How do employees react to phishing attempts?
This is important to know. Phishing is a preferred method by all types of criminals to gain access to organizations.
Curious how your employees respond? In this article we explain how to start a general phishing test.
See step 7-2 to learn how to create a custom phishing test.
Go to step 7-3 to learn more about reporting on phishing campaigns.
You can use Lupasafe to run a standard phishing campaign. It’s under ‘Phishing’ – ‘Start a Phishing’.
Then follow these steps:
1. Choose whether you’d like to send out a one-time phishing test or a continuous test.
If you set up a continuous test, you can choose the frequency of the test (every 1, 3, 6 or 12 months).
2. Select the templates you would like to use.
If you select several templates, the system will randomly choose one of them and send it out to your colleagues within the selected time span.
3. Select the employees.
You can also filter the employees by tag (for example, filter on low cyber awareness score, or on the team they are in).
4. Select the sender.
You can use the sender you already defined in the template, let Lupasafe choose a random name, or choose the name yourself. If you want to type a name yourself, set both boxes to ‘off’.
5. Do the checks.
Lupasafe will give you a summary of the phishing campaign before sending. Review the information and press GO if everything is in order.
You are now taken back to the main page and can see the status of the phishing attempts. It might take a few minutes before all phishing emails are sent.
Note: if you launch a phishing campaign ‘now’, the emails are sent in small groups with a delay of 2 minutes between groups, so that not all colleagues are alerted at the same time.
Important checks:
1. Whitelist before sending
Whitelist the following four email addresses to make sure the email reaches your employees’ inboxes:
phtest1@luminarywebtech.com
phtest2@luminarywebtech.com
phtest1@crestfallenconsulting.com
phtest2@crestfallenconsulting.com
Also whitelist our sending IP address: 45.82.191.25.
You can also create a message (mail flow) rule that always sets the spam status of mail from these senders to ‘not spam’. This way you ensure that our emails land in your employees’ inboxes and not in the spam folder. Scope the rule to our addresses and IP address only; a rule that marks all mail as ‘not spam’ would switch off your spam filtering for everyone.
If you use a sender outside your own company, for example ‘security@hubspot.com’, whitelist that sender address as well.
If the phishing email still lands in spam, see our detailed guide on how to deliver phishing messages into the inbox.
2. Test
Send out a test to yourself via the platform to see if the email arrives in your inbox and if all looks okay.
3. Inform your colleagues
The whole idea of a phishing test is that employees can recognize and avoid phishing in the future. The training is therefore not about catching people making a mistake (no “us versus them”), but about creating a learning moment for employees. In our experience, this works best when employees are informed in advance. They often forget the announcement after a day, but it means employees do not feel ‘tricked’ afterwards.
Use the following templates to inform your employees:
Template email for colleagues (English)
Template email for colleagues (Dutch)
4. Inform relevant parties
Do you use an external brand or person as the sender of the phishing email? Communicate this with stakeholders to avoid unpleasant situations or unexpected phone calls from worried or upset partners.
Do you use an internal colleague as sender? Make sure the colleague or department is informed.
5. Check if all links and portal pages work
Make sure there are no error messages showing.
6. Check the message of the landing page.
Remember the test is educational: we want to convey a clear message to the clicker.
7. How will you report?
Communicate to stakeholders how and when you will report. Lupasafe has reporting tools available. You can also download a report from the platform.
8. How will you follow up?
How will you follow up on the phishing test? We recommend performing between 2 and 4 phishing tests each year, as well as starting continuous training. Lupasafe can also offer in-house or online training.
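The whitelisting in check 1 above is described in terms of the mailbox user interface. For organizations on Microsoft 365, the same thing can be done as a mail flow (transport) rule from Exchange Online PowerShell. The example below is an added illustration, not part of the Lupasafe article or product: it uses the four sender addresses and the IP address the article lists, while the rule name and the choice of Exchange Online as the mail platform are assumptions. It assumes you have already run Connect-ExchangeOnline with an account that holds the Transport Rules role.

```powershell
# Added example (not Lupasafe's own code): an Exchange Online mail flow rule
# that sets the spam confidence level (SCL) to -1, i.e. "not spam", for mail
# from the phishing-simulation senders listed under check 1.
# Assumes: Connect-ExchangeOnline has already been run.
# The rule name below is an assumption; the addresses and IP are from the article.

$simulationSenders = @(
    'phtest1@luminarywebtech.com',
    'phtest2@luminarywebtech.com',
    'phtest1@crestfallenconsulting.com',
    'phtest2@crestfallenconsulting.com'
)
$simulationIp = '45.82.191.25'

# Conditions on a transport rule are ANDed. Requiring BOTH the sending IP
# and one of the listed From addresses means an attacker who merely spoofs
# one of these addresses from elsewhere does not inherit the spam bypass.
New-TransportRule -Name 'Lupasafe phishing simulation bypass' `
    -SenderIpRanges $simulationIp `
    -From $simulationSenders `
    -SetSCL -1 `
    -Priority 0 `
    -Comments 'Deliver Lupasafe phishing-simulation mail to the inbox. Disable when campaigns end.'

# Verify the rule exists, is enabled, and carries exactly the intended scope.
Get-TransportRule -Identity 'Lupasafe phishing simulation bypass' |
    Format-List Name, State, Priority, SenderIpRanges, From, SetSCL

# When the campaign programme ends, disable rather than keep an open bypass:
# Disable-TransportRule -Identity 'Lupasafe phishing simulation bypass'
```

Two caveats for whoever applies this. SCL -1 bypasses spam filtering only; in tenants with Microsoft Defender for Office 365, the advanced delivery policy for third-party phishing simulations is the supported route and also exempts the messages from Safe Links and Safe Attachments, which a plain SCL rule does not. And if you choose an external sender such as ‘security@hubspot.com’ (check 1 above), mail using that From address will fail DMARC for a domain that publishes a reject or quarantine policy, so test delivery (check 2) before the campaign rather than assuming the rule alone is enough.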