Security Awareness Blog

Phishing Assessments - How Targeted Should It Be?

I'm a huge fan of phishing assessments: not only are they a great way to measure the impact of your program, but also a powerful way to reinforce key behaviors. However, as with any tool, you have to use it correctly. A common challenge with phishing assessments is how targeted you should make the emails. Make the assessments too simple, and over time people will get complacent. Make them too targeted, and people not only resent the program, but you destroy trust. There needs to be a balance.

  1. Start your emails as simple and basic as possible. Yes, it's obviously a phishing assessment, but that is what you want. Lots of people will still fall victim, but instead of resenting the program they will respect it. "Oh yeah, okay, I should have figured out that was a phish." In some ways the first phish or two is more about getting employee buy-in than training.
  2. I always wondered how I would know when to 'pump up the volume' on the emails, but quickly discovered my answer: when employees start asking you to create more targeted or harder emails. Yes, they will ask; they want to be challenged. Once you see the percentage of people who fall victim dropping, and once people ask for harder emails, it is time to create more targeted phishing assessments.
  3. The real challenge becomes how far to go. I've learned not to go too far too often. If you repeatedly make your emails too targeted or challenging, you do more harm than good. First, people will resent the program; they will feel you are out to get them. Second, people will no longer believe in the program. "Yeah, sure, you got me, but you know what, the email was so targeted there was no way I could have figured it out." Third, people will stop trusting emails from other employees or partners, impacting how your organization operates.

Yes, spear phishing is a risk, and for some organizations a big risk. Just keep in mind that you can do more long-term harm than good with repeated, highly targeted assessments. How often and how targeted your phishing assessments should be is something only you and your organization can decide. If you are not sure how targeted to make them, I recommend erring on the side of making them too easy rather than too hard.

Posted October 21, 2013 at 3:29 PM

Paul Hershberger

Manufacturing phishing attacks for awareness purposes is good; however, why not better leverage the phishing attacks that come in on a daily basis and use those more effectively to train users who are falling victim to the real thing? In my opinion, leveraging the real events and using them to train the user base is very effective and can have a greater impact overall. Measuring the number of actual click events over time shows real-world behavior changes and can drive better awareness into the effectiveness of your overall security program.

Posted October 21, 2013 at 3:36 PM


How would you do this differently from standard phishing assessment software? Many organizations I know will simply use the software to copy/replicate the very same attacks they are getting, as the software makes it far easier to track and report who fell victim. It also controls who gets the phish and when.

Posted October 23, 2013 at 12:17 PM

Paul Hershberger

Rather than copying and simulating the attacks, we track actual click events (real phishing victims) in our environment and use those events to educate the users based on what they saw, what actions they took, and the implications of their action (the click). Of course, this is in conjunction with broader education efforts. What I have found is that by using real events we build trust with the users, and they tend to become security advocates from there.

Posted October 23, 2013 at 1:16 PM


Got it, and thanks for sharing!