Security Awareness Blog

Technical Guidance on Phishing Assessments

Several weeks ago we released the Phishing Planning Kit, a resource to help organizations plan and maintain an effective phishing assessment program. This kit is based on the suggestions, lessons learned and feedback from numerous security awareness officers who are actively leading their own phishing assessment programs. We released the kit because most organizations that run into problems with their phishing assessments do so not because of technical issues, but because they failed to properly communicate and execute the program.

EJ recently asked some technical questions about rolling out his phishing program (see the comments on the Phishing Planning Kit post), and I wanted to take a moment to answer them. First, the simplest way to address most of your technical issues is to use a phishing service. There are many to choose from and all are similar and good, including ThreatSim, Wombat and PhishMe. SANS even has its own phishing solution you can use, so you have lots of options. What makes these solutions so good is that they do all the work for you: they have numerous phishing templates to choose from, detailed reporting, long-term trending, control over numerous domains for your phishing emails, and they make sending multiple phishing campaigns to different targets simple. As you can see from EJ's questions, things quickly get complex if you try to set all of this up yourself. Based on my experience, it's not worth it. If you are in a small organization that cannot afford these services, then use email marketing software such as Direct Mail for Mac to send and track your 'phishing emails', but you lose most of the features that the phishing services offer.

Second, start simple: begin your phishing campaigns with the easiest emails to detect, then over time you can 'pump up the volume'. Every organization is different, so which phishing emails will be effective in your organization depends on your culture. In general, lures based on personal accounts, such as personal banking sites or personal social media sites, will not be that effective at work. However, emails about package deliveries, flight cancellations, hotel reservations or updates concerning work or technology can be very effective.

To be honest, I would not get too caught up in all the technical complexities of phishing; let the phishing companies take care of that for you if possible. If not, even simple phishing emails will work. What is important is to start slow and learn from your phishing campaigns what is and is not effective. Technology plays a small part in the success of your awareness program; it's ultimately about how you communicate and execute it. That is the reason why we developed the Phishing Planning Kit.