top of page

Best Practices for Effective Phishing Campaigns

10 Things You Can Do To Improve Your Phishing Campaigns

1. Employ Just-In-Time Education Options

After interaction with a simulated phishing attack you have a limited period of time in which the lessons that can be learned from training will have the most impact. This is what educators refer to as a “golden moment” in which you should provide engaging and effective content to make a lasting impression. Associating real-world dangers with particular employee behaviors is a key component. Individuals who experience just-in-time education better retain critical information.

2. Adjust the Content

Grouping employees according to technical ability, role risks, and other demographics can help your training become adaptive. Difficulty level is one parameter, but the best solutions adapt future experiences based on individual behavior is critical. It’s also beneficial to adapt content to address the particular challenges of a scenario. An example is a password or data request, realistically tailored to an individual’s department or role. If your solution adapts to individuals’ responses and also particular attack vectors will fine-tune individuals’ abilities.

3. Unpredictability

Training should not be predictable. Catching individuals when they are unprepared is important for retention. This practice also helps your users stay vigilant in between campaigns. If people receive infrequent simulations they are, understandably, more likely to make simple errors—in part because attacks methodologies change relatively quickly in the modern age.

4. Time Segments for Training

Surprising users is important, but a training program should not be completely random. The best practice is to use phishing campaigns intervals, with training delivered randomly inside set windows of time. Setting a schedule also enables security leaders to create a general baseline for overall employee performance and regular reporting. Without regularity of testing, it’s difficult to accurately report on individual employee’s performance.

5. Adaptive Difficulty

The basics are what you want all team members to master eventually, but there are more advanced threats in play and those require more advanced skillsets for proper awareness. Your solution should start with a low difficulty level but continually help your users progress toward full mastery. A best practice is for your security team members to maintain constant awareness of trends in attacks and adjust the phishing campaigns to address new attack methods and/or attacks that are currently the most common types.

6. Total workforce training

The latest research indicates the most effective approach for phishing simulation when it comes to education is to train your entire user population each and every month. Anything less than 100% workforce training inevitably results in security ‘holes’ in your defenses. Also, without full-scope training you cannot be sure where personnel stand in their education journeys.

Anything less than 100% workforce training inevitably results in security ‘holes’ in your defenses

7. Globalization

If your organization includes personnel for whom English is not their first language, it’s a good idea to tailor campaigns to use individual-specific language for the content. This will, in most cases, greatly improve learning retention. Especially for multinational organizations, it’s always important to tailor security training material to the languages and cultures which are primary for your team members. Also, depending on location you could have various legal requirements for email compliance standards, and if you are able to use local references in simulations (e.g., national holidays, major news outlets, the most popular social media platforms, etc.) you’ll increase the believability of your phishes.

8. More Comprehensive Reporting

Reports should give you insights into your organization’s security “health” and should help you accurately identify weaknesses. The reports available in your solution will ideally provide monitoring of real-time key performance indicators (KPIs) and additional business intelligence that helps you drill down to region, department, and sub-group levels without compromising individuals’ privacy (i.e., the reports should redact personally identifiable information). Reporting capabilities should ensure key stakeholders receive timely reports, summaries, and reviews containing actionable data. This type of communication will improve the long-term impact of your training program.

9. Identify Groups for Analysis

Some personnel are what is known as ‘serial clickers.’ These individuals have developed a knee-jerk reaction that they should click on links and open attachments. Managing a continually updated list of serial clickers will require the consistent monitoring of users’ performance, as mentioned above, but this is not the only group you should keep an eye on. It can be important to monitor executive leadership, new hires, and the most veteran personnel differently and for different potential threats. This will help you build custom campaigns that address the weakness specific to those groups—creating a “risk treatment” solution.

10. Customized Frequency

The most phishing-educated individuals are unlikely to fall for the same tricks twice, and yet

serial clickers likely will; the cadence of your campaigns should be adaptable (and preferably auto-adapting) and personalized using risk calculations across the learning curve based on your data. For example, those in a high-risk group may need

to receive two targeted training emails per campaign at first to familiarize them with training content more quickly and to encourage changes in their behavior.

Whatever program you adopt, the Webcheck Aware phishing campaign solution is a great option for your organization. Contact us today for more information and a free discussion about your organization’s specific needs.

82 views0 comments


bottom of page