So I’m looking for a way to send a realistic phishing email to my company to gauge my users’ ability to tell the difference.

I have had several attacks via email hit my company and I believe I have over-communicated opening with caution.

But… I want a way to test my users and see how they do.

Here’s what I would like to do, but I have no experience with this stuff.
Send an email requesting a reply or requesting a link click.
Have them submit seemingly confidential information.
Track who did and did not follow the email’s instructions.

Anyone have a product that does this or has experience testing their users?

@KnowBe4

44 Spice ups

Have a look at KnowBe4, they have a free service for this and are well-respected in the community.

@KnowBe4

@stu-knowbe4

30 Spice ups

+1 for KnowBe4. We use them and it has vastly improved the awareness of our users.

1 Spice up

Great suggestion, will definitely try KnowBe4!

If you don’t mind getting your hands dirty, download a Turnkey Linux LAMP stack, and SPT might be worth a look: https://github.com/sptoolkit/sptoolkit

KnowBe4 looks interesting but I’m just not a fan of all this “Contact us for a quote” stuff.

4 Spice ups

I just set up a bogus (not associated with the company) but fairly realistic-looking address at hotmail.com. Then I set up a form with Google Forms. I sent a message from the Hotmail account and waited for the completed forms to show up in my Google Drive, which is where Google Forms saves them for you. Anyone that filled in the form and clicked submit got a “tut-tut” message from me. Users that didn’t got a goodie.

7 Spice ups

General suggestions would be do not make it personal.

People don’t like being made to feel stupid or worst still like the only stupid one.

If you send to 10 people and 2 click just treat it as 20% but educate everyone - don’t yank out the two special ones for anti-stupid training and all the other stuff that IT has a bad reputation for.

7 Spice ups

Does anyone know the average costs of using KnowBe4? This sounds like a great idea and would like a ballpark figure before I present it to upper management.

I am using KnowBe4 currently; it is a good solution and it works well. You also get training for your users in addition to the phish testing. Their pricing is very reasonable.

1 Spice up

Just email KnowBe4 and get a quote for what you are looking for. Then you have the exact cost to present.

I was able to run a phishing email test for free.

1 Spice up

I wish I could do this for our customers! Being a Credit Union, I get calls quite often (or hear about them) where our members clicked on something they shouldn’t have, and they want me to “fix” it for them!

2 Spice ups

Never mind, found it.

Yes, KnowBe4 has a free service to run phishing tests. See my link above.

2 Spice ups

Yes, sorry. KnowBe4 offers a free test for up to 100 users.
Works well, but my spam filter caught the email. I guess that’s a good thing.

2 Spice ups

Knowbe4 is a great source for user training, part of their package includes spoof emails.

You must be new, if ya don’t know Stu!!!

@stu-knowbe4

2 Spice ups

They do suggest whitelisting their email domain before running the test 🙂

Which kind of makes the test pointless; you’re also testing your whole electronic environment, not just the meaty bit. Why not create an internal account with a name of someone who they have never heard of, with a PDF or XLS sheet on (the worst kind of attachments)?
They certainly shouldn’t open an email from a trusted domain if it looks dodgy, let alone an external domain.

My biggest thing is tracking.
I want to be able to see what % of people are opening the documents.
The KnowBe4 test comes from what looks like an internal email address.

The fact that it hits the spam filter and goes to the user’s junk mail is a good sign.
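The original poster wants to track who did and did not follow the email’s instructions, the later reply wants to see what percentage of people opened the documents, and the advice in between is to report the result as a rate (“20%”) and educate everyone rather than single out the two who clicked. The script below is an added example, not code from any product or poster in this thread, and assumes the simulation produced two constructed CSV exports: the recipient list, and an event log of clicks and form submissions of the kind a Google Form or simulation tool would give you. Every address in it is a made-up example.test placeholder. It counts each user once at their worst outcome (a user who clicked twice is one click; a user who submitted the form also clicked), ignores events from addresses that were never on the campaign list (a forwarded mail, say), normalizes email case, and produces an aggregate line that contains no names. The per-user outcomes stay in the returned dictionary for the administrator.

```python
"""Aggregate phishing-simulation results without naming individuals.

Added example; not from KnowBe4, SPT or any poster in the thread.
Input data is constructed for the example (example.test placeholders).
"""
import csv
import io

# Constructed recipient list: everyone the simulation email was sent to.
RECIPIENTS_CSV = """email
alice@example.test
bob@example.test
carol@example.test
dave@example.test
erin@example.test
"""

# Constructed event log: one row per recorded action, users may repeat.
EVENTS_CSV = """timestamp,email,action
2024-01-10T09:01:00,Bob@example.test,clicked
2024-01-10T09:02:00,bob@example.test,submitted
2024-01-10T09:05:00,carol@example.test,clicked
2024-01-10T09:20:00,carol@example.test,clicked
2024-01-10T10:30:00,mallory@example.test,clicked
"""

# Per-user outcomes ranked from best to worst; each user is counted once,
# at the worst thing they did.
OUTCOME_RANK = {"none": 0, "clicked": 1, "submitted": 2}


def normalize(email):
    """Email addresses are compared case-insensitively, whitespace trimmed."""
    return email.strip().lower()


def load_recipients(csv_text):
    return {normalize(row["email"]) for row in csv.DictReader(io.StringIO(csv_text))}


def worst_outcome_per_user(recipients, events_csv):
    """Return ({user: outcome}, ignored_event_count)."""
    outcomes = {user: "none" for user in recipients}
    ignored = 0
    for row in csv.DictReader(io.StringIO(events_csv)):
        user = normalize(row["email"])
        action = row["action"].strip().lower()
        # Events from addresses not in the campaign, or with unknown
        # actions, are dropped rather than inflating the rates.
        if user not in outcomes or action not in OUTCOME_RANK:
            ignored += 1
            continue
        if OUTCOME_RANK[action] > OUTCOME_RANK[outcomes[user]]:
            outcomes[user] = action
    return outcomes, ignored


def summarize(recipients_csv, events_csv):
    recipients = load_recipients(recipients_csv)
    outcomes, ignored = worst_outcome_per_user(recipients, events_csv)
    total = len(recipients)
    clicked = sum(1 for o in outcomes.values() if OUTCOME_RANK[o] >= 1)
    submitted = sum(1 for o in outcomes.values() if o == "submitted")
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {
        "total": total,
        "clicked": clicked,            # clicked or went further
        "submitted": submitted,        # entered data into the form
        "no_action": total - clicked,
        "click_rate": pct(clicked),
        "submit_rate": pct(submitted),
        "ignored_events": ignored,
        "per_user": outcomes,          # stays with the administrator
    }


def aggregate_report(summary):
    """The line that can go to the whole company: rates only, no names."""
    return (f"{summary['total']} recipients: {summary['click_rate']}% clicked, "
            f"{summary['submit_rate']}% submitted data, "
            f"{summary['no_action']} took no action")


if __name__ == "__main__":
    print(aggregate_report(summarize(RECIPIENTS_CSV, EVENTS_CSV)))
```

With the constructed data this reports 5 recipients, 40% clicked, 20% submitted, 3 took no action; the event from mallory@example.test is counted as ignored because that address was never sent the email. The `per_user` map is what the Hotmail-and-Google-Forms approach earlier in the thread would use for its “tut-tut” and “goodie” follow-ups, while only `aggregate_report` is what everyone sees.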