Implementing a Phishing game campaign in your company

Written by Kevin L Mabry | Tech News



One of the most important pieces of security you can have is a great training program. Your employees can be both your strongest and your weakest link. To better protect your company’s assets you will need to teach your employees how to recognize and handle phishing attacks. Most of these attacks used to be easy to spot, but attackers are getting better, and it is becoming harder for the everyday recipient to detect them. Introducing the phishing game into your everyday training is a fun, interactive way to teach email security effectively.

The whole idea behind this game is to reward the people who report phishing attacks. You will be the one generating these attacks, from a fake email address or a phishing simulation tool that spoofs the sender. You can also give rewards for any legitimate attacks they find, but that is up to you. Pick a set number of attacks you are going to send out. Then divide the participants evenly into 4 groups: if 200 people in your company are participating, that is 50 people per group. Send 1 or 2 phishing emails to the first group, and space the attacks on the other groups out over a month.

Of course some people will catch all of the emails and turn them in for a prize, so to make sure you get useful information out of this game, integrate a recording function into the emails. If someone clicks the link in the email, it is recorded. If someone goes further and fills in personal information on the linked page, that is the person you may need to have a conversation with. It is very important to keep track of the number of people who click on links, and of those who not only click but go on to fill out the email’s fake form (make this something convincing, like a bank, app store or social media login).

Make sure the prizes are worth people’s while; candy and pencils won’t cut it. Try gift cards, free coffee, food or maybe some office swag. At the end of the game send out one really good email to everyone at once to see who can catch it and report it first. Do this without telling anyone you sent it out. The first person who reports it wins a bigger prize. This will get your employees to play for something of value, which in turn will increase their overall phishing awareness.

After the game has been completed, send out a recap with the results and create incentives to beat those results next time around. Integrating this with your security training program will boost your company’s overall awareness without the employees even noticing. After one or two sessions you should see a decrease in the number of phishing emails clicked and an increase in the number of emails submitted to your security distro. There are many ways you can take this game; you can set up the rules and prizes however you like.
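To make the bookkeeping for the game concrete, here is an added example (not the article’s own code) that splits participants into the four groups, scores the recorded events, flags anyone who submitted data on the fake form for a follow-up conversation, and computes the click, submit and report rates for the recap. The event format, the one-point-per-report rule and the names are assumptions.

```python
"""Scorer for the phishing game described above (added example, not the
article's own code; event format and names are assumptions)."""
from collections import defaultdict

GROUP_COUNT = 4  # the article splits participants into four groups

def assign_groups(participants, group_count=GROUP_COUNT):
    """Deal participants round-robin into equally sized groups."""
    groups = [[] for _ in range(group_count)]
    for i, name in enumerate(sorted(participants)):
        groups[i % group_count].append(name)
    return groups

def score_campaign(events):
    """events: (iso_timestamp, user, campaign, action), action in
    {"clicked", "submitted", "reported"}. Reports earn one point each;
    clicks and form submissions are tallied for the recap, and anyone who
    submitted data on the fake form is flagged for a follow-up conversation.
    Duplicate user/campaign/action events are ignored."""
    points = defaultdict(int)
    stats = defaultdict(lambda: {"clicked": 0, "submitted": 0, "reported": 0})
    first_reporter, follow_up, seen = {}, set(), set()
    for _ts, user, campaign, action in sorted(events):  # ISO timestamps sort lexically
        if (user, campaign, action) in seen:
            continue
        seen.add((user, campaign, action))
        stats[campaign][action] += 1
        if action == "reported":
            points[user] += 1
            first_reporter.setdefault(campaign, user)  # earliest report wins
        elif action == "submitted":
            follow_up.add(user)
    return dict(points), {c: dict(s) for c, s in stats.items()}, first_reporter, follow_up

def campaign_rates(stats, recipients):
    """Per-campaign click/submit/report rates for the end-of-game recap."""
    return {c: {k: v / recipients[c] for k, v in s.items()} for c, s in stats.items()}

EVENTS = [  # constructed sample log
    ("2024-03-04T09:02", "dana", "wave1", "reported"),
    ("2024-03-04T09:05", "eli", "wave1", "clicked"),
    ("2024-03-04T09:06", "eli", "wave1", "submitted"),
    ("2024-03-04T09:10", "bea", "wave1", "reported"),
    ("2024-03-04T09:11", "bea", "wave1", "reported"),  # duplicate, ignored
    ("2024-03-28T14:00", "bea", "final", "clicked"),
    ("2024-03-28T14:01", "ann", "final", "reported"),
    ("2024-03-28T14:03", "bea", "final", "reported"),
]
```

Running `score_campaign(EVENTS)` on the constructed log yields two points for bea, one each for dana and ann, eli flagged for follow-up, and dana and ann as the first reporters of their campaigns.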

Gamification helps adults learn without realizing it, and it also gives what they learned a sense of meaning when they actually encounter it in a real-life situation. They will feel compelled to share it with you because they want to prove that they did learn something and can contribute to the company’s overall security. Remember that you are not going to stop every phishing attempt, but stress to your company that going with your gut feeling is usually the safest bet when dealing with a suspected phishing email.



CEO, Author of the #1 Risk to Small Businesses
