Hey gang, wanted to share a fun, practical and effective campaign I ran through September.

I implemented KnowBe4 at my work over 2 years ago and have been training and phishing my users all along. However, it can get stale saying the same things month after month. Being a person that likes to motivate users through positive reinforcement, I run a year-long contest to see who can stay clear of Phishing tests and correctly label them using the Phish Alert tool. However, someone accidentally gave me the idea to run a “Phishing Derby”. My boss saw me putting up KnowBe4 marketing materials and said something like “Are you running a ‘Fishing Derby’?” I immediately had the idea about how I was going to do it.

So I started making up plans for a month-long phishing campaign. I built out basic rules and got approval from department managers. Since I would be adding multiple Phishing tests throughout the month of September, I wanted to make sure I had buy-in from management.

The Rules:

  1. Don’t click any simulated Phishing email links

  2. Mark as many or all the Phishing tests using the “Phish Alert” tool I have deployed in everyone’s Outlook.

Winners would be the one(s) with fewest clicks and most correct Phish alerts!

Prior to September I worked with our marketing team to come up with a nice flyer:

I also made sure to send out a few reminder emails in the weeks leading up to September, including one with a nice take on Pokemon:

Then once September hit the gloves were off and it was ON!

My first Phishing test was from me and had a simulated phishing link to “Rules and Regulations”. I got a few users with that one right out of the gate.

The next few were a random mix of some tweaked templates that had 4 to 5 star ratings (out of 5 stars) for difficulty. All templates were for services we use on a regular basis, and a few I hand-tweaked to include relevant names and projects.

Then I spotted an opportunity when our HR person sent an email about our annual football celebration for the beginning of football season. I sent out a phishing email from her (I even mimicked her style and font and threw in an image like she would) that had a link for employees to get a square for the upcoming Bills game. This would be the type of thing we do here for our employee fun days: no betting, they would all be free squares and prizes would go out to whoever won. Well, that one got a lot of clicks, even from some people that should know better. It was met with a lot of frustration and I was told it was dirty. I took the opportunity to explain how I was simulating a spear phishing attack, where a hacker may watch an email stream for weeks before attacking and then take full advantage of the circumstances.

I returned to the standard high-difficulty random phishing tests, but quickly saw another opportunity when the company was all buzzing over an upcoming training session with some sales reps that would be coming in. I know when this happens there is usually a “schedule” that gets updated several times and our CEO is the one pretty much driving the whole production. So again I used the circumstances to my favor and sent another crafty phishing email, this time from the CEO, including a pretty convincing-looking OneDrive link to “Rep Training Schedule.pdf”, out to the whole company. This was the most clicked one in the whole campaign. Even the CEO clicked on the link, LOL. I purposefully misspelled the CEO’s email address to see if anyone would catch it, but nope. Again this one had a lot of high-profile clickers.

I finished off the campaign with the dirtiest phish of all. It didn’t get the highest click rate because by this time people were catching on to me. The last Phish was recursive in nature. I sent out a phish from me claiming to be a link to personalized results from the Phishing Derby, where users could see their results. At the time I sent it I had 17 perfect scores in the phishing campaign, and 4 users fell “hook, line and sinker” for my final phish. I guess they didn’t realize it was still September and no one was safe yet…

Outcome:

My last ‘standard’ phishing test went through with a 0% click rate. This was high difficulty with random and sometimes personalized templates. It worked. Our click through rate dropped significantly. I don’t know if I can keep it there, but this was a victory in my opinion. I plan to do this again next year.

My users are excited about the campaign and there was a lot of buzz. Some of it was people upset with how dirty I got or how it was impossible to tell on mobile, but any buzz on this subject is good buzz.

I learned things that worked and maybe a few that didn’t. Going to have a hard time giving out awards since I have 13 perfect scores and many people that missed only by not reporting a Phish before the particular phishing test closed (I closed them all in 1 business day to keep the momentum).

@stu-knowbe4 @roger-knowbe4

149 Spice ups

This is an awesome story and write-up. The 0% outcome was THE test of your strategy and says a lot about its ability to reduce risk. Of course, over time, you probably can’t expect 0% every time, but that’s probably not an attainable goal. The goal is to minimize risk as much as possible…and you’re already doing that. Cheers.

21 Spice ups

Should have sent out a clickbait: “You won’t believe how many of your coworkers fell for phishing…”

Sounds like a lot of fun though! We’re pretty suspicious here, but the phishing testing always seems like a fun thing to do :stuck_out_tongue:

6 Spice ups

That’s amazing! We definitely think a strong foundation in anti-phishing is important for keeping your employees and your data safe, but it’s even better when the users learn not to click on any links on suspicious emails that come through. Must give you a lot of peace of mind :slight_smile:

1 Spice up

Brilliant idea, I may have to steal it!

9 Spice ups

Great story.

You could always do a holiday bonus derby. The winner could receive a themed gift. The gift doesn’t have to be a physical gift :wink:

2 Spice ups

Great work! I was planning on doing something along these lines using gophish. Does anyone have any good resources for email templates?

1 Spice up

Well done - interesting story to read!

1 Spice up

I have done a similar thing in the past. However, instead of coming up with the emails myself, I put it on my coworkers. I let them decide who they wanted to phish and the email. Whoever got the most clicks on an email won. The winner was awarded a fishing line full of fish themed foods (mostly Goldfish and Swedish Fish).

4 Spice ups

Great idea!
I’m going to see if I can get this one going at my workplace.

I’ve got my KnowBe4 set up to automatically email users each month with a totally random difficulty level (1-5) and I’m thinking I can assign “weight” to each user’s catch based on the difficulty rating and also roll in the non-simulated phishes that people have been catching. Sometimes people flag non-phishes… maybe they will get a “boot” or “old tire” for a bad flag - no points.

Thanks for sharing this! It’s got me thinking!

2 Spice ups
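An added example, not code from the original post, from KnowBe4 or from anyone in this thread: a small Python scorer that applies the derby rules in the first post (fewest clicks wins, most correct Phish Alert reports, and a report only counts if it arrives before the test is closed) together with the weighting proposed in the reply above (points per catch by the template’s 1-5 difficulty rating, credit for reporting a real phish, nothing for flagging a legitimate email). The test names, dates, user events and the REAL_PHISH_POINTS value are all constructed assumptions for illustration; the KnowBe4 console exports would be the real input.

```python
"""Phishing-derby leaderboard over constructed campaign events (example code).

Rules implemented, as described in the thread:
  * fewest clicks wins; ties broken by weighted points, then report count
  * a report of a simulated test counts only if it arrives before the test closes
  * each correct catch earns the template's 1-5 difficulty as points
  * reporting a real (non-simulated) phish also earns points
  * flagging a legitimate email (a false flag) earns nothing
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

REAL_PHISH_POINTS = 5   # assumption: a caught real phish scores like a 5-star template


@dataclass(frozen=True)
class PhishTest:
    test_id: str
    difficulty: int       # 1-5 star template rating
    sent: datetime
    closed: datetime      # reports after this are "late" and earn nothing


@dataclass(frozen=True)
class Event:
    user: str
    kind: str             # "click" or "report"
    target: str           # a test_id, "real" (genuine phish) or "legit" (benign mail)
    at: datetime


@dataclass
class Score:
    clicks: int = 0
    points: int = 0
    reported: set = field(default_factory=set)   # test_ids reported before close
    real_catches: int = 0
    late_reports: int = 0
    false_flags: int = 0

    @property
    def correct_reports(self) -> int:
        return len(self.reported) + self.real_catches


def score_events(tests, events):
    """Fold a list of Events into a per-user Score using the derby rules."""
    by_id = {t.test_id: t for t in tests}
    scores = defaultdict(Score)
    for ev in events:
        s = scores[ev.user]
        if ev.kind == "click":
            if ev.target != "legit":          # clicking a benign link is not a failure
                s.clicks += 1
        elif ev.kind == "report":
            if ev.target == "real":
                s.real_catches += 1
                s.points += REAL_PHISH_POINTS
            elif ev.target == "legit":
                s.false_flags += 1            # the "old boot": no points
            else:
                t = by_id[ev.target]
                if ev.at > t.closed:
                    s.late_reports += 1       # missed the window, no credit
                elif ev.target not in s.reported:
                    s.reported.add(ev.target) # duplicate reports are not double-counted
                    s.points += t.difficulty
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return dict(scores)


def leaderboard(scores):
    """Fewest clicks first, then most weighted points, then most reports, then name."""
    return sorted(scores.items(),
                  key=lambda kv: (kv[1].clicks, -kv[1].points, -kv[1].correct_reports, kv[0]))


def perfect_scores(tests, scores):
    """Users with zero clicks who reported every simulated test before it closed."""
    wanted = {t.test_id for t in tests}
    return sorted(u for u, s in scores.items() if s.clicks == 0 and s.reported == wanted)


# Constructed sample campaign: three tests closed one day after sending, four users.
D = datetime
TESTS = [
    PhishTest("rules-and-regulations", 2, D(2023, 9, 3, 9), D(2023, 9, 4, 9)),
    PhishTest("bills-squares", 4, D(2023, 9, 10, 9), D(2023, 9, 11, 9)),
    PhishTest("rep-training-schedule", 5, D(2023, 9, 17, 9), D(2023, 9, 18, 9)),
]
EVENTS = [
    Event("alice", "report", "rules-and-regulations", D(2023, 9, 3, 9, 30)),
    Event("alice", "report", "bills-squares", D(2023, 9, 10, 10)),
    Event("alice", "report", "rep-training-schedule", D(2023, 9, 17, 9, 45)),
    Event("alice", "report", "real", D(2023, 9, 20, 8)),
    Event("bob", "click", "rules-and-regulations", D(2023, 9, 3, 9, 15)),
    Event("bob", "report", "bills-squares", D(2023, 9, 10, 11)),
    Event("bob", "report", "rep-training-schedule", D(2023, 9, 17, 12)),
    Event("carol", "report", "rules-and-regulations", D(2023, 9, 3, 10)),
    Event("carol", "report", "bills-squares", D(2023, 9, 10, 9, 30)),
    Event("carol", "report", "rep-training-schedule", D(2023, 9, 19, 8)),  # after close
    Event("carol", "report", "legit", D(2023, 9, 21, 9)),                  # false flag
    Event("dave", "report", "rules-and-regulations", D(2023, 9, 3, 9, 5)),
    Event("dave", "click", "bills-squares", D(2023, 9, 10, 9, 20)),
    Event("dave", "click", "rep-training-schedule", D(2023, 9, 17, 9, 10)),
]

if __name__ == "__main__":
    results = score_events(TESTS, EVENTS)
    for user, s in leaderboard(results):
        print(f"{user:6} clicks={s.clicks} points={s.points:2} reports={s.correct_reports} "
              f"late={s.late_reports} false_flags={s.false_flags}")
    print("perfect scores:", perfect_scores(TESTS, results))
```

Run it with python3 and it prints the leaderboard. `perfect_scores` reproduces the tie the first post describes (zero clicks and every test reported on time), and the weighted points column is one way to break that tie without changing the two derby rules; the late-report counter is the case that cost people a perfect score when the tests were closed after one business day.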

I’ve been using knowbe4 for over a year and I’ve never seen a 0% result yet. I have a rolling monthly phish campaign so I’m not hitting them weekly, just 1 per month each.

Really need to get some more templates though because people are getting wise and spotting the knowbe4 emails. Although a few real emails have been deleted for fear of doing another training session!

MrTartan,

This is similar to what I was experiencing, but we don’t run people through training unless they are really falling down. However I wasn’t seeing improvements so this idea was perfect and has seriously upped everyone’s game. You will need to invest time and effort into setting up the campaign and spend some time customizing templates. I like to browse the community templates and the top phish templates for some good starting points and then add a little extra to make it more customized to our company.

1 Spice up

What phish alert tool do you use?

Love the idea. I will be doing something similar in the next few months for sure!

1 Spice up

I like it. Most of my users are super-suspicious and many have perfect history with phish tests. But some just don’t seem to get it. These are the users that don’t care unless it affects them directly, not even a contest or wall of shame would motivate them to be more attentive.

Luckily my managers love the KnowBe4 program. When we have management meetings, they are usually comparing notes about which scams almost got them and occasionally which ones actually did.

I require all new users to go through one of the KnowBe4 training programs and then I leave them to it. If they fail a test, they get added back in for re-training with a different program. They receive at least 1 random phish email every two weeks. My best users generally report 1-2 phish messages every week. They alert me to any suspicious emails or requests, so the system works.

For those that just don’t get with the program, I haven’t figured out what to do to motivate them, though I’m lobbying to get failing clicks added to our discipline system with a 6 month reset. First click: train, second: verbal warning + train, third: write-up + train, fourth: unpaid suspension, fifth: termination. If they make it 6 months without any clicks, they get reset. And naturally, maybe some sort of bonus for no-clicks in a calendar year to reward the most diligent users.

1 Spice up

I like it. Seems like a good way to motivate your staff and gamify it to make it more enjoyable.

My users would not like this game!

2 Spice ups

I like the poster idea, and all the little fish. My tactic recently is to not tell them and just say “I’m still gonna send it!” I get more clicks when it’s unannounced, but I would so like that 0%.

Great idea! It’s like boot camp for phishing!

This is great. I would love to do something like this, but my users wouldn’t be this cool about it.

As someone else that uses KnowBe4, I’m assuming he uses the Phish Alert Outlook add-in from them.

1 Spice up