How to Run Your Own Phishing Test

Email has been a critical form of business communication for decades.

Still, it isn’t perfect. Email can expose your company to phishing attempts from cybercriminals who want to steal your data. In 2017, a whopping 76% of information security professionals revealed that their organization had experienced phishing attacks.

You can lower your business’s risk of suffering from a phishing attack by training employees on how to recognize and avoid phishing attempts. But even after you train them, you have to wonder whether every employee learned the lessons.

After all, if one person on your team falls for a phishing email, then your whole network can potentially get compromised. So how can you put their knowledge to the test?

Run your own phishing test. It helps ensure that your employees understand how to spot and respond to phishing attempts without the risk of compromising your network.

Here’s how to get started.

1. Start by Training Your Staff to Recognize and Report Phishing Attempts

Before you run a phishing test, you have to make sure that all of your employees have been properly trained to recognize and report phishing attempts. Some of the most common traits found in phishing emails include:

• Unknown email addresses.
• Bad grammar and spelling throughout the email.
• Missing information, such as your name and the sender’s signature.
• Incorrect information about you or the supposed sender.

When your employees encounter suspicious emails, they should report them by forwarding the messages to an IT specialist who can analyze the threat.

2. Send an Obvious Phishing Email to Reinforce Training

For a short period after the training session, your employees will be acutely aware of phishing attempts. Send your first phishing test to them within this period so you can reinforce what they’ve learned.

Your first phishing email should contain obvious signs that will encourage employees to report the attempt to IT. At this point, you just want to make sure that all of your employees paid attention to their training and understand how to report suspicious emails.

If someone doesn’t respond correctly, then you know that they need additional training.

3. Send Progressively Deceptive Phishing Emails

After sending an obvious phishing attempt, you need to create a schedule of progressively more deceptive emails. You may decide to conduct phishing tests once or twice a month. As long as you test your employees at least six times per year, you can confirm that they’ve retained their training and know how to respond to phishing attempts.

As your tests progress, you can make the phishing emails harder to identify by:

• Improving the spelling and grammar.
• Using one of your company’s internal email addresses as the sender.
• Addressing the email to the employee by name (known as spear phishing).
• Including other employees, managers and executives in the message.

By the end of the year, you should conduct at least one test that includes all of these features.

4. Review What You Learn From the Phishing Tests

After each test, you need to review the results so you will know which of your employees could spot the phishing email. Hopefully, you will see that at least 90% of your team reported the attempts.

Perhaps more importantly, you need to identify the individual employees who clicked on suspicious links or leaked sensitive data. Identifying these employees helps you pinpoint where you need additional training or security tools.

5. Reward and Retrain

Once you have the results of your test, you need to reward high-performing individuals and retrain low-performing employees who fell for the ruse.
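The review in step 4 and the retraining decision in step 5 are easy to automate once each simulation records who was sent the test mail and who reported, clicked, or submitted data. The following is an added example, not code from the original post or from KJ Technology; the event names, the 90% target and the five-employee log are constructed for illustration.

```python
from collections import defaultdict

REPORT_TARGET = 0.90  # the post's goal: at least 90% of recipients report the test

# Outcome precedence: someone who clicked and later reported still counts as
# "clicked", because the link was followed. "no_action" means the mail was ignored.
SEVERITY = {"submitted": 3, "clicked": 2, "reported": 1, "no_action": 0}

# Constructed sample log for two simulated campaigns (not real data):
# (campaign, employee, event). Every recipient has a "sent" row; "submitted"
# means data was entered on the test landing page.
EVENTS = [
    ("c1", "alice", "sent"), ("c1", "alice", "reported"),
    ("c1", "bob", "sent"), ("c1", "bob", "reported"),
    ("c1", "carol", "sent"), ("c1", "carol", "clicked"), ("c1", "carol", "submitted"),
    ("c1", "dave", "sent"), ("c1", "dave", "clicked"),
    ("c1", "erin", "sent"),
    ("c2", "alice", "sent"), ("c2", "alice", "reported"),
    ("c2", "bob", "sent"), ("c2", "bob", "reported"),
    ("c2", "carol", "sent"), ("c2", "carol", "clicked"), ("c2", "carol", "reported"),
    ("c2", "dave", "sent"), ("c2", "dave", "reported"),
    ("c2", "erin", "sent"), ("c2", "erin", "reported"),
]


def outcomes(events):
    """Collapse raw events into the single worst outcome per (campaign, employee)."""
    worst = {}
    for campaign, employee, event in events:
        outcome = "no_action" if event == "sent" else event
        key = (campaign, employee)
        worst[key] = max(worst.get(key, "no_action"), outcome, key=SEVERITY.__getitem__)
    return worst


def score_campaign(events, campaign):
    """Per-campaign outcome counts plus the report rate checked against REPORT_TARGET."""
    results = [o for (c, _), o in outcomes(events).items() if c == campaign]
    counts = {label: results.count(label) for label in SEVERITY}
    rate = counts["reported"] / len(results) if results else 0.0
    return {"recipients": len(results), **counts,
            "report_rate": rate, "meets_target": rate >= REPORT_TARGET}


def retrain_list(events):
    """Employees who clicked or submitted data in any campaign, repeat cases first."""
    fell_for_it = defaultdict(int)
    for (_, employee), outcome in outcomes(events).items():
        if SEVERITY[outcome] >= SEVERITY["clicked"]:
            fell_for_it[employee] += 1
    return dict(sorted(fell_for_it.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    for campaign in ("c1", "c2"):
        print(campaign, score_campaign(EVENTS, campaign))
    print("retrain:", retrain_list(EVENTS))
```

Running it over the constructed log shows the second, harder campaign improving from a 40% to an 80% report rate, still short of the 90% target, and lists carol (fell for both tests) ahead of dave for retraining.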

A phishing test is the only way to make sure your employees know how to identify and report phishing attempts. Start planning your test so you can improve your business’s security.

Run Your Test with the Help of KJ Technology

There are plenty of other questions you’ll need answers to. Which email address do you send the phishing test from? How can you accurately track who clicks and who doesn’t? How can you protect your business against actual phishing attacks?

That’s what we’re here to help with. We can help you test your organization to decrease your chances of ever suffering from a phishing attack.

Interested in learning more about the methods? Have any questions about the tools to use? Reach out to us today – we’re more than happy to go above and beyond to protect our clients from security threats.