How to Test Employees on Phishing Vulnerabilities


Tech Insights for Professionals: The latest thought leadership for IT pros

Thursday, January 7, 2021

Running a phishing email test for employees can help prepare them for the real thing and know which telltale signs to look out for.


Employees are the weakest link in most organizations’ cybersecurity arsenal, but mitigating that risk isn’t an insurmountable task. Phishing is among the most prevalent problems and is on the rise, with half of companies being targeted by ransomware and one in eight employees sharing information with phishing sites.

Why do phishing tests?

Many companies make staff aware of the risks posed by phishing scams by training them or sending out a phishing awareness email. These approaches aren’t as effective as carrying out a simulated phishing test, which can more than double the amount of information staff retain versus traditional training techniques.

Sending phishing email tests to employees

Make sure you don’t let your team know you’re about to send out phishing test emails. This will ensure you get a true reflection of how vigilant they are and offer maximum impact in educating your employees on the risks.

Decide whether to send out a battery (a group of phishing emails that are all sent at once) or a campaign made up of multiple batteries spread out over time. Then put your hacker head on to design the simulated phishing attacks.

What to include in a phishing email test

There’s a certain art to creating a phishing email test that is believable and teaches your employees the most. A common technique used by scammers is applying a sense of urgency: the message presses the recipient to act straight away, otherwise they’ll lose their opportunity to rectify whatever situation is being put forward. Include red flags like typos, misspellings or incorrect grammar to help differentiate fake messages from legitimate emails.

Make your email relevant in the context of the current climate, as scammers are constantly updating their points of reference. Prior to the Coronavirus outbreak, it would have been unlikely for a phishing email to impersonate the World Health Organization or Zoom, but these are now commonplace.

[Figure: a screenshot of a phishing test email sent to an employee to test their knowledge]

Write a phishing simulation report

To get the most out of your phishing simulation exercise, it’s important to collect feedback and data into a report. This helps evaluate employees’ behavior, and presenting it to staff can educate them further. The report should include:

  • The number of times the phishing email was opened
  • How many clicks the link received
  • The total number of attachment opens
  • The ratio of staff that reported the email to the IT department

As phishing simulation tests should be done regularly, you can compare reports over time and measure the cumulative effect of these exercises. Then, use the data to adjust and modify your approach to improve the training going forward. The reports are also a useful resource to have when demonstrating to stakeholders or outside parties your commitment to cybersecurity.
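One way to turn raw simulation telemetry into that report and compare batteries over time, as an added example that is not part of the original article. The event rows, employee names and battery labels are constructed; rates are computed per distinct employee so that repeated clicks by one person do not inflate the numbers, and the report itself carries no employee identifiers.

```python
"""Phishing-simulation report metrics computed from constructed event records."""
from collections import defaultdict

# Constructed sample telemetry: one row per (battery, employee, action).
# "delivered" is emitted for every recipient; other actions only if they occurred.
EVENTS = [
    ("2021-Q1", "alice", "delivered"), ("2021-Q1", "alice", "opened"), ("2021-Q1", "alice", "clicked"),
    ("2021-Q1", "bob", "delivered"), ("2021-Q1", "bob", "opened"), ("2021-Q1", "bob", "reported"),
    ("2021-Q1", "carol", "delivered"), ("2021-Q1", "carol", "opened"), ("2021-Q1", "carol", "attachment"),
    ("2021-Q1", "dave", "delivered"),
    ("2021-Q2", "alice", "delivered"), ("2021-Q2", "alice", "opened"), ("2021-Q2", "alice", "reported"),
    ("2021-Q2", "bob", "delivered"), ("2021-Q2", "bob", "reported"),
    ("2021-Q2", "carol", "delivered"), ("2021-Q2", "carol", "opened"),
    ("2021-Q2", "dave", "delivered"), ("2021-Q2", "dave", "opened"), ("2021-Q2", "dave", "reported"),
]

# The four figures the report section asks for, in the order listed there.
ACTIONS = ("opened", "clicked", "attachment", "reported")


def battery_report(events, battery):
    """Counts and rates for one battery; each employee counts at most once per action."""
    per_action = defaultdict(set)
    for bat, employee, action in events:
        if bat == battery:
            per_action[action].add(employee)
    recipients = len(per_action["delivered"])
    report = {"recipients": recipients}
    for action in ACTIONS:
        n = len(per_action[action])
        report[action] = n
        # Rate as a fraction of recipients; 0.0 if the battery had no deliveries.
        report[action + "_rate"] = round(n / recipients, 2) if recipients else 0.0
    return report


def compare_batteries(events, earlier, later):
    """Change in each rate between two batteries: falling click/attachment rates
    and a rising report rate are the trend the training is meant to produce."""
    a, b = battery_report(events, earlier), battery_report(events, later)
    return {action + "_rate": round(b[action + "_rate"] - a[action + "_rate"], 2)
            for action in ACTIONS}


if __name__ == "__main__":
    for battery in ("2021-Q1", "2021-Q2"):
        print(battery, battery_report(EVENTS, battery))
    print("change", compare_batteries(EVENTS, "2021-Q1", "2021-Q2"))
```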

Shortfalls of phishing simulations

While phishing simulations can be an important tool in your cybersecurity armory, there are various factors that can limit their usefulness. As the approaches used by scammers are constantly changing, it’s impossible to prepare your colleagues for every possible permutation that could come their way. In fact, trying to do so by sending large numbers of phishing tests is more likely to have a negative impact.

You must find the sweet spot with enough tests to make them aware, but not so many that it reduces productivity and affects morale within the company. Employees mustn’t be made to feel embarrassed or ostracized because they fell for a test phishing email. All feedback should be anonymized and presented as lessons for everyone, not just the few.

Examples of simulated phishing tests

Simulated phishing tests come in all shapes and sizes, but there are a number of approaches that come up time and again. Being savvy to these common types of phishing scam can help your staff to recognize fake emails going forward:

  • We won’t pay this - often sent to invoicing departments, these emails have an angry tone and a sense of urgency to encourage staff to click on links or download attachments. Teach employees to check the sender address and confirm they recognize it before doing anything with the message.
  • Get something for free - these tempting messages often purport to be part of a scheme your company has signed up to and offer desirable gadgets to those who respond. An extra incentive to act quickly is often included to stop employees from hovering over the link to check its authenticity.
  • Topical news - these tap into large news events in a bid to arouse interest and incite clicks.
  • Popular trends - emails suggesting a link with the latest trend to capture everyone’s imagination. Checking the sender’s address is always a good strategy.

Telltale signs of phishing emails

The key takeaways your employees should be aware of after your email phishing test should be:

  • Be wary of threatening or urgent language
  • Look beyond the display name to the sender’s email address
  • Be alert to incorrect spelling or grammar
  • Be suspicious of unprofessional formatting
  • Hover over a hyperlink to see the real URL without clicking on it
  • Never give out confidential personal or company information by email
  • Report any suspicions to the IT department
  • Report any potential breaches to IT as soon as they are known
