How to Successfully Launch a Phishing Training Program
In this webinar, Habitu8 cofounders Jason Hoenich and Chad Loder discuss how to put together a phishing simulation training program. Jason promises to offer some helpful tips based on his experience and to keep the steps for launching a successful program to just five. He also promises to offer tips for once the program is up and running, as well as pitfalls to avoid.
To get started, Jason asks Chad what a phishing training program is, and Chad’s response is pretty on point: “It’s basically this thing where you send out phishing emails to your whole company and then the infosec sits there and watches the console and giggles … and shames people for falling for it and then puts them through some type of boring CBT-based training.”
The truth is, a phishing training program is a great introductory way to train your employees about the risks of phishing emails. Chad reminds us about how brutal phishing has been in recent years, specifically the DNC and Podesta email hacks.
A post-webinar download offers complete notes, but the five steps (that could have been seven or eight) are:
1. Learn how a phishing training program works.
2. Know your environment, your needs, and what hiccups might occur.
3. Build a team of pertinent stakeholders, formulate a plan, and be transparent.
4. Communicate, communicate, communicate.
5. Collect data and understand how repeat responders develop.
One of the biggest mistakes Jason sees with phishing training programs is that companies assume that the outcomes of the campaigns reflect the reality of their security. The purpose of a training program should be to look at the average of campaigns—not sound the alarm when a single campaign goes haywire.
Find Teachable Moments
The real training? When someone clicks on an email, realizes they shouldn’t have done it, and feels foolish. The likelihood that someone is in a teachable frame of mind after falling for a phishing campaign? Pretty slim. Psychology shows that when you experience something you weren’t expecting, your brain starts to rapidly take in information in order to make sense of it. But that doesn’t mean it’s time to deliver an hours-long training or pages upon pages of tutorials. “Give them one piece of information, and let them take that in,” Jason says.
Report Like a Pro
Whether it’s a plug-in for your email client or a reply-to that says exactly who the sender is (e.g., firstname.lastname@example.org), make sure you have a basic reporting process in place—otherwise your program and data are going to get lost. Having access to accurate data is crucial. As Jason always says, “Good data in is good data out.”
Help Your Help Desk
Your help desk is only as good as the information you plug into it. Why? People will always—by default—call or email the help desk if something comes in. If you don’t understand the help desk’s processes for responding, and if the knowledge base or whatever they use to respond to help queries isn’t updated with the right information, you’ll be set up for failure before you even launch your phishing training program. It could set your program back a year or more. Yikes.
You Can’t Fail
There are tons of best practice suggestions about when to inform the company that you're going to run a phishing training program, but the truth is this: You could email the whole company to announce the program, send the simulated phishing email two hours later, and people would still interact with it. It's crucial to make sure everyone knows that everyone is participating, that you can't fail a training program, and that the whole point is to help everyone do their jobs better and avoid phishing hacks.
Embrace the Learning Curve
Don’t think of repeat responders as repeat offenders—they’re not offending anyone, they’re just responding to training. The beauty of these employees is that you don’t need to do anything with them; accept that there is a learning curve and acknowledge that the average user needs to engage with at least four campaigns before you can label them a “repeat responder.” Jason says there is this magic moment between the third and fourth campaign where responses should drop into the single digits—and this is when you create an outreach program to deliver the tools and support repeat responders actually need. The lesson? Give repeat responders a chance! Not sold? Jason shares some hard stats in this webinar that will convince you.
Q&A: Helpful Hints
In addition to providing an outline for an action plan, the webinar gives practical advice. Some tips from the Q&A:
Can we mimic IRS scams or use official brand logos?
Although it’s tempting, you don’t need a logo. Keep in mind that when you send a phishing training program email, it still has to go through email security systems, which means it’s public on the internet and you can get a DMCA takedown notice. Jason has experience with this with the IRS. Don’t be like Jason.
How do you find balance so the email doesn’t look too suspicious?
The point isn’t to trick the infosec team—you’re not winning an award for that. The kind of emails Jason likes? The ones that look like they’re sent from a mobile device.
How long should you run a campaign?
With a real phishing campaign, inboxes should be secured as quickly as possible. So:
Run it for a few days—it shouldn’t last forever, because that’s not how the real world works.
If you have seasonal employees or people in different time zones worldwide, consider separating groups out for future campaigns.
Use URL shorteners for specific subgroups.
Watch the webinar here. Don't forget to download the notes with a template for a detailed action plan!