Running an effective phishing test at work can be the difference between an employee who clicks on malicious links or attachments and one who reports them.

In fact, real-time phishing simulations have proven to double employee awareness retention rates, and yield a near 40% ROI, versus more traditional cybersecurity training tactics, according to a study conducted by the Ponemon Institute.

[Read: Every phishing statistic you need to know to prepare your organization.]

But taking your organization’s weakest cybersecurity link—its employees—and turning them into a point of strength isn’t easy and won’t happen overnight. You’ll need to have patience, perseverance, and a willingness to teach instead of tell. A phishing test (or phishing simulation) is great way to increase employee engagement with security initiatives—and provide employees with a tangible, real-life scenario to improve their security behavior.

What Is a Phishing Test?

A phishing test is used by security and IT professionals to create mock phishing emails and/or webpages that are then sent to employees. These fake attacks help employees understand the different forms a phishing attack can take, identifying features, and to avoid clicking malicious links or leaking sensitive data in malicious forms.

For IT and security professionals, a phishing test boosts employee cybersecurity awareness in a meaningful, controlled environment. Additionally, because phishing tests are controlled, IT can build a baseline metric—what percentage of the organization was successfully “phished”—that they can work with employees to improve over time.

Employees get real-life experience without any of the risk. They’re also given a chance to improve their security behavior in a meaningful way with feedback from IT when necessary.

In this short guide, we’ll go over what you can do before and after a phishing test to ensure maximum participation and effectiveness.

[Read: Not familiar with phishing? Learn five common methods used by criminals.]

What to Do Before a Phishing Test

What to do before a phishing test

First things first, you need to find a phishing test tool that can help you accomplish your goals.

Depending on your budget, experience, and comfort-level, there are a number of phishing tool options—both free and paid—that should work for you.

Once you’ve chosen a phishing test tool, you can begin planning.

Train and Notify Employees

The whole point of a phishing test is to educate employees so they can spot and avoid phishing emails in the future—to try to catch them in a mistake without training and informing them in advance would put IT in an “us vs. them” scenario which will prevent you from ever accomplishing your employee security awareness goals. Providing training and notification is an important first step because it establishes your test as more than a “Gotcha!” for negligent employees.

Present a short training to establish what is or isn’t a phishing email, or a few tips on what to look out for (e.g. examine the ‘from’ address, urgent requests that require money transfer, etc.), and then notify employees that you will be running phishing tests to help prepare employees for an attack in a controlled setting.

You should also create a specific company email address (e.g. phishing@yourcompany.com) and inform your employees to forward suspicious emails to this address for IT review. Additionally, you can download a report phishing button to embed into each employee’s inbox.

It’s good to encourage open communication when employees discover fishy emails. If they’re worried that it may affect other employees, they should post a warning using company communication tools (e.g. Slack).

Employees will feel more comfortable after training if they can simply flip fishy emails or report them directly to IT without too much of a disruption to their daily work.

Engage Relevant Departments or Managers

Phishing alone is a powerful tool for hackers. But phishing combined with social engineering is the ultimate extraction tool. “Social engineering” is a euphemistic term that basically means tricking or manipulating people by exploiting their social context, and it’s exactly what real hackers will attempt to do.

People trust what’s familiar, so if a hacker can tailor a phishing email to a specific target using known names, companies, dates, or websites, the more likely it is that the target will be phished. This means that when you run your phishing test, you should be emailing specific people or groups of people in each test, using social engineering tactics to truly measure their ability to resist a malicious email.

Use social engineering to truly measure the ability of employees to spot a malicious email.

Imagine if you got an email asking for your server credentials from someone you’ve never heard of. Now imagine if you got that same email from your CEO. The  second email is more likely to elicit a response, right?

Create a Phishing Alias and/or Deploy an Embedded Report Button

In your training, you can alert employees to a specific company email address (ex. phishing@yourcompany.com) to forward suspicious emails so IT can review them. Additionally, you can download a report phishing button that is embedded into each employee’s inbox.

It’s good to encourage open communication when employees discover fishy emails. If they’re worried that it may affect other employees, they should post a warning using the company communication tool (ex. Slack).

Employees will feel more comfortable in training if they now they can simply flip fishy emails or report them directly to IT without too much of an investigation.

Planning a Phishing Test

There are a few rules you should adhere to in order to ensure your phishing test achieves maximum effectiveness and improves employee cybersecurity behavior long-term.

Timing

A test should be constructed as a series of phishing simulations—a campaign—delivered each month or each quarter. That’s the only way to gauge success and improvement.

