Why carry out phishing simulations with groups of employees?

Lïa Desmousseaux de Givré

The objective of your phishing campaigns is to get as close as possible to the real attacks threatening your company in order to improve your resilience against them. Some hackers are increasingly focusing on the quality of their emails rather than quantity by practicing spear phishing.

They create scenarios tailored to their target and use social engineering to lower the target's vigilance. The goal of a phishing email is to resemble all the other emails in the victim's inbox so that it is not identified as a threat.

Your employees do not all receive the same types of emails. However, some employees receive emails that are similar enough for you to segment your workforce. You can create groups within your workforce based on their department or region, for example.

In this article, we will identify the advantages of conducting phishing simulations by group.

Conducting group phishing simulations for more realism

Customized phishing scenarios are closer to reality. By conducting phishing simulations by group, you can adapt your scenarios to the employees you want to target.

Let's imagine that you want to conduct a phishing campaign targeting your sales department. There are various scenarios that are suitable for this situation. For example, a request to log in to the CRM is an appropriate test to train your salespeople.

Next, suppose you want to test your HR team. A job application or an alert from the AmeliPro health service are scenarios that will raise less suspicion from the HR department.

Creating a customized scenario based on the tested group makes the attack more difficult to detect and gives you more realistic results.

By testing a limited number of your employees, you avoid them "spreading the word," which can bias your results and lower the compromise rate. Testing your entire workforce at once artificially improves your company's security score.

Testing by group for more frequent testing

By testing your colleagues by group, you can conduct more simulations by distributing them instead of testing the entire workforce in every fake phishing exercise.

Conducting phishing tests in rapid succession in the hope of training your employees faster is rarely a good solution. If simulations are too frequent, your colleagues may feel harassed and reduce their participation in detecting phishing and protecting the company against it.

In addition, regularly testing the same people makes your phishing exercises much more predictable. The "random" factor allows you to maintain a higher level of attention, and your employees will be more vigilant over time.

Why we use non-exclusive groups

Employee Example - Arsen Platform

An employee can belong to multiple groups (17 here)

Segmenting your employees in various ways can be interesting. By using the Arsen platform, a user can be a member of multiple groups.

Segmenting your colleagues by region can be useful. For example, some may not have the same working hours depending on their geographical location.

This allows you to choose more relevant timings for each group. You can also create contextual scenarios by region, using news related to the region in your phishing scenarios, for example.

Another way to segment your phishing simulations is, as we mentioned earlier, by department. This allows you to personalize your scenarios based on the targeted department.

If you want to test your marketing department, a security alert from a social network, for example, will be a relevant scenario for a phishing exercise.

Focus on weaknesses

By using Arsen, each user has a personal security score, but each group is also accompanied by a corresponding score. By assigning a score per team, you can rank the groups and prioritize your simulations on groups that require more training.

Security Scores by Group

You can choose to specifically target groups that have a low score to improve your overall resilience.

This way, you can identify the "at-risk" groups to target the most vulnerable users in your future simulations and strengthen your human firewall.
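The prioritization described above, combined with the earlier advice not to test the same people too often, can be sketched as follows. This is an added example, not code from the Arsen platform: the score formula (share of tested members who were not compromised), the 30-day rest period, and all names and dates are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed sample data: users, groups and outcomes are illustrative only.
# Groups are non-exclusive: each user belongs to a department and a region.
MEMBERSHIP = {
    "alice": {"sales", "paris"},
    "bob": {"sales", "lyon"},
    "chloe": {"hr", "paris"},
    "david": {"hr", "lyon"},
    "emma": {"marketing", "paris"},
}
# Last simulation per user: (date sent, was the user compromised?)
HISTORY = {
    "alice": (date(2024, 3, 1), True),
    "bob": (date(2024, 1, 10), True),
    "chloe": (date(2024, 1, 15), False),
    "david": (date(2024, 3, 5), False),
    "emma": (date(2024, 1, 20), False),
}
MIN_GAP = timedelta(days=30)  # assumed per-user rest period between tests


def group_scores(membership, history):
    """Score per group = share of tested members not compromised (assumed formula)."""
    totals = {}
    for user, groups in membership.items():
        if user not in history:
            continue  # never tested: does not count towards any group score
        compromised = history[user][1]
        for g in groups:
            tested, safe = totals.get(g, (0, 0))
            totals[g] = (tested + 1, safe + (not compromised))
    return {g: safe / tested for g, (tested, safe) in totals.items()}


def plan_next_campaign(membership, history, today, min_gap=MIN_GAP):
    """Pick the lowest-scoring group that still has members outside the rest period."""
    scores = group_scores(membership, history)
    for group in sorted(scores, key=lambda g: (scores[g], g)):
        # Because groups overlap, a member may have been tested recently
        # through another group; skip those users rather than the whole group.
        eligible = sorted(
            u for u, gs in membership.items()
            if group in gs and (u not in history or today - history[u][0] >= min_gap)
        )
        if eligible:
            return group, eligible
    return None, []
```

With the sample data and a planning date of 15 March 2024, the sales group has the lowest score, but only one of its two members is selected because the other was tested two weeks earlier.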

Introduce competition to raise results

During the presentation of the results, you can provide a ranking by group. This makes the learning process more enjoyable and creates healthy competition between groups.

Healthy Competition

This competition encourages your colleagues to challenge each other, which will improve their results. Presenting the results by group also makes them anonymous, so you don't target individuals, which could be counterproductive.

This method allows you to showcase the performance of your employees and generate motivation in their training. Providing positive reinforcement also avoids singling out "underachievers."

In conclusion, conducting phishing simulations by group allows you to create more realistic and less predictable scenarios. You can test your workforce frequently by segmenting your exercises to identify the weak points in your security.
