Tutorial: The CybSafe way to PHISH

Our recommended approach to running your phishing simulations

Written by Sam Hopwell
Updated over 4 months ago

Introduction

This tutorial will empower you to design, run, and analyse effective phishing simulations, the CybSafe way.


Pre-requisites


Step-by-step guide

Step 1: Blind baselining

We recommend sending a Phish campaign to a wide audience to establish a baseline for your users. That baseline can then be used to identify risk areas in your organisation (see Guide best practice).

Baseline Phish recommendations:

  • Select a maximum of 4 emails.

  • Send at a rate of 1 email per week over 4 weeks. This prevents users becoming overwhelmed.

  • Consider whether you would like this to be blind (i.e. not publicising the phishing campaign). A blind baseline gives you a truer read on phishing behaviours across your organisation. Either way, we recommend letting the relevant teams know, so that your SOC is not overwhelmed by the increase in reports.

Use our guide here to set up your Phishing campaign.

Notify affected teams ahead of the baseline

  • Identify who needs to be notified: communications teams, senior leaders, and security teams (who will see an increase in phish reports) all need a heads-up.


Step 2: Communicate with your organisation

Following the baseline test, let your organisation know about the Phishing campaigns to come.

  • Secure buy-in: Gain support from any required internal stakeholders who need visibility to ensure your campaign rollout will go smoothly when you launch.

    Example email:


    Dear <team>

    We’re writing to let you know that we’re soon going to launch a simulated phishing campaign using our partner CybSafe!

    CybSafe PHISH is an effective tool for helping people learn about new threats, and drives a measurable increase in phishing report rates.

    Simulations will be delivered by email, at random times. You can find more information on PHISH here: https://help.cybsafe.com/en/collections/4894067-phish

    Thanks,

  • Inform employees about the campaign and its purpose: you're not trying to catch people out. Repeat this communication for maximum awareness. Need inspiration for these comms? Check out this template below.

    • At CybSafe, our research indicates you’ll get a much better result from your people when they are invited to be a part of the solution rather than broadcasting warnings that create fear of punishment.

  • “Silent” phishing campaigns are fine, and necessary to understand baseline risk, but we don’t advise them as a long-term approach because they can affect the Trust and Fear & Punishment dimensions (as measured in the GUIDE+ Culture survey). Some people feel “tricked” and become more likely to fear the security team.

  • By inviting people, you create engagement touchpoints and reinforce trust in the security team. See our suggested invitation template below.

  • Our research shows it’s most impactful if you can get leadership or senior folks to announce it with you. You might want to tie it in with any security awareness weeks you might be holding.

Phishing simulation announcement wording

Dear <team>

We're excited to announce the launch of a new program designed to strengthen our company's overall cybersecurity posture: phishing simulations! Fear not, these are not designed to catch you out, they are to help us understand how to help and protect you.

Why do we run phishing simulations?

  • Phishing simulations raise awareness of common phishing tactics so you can easily identify them in the future and help you develop stronger reflexes for handling suspicious emails.

If you think you have spotted a suspicious email, the most important thing is to report it. If you’re unsure how to report a suspected phishing email, we’re here to help.

How to report a suspicious email: [Tweak this based on your organisation's process]

  • <provide guidance for reporting process in your organisation>

We'll be providing additional resources and information about phishing scams throughout the program.

Best wishes

<Team Name>


Step 3: Decide on Phishing approach and prepping for it

Following the baseline test, you might have an idea of where the risk areas are, or of how you would like to approach Phishing across your organisation. If not, consider the following:

  • Do you have any regulatory requirements to meet (e.g. a minimum number of annual phishing campaigns)?

  • Do you have target groups?

    • High risk clickers?

    • Certain departments?

    • New employees?

  • Is there a department that “always” interacts with phishing simulations that include:

    • Authority bias?

    • Reciprocity (tech dept asking for help), scarcity (only available for a short time)

    • Consistency (information backs up something you know, or have been seen to act upon previously)

    • Liking (more likely to be influenced by someone that you like)

    • Consensus social proof - (your colleagues have signed up…)?

    • Emotional triggers: are colleagues more likely to react to emails that make them angry, pique their interest, make them happy or excited, surprise or frighten them, or offer something they selfishly desire?


Step 4: Create and send out your Phishing campaign(s)

See our guide here to help configure your campaigns.


Step 5: Monitoring and analysis

  • Monitor the reports available to you in CybSafe PHISH during the campaign's first week.

    • You’ll quickly get a sense of open, click and report rates.

    • Over time, you’ll be able to study trends in susceptibility to particular techniques.

    • You might want to look at the reporting of users that:

      • reported Phishing

      • did not report Phishing

      • interacted with the Phish by entering data, then reported it and the next ones they received.

      • interacted with the Phish and did not report it.

  • Consider reaching out to the first few high risk individuals to seek understanding on the early phishing experience, looking to uncover any unknown frictions or pressures. Why did they click? What was their experience? Why didn’t they know to report?

  • Consider using Respond to enter users who submitted data into Workflows, enrolling them in specific learning modules or sending them nudges.
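The rates and user groups described in Step 5 can be computed from a per-user event log. The script below is an added example for this tutorial and is not CybSafe's own code or the PHISH export format: the Event layout, the action names (delivered, opened, clicked, submitted, reported) and the sample events are all constructed for illustration. It computes open/click/submit/report rates per email, splits recipients into the four groups listed above, and measures how many users who entered data on one email went on to report a later one.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Actions that count as "interacting" with the phish (assumed action names).
INTERACTIONS = {"clicked", "submitted"}


@dataclass(frozen=True)
class Event:
    user: str
    email: int      # which baseline email (1..4, one per week)
    action: str     # delivered | opened | clicked | submitted | reported
    at: datetime


def _ev(user, email, action, day, hour=9):
    return Event(user, email, action, datetime(2024, 1, day, hour))


# Constructed sample data (not a real export): two baseline emails, five users.
EVENTS = [
    # email 1, sent on day 1
    _ev("alice", 1, "delivered", 1), _ev("alice", 1, "opened", 1, 10), _ev("alice", 1, "reported", 1, 11),
    _ev("bob", 1, "delivered", 1), _ev("bob", 1, "opened", 1, 10), _ev("bob", 1, "clicked", 1, 10),
    _ev("bob", 1, "submitted", 1, 10),
    _ev("carol", 1, "delivered", 1), _ev("carol", 1, "opened", 1, 12), _ev("carol", 1, "clicked", 1, 12),
    _ev("carol", 1, "submitted", 1, 12), _ev("carol", 1, "reported", 1, 13),
    _ev("dave", 1, "delivered", 1),
    _ev("erin", 1, "delivered", 1), _ev("erin", 1, "opened", 2), _ev("erin", 1, "clicked", 2),
    # email 2, sent on day 8
    _ev("alice", 2, "delivered", 8), _ev("alice", 2, "opened", 8, 10), _ev("alice", 2, "reported", 8, 10),
    _ev("bob", 2, "delivered", 8), _ev("bob", 2, "opened", 8, 11), _ev("bob", 2, "clicked", 8, 11),
    _ev("bob", 2, "submitted", 8, 11),
    _ev("carol", 2, "delivered", 8), _ev("carol", 2, "opened", 8, 14), _ev("carol", 2, "reported", 8, 14),
    _ev("dave", 2, "delivered", 8), _ev("dave", 2, "opened", 9),
    _ev("erin", 2, "delivered", 8), _ev("erin", 2, "opened", 9), _ev("erin", 2, "clicked", 9),
    _ev("erin", 2, "submitted", 9),
]


def _per_user(events, email):
    """Map user -> set of actions they took on the given email."""
    acts = defaultdict(set)
    for e in events:
        if e.email == email:
            acts[e.user].add(e.action)
    return acts


def rates(events, email):
    """Open/click/submit/report rates for one email, as fractions of deliveries."""
    acts = _per_user(events, email)
    delivered = sum(1 for a in acts.values() if "delivered" in a)

    def share(action):
        if delivered == 0:          # nothing delivered: avoid a division by zero
            return 0.0
        return round(sum(1 for a in acts.values() if action in a) / delivered, 2)

    return {
        "delivered": delivered,
        "open_rate": share("opened"),
        "click_rate": share("clicked"),
        "submit_rate": share("submitted"),
        "report_rate": share("reported"),
    }


def cohorts(events, email):
    """Split recipients of one email into the four groups worth reviewing."""
    groups = {k: [] for k in ("reported_no_interaction", "no_report_no_interaction",
                                "interacted_and_reported", "interacted_not_reported")}
    for user, acts in sorted(_per_user(events, email).items()):
        if "delivered" not in acts:     # bounced or never sent: not a recipient
            continue
        interacted = bool(acts & INTERACTIONS)
        reported = "reported" in acts
        if interacted and reported:
            groups["interacted_and_reported"].append(user)
        elif interacted:
            groups["interacted_not_reported"].append(user)
        elif reported:
            groups["reported_no_interaction"].append(user)
        else:
            groups["no_report_no_interaction"].append(user)
    return groups


def followup_report_rate(events, from_email):
    """Of users who submitted data on `from_email` and received a later email,
    the share that reported at least one of those later emails."""
    submitters = {e.user for e in events if e.email == from_email and e.action == "submitted"}
    received_later = {e.user for e in events if e.email > from_email and e.action == "delivered"}
    reported_later = {e.user for e in events if e.email > from_email and e.action == "reported"}
    population = submitters & received_later
    if not population:
        return 0.0
    return round(len(population & reported_later) / len(population), 2)


if __name__ == "__main__":
    for email in (1, 2):
        print(f"email {email}: {rates(EVENTS, email)}")
        print(f"  cohorts: {cohorts(EVENTS, email)}")
    print("submitted on email 1 and reported a later email:", followup_report_rate(EVENTS, 1))
```

All rates use deliveries as the denominator, so a user who reports without opening still counts towards the report rate; if your reporting tool does not record opens reliably, treat the open rate as a lower bound.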


Additional resources:

