Boosting Security Awareness: Tips for Engaging Phishing Simulations

Undoubtedly, phishing your own users in controlled simulations is an excellent way to create awareness of social engineering risks and to change employee behaviour. At Change Champions, we specialize in creating security awareness programs that are both engaging and transformative for employees, so we decided to write this post to share what we have learned while helping clients with their awareness efforts.

Why write about phishing simulations?

More often than not, we observe that the way in which simulations are conducted is not conducive to changing behaviour. For instance, employees know that simulations are happening only because they receive the phish; they are not involved in the process or informed of the results. In turn, they feel that this is something being done to them and have little stake in the outcome.

We think that there is a better approach and we would like to share that with you here.

Engage employees in the simulation process (before and after)

We recommend that you start by formally communicating your intentions to phish employees as one of the steps towards reducing risks and increasing awareness. That is, frame the phishing campaigns as something positive rather than as a threat. You want employees to feel part of the solution, not scared of the consequences of their behaviours.

Once a few campaigns have been completed and you have gathered enough data to establish a true baseline of risk, we recommend that you communicate your findings. Why? This gives employees insight into how the organization is doing and where to improve, and, once again, it reinforces the idea that “we are all in this together” and helps create a culture of safety.

Side note: if you have ever worked in an organization where safety is a core value, you will probably recognize this. People are encouraged to speak up when something they (or someone else) did could have been risky, and leaders model that behaviour rather than making anyone feel embarrassed about it. Reporting a phish you already clicked on should be treated the same way as reporting a near miss on a shop floor.

Conduct frequent simulations

To see true changes in behaviour, you need to conduct these simulations often. Some organizations resist this idea because leaders don’t like to upset employees. To them we say “think twice”: if an employee shares credentials during a real phishing scam, you will regret not having taken this seriously.

In our experience, a campaign per month (at least) is a good way to keep employees alert.

Increase the complexity as you go

If your phishing campaigns are not challenging enough, your employees will become complacent and stop learning. The reality is that phishing scams are getting progressively more realistic and complex, with scammers crafting sophisticated lures with the help of artificial intelligence and social engineering techniques.

So, to see improvements, we recommend that you progressively increase the complexity of your phishing campaigns. You can do so by, for example, creating more realistic lures, spoofing the sender address or display name, or timing your campaigns to coincide with corporate events (e.g., a holiday party). If you spoof your own domain, coordinate with whoever owns the mail gateway so that the simulation is not silently blocked by your own SPF/DMARC controls, and keep any allow-listing scoped to the simulation platform. Another way to really make your employees work is to create specific campaigns targeted at groups at risk such as your AP team, your executives and executive assistants, or even your IT team.

Vary your phishing techniques

While the majority of phishing scams still arrive as emails, organizations increasingly need to be prepared for scams delivered through other channels, such as phone calls (vishing), text messages (smishing), and QR codes (quishing).

The majority of our customers have not yet experimented with these other types of phishing simulations, even though the risk is likely there. The only way to know your susceptibility to other forms of phishing is to test employees against them. Contact us if you have any questions about how to conduct simulations using phone calls (vishing), text messages (smishing), or QR codes (quishing).

Enlist a network of sponsors and make phishing metrics part of their KPIs

We learned this strategy from one of our clients. As we started working with them, we quickly realized that they were serious about their security awareness effort because they tied the organization’s rate of response to phishing emails (i.e., clicks, credentials disclosed, and reports) to the KPIs of executives.

In the case of our client, if the organization as a whole exceeded the agreed threshold, executives’ compensation would be affected. While the goal this client set for themselves was relatively easy to meet, the benefit of what they did lay in the awareness it generated amongst executives. Rather than treating the outcomes of a phishing campaign as the IT team’s problem, this made the executives share responsibility for those outcomes.
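To make the metrics in this section concrete (the baseline you communicate to employees, the breakdown by at-risk group such as AP or executives, and the KPI threshold tied to executive compensation), here is an added example of how campaign results can be aggregated. This is illustrative code written for this post, not the client’s or any vendor’s tooling; the event format, the department names and the KPI thresholds are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample (not real campaign data): one row per recipient per
# campaign. Columns: campaign, department, clicked, submitted_credentials,
# reported (1 = yes, 0 = no). A recipient can both click and report;
# reporting after a click is still the behaviour we want to see.
SAMPLE_EVENTS = """\
2024-01,AP,1,1,0
2024-01,AP,0,0,1
2024-01,Exec,1,0,0
2024-01,IT,0,0,1
2024-01,IT,0,0,0
2024-02,AP,0,0,1
2024-02,AP,1,0,0
2024-02,Exec,0,0,1
2024-02,IT,0,0,1
2024-02,IT,0,0,0
"""


@dataclass
class Event:
    campaign: str
    department: str
    clicked: bool
    submitted: bool
    reported: bool


@dataclass
class Tally:
    """Counts for one population (whole organization or one department)."""
    recipients: int = 0
    clicks: int = 0
    submits: int = 0
    reports: int = 0

    def add(self, e: Event) -> None:
        self.recipients += 1
        self.clicks += e.clicked
        self.submits += e.submitted
        self.reports += e.reported

    def _rate(self, n: int) -> float:
        return n / self.recipients if self.recipients else 0.0

    @property
    def click_rate(self) -> float:
        return self._rate(self.clicks)

    @property
    def submit_rate(self) -> float:
        return self._rate(self.submits)

    @property
    def report_rate(self) -> float:
        return self._rate(self.reports)

    @property
    def reports_per_click(self):
        # Undefined when nobody clicked; return None instead of dividing by zero.
        return self.reports / self.clicks if self.clicks else None


@dataclass
class CampaignSummary:
    overall: Tally = field(default_factory=Tally)
    by_department: dict = field(default_factory=dict)


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        campaign, dept, c, s, r = line.split(",")
        events.append(Event(campaign, dept, c == "1", s == "1", r == "1"))
    return events


def summarize(events) -> dict:
    """Per-campaign totals plus a per-department breakdown."""
    out = {}
    for e in events:
        cs = out.setdefault(e.campaign, CampaignSummary())
        cs.overall.add(e)
        cs.by_department.setdefault(e.department, Tally()).add(e)
    return out


def riskiest_departments(cs: CampaignSummary) -> list:
    """Departments ordered by credential-submission rate, then click rate."""
    return sorted(cs.by_department,
                  key=lambda d: (cs.by_department[d].submit_rate,
                                 cs.by_department[d].click_rate),
                  reverse=True)


def kpi_met(t: Tally, max_click_rate: float = 0.25, min_report_rate: float = 0.5) -> bool:
    """Assumed KPI: click rate at or below a ceiling AND report rate at or
    above a floor. The thresholds are illustrative, not the client's figures."""
    return t.click_rate <= max_click_rate and t.report_rate >= min_report_rate


if __name__ == "__main__":
    for name, cs in sorted(summarize(parse_events(SAMPLE_EVENTS)).items()):
        t = cs.overall
        print(f"{name}: click {t.click_rate:.0%} submit {t.submit_rate:.0%} "
              f"report {t.report_rate:.0%} KPI {'met' if kpi_met(t) else 'missed'} "
              f"riskiest={riskiest_departments(cs)[0]}")
```

The report rate is tracked alongside the click rate deliberately: a KPI that only rewards fewer clicks encourages people to stay quiet after a mistake, whereas the safety culture described above needs reports to go up even when clicks happen.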

In Closing

While phishing employees is an excellent way to drive security awareness and behavioural change, there is a lot more that IT teams can do to get a higher return from their phishing efforts. Follow these recommendations and you can expect to see measurable changes in as little as three months. 🚀