Your campaign should be progressive in terms of difficulty—your first test should be fairly simple to identify. After that, try various angles and different levels of subtlety in your tests, as outlines in the next section.  Employees need to be able to crawl before they walk!

Use Different Phishing Methods

Utilize different methods of phishing to give employees multiple opportunities to learn and keep them on their toes. While the first email should be a basic phishing template, subsequent emails should utilize social engineering tactics and more devious schemes to trick the employee as a hacker would.

Identify specific employees or specific groups within the organization to target with emails they normally get—say, an email from HR using the Head of HR as the ‘from’ address. You may ask them to update their password for their HR payroll software profile, for example.

(Remember: 1. You want them to believe it’s real! 2. If you use the Head of HR’s email address in a phishing test, they need to know about that in advance.)

Include Senior Management and Executives

It’s imperative that you include senior management and executives in your phishing test. They are gatekeepers to the most valuable assets in your business and are therefore the most likely to be targeted by hackers.

Include senior management and executives in your phishing test. They are gatekeepers to the most valuable assets in your business and will get targeted the most.

Aside from the fact that they’re targets, it’s important that other employees know executives are partaking in the training—it will increase employee engagement and provide the team with added motivation to improve their scores.

What to Do After a Phishing Test

What to do after a phishing test

The first phishing test in your phishing campaign has been sent out…now what?

Since your goal is to improve cybersecurity awareness among employees, your job has only just begun. Build a baseline, reward high-performers, educate low-performers, and start planning your next test!

Reporting Is Critical

There are three key metrics you want to be measuring:

  1. Link click rates
  2. Number of employees that leak sensitive data (i.e. provide a user/pass combination)
  3. Number of employees who reported a phishing email

Over time, you want #1 and #2 to go down, and the number of people who report a phishing email to go up. The only way to show progress is to make note of these metrics after each test. You should share results with the rest of the organization, but make sure you don’t single out any individual or group. All results should be in aggregate!

While org-wide results should be in aggregate, the only way to help individuals and teams improve is to show them (in a quiet, private setting) what they did wrong (or right) so they can succeed during the next simulation.

Reward High-Performers

Have an individual or group that performed extremely well? Show them some love!

You can write emails to people who were successful (i.e. didn’t click a link and/or didn’t leak sensitive data, and reported the email to IT) and let them know that they are doing a great job keeping the business safe from cyber-criminals. You can also email entire departments if their results are the best across the organization.

Want to take things to the next level? Create a contest across departments, so that the “winning” department (lowest click-through rate and highest rate of reporting phishing) at the end of each quarter gets a sponsored lunch or dinner.

Provide Additional Training for Low-Performers

This is probably the most important part of any phishing test—helping low-performers achieve success.

Whether it’s the CEO or an intern, there is no reason to be rude or patronizing when talking to an employee about their poor performance on a phishing test.

You want employees to feel comfortable talking with you about their struggles with cybersecurity and you want them to always choose to send you something fishy versus trying to navigate on their own. They will only do that if they trust that you respect them and appreciate their effort.

For first-time offenders, it’s OK to simply send an email that notifies them that they erred on the phishing test. You should reiterate the importance of cybersecurity and provide additional training materials on how to spot a phishing email—let them know that more phishing tests are on the way and they will have an opportunity to succeed if they are careful! Also, be sure to call out the “report phishing” button or the phishing@yourcompany.com email address that you set up.

Reiterate the importance of cybersecurity, and provide additional training materials on how to spot a phishing email.

If you have personal relationships with low-performing employees, you can also address them individually.

When individuals, or groups of individuals, have continued trouble spotting phishing emails, you need to intervene in a more proactive manner. Perhaps certain individuals or groups need to be given a short tutorial on spotting phishing emails, including popular examples and things that have happened to other businesses. It’s really important for them to recognize the legitimacy of the threat, and the likelihood that they will receive an actual phishing email at some point.

Next Steps

By following the guidance outlined here, you’ve laid the groundwork for what is sure to be a successful and rewarding program that helps limit the attack surface of your organization and keeps your employees safe from malicious outsiders.

What’s next? You guessed it: Start preparing for your next phishing test!

At the end of each quarter or each year, prepare a short recap that you can show to executives and the team at large to encourage continued improvement. Phishing awareness and continued testing is necessary as your company grows and as phishing methods evolve.

Phishing awareness and continued testing is necessary as your company grows and as phishing methods evolve.

The first step to eliminating a problem is understanding that it exists. You’ve taken the first step towards securing your organization. We hope this guide helps you accomplish peak employee cybersecurity awareness so you can rest easy knowing employees won’t be scammed into clicking on the next phishing link to come through their inbox.