In this article, we will analyze the process of a phishing test, from its setup to reporting. We will discuss the framing, technical deployment, execution, and post-mortem of the exercise.
Framing: defining the scope of the campaign
Clear objectives
Firstly, framing: what is the objective of the phishing simulation? It is essential to define a specific objective, as having multiple objectives can hinder success.
If the aim is to raise awareness, theoretical content or warning signals will be included in the simulation to train participants.
On the other hand, if the goal is to evaluate behavior in the face of a realistic attack, employees may discuss among themselves. This would result in an artificially favorable representation of what would happen in the event of an attack.
In general, the set objective is to determine employees' behavior in the face of phishing. This is what Arsen refers to as the "hacker's point of view."
Another objective may be to assess a specific risk. For example, if you learn about a new threat impersonating a supplier and want to gauge your employees' reactions to this threat.
It is common for us to encounter overconfident employees convinced that they can detect any type of attack. In such cases, the objective of the phishing test is often to make them aware of the difficulty of detecting a particularly well-executed phishing email.
Choosing the targets
The second parameter of framing is choosing the targets. Establishing who you want to evaluate for your phishing test is a crucial step.
We recommend against testing your entire workforce all at once, even though it may seem practical and time-effective. In reality, hackers rarely proceed in this manner.
However, remote work reduces communication between employees, making mass phishing attempts more dangerous and adding more value to these less subtle tests.
An appropriate scenario
Once the objective and targets of our phishing test have been determined, an appropriate scenario can be chosen.
For example, the chosen scenario will correspond to the internal tools used by the test targets, and the vocabulary and tone used in the emails will resemble those used within the company.
If you choose to test the sales teams with an attempted CRM credential theft, you will use the visual identity of the CRM used by the company.
Take into account the culture and internal communication codes of the company, as well as how colleagues invite each other to events. If you are accustomed to scheduling last-minute meetings, this should be reflected in your scenarios.
Conversely, if it is not customary for the company and your meetings take place on Zoom, a campaign themed around a last-minute Teams invitation would be pointless.
Good timing for a more challenging campaign
Finally, we will define the timing of a campaign based on the target group and the limits imposed by your Work-Life Balance policy.
The right to disconnect is an important factor to consider; certain companies are not allowed to contact their employees before 8 a.m. and after 7 p.m., for example. Therefore, these concepts must be respected in choosing the timing. Even though the hacker will not have these constraints, phishing test operations often fall under the purview of the right to disconnect.
For companies that have the option to test their employees after working hours, after-work hours are a judicious choice. Generally, employees are less attentive during this time, more focused on their mobile phones, and do not feel like they are in a work environment.
Detecting a phishing email on a mobile phone is more challenging because the browsing experience does not allow for link previews or detailed email observation, resulting in more compromises.
Another appropriate time slot is often just before lunch break, between 11:30 a.m. and 12:30 p.m. Employees experience a decrease in energy and attention during this time and rarely engage in complex tasks. They are more likely to fall for phishing emails when reading their messages.
We have written an article to help you choose your phishing campaign timings.
Technical setup: configuring the phishing test
Filtering: allowing phishing simulation
Once the framework is set, various technical steps need to be implemented to successfully conduct the test.
Firstly, it is necessary to choose whether you want to be whitelisted or not, depending on your objectives.
Once you have determined the email addresses and domain names you want to use, you need to authorize them on your infrastructure to avoid most of the sent emails ending up in spam folders.
You can also choose to test your filtering infrastructure by observing whether it detects your phishing simulation.
However, the objective is often to test employees and their behaviors. In this case, it is preferable to set up whitelisting so that all targets can see the phishing emails and genuinely test the human element.
It should be noted that even the most powerful anti-phishing filters allow approximately 10% of threats to pass through, and a determined hacker will find ways to bypass these protections. That's why we recommend directly testing the employee by whitelisting them.
Configuring the attack infrastructure
If you are using Arsen, this step is automatic, and you can proceed directly to the "Scenario Configuration" section.
If you are deploying your own infrastructure using tools like GoPhish, King Phisher, or any other open-source tool, you will need to configure them.
