We use KnowBe4 for phish testing our users. The trouble is there’s a group of users who just seem to want us to tell them if something is legit or not. How do you handle such users?

On the one hand, I’m glad they’re not just blindly clicking on stuff they shouldn’t, but on the other hand, if they’re asking about every test, they’re obviously not even trying to apply what we’ve been attempting to teach them.

I feel like every time I tell them it’s not legit, I’m giving away quiz answers.

45 Spice ups

Encourage them to use the phish button if they are unsure. Worst case scenario is that the email they report as phishing isn’t a phishing email, and then you can just restore the email for them, right?

Pros: Users become aware of the phishing button in Outlook, how it works, and learn when to use it.
Cons: Sometimes legit emails might get flagged as phishing (but they can always be restored by IT staff, so it’s not a big deal)

26 Spice ups

The simple answer would be to educate them on what to look for, so they become confident enough to not have to have everything checked by IT.

If this isn’t working, perhaps having an external person do the same training will add weight.

Users should not know about the test taking place though; this will only prompt them to report everything. They wouldn’t be informed of an actual malicious link in advance.

2 Spice ups

Do you use KnowBe4 for training or just testing? Their training modules have plenty of information to help users correctly identify phishing attempts. I run my users through quarterly training but encourage them to report any emails that they’re unsure of or want more details about. I examine each reported email using a process laid out by @roger-knowbe4, and the users know not to act on anything until they hear back from me. I believe it can be watched on demand here:

9 Spice ups

Isn’t this a good thing? Like any test, the only way anyone will know if they passed is if you give out the answer eventually.

As far as I can see, you will have a handful of types of users:

The ones that fail the test. These are the ones you reeducate. They are a risk.

The ones that don’t do anything. These “passed” but maybe it was just dumb luck. You do not know if they are a risk or not. Maybe the email did not provide the correct incentive.

The ones that pass the test. Your training program is working for them.

The ones that are reporting on non-test emails. This is good. At least they are aware of scams and are actively looking out for them. Just because it was not a test email, does not mean the email was not malicious.

6 Spice ups

Do you do any kind of cybersecurity awareness training? If so, I would just ask them to use what they’ve learned, or at the very least if they are in doubt, just use the Phish Alert button.

If you don’t do any awareness training, then I hate to say it but it kinda falls on you to do the training by answering their questions.

2 Spice ups

We use KnowBe4 for security awareness and phish testing. We have been doing it for a few years now and most everyone knows to “Phish Alert” anything that is suspicious. If anyone asks me about one, I just tell them to Phish Alert it and I’ll look at it right away. If you are not using the Phish Alert, you should give it a try.

8 Spice ups

Don’t tell them whether or not it’s legit unless they report it with the PAB. That way, you’re not giving out quiz answers, you’re getting them in the habit of reporting suspicious emails, and you’re still able to investigate those emails.

9 Spice ups

The Phish Alert button will tell them if it was simulated or not. If not, it moves the email to the deleted folder so they can always get to it without your help. Encourage them to click it as often as they feel they need it.

5 Spice ups

FUD - Fear, Uncertainty, and Doubt; that’s the answer!

For realz… sometimes, you just can’t tell. Sometimes the email was sent by error, or by amateur hackers, and once in a blue moon, it’s a real phishing attempt that’s cleverly crafted.

We tell our users we don’t have access to that information: it’s reported, collected, and, with enough reports, it’s acted upon, but invisible to us. It’s still important to report anything suspicious though; what you report protects everyone else.

Drill that into all your users, and they’ll eventually get it. Most importantly though, be consistent with your answer.

We had a phishing exercise that was so clever and timely, it caught 50% of our staff, and an executive!

1 Spice up

I’m with Big Green Man and spicehead-3am6here. That is what I do.

You didn’t mention in your post if you’ve deployed the Phish Alert Button (PAB). If you haven’t, you should. If you use MS 365, you can deploy it to everyone’s Outlook through your admin console.

You should walk a fine line when they ask. Tell them to please use the PAB and thank them for their diligence. Don’t make your users feel stupid or they’ll just stop asking. I know it can drive you nuts, but they really are your last line of defense, so making them understand that they are involved gives you as much of an edge as you can get. You will always have those that just want to ask. They’re users after all. :)

If you’ve already gone as far as to spring for KB4 and are sending out phish tests, consider getting their PhishER package. It’s pretty cool, as you can set it up to automatically respond to your users whether it’s legit or spam or malicious. The nice part is I’ve customized the response to say this is an automated response but I review each PAB submission to verify it is spam, legit or bad. This also works well as I tell my users that by using the PAB they are helping me train PhishER, which they are. Gets them a little more invested.

7 Spice ups

Have you found PhishER to be pretty accurate? I’ve only looked at it very briefly in the past. Does it take you completely out of the loop as far as notifications for and analysis of reported suspicious emails?

1 Spice up

Going to see my nephew - THE DOCTOR - in a couple of weeks.
Should I not ask him to look at that funky red thing growing on my butt?
Should he tell me he has helped enough?

I am big on US ALL having a responsibility to assist.
Perhaps it’s all the work I have done with aged & differently abled peeps, but I am happy to be asked a thousand times by someone who admits they ‘could do better’.
I’m also willing to tell that annoying user who just doesn’t care that I will match their level of caring.

8 Spice ups

I would tell them that I don’t know, and advise them that if they had any doubts about the authenticity of an email to use whatever process was in place to submit or report the email.

I find PhishER to be very useful. It basically does a quick analysis of spam, clean, or unknown. You can control what information is supplied to the user, and while it takes a little configuring (KnowBe4 can help), it can alert you on what types of emails you want to be notified about. And, if you are sending tests from KnowBe4, it basically congratulates the user on correctly identifying the email.

Then, instead of answering their question, you just tell them to use the Phish Alert button. Takes a while to train people, but eventually they get the idea.

2 Spice ups

I feel ya. It’s all day, every day…

But I would rather them ask than blindly click on malicious email links and attachments.

2 Spice ups

I sometimes advise our users to contact the source independently of the contact info in the email, and that is the ultimate way to verify if it is a phish or not (assuming it appears to be from a person or client/vendor, as opposed to Microsoft or one of those generic or mega-corporate phishes, i.e. Netflix, Amazon, etc.).

1 Spice up

Don’t tell them either way. Instead ask them what they think it is and report it if they think it is. Especially if they have the phishing report button from KnowBe4. This certainly made things easier for me and end users get instant feedback.

1 Spice up

It’s a teaching opportunity when they call: “Why do you question it?”

2 Spice ups

I would contend that your training is successful. They aren’t sure so they ask the experts rather than charge ahead and click on or open something. In my book that’s a win because I’d rather field a 30 second question than spend 2 weeks recovering from malware because of click-happy users.

4 Spice ups