SafeTitan

The template you select contains a lure, which can be based on various themes. It's designed to attract a recipient's attention so that they engage with the email in some way — by opening it, clicking on a link, entering data, and so on. Fraudsters use lures to convince people to share sensitive information; you'll create phishing campaigns to help your people become more vigilant against this. Therefore, start with less complex lures in order to give users a chance to become familiar with what is being asked of them. These lures are generic and every customer can use them — regardless of their region or working sector. It is also easier to identify mistakes before moving to more sophisticated lures. So consider using a template that is Low Complexity.

Select a template that can be applied across the organization on a theme, such as credential theft. Everyone uses a password and credential theft is a common scam. The template Microsoft Outlook - Password Expired is an example you could consider using.

For your first campaign, there is no need to add an attachment. Attachments are intended to be used with specific types of emails; for example where you would include a DocuSign attachment. In your first few campaigns, you will want to offer fewer options to your recipients, so that you can focus on specific interactions with the phishing email. Further information about this is in the Analyzing Results section.

When you select your training recipients, consider selecting a random number across the whole organization.

When you're scheduling your campaign, it's recommended that the duration be between eight days and two weeks. This is to enable anyone who has been out of the office to react to the email. Also, consider the times of the day that you set your campaigns to start. It's advisable not to start campaigns on a Monday morning at 9am or send them out monthly at the same time. People are quick to see patterns, so send out campaigns on a random basis.

You can modify the template, such as changing the content in the Subject line to reflect language that the organization might use. You can also change the email address, which is important when it comes to training your recipients. If they suspect they are being phished, comparing the email address with the From name is a useful habit to encourage.

As an MSP, it's important to preview the phishing email before sending it to your recipients. Review the subject line and the contents of the email. Ensure that the formatting, fonts, and images are aligned correctly. Once you're satisfied with the details, you can create your campaign.

Send the campaign to everyone this time, as you want to encourage people to realize the importance cyber security and engage on a regular basis with training. When you did the random baseline phishing campaign, you obtained a sense of where the organization could be in terms of security awareness. But to drive the organization to where it should be in terms of awareness, training for everyone is recommended.

Like the baseline campaign you did in Month #1, keep the complexity and sophistication low. You're doing this because you want to accurately determine how your recipients are engaging with the campaign. It's also important to reinforce the learning and encourage behavioral change, ensuring all individuals are "climbing the learning ladder" in tandem. Moving too quickly to a more sophisticated campaign might not be the most beneficial choice if the level of cyber security awareness in an organization was low to begin with.

Remember the importance of how to schedule your campaign as well as previewing the email before creating the campaign, which were highlighted in Month #One.