SafeTitan

Assess your risk landscape and identify your assets. What are the threats and vulnerabilities faced by your clients and their industries? Different industries face different threats.

Assess your clients. How do they view security? Do they understand their roles, company policies and procedures? Consider running a survey to identify their level of security awareness.

Build a learning ladder. What priorities and security gaps have you identified? Create a list of targeted learnings for the year. You can intertwine important dates, and use the dates as a stepping stone to reinforce your learnings — such as Data Privacy Day, CSAM (Cyber Security Assessment and Management), Holiday Scams, and so on.

Combine learning goals with your phishing campaigns. Just a few of the risks associated with phishing include password safety, credential theft, finance risk, and BEC (business email compromise). Understand each risk and use them to teach your targeted lesson.

Apply follow-up training. After you've analyzed the results of a campaign, you can determine where vulnerability exists, and create training campaigns to raise awareness and mitigate risk.

The template you select contains a lure, which can be based on various themes. It's designed to attract a recipient's attention so that they engage with the email in some way — by opening it, clicking on a link, entering data, and so on. Fraudsters use lures to convince people to share sensitive information; you'll create phishing campaigns to help your people become more vigilant against this. Therefore, start with less complex lures in order to give users a chance to become familiar with what is being asked of them. These lures are generic and every customer can use them — regardless of their region or working sector. It is also easier to identify mistakes before moving to more sophisticated lures. So consider using a template that is Low Complexity.

Select a template that can be applied across the organization on a theme, such as credential theft. Everyone uses a password and credential theft is a common scam. The template Microsoft Outlook - Password Expired is an example you could consider using.

For your first campaign, there is no need to add an attachment. Attachments are intended to be used with specific types of emails; for example where you would include a DocuSign attachment. In your first few campaigns, you will want to offer fewer options to your recipients, so that you can focus on specific interactions with the phishing email. Further information about this is in the Analyzing Results section.

When you select your training recipients, consider selecting a random number across the whole organization.

When you're scheduling your campaign, it's recommended that the duration be between eight days and two weeks. This is to enable anyone who has been out of the office to react to the email. Also, consider the times of the day that you set your campaigns to start. It's advisable not to start campaigns on a Monday morning at 9am or send them out monthly at the same time. People are quick to see patterns, so send out campaigns on a random basis.

You can modify the template, such as changing the content in the Subject line to reflect language that the organization might use. You can also change the email address, which is important when it comes to training your recipients. If they suspect they are being phished, comparing the email address with the From name is a useful habit to encourage.

As an MSP, it's important to preview the phishing email before sending it to your recipients. Review the subject line and the contents of the email. Ensure that the formatting, fonts, and images are aligned correctly. Once you're satisfied with the details, you can create your campaign.