In this article, we will see how to customize a phishing test with Arsen.
More specifically, what elements can be inserted in the email to have a realistic, personalized, and more or less difficult scenario?
Before using Arsen, make sure you are "white-listed", the objective being to test your employees and not the quality of your anti-phishing measures, this is an important step before sending phishing campaigns.
Define scenario attributes for optimal organization and pedagogy
Not all campaigns are equal: some are very difficult to detect and may contain a pretext specific to the company, "private" information, or a sender from within the company. Others are more obvious with generic subjects or spelling mistakes, for example.
Arsen takes into account the difficulty of the scenario in your campaign when calculating the company's security score. The more difficult the chosen scenario is indicated, the less employees are penalized if they are compromised, and the more they are rewarded if they report the email as a phishing attempt.
Feel free to carry out some low-difficulty phishing campaigns to increase positive reinforcement. Indeed, an employee who fails every time may express disinterest over time in the fight against phishing or adopt the belief that they are unable to detect a phishing email, which would be counterproductive.
Another important parameter at this stage is to choose a specific name and description for each scenario to help you administer your Arsen space optimally. The more scenarios you create, the more organized your catalog will be, saving you time and increasing productivity in setting up future simulations.
A personalized email body for better training
A good training is one that is close to reality. This way, you can assess the risks of "real" phishing on your employees.
When writing the body of your phishing email, use psychological triggers to increase realism. Hackers are not hesitant to use social engineering to provoke curiosity, fear, urgency, or even pride.
By using different psychological triggers in your campaigns, you can easily identify the most effective techniques on your company and train your employees to resist different manipulation techniques.
In terms of the email subject, you can insert "RE:" or "FW:" at the beginning to make it appear as if the email is part of an existing conversation in the inbox. These details will increase the difficulty of the scenario for certain populations.
When choosing the sender's email address, it is important to ensure that it is consistent with the chosen scenario. To make a campaign more easily detectable, for example, you can change the email address so that it is not consistent with the email sent, making the difficulty easier.
However, be careful, most anti-phishing systems usually perform checks to prevent impersonation. If you use a sender name that corresponds, for example, to one of your services where the email address is not the same, there is a risk of displaying it in the email client and leaving clues for employees, which is not typical of hackers.
Adding context for more realism
It is important to enrich the context of the phishing scenario with elements that will encourage clicks. They should be consistent so that the employee clicks without too much doubt.
Firstly, you can add the names/emails of authority figures in the company to create hierarchical pressure in your email. For example, for a meeting invitation, add the contact details of a manager or a responsible person as guests. The so-called meeting will therefore be more important, more realistic, and more urgent. In a real attack, it is easy for a hacker to know the identity of authority figures on LinkedIn or in the press.
For a meeting invitation scenario, it is advisable to set the meeting date on the same day to make the compromise faster and create a sense of urgency. This is also the hacker's desire during real campaigns: to create urgency in order to quickly gain access. For a campaign targeting a small workforce, you can schedule the meeting within the hour. However, if you are testing a larger team, display a meeting date at the end of the day so that the campaign has had enough time to be fully sent.
Finally, when it comes to the text of your campaign, it is wise to adopt a communication style similar to the one used internally with the communication codes of your company. This is also a technique used by hackers, who can analyze the company's communication over several weeks if they have access to internal emails.
You can create urgency by writing, for example, "Hello FIRSTNAME, can you join the meeting in 5 minutes? We would like to have your opinion on an urgent matter. Thank you."
Here, it gives the impression that the email was created quickly and implies its urgency but also its "naturalness". You will not use the same tone and communication if you are addressing a contractor, a superior, a colleague, a client, or a supplier. That is why it is necessary to adapt your language to the person being tested, as in your real exchanges.
Evaluate or train: a training redirection
Depending on the type of campaign (link to different types of phishing attacks) you want to perform - silent simulation or simulation with integrated awareness - your destination URL will not be the same.
If you want to carry out a campaign that is as close to reality as possible, opt for silent simulation. It redirects the user who submits their login information to the login page to a page that appears as least suspicious as possible.
We often use a portal with long or single authentication (SSO) or an error page, which makes the attack discreet, without notifying the employee that they have just been tricked.
This simulation raises more awareness about the discretion of attacks and allows you to assess the level of the company in the face of a realistic threat. Since users receive no information about the mistake they made, you prevent them from sharing the information that a phishing simulation is taking place.
However, if you don't provide tools and detection methods to the people being tested, it is likely that you will not see any improvement in the scores of your campaigns. The employee may also feel more trapped than trained, which is why it is interesting to vary your campaigns and dedicate some to awareness.
If you want immediate awareness, the simulation with integrated awareness will be ideal for your campaign. This method redirects the login page to an awareness page. Whether it is your learning management system (LMS) or content provided by Arsen, the compromise action is immediately followed by training. The employee will have better engagement and will be trained at the most optimal time.
You can find our awareness kits (link) to help you in training your employees in cybersecurity.
In conclusion, customizing your scenarios allows you to make the attack more difficult to identify and obtain results closer to reality.
It also allows you to target a specific service or group of employees and adapt the scenario according to their profile.
By varying difficulties, psychological triggers, and scenarios, you will find it easier to identify the different weaknesses of your employees. Based on the results, you can develop campaigns adapted to your company, making your training more effective.