How to Annoy the Hell out of your Users during Phishing Simulations
 

Secure Click News How to Annoy the Hell out of your Users during Phishing Simulations<br />
 

How to Annoy the Hell out of your Users during Phishing Simulations
 

 
How to Annoy the Hell out of your Users during Phishing Simulations

A couple of months ago, I was attending a business event in Dublin. One of the attendees from a well-known tech company asked what SecureClick did. I told him IT Security Awareness training. His body language changed a little. “Oh, our IT department runs phishing simulations” he said. He then paused, “and you know what - they annoy the bloody hell out of everyone,” he said in an exasperated tone. 
 
It transpired that the team running the phishing simulations were using inside information in their campaigns. That is, they were using information which only company insiders were privy to. This was making their phishing simulations seem unrealistic and unfair to employees. These simulations were creating a sense of resentment. Employees felt that these simulated phishing emails were being used to unfairly catch them out.  

This is not an ideal way to execute a simulated phishing campaign. Phishing simulations should only ever use information which could be gleaned by a person outside your organsiation. For example, using information about your organisation found by a Google search is fine. When devising phishing campaigns, those based on generic themes are often the most realistic because this is what the vast majority of cyber criminals use. These campaigns might be based on themes such as remuneration reviews, over-capacity inboxes or urgent documents for review. Over time (or if you’re running spear-phishing simulations), you can always ratchet up the level of detail. But, whatever you do, don’t use information which only the company insiders would know about.
 


Got a question?

If you would like to make an enquiry about any of our services click the "Contact Us Now" button and fill in your details.