How do employees react to phishing attempts?

This is important to know. Phishing is a method preferred by all types of criminals for gaining access to organizations.


Curious how your employees respond? In this article we explain how to start a general phishing test.
See step 7-2 to learn how to create a custom phishing test.
Go to step 7-3 to learn more about reporting on phishing campaigns.

You can use Lupasafe to run a phishing campaign. It’s under ‘Employees’ – ‘Phishing’. Then follow the next four steps:




1. Whitelist 
Whitelist the following three email addresses to make sure the email reaches your employees' inbox: 

phtest1@luminarywebtech.com
phtest2@luminarywebtech.com
phtest1@crestfallenconsulting.com
phtest2@crestfallenconsulting.com

Also whitelist our domain: IP 45.82.191.25.
You could create a message rule that always forces the spam status to "not spam"; this ensures that our emails land directly in your employees' inboxes (and not in the spam folder).
 
Also whitelist the sender if you use a sender outside your own company, for example ´security@hubspot.com´.
 
If the phishing emails still land in spam, please click here for our detailed guide on how to deliver phishing messages to the inbox.
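
One way to build the message rule from step 1, as an added example that is not Lupasafe's own code. It assumes Exchange Online (Microsoft 365) with a connected Exchange Online PowerShell session, and the rule names are made up. It places a sender-only rule next to one scoped to both the sending IP and the four test addresses, so that a message which only claims one of those addresses from another server still goes through normal spam filtering.

```powershell
# Added example. Assumes Exchange Online and an existing session
# (Connect-ExchangeOnline). Rule names below are hypothetical.

$simulatorIp = '45.82.191.25'
$simulatorSenders = @(
    'phtest1@luminarywebtech.com',
    'phtest2@luminarywebtech.com',
    'phtest1@crestfallenconsulting.com',
    'phtest2@crestfallenconsulting.com'
)

# Too broad: the From address is the only condition, so any server that
# sends mail with one of these addresses skips spam filtering.
# New-TransportRule -Name 'Phishing test - sender only' `
#     -FromAddressContainsWords $simulatorSenders -SetSCL -1

# Scoped: conditions inside one rule are ANDed, so the bypass applies only
# when the message comes from the test IP AND uses a test sender address.
$scopedRule = @{
    Name                     = 'Phishing test - scoped spam bypass'
    SenderIpRanges           = $simulatorIp
    FromAddressContainsWords = $simulatorSenders
    SetSCL                   = -1     # -1 = skip spam filtering
    Comments                 = 'Spam bypass for phishing awareness test mail only'
}
New-TransportRule @scopedRule

# Review what was created before starting the campaign.
Get-TransportRule -Identity $scopedRule.Name |
    Format-List Name, State, SenderIpRanges, FromAddressContainsWords, SetSCL
```

If you also whitelist an external sender address used in a template, add it to the same scoped rule rather than creating a separate sender-only rule.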


2. Inform your colleagues
The whole idea of a phishing test is that employees can recognize and avoid phishing in the future. The training is therefore not about catching people making a mistake (no “us versus them”), but about creating a learning moment for employees. In our experience, this works best when employees are informed in advance. They often forget this after one day, but it means employees do not feel 'tricked' afterwards.

Use the following templates to inform your employees:
Template email for colleagues (English)
Template email for colleagues (Dutch)
 


Important: do you use an external brand or person for the phishing? Communicate this to stakeholders to avoid unpleasant situations or unexpected phone calls from worried or upset partners.



3. Create a campaign

Go to ´Phishing´. Here you can select two options: Instant Campaign or Plan a campaign.



3.1 Send an instant campaign.

Select ´instant campaign´ for a direct phishing action.

Select a template you want to use. Currently Lupasafe offers English (en) and Dutch (nl) templates. You can also create your own custom template. Custom templates will appear on top of the list of standard templates.

Click here to learn how to create a custom phishing campaign. 


Step 1: Select a template and press add. If you pick multiple templates, employees will receive multiple phishing emails (random).


At the bottom of this page, you can also filter the phishing templates by language or type (e.g. accountants, notaries, government, healthcare, etc.).


Click NEXT to move to the next step.

Step 2: Select employees
Here you can select the employees to include in the campaign.


Here you can also filter the employees by different categories, such as medium awareness or the category they score low on.



Add the required employees, or all of them, and press NEXT to go to the summary.

Step 3: Select a sender.

You can use the sender you already defined in the template, let Lupasafe choose a random name, or choose the name yourself. If you want to type a name yourself, set both boxes to ´off´.



3.2 Schedule a campaign.

Lupasafe can schedule phishing attempts based on your preference. First, select the frequency:

You can also DISABLE the current phishing campaign.

The rest of the steps are similar to those in the previous paragraph.

4. Summary and send the campaign
Lupasafe will give you a summary of the phishing campaign before sending. You can review the information and press GO if everything is in order.


You are now taken back to the main page and can see the status of the phishing attempts. It might take a few minutes before all phishing emails are sent.



Note: if you launch a phishing campaign 'now', the emails are sent in small groups with a delay of 2 minutes to avoid alerting all colleagues.