It’s easy to think we wouldn’t be fooled by an email phishing attack, or that our friends and coworkers know how to identify a suspicious email.
But like a lot of our work at ABT, we don’t really know how well we’ve prepared until we run some tests. So how do you test the human side of IT security? You run your own phishing scam on your coworkers and record the results.
How I Ran My Phishing Test
Before you call the police, no, this blog post is not a confession that I’ve turned to a life of crime. I simply used a free tool from PhishMe to conduct a convincing phishing test on my coworkers at Atlantic BT (including the CEO and President).
PhishMe Free allows you to send a fake phishing email to up to 500 users by importing a list of emails. You can design your phishing email using 18 different templates, then schedule when you want to send it. The app will measure how many recipients open the email and how many click the phishing link inside it. For my test, I sent two different emails more than a month apart—with significantly different results.
The first test sent an email in the middle of the workday notifying the recipient their inbox was “over the limit.” The phishing link inside the email invited the recipients to “click here to increase your mailbox size or you will lose your account within 24 hours.” Results of this test were encouraging: 65% of my colleagues opened the email, but no one clicked the phishing link. This suggests this particular phishing attack wasn’t fooling anyone.
The second test delivered less positive results. This email arrived at the start of the workday and referenced a suspicious credit card charge. The email also offered to let the recipient trace the progress of a package on the way to their physical location. 67% of recipients at Atlantic BT opened this email, and 21% actually clicked the phishing link. Had this been a real attack, our company could have been in trouble.
What I Learned from Phishing
Above all, our main lesson from these tests was that even a technology-savvy company like Atlantic BT is vulnerable to phishing. Without testing, you won’t know how susceptible you are to a phishing attack until one actually happens.
Here are some other observations from this test:
- Timing could matter: The first test was run during the middle of the day, while the second test was scheduled to begin just before people began arriving for the day and checking their email. This means that the more successful test email was buried in the noise of a slew of other morning emails that have to be dealt with. The lesson here is that it’s especially important to watch out for suspicious emails at peak communication times, judging each email’s impact and risk individually.
- Content matters: The content of the phishing email is critical in determining how susceptible your employees are to being phished. I also think that the worry over an unauthorized credit card charge in the second email may have struck a deeper nerve with the recipients. The lesson? Teach your coworkers how phishers will target their emotions, curiosities, and worries in an attack.
- Response plans are important: A few users notified IT or the IT Manager that they suspected an email attack was underway, but they were unsure how to proceed. Education and regular testing are required to find weak spots in training and policies, and to remind employees to be vigilant. The lesson here is that it’s a good idea to have protocols for how to respond to this kind of suspicious activity (e.g. notify an IT professional immediately, warn your colleagues, etc.).
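As an added example (not from the post and not PhishMe’s code or export format), the script below scores a campaign from a constructed per-recipient event export: it computes the open and click rates the post quotes, plus the report rate and time to first report that the response-plan observation calls for. The CSV layout, addresses and timestamps are assumptions made up for the example.

```python
"""Score a phishing simulation from a per-recipient event export."""
import csv
import io
from datetime import datetime
from statistics import median

# Constructed export (not real PhishMe output) for a campaign sent at 07:45,
# before most people arrived, like the second test in the post. An empty
# field means the recipient never produced that event.
CAMPAIGN_CSV = """recipient,sent,opened,clicked,reported
a@example.com,2015-03-10T07:45,2015-03-10T08:02,2015-03-10T08:03,
b@example.com,2015-03-10T07:45,2015-03-10T08:10,,2015-03-10T08:12
c@example.com,2015-03-10T07:45,,,
d@example.com,2015-03-10T07:45,2015-03-10T08:31,2015-03-10T08:31,
e@example.com,2015-03-10T07:45,2015-03-10T09:05,,
f@example.com,2015-03-10T07:45,2015-03-10T08:20,,2015-03-10T08:25
"""


def _minutes_after_send(row, field):
    """Minutes between the send time and the event in `field`, or None."""
    if not row[field]:
        return None
    delta = datetime.fromisoformat(row[field]) - datetime.fromisoformat(row["sent"])
    return delta.total_seconds() / 60


def score_campaign(csv_text):
    """Return the rates the post quotes (open, click) plus the defender-side
    numbers it does not: report rate, how fast the first report arrived, and
    how many clicks happened before anyone raised the alarm."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    total = len(rows)
    click_times = [m for r in rows if (m := _minutes_after_send(r, "clicked")) is not None]
    report_times = [m for r in rows if (m := _minutes_after_send(r, "reported")) is not None]
    first_report = min(report_times) if report_times else None
    return {
        "recipients": total,
        "open_rate": round(100 * sum(1 for r in rows if r["opened"]) / total),
        "click_rate": round(100 * len(click_times) / total),
        "report_rate": round(100 * len(report_times) / total),
        "median_minutes_to_click": median(click_times) if click_times else None,
        "minutes_to_first_report": first_report,
        # Clicks that landed before the first report: the window in which a
        # response plan could not yet have warned anyone.
        "clicks_before_first_report": sum(
            1 for m in click_times if first_report is None or m < first_report),
    }


if __name__ == "__main__":
    for key, value in score_campaign(CAMPAIGN_CSV).items():
        print(f"{key}: {value}")
```

A low click rate alone is not the whole story: a campaign where clicks arrive before the first report shows a gap in the response protocol even when most recipients ignored the email.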