It is necessary to set up an email sending server to launch your campaign and authorize its IP address or a code placed in the email header to ensure authorization with your anti-phishing filters.
Creating a realistic scenario
The framing step is used to identify the characteristics of the email. It is now time to apply these characteristics and create the email that will be sent to test your employees.
You can copy an existing email, such as one from a brand or service you use. Be careful not to have too many calls to resources hosted on their servers, which could block the display or reduce the deliverability of your messages.
You can also use a service like Arsen, which provides pre-designed phishing scenarios that can be easily adapted to your needs.
In our case, we have rewritten all the emails to ensure maximum compatibility.
Launching a test to verify the configuration
The penultimate step is to launch a test.
A test allows you to verify the proper configuration and execution of your campaign under real conditions, on a limited sample.
This will help you avoid unpleasant surprises such as detection devices creating false events or false clicks, which could completely distort campaign behavior data and compromise the objective of your test.
Scheduling the phishing test
Once all the previous steps have been completed, it is time to schedule your simulation. Although you can manually launch your campaign, we recommend scheduling it to ensure the execution parameters are properly set. As mentioned before, the choice of timing is crucial.
Launching the phishing test
Once you have scheduled your campaign, it is time for its execution. You can choose either not to intervene until reporting or perform certain tasks to align your test with specific constraints.
Notifying about the attack for better engagement
Depending on the company policy and your IT charter, you can choose to notify your employees about the test or not. Obviously, if they are aware, the attack will be less realistic.
This choice greatly depends on your initial objective. If you want training comparable to a real attack and have the right to test without prior notice, do not inform them.
The advantage of notifying your colleagues is that they will also feel less trapped compared to a realistic simulation.
A good compromise is to send an email at the beginning of the year announcing that you will be conducting phishing tests during the year. After several months, the element of surprise will have disappeared, but your employees will have been forewarned.
Tracking progress to detect unforeseen issues
Some tools allow real-time tracking of campaign progress.
With Arsen, you have a screen where all events – clicks and compromises – are displayed in real time. This allows you to ensure that there are no unexpected issues.
The configuration test conducted earlier may have been launched on only a few email addresses with specific security rules. It is therefore interesting to check if all the emails have been delivered correctly and if there are no particular issues related to the launch of a larger-scale campaign.
There are often specific deadlines for presenting campaign results, so it is preferable not to waste time due to unforeseen issues.
Varying data collection duration
Once the phishing emails have been sent, we advise our clients to collect data between 24 and 72 hours, although some campaigns may last longer.
Most at-risk employees tend to respond impulsively to their emails, clicking and compromising their credentials shortly after reading the email.
The majority of compromises occur in the first few hours, with others taking place within 24 hours. Collecting data for 72 hours is generally because some people do not work on the day the campaign is launched.
Post-Mortem: the opportunity to convey your analysis
The post-mortem is the step where data is gathered for interpretation.
The purpose is to determine if the threat is real for the company, if more awareness is needed, and if the hacker's perspective is satisfactory.
Once the results have been collected, they need to be communicated. In this case, corporate culture is essential. If your employees feel victimized by awareness campaigns and IT security teams, they will not be proactive and will disengage from their training.
Ensure to foster a team spirit between the security teams and employees in the fight against phishing.
Congratulate your team if the reporting rate is good and explain the different issues again when the compromise rate is high. The idea is to maximize transparency during this step.
Be careful not to isolate individuals with poor results when communicating the results as it can hurt their feelings and be counterproductive. Instead, opt for statistics by group, which will mask the culprit and avoid any discrimination.
The final step is to decide on future actions based on the results. Generally, this involves implementing a comprehensive awareness strategy and planning additional tests to verify the progress of the results. You can also choose to engage an external party to raise awareness among the highest-risk groups.
If, for example, you detect the presence of Shadow IT during your reporting, you may need to review the company's security policy.
Conclusion
In conclusion, phishing tests are an excellent tool to incorporate into your awareness strategy.
Some performance indicators obtained during these campaigns are essential in evaluating and protecting against phishing risks. However, you should not rely solely on these tests for your strategy.
