Security Awareness Blog

The How of Security Awareness Phishing Assessments

Last week we discussed WHY you would want to consider phishing assessments as part of your security awareness program, specifically for metrics and for reinforcing training. Today we discuss HOW. Below are several different options, starting with the simplest and finishing with the most advanced. Each has its advantages and disadvantages, so go with whatever works best for you. If I left one out, let me know.

  • URL Shorteners: Many URL shortening services like http://bit.ly and http://goo.gl have the ability to track how many people click on a link. You can then create your own custom phishing emails, embed a link using one of these services, and track how many people click on it. This is a simple, low-cost approach. However, you will not be able to track who clicked on the link, just how many people did.
  • Marketing Services: A more advanced option is email marketing services. These are solutions that let marketing teams send out email promotions and track both who opened the email and who clicked on embedded links. These services cost money, but provide far more detailed information. The downside is they only track links; you cannot track who opened attachments. One of my favorites for phishing assessments is Direct Mail, for the Mac.
  • Phishing Services: These are professional services designed for providing security awareness phishing assessments. They are very flexible, allowing you to choose and customize your phishing emails. They also often support not only link tracking but attachment tracking. Two very well known options are PhishMe and Wombat's PhishGuru.
  • Penetration Testing: If you really want to pump up the volume, you can not only track who opened your phishing emails but actually hack their computers. To be honest, for me this is going beyond most awareness programs and is usually reserved for penetration testing. However, if you are in a situation where you need to demonstrate the full power of human-based attacks, and have prior permission, there are options out there. If you like open source, go with Metasploit's Social Engineering Toolkit. If you prefer something supported with a nice GUI, I highly recommend Core IMPACT.
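To make the difference between the first two options concrete, here is an added example (my own illustration, not code from any of the services named above) of what the metrics look like with count-only tracking versus per-recipient tracked links. It assumes hypothetical recipients, a placeholder campaign secret, and a constructed click log in the shape of a marketing-service export.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: hypothetical recipients and a secret held only by
# the assessment team (placeholder value, not a real key).
RECIPIENTS = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]
SECRET = b"replace-with-a-random-campaign-secret"

def tracking_token(email: str) -> str:
    """Opaque per-recipient token for that person's link; keyed with HMAC so
    one recipient cannot derive or guess another person's token."""
    return hmac.new(SECRET, email.lower().encode(), hashlib.sha256).hexdigest()[:16]

def tracking_links(base_url: str) -> dict:
    """One distinct link per recipient, the way a marketing service does it."""
    return {e: f"{base_url}?t={tracking_token(e)}" for e in RECIPIENTS}

# Constructed click log, (timestamp, token, event): Alice opens and clicks
# twice, Bob only opens, Carol clicks once, Dave does nothing, and one click
# carries a token that matches nobody (a forwarded or tampered link).
SAMPLE_LOG = [
    ("2024-01-08T09:01:00Z", tracking_token("alice@example.com"), "open"),
    ("2024-01-08T09:01:30Z", tracking_token("alice@example.com"), "click"),
    ("2024-01-08T09:05:00Z", tracking_token("bob@example.com"), "open"),
    ("2024-01-08T09:40:00Z", tracking_token("alice@example.com"), "click"),
    ("2024-01-08T10:15:00Z", tracking_token("carol@example.com"), "click"),
    ("2024-01-08T10:20:00Z", "0000000000000000", "click"),
]

def report(log) -> dict:
    """Aggregate the log two ways: the bare click count a URL shortener would
    give you, and the per-person outcome that tracked links give you."""
    by_token = {tracking_token(e): e for e in RECIPIENTS}
    events, unattributed = defaultdict(set), 0
    for _ts, token, event in log:
        email = by_token.get(token)
        if email is None:
            unattributed += 1          # count it, but never guess who it was
            continue
        events[email].add(event)
    per_recipient = {}
    for e in RECIPIENTS:
        ev = events.get(e, set())
        per_recipient[e] = "clicked" if "click" in ev else "opened" if "open" in ev else "no action"
    clickers = [e for e, s in per_recipient.items() if s == "clicked"]
    return {"total_clicks": sum(1 for _, _, ev in log if ev == "click"),  # shortener view
            "unique_clickers": len(clickers),
            "click_rate": len(clickers) / len(RECIPIENTS),
            "unattributed": unattributed,
            "per_recipient": per_recipient}
```

The shortener view reports four clicks; the tracked view shows those were two people, one of them clicking twice, which is the number your training metrics should actually use.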