Phishing Simulation Emails: Avoiding a Nightmare
December 26, 2020
When a company's phishing simulation emails land in the news headlines, that's a bad thing. The recent news out of GoDaddy about a phishing simulation email that claimed to be a holiday bonus is a prime example, as is the Tribune Media case from a few months ago. Although we don't know the particulars of what motivated those simulations, we do know that they were not well received, and that much more appropriate strategies are readily available. Here are four strategies that we recommend to our clients, and that we help them implement by leaning on our massive bank of preconfigured phishing email templates (113 phishing simulation email examples).
1. Widespread Services
Is there any adult in the U.S. that hasn't sent or received a package (from UPS, FedEx, or USPS)? Perhaps. Any businesspeople that have never sent or received a document for e-signature (e.g. from DocuSign)? Anyone that has never had a telecom account of any kind (Verizon, AT&T, Comcast / Xfinity, etc.)?
It would be hard to find a person that has never had any interaction with any of these services. And that's what makes them so great as a basis for phishing simulation emails.
If you got a notification from UPS of a package en route, for example, there is a very good chance that you wouldn't trust yourself to remember whether you were or weren't expecting a UPS delivery. That means that in order to gauge legitimacy, you'd find yourself falling back to secondary signals such as the sender's address, the information in the message, the domain names observed in the links, etc. It's exactly this type of judgement call that is central to running an effective phishing simulation.
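As an added illustration of those secondary signals (not code from the original post or from Havoc Shield), the script below parses a constructed "package en route" message, compares the sender's domain against the host of every link, and flags links whose visible URL text points somewhere other than the real href. The message, its `.example` domains, and the `registrable()` helper are all assumptions built for this example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (placeholder .example domains): a "UPS" notice whose link host does
# not match the sender domain and whose visible URL differs from the real href.
SAMPLE_EML = """From: UPS Notifications <noreply@ups.example>
To: recipient@corp.example
Subject: Your package is on the way
Content-Type: text/html

<html><body>
<p>Track it: <a href="https://ups-tracking.example.net/t?id=1">https://www.ups.example/track</a></p>
<p><a href="https://www.ups.example/help">Help</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):  # crude last-two-labels approximation of the registrable domain
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def check_secondary_signals(raw):
    """Return findings where link hosts disagree with the sender domain or visible text."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = registrable(msg["From"].addresses[0].domain)
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname
        if registrable(host) != sender_domain:
            findings.append(f"link host {host} differs from sender domain {sender_domain}")
        if text.startswith("http") and registrable(urlparse(text).hostname) != registrable(host):
            findings.append(f"visible URL {text} hides real link host {host}")
    return findings
```

A real mail gateway would use the Public Suffix List rather than the last-two-labels shortcut, but the sender-versus-link comparison is the same judgement call a recipient makes by hand.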
2. Services Your Company Uses
Does your company use Google Suite, or Office 365?
Does your company use Google Drive, Dropbox, or Box?
Does your company use Amazon Web Services, Azure, or Google Cloud?
Whatever your answers are to the above (even if your answers are services we didn't name), you are well on your path to pinpointing a list of service providers that your company relies on. And those are great candidates for incorporating into your phishing campaign strategy. For example, if your whole company relies on Google Suite, sending a phishing simulation email that claims to be a Google Security Alert would be a great choice.
3. Shadow IT Services
Here's where some companies struggle to extend their phishing simulation strategies, but where there is a ton of hidden value. Do you know what additional services your employees have become accustomed to using, even though they aren't officially considered "approved" by the company? It can be something as simple as employees in a marketing team putting their Canva subscription on their company card (without buying "through IT"). Or as simple as a group of employees that prefers to use Dropbox for file sharing, even though the company's official nod goes to Google Drive. Anytime employees take their own initiative to use an IT service that isn't officially approved, that's called Shadow IT.
And, if you know which Shadow IT services are common in your company (e.g. Havoc Shield customers get this information from our employee onboarding surveys), that is an outstanding source of ideas for additional phishing simulation emails that could be very effective.
4. B2B Money Movement Messages
Exercise caution here, but if you proceed carefully you'll be able to implement some of the strongest and most effective phishing simulations anywhere. Which employees in your company have funds transfer obligations, and/or are in the approval chain for funds transfers? Here are some ideas to jog your memory:
- Employees who are involved in running payroll
- Executive assistants who make purchases on behalf of executives
- Accounts payable personnel who pay invoices and bills
- Accounts receivable personnel who collect payments from clients
- Any person that holds a company credit card
- Any person who has any type of budget approval
All of the above are individuals that your company is trusting (big time) to be able to sniff out fraud when they see it. It takes caution and care to structure these phishing simulation emails in an appropriate and measurable way. The GoDaddy and Tribune Media stories are obvious examples of how not to handle money movement phishing; so, here are some counterexamples of techniques that are much more considerate:
- An email to an accounts receivable person claiming to be from a particular (fictitious) client, and asking the A/R staffer to click through to see the details of a pending payment.
- An email to an executive assistant requesting a particular gift card purchase, through a very specific purchase link enclosed in the message.
- A "notification" to a payroll specialist, claiming to have some direct deposit information change, with a link to click to see the details.
Each of these is a case where the clickthrough link can reveal that it was a phishing simulation, and where no meaningful personal finance implication (such as a bonus) is being dangled. The above three examples are exactly the kinds of phishing simulations that help to raise awareness about the actual tactics that phishing attacks use.
Wrapping Up: Phishing Simulation Emails
We run phishing simulations for our clients on a regular basis, and (for your peace of mind) none of our messages involve supposed bonuses. We use the above four techniques frequently to help our clients stay safe, and we'd love to help your company too.