Phishing test "do's and don'ts" - what are the most important DON'Ts in your opinion?

1.1k views · 7 Comments
Chief Supply Chain Officer in Government · a year ago

Use a resource that has a good reputation for creating meaningful tests that provide staff with an opportunity to be successful while testing their capabilities to spot threats.

CISO in Government · a year ago

I wrote a university course on phishing countermeasures a few years ago. Here are a few of my recommendations and my biggest "don't" at the end:

The purpose of simulations is not:
1. To prove you know more than your employees about phishing
2. To make your employees look stupid
3. To surprise them

Phishing simulations are designed to teach the recipient to:
1. Identify phishing communications
2. Report phishing attempts

There are multiple decision-making factors that affect the success of phishing simulations, including:

- Psychological triggers
  - Cognitive bias
    - Framing effect (context)
    - Availability heuristic
    - Confirmation bias
  - Relationships
- Individual differences
  - Behavioural traits
  - Demographic characteristics
  - Personality
  - Habituation
  - Current psychological state, e.g. current emotions
  - External factors, e.g. social influence, ambiguity
  - Training
- Visual/structural clues
  - Trust indicators, e.g. SSL, web-based phishing warnings, endorsement
  - Email design, e.g. logos, supporting imagery, layout
  - URL
  - Email visual metadata, e.g. From
  - Social engagement indicators

When planning a phishing campaign, you can use these factors above to influence the likelihood of susceptibility and incorporate them into the style and design of a campaign:

- Context: how relevant this is to the recipient
- Probability: the likelihood of receiving a similar communication
- Emotions: drive the recipient to action
- Similarity: the design and style, to make them reflective of what a recipient would expect

When you first start simulations, take a baseline of the difficulty level and where your users generally sit. For example, define an easy, medium and hard classification. Run each level over a period of 6 months.

This is an example of difficulty classification:

- Easy: 3+ visible clues
  - Misspelled words and poor grammar
  - Low-resolution graphics
  - Limited work context
  - Link unrelated to stated link purpose
  - Multiple recipients with content unique to an individual
  - Common links for different purposes
- Medium: 1-2 visual clues
  - Few visual clues (grammar, spelling, graphics)
  - Work context exists
  - Specific and appropriate recipients
  - Links and graphics which appear correct without exact verification
- Hard: 0-1 visual clues
  - Perfect and visually appropriate email, subject, recipients, and context
  - Correct branding: colour scheme, logo, layout, footer notifications
  - Obfuscated link destinations
  - Invokes a strong emotional response to hinder detecting the pretense
  - Double-barrel and business email compromise

If they can generally recognise easy and medium, DON'T send out phishing sims at that level again - they know that level, and it is pointless teaching people to recognise emails that they already know are phishing. But if most staff fail at easy or medium, you have a bit further to raise their knowledge over time.

Hope that helps!
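The progression rule in the comment above (baseline each level, retire the levels staff already recognise, keep training at the lowest level where they still fail) is easy to automate over exported simulation results. The following is an added illustration, not code from the commenter or from any simulation vendor. The `Result` records are constructed sample data, and the 10 % click-rate / 50 % report-rate thresholds for calling a level "known" are assumptions to tune against your own baseline.

```python
"""Pick the next phishing-simulation difficulty level from campaign results.

Added example (not from the original post). Implements: take a baseline per
difficulty level, stop re-running levels most staff already recognise, and
keep training at the lowest level where people still fail.
"""
from collections import defaultdict
from dataclasses import dataclass

# Difficulty levels in the order they are introduced to the workforce.
LEVELS = ("easy", "medium", "hard")

# Assumed thresholds: a level counts as "known" when few recipients click
# the lure and most of them report it.  Tune against your own baseline.
MAX_CLICK_RATE = 0.10
MIN_REPORT_RATE = 0.50


@dataclass(frozen=True)
class Result:
    """One recipient's outcome in one simulated message."""
    user: str
    level: str
    clicked: bool
    reported: bool


def level_stats(results):
    """Return per-level send count, click rate and report rate."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        if r.level not in LEVELS:
            raise ValueError(f"unknown difficulty level: {r.level!r}")
        c = counts[r.level]
        c["sent"] += 1
        c["clicked"] += int(r.clicked)
        c["reported"] += int(r.reported)
    return {
        level: {
            "sent": c["sent"],
            "click_rate": c["clicked"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
        }
        for level, c in counts.items()
    }


def level_known(stat):
    """A level is 'known' when clicks are rare and reporting is the norm."""
    return stat["click_rate"] <= MAX_CLICK_RATE and stat["report_rate"] >= MIN_REPORT_RATE


def plan(results):
    """Return which levels to retire and which level to run next.

    Levels are walked easiest-first.  A level with no baseline yet is run
    next so it can be measured; a level staff still fail is run next for
    training; a level staff already recognise is retired (the DON'T above).
    If every level is known, stay at 'hard' rather than regress.
    """
    stats = level_stats(results)
    retire = []
    for level in LEVELS:
        if level not in stats:
            return {"retire": retire, "next": level, "reason": "no baseline yet"}
        if not level_known(stats[level]):
            return {"retire": retire, "next": level, "reason": "staff still fail here"}
        retire.append(level)
    return {"retire": retire, "next": "hard", "reason": "all levels recognised"}


# Constructed sample: 10 recipients saw an easy lure (nobody clicked, 8 reported),
# 10 saw a medium lure (3 clicked, 4 reported).  No hard campaign has run yet.
SAMPLE_RESULTS = (
    [Result(f"u{i}", "easy", clicked=False, reported=i < 8) for i in range(10)]
    + [Result(f"u{i}", "medium", clicked=i < 3, reported=3 <= i < 7) for i in range(10)]
)

if __name__ == "__main__":
    for level, s in level_stats(SAMPLE_RESULTS).items():
        print(f"{level:6} sent={s['sent']:3} click={s['click_rate']:.0%} report={s['report_rate']:.0%}")
    print(plan(SAMPLE_RESULTS))
```

On the sample data the easy level is retired and the recommendation is to keep running medium, since a 30 % click rate and 40 % report rate show staff have not yet learned that level. Feed it one `Result` per recipient per campaign exported from whatever simulation platform you use; the decision logic is independent of the vendor.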

CISO in Software · a year ago

Do not run it so often, employees know exactly what to look for. 

Senior Information Security Manager in Software · a year ago

Effective phishing programs should educate, not alienate.

GoDaddy did the latter. Don’t be like GoDaddy.


https://www.engadget.com/godaddy-sent-fake-phising-email-promising-holiday-bonus-220756457.html

Business Information Security Officer, Director in Banking · a year ago

Biggest opportunity these days is to take advantage of the opportunity for real-time training if someone fails the phishing test. Many phishing test providers provide the option, and there's no better way to cement the knowledge necessary to pass phishing tests than getting people in that moment just after "gotcha". No one likes that feeling, and it's likely those same people understand their organization is trying to protect their customers and their business priorities.
