I would like to announce the phishing simulations that I am preparing for the employees.

Could anybody help with a fun, engaging message? I would like the campaign to sound fun, and I wish the employees would brag to each other about how they nailed one.

Then the plan is to tell them at the end of it how proud I am with the results, but that’s a different step.

So the results are not as relevant as making it fun. I’m training and re-training them all the time, so I am not into finding out who’s bad and should have fingers pointed at them and be re-trained. It’s just another approach, based on fun and achievement on their side.

I can try serious and unannounced in the future, but it can only be fun the first time (if I manage to make it that way for them).

12 Spice ups

I think announcing the campaign will make it way less effective. I would go ahead and complete the project and then reveal the results at the end.

8 Spice ups

I agree with Beth. Announcing an attack is just going to make users prepare for it and be more diligent; the point of the simulated attack is to surprise your users so that the results are genuine. It would be like announcing a pop quiz the day before.

5 Spice ups

I’m in the same boat as the replies above. Typically, we don’t recommend announcing a new phishing simulation, as it would not be an accurate reflection of your organization’s vulnerability to a phishing attack. Afterwards, though, you can share out the results of the simulation to the rest of your organization if you choose to. You can then announce that you will be “periodically” sending out phishing tests, which will encourage your users to be more alert, but won’t necessarily train them to “watch out for the pop quiz.”

If you’re looking for any resources related to security awareness and phishing, feel free to check out Infosec’s Resource Center! We’ve got a ton of useful resources to help you with your campaign, including some posters to hang around the office to promote awareness! If you’re interested, go ahead and give it a visit, and let me know if you have any questions!

3 Spice ups

Make sure you notify HR that there will be simulations in the future. Some people are a little sensitive, and if they feel as though they’ve been “tricked” they might get offended. Just ensure that HR knows, so in case that does in fact come up, you yourself will be covered. Also, you’ll need to know what to do in case of a failure: will the employee be required to take follow-on, remedial training? What if they fail again? Make sure you have some policies set aside, with HR/management approval, that you can fall back on.

2 Spice ups

Most people don’t announce individual campaigns, but a lot of people announce the overall project or make a game out of yearly results, etc. One person on Spiceworks even gave out trophies and other awards to whoever got the most points for the year. The points were based on not clicking, sending phish alerts, whether any information was entered into links, etc.

3 Spice ups

Telling staff you are doing it negates doing it. Don’t tell them; you want it to be as real as it can be.

When have you ever had an email from a hacker warning you they are about to try and break in?

1 Spice up

Echoing the other comments: definitely don’t announce it. You want to train them not to be complacent; announcing it only reinforces that complacency. We’ve run campaigns where only IT management knew about it, so we could see how the help desk staff would react.

Security isn’t meant to be fun; phishing threats are a huge issue and can cause major disruption in a corporation.

1 Spice up

Bad idea to announce, as you’re trying to gather what the human factors are and to see if the training is working. Besides, you’ll get better results.

1 Spice up

I would start the campaign and give it a couple of cycles before announcing anything. Let some people start to get cocky.

I made the fatal mistake of telling the security team at my office that I could not be gotten easily, if at all. They proceeded to launch a 2-month-long spearphishing campaign against me. They caught me one morning with a VERY well-crafted fake email from someone I had been working with on securing credentials for a customer. I hadn’t had my coffee yet for the day and was just quickly reviewing my emails, only to click absentmindedly and receive a rickroll video.

Needless to say, I ponied up and got them both the cases of beer I had promised.

On the bright side, they know that I’m very wary of emails, and now ask me for help in catching some of the more difficult people here, undoubtedly in the hope that I’ll let my guard down.

You could always do an award after a set period of time to the person who was caught the least, as a way to generate excitement.

3 Spice ups

Got anything @atatngie??

As others correctly point out, announcing the simulation, especially the first one where you want to establish the baseline security awareness of your users, is a bad idea. You want that to show what happens on a normal day, with nothing done to increase their awareness. If you have permission to do this, do not notify anyone else. Hopefully, word of such things travels fast and your users will take care of the warnings for you. I say “hopefully” because that culture of users sharing details of suspect emails is to be encouraged, just not for this first test. If they’re already doing that, you’re ahead of the game.

Chances are though, with an unannounced simulation, you’ll see a “phish prone” rate of 20%, or higher. That should be more than enough to generate support for an ongoing program.

Here is 8 years of experience speaking… :-D. Indeed, you do not want to announce the initial phishing test to your whole user population.

However, informing a few key executives that this is coming down the pike is a good idea, especially if they might get hit with requests about whether this email is legit. I’m talking about the people who might field any resulting trouble tickets, or perhaps HR, and especially IT if this is done from another group. Once you know the Phish-prone percentage of your org, use that as the ammo for your general announcement that there will be on-demand, engaging training and also frequent simulated social engineering tests. That sequence has worked out the best for our customers. Hope this helps. Warm regards, Stu

4 Spice ups

I’m with the others. Don’t announce when you’re trying to establish your baseline. Your baseline is very important.

Just talked to the COO yesterday about launching our KnowBe4 campaign, Stu. Thanks for the practical info you’ve shared with the community over the years!

Oh, yeah, ONLY the COO :wink:

1 Spice up

Why would you announce a phishing test? You will not get “real” results; the users will not be using their usual lackadaisical approach to email.

I personally would never announce a phishing campaign… it negates the whole idea behind it.

In addition, I would schedule consistent phishing campaigns, no more than 1 per month. Many clients want to run them weekly, but we have found in the real world that anything more frequent than monthly will desensitize the employees.

Hope that helps.