Phishing Campaigns: Tips for MSPs
Month #1
It is recommended that your first phishing campaign be a blind baseline test. You'll send this without notifying your recipients first, which will enable you to get a controlled, unbiased set of data around the phishing susceptibility of your organization. You can then run it again in six months or a year, which will enable you to compare the results and see where improvements have been made. Results can be analyzed based on region, language, department, time of employment, and so on.
You can set this up by going to your SafeTitan MSP Dashboard, selecting Phishing Campaigns > Create New Campaign. Follow the instructions in the SafeTitan MSP Setup guide for help in navigating the MSP Admin Dashboard. Whether you decide to set up a standard campaign or create an automated one, the following are some tips to observe for your first campaign:
The template you select contains a lure, which can be based on various themes. It's designed to attract a recipient's attention so that they engage with the email in some way — by opening it, clicking on a link, entering data, and so on. Fraudsters use lures to convince people to share sensitive information; you'll create phishing campaigns to help your people become more vigilant against this. Therefore, start with less complex lures in order to give users a chance to become familiar with what is being asked of them. These lures are generic and every customer can use them — regardless of their region or working sector. It is also easier to identify mistakes before moving to more sophisticated lures. So consider using a template that is Low Complexity.
Select a template that can be applied across the organization on a theme, such as credential theft. Everyone uses a password and credential theft is a common scam. The template Microsoft Outlook - Password Expired is an example you could consider using.
For your first campaign, there is no need to add an attachment. Attachments are intended to be used with specific types of emails; for example where you would include a DocuSign attachment. In your first few campaigns, you will want to offer fewer options to your recipients, so that you can focus on specific interactions with the phishing email. Further information about this is in the Analyzing Results section.
When you select your training recipients, consider selecting a random number across the whole organization.
Important
If you have assessed your organization, then you may be aware that a particular department has already experienced a phishing scam. At a later stage, you may want to create a campaign that targets that specific department.
When you're scheduling your campaign, it's recommended that the duration be between eight days and two weeks. This is to enable anyone who has been out of the office to react to the email. Also, consider the times of the day that you set your campaigns to start. It's advisable not to start campaigns on a Monday morning at 9am or send them out monthly at the same time. People are quick to see patterns, so send out campaigns on a random basis.
You can modify the template, such as changing the content in the Subject line to reflect language that the organization might use. You can also change the email address, which is important when it comes to training your recipients. If they suspect they are being phished, comparing the email address with the From name is a useful habit to encourage.
As an MSP, it's important to preview the phishing email before sending it to your recipients. Review the subject line and the contents of the email. Ensure that the formatting, fonts, and images are aligned correctly. Once you're satisfied with the details, you can create your campaign.
Month #2
In the second month, you can run your first official phishing campaign. If you ran your baseline test on credential theft — which you'll repeat later in the year — you might want to run this campaign on a theme such as Data Privacy or Safe Internet. The templates, Mail Service — Privacy Compromise or Paypal — Target Inc., are suitable choices.
Here are some additional points to keep in mind:
Send the campaign to everyone this time, as you want to encourage people to realize the importance cyber security and engage on a regular basis with training. When you did the random baseline phishing campaign, you obtained a sense of where the organization could be in terms of security awareness. But to drive the organization to where it should be in terms of awareness, training for everyone is recommended.
Like the baseline campaign you did in Month #1, keep the complexity and sophistication low. You're doing this because you want to accurately determine how your recipients are engaging with the campaign. It's also important to reinforce the learning and encourage behavioral change, ensuring all individuals are "climbing the learning ladder" in tandem. Moving too quickly to a more sophisticated campaign might not be the most beneficial choice if the level of cyber security awareness in an organization was low to begin with.
Remember the importance of how to schedule your campaign as well as previewing the email before creating the campaign, which were highlighted in Month #One.
As You Continue to Roll Out Your Phishing Campaigns...
You could consider increasing the complexity and sophistication of your phishing campaigns for your fourth or fifth campaign, but keep it simple again for your third campaign. You are building a learning ladder for your customers, but it's important to help them proceed along that ladder together, so frequent bursts of phishing campaigns followed by training reinforces the learning.
For help with planning additional Phishing and Training Campaigns, please refer to the Twelve-Month Campaign Planner for suggestions.