Security Awareness Blog

Phishing Assessments - A Simple, Anonymous and Free Approach

Phishing assessments are a powerful way to not only measure the awareness of an organization, but to reinforce key learning objectives. Nothing is more powerful then when people click on a link and then get instant feedback they just fell victim to a test, and then learn more about what phishing is and how they could have detected this was an attack. There are now a number of commercial and open source tools out there to help you run your own phishing assessment, which are listed as part of the STH Phishing Assessment Planning Kit. However today I wanted to cover a simpler approach to awareness assessments, one that has the advantage of being both anonymous and free.

Last week I was teaching the SANS MGT 433 course on building high-impact awareness programs. One student brought up a challenge they had with awareness assessments, both legal and unions were blocking the assessments as they could violate employees' privacy. They did not want management to know the names of who fell victim, nor did they want peoples' career impacted. One of the solutions we discussed is using a URL shortener for your awareness program, such as The idea is when creating your phishing email, you use a shortened link in the email (click on image to see what I'm talking about). There are some advantages here.

  1. URL shorteners track and report how many people clicked on the link. They are pretty intelligent on how they do the tracking. So if you click on the link ten times from the same computer, it only counts as one unique hit. As such, the results are pretty accurate.
  2. If your organization is concerned about privacy issues, then this approach addresses those issues as you cannot track who the victims were, only the number. Privacy / anonymity is protected.
  3. You can't beat the price, its free.
  4. If you do use a URL shortener, make sure you use one that protects the privacy of the results, you do not want the URL history publicly available.

Obviously there are disadvantages. For example, you will not be able to track who clicked on the link, or even which department. In addition professional phishing software often provides more in-depth details, such as OS/Email/Browser version of every victim, and perhaps if they have any vulnerabilities. Finally you do not have more advanced attack options, such as tracking open attachments. However, even with all these limitations in mind, if you need a solution that is simple, anonymous, and/or free I recommend you consider this option.


Posted October 15, 2012 at 2:20 PM | Permalink | Reply

Mike Saurbaugh

I think this makes sense and I agree with the ability to track on a low to no budget. One other consideration if privacy is not a concern, is to populate the URL into the URL/proxy filter within the organization. This would identify the department/user based on the unique URL. Many filtering solutions allow for custom entries, which could be used for statistics as well as a custom message about clicking the URL (ie. this is malicious or are you sure you wish to continue).
Anyway, just a thought but depends on the organization.

Posted October 15, 2012 at 2:22 PM | Permalink | Reply


Great idea Mike, I never thought of this approach!

Posted October 16, 2012 at 8:13 PM | Permalink | Reply

Kel Mohror

The short-sightedness of "both legal and unions were blocking the assessments as they could violate employees' privacy. They did not want management to know the names of who fell victim" illustrates the lack of common sense. If someone is repeatedly getting "hooked by phishing," how can that security hole be "plugged" if the perpetrator remains anonymous? Data security is "trumped" by "job security"? That is stupid.

Posted October 25, 2012 at 8:58 AM | Permalink | Reply

Jeff LoSapio

Kel ''" you are correct in calling out the short-sightedness of ignoring the risk of repeat offenders. Unfortunately what Lance describes is reality. I've spoken to a couple of large Federal agencies that had the same issue with their unions. Crazy when you think of the level of phishing attacks against US government agencies.
This is why getting buy-in early from senior management and stakeholders is critical to the success of a phishing assessment and training program.
Fortunately, there are many more enlightened govt agencies that see the value in this type of testing and training.