks. Too many companies test the same scenario each time, e.g. FedEx, UPS.
Senior VP & CISO, 1,001 - 5,000 employees
Monthly - entire workforce
Senior VP & CISO, 1,001 - 5,000 employees

We also do targeted training.

CISO in Insurance (except health), 5,001 - 10,000 employees
Monthly for all employees, and then supplemental for those who have engaged with phishing test emails. Further, specific high-risk roles in the organization are tested with ad hoc relevant testing based on the role.
Chief Evangelist | Former Gartner Analyst | Former CISO in IT Services, 11 - 50 employees
There is a difference between phishing simulation and awareness campaigns around new phishing campaigns and techniques. I'm assuming the question is about phishing simulations. I would recommend starting with an understanding of any customer, regulatory or cyber insurance mandates on the frequency of these tests. Unfortunately, requirements around phishing simulation have become so pervasive that the frequency might be dictated to you, rather than you being able to assess the value to your organization and to your business case for better protection.
Principle Consultant in IT Services, Self-employed
Director of Cybersecurity Data and App Protection in Healthcare and Biotech, 10,001+ employees
Monthly tests for all. Periodically target more high-value groups with more challenging tests. 
CISO in Software, 10,001+ employees
They should always be conducted annually. However, it is best not to target all orgs, LoBs, etc. at the same time. It should be conducted and spread throughout the year.
Self-employed
Quarterly - entire workforce
Senior VP & CISO, 1,001 - 5,000 employees
Entire workforce monthly
