A Beginner’s Guide to Phishing Simulation Training for Employees

Unless you’ve been living under a rock, everyone knows what phishing is and most likely has received or even fallen for a phishing email themselves. So at this point, there should be no excuse, right? Wrong.

While it’s apparent we all know what we’re up against, the facts still show that we continue to fall victim to these attacks. Therefore, the only way you’ll be able to build up your defenses and mitigate against phishing attacks is through practice. That’s where phishing training comes in handy for you and your employees.

Starting your phishing simulation training program as a part of your security awareness routine is the first step to better protecting your organization. To help you get moving, we’ll walk you through the steps of how to run a phishing simulation and create an action plan based on the results you find with Huntress.

What is Phishing Training?

The purpose of a phishing simulation training program is to let employees experience a real-world phishing attack in a safe place. It helps regularly gauge where your organization lands in its risk of experiencing an attack.

As a result, phishing simulation training should educate and create a lasting impact on your employee’s ability to make better decisions when confronted with phishing emails. These decisions can create outcomes like not clicking links, reporting suspicious emails, taking a moment to pause instead of being manipulated by a sense of urgency, and being more transparent about security threats.

A far too common misconception of phishing training is to treat it as a way to scrutinize employees. And even more drastically docking pay or letting someone go because of it. More often than not it’s going to be less about the individual and more about the process that’s been set up to help people learn.

A phishing simulation test can be compared to taking a test in school. A test is not the same as an entire year of learning. Phishing tests alone are not the same as a training program, that’s like taking a test your first day of school which will determine your grade — that wouldn’t be very useful. But rather these phishing tests are a good temperature check to see what needs improving and a way to apply what you’ve learned to do better next time.

How phishing simulations work

The organization’s admin will have the option to pick from a number of real-life phishing scenarios to send out to their employees. It’s up to each employee to ignore it, report it, or click it. Once completed, the administrator will be able to analyze the results and access the severity of the organization’s risk for the phishing simulation test.

This process should be repeated frequently to continue to monitor results and get an accurate depiction of what your organization is up against in the real world. For all organizations, we recommend a minimum of monthly phishing testing with employees.

**It’s important to note that the employee phishing training program is not designed to test your technical infrastructure on how well it defends against phishing. That’s a different series of tests. A true phishing simulation test is designed to educate your employees on how well they defend against phishing emails. This is where the term whitelisting comes into play, which we will get to in our step-by-step guide.

Why make phishing training fun?

Despite the status quo, we don’t want phishing simulations to sound all doom and gloom. Our mission is to flip the script on how employees perceive and react to simulated phishing tests by making the experience fun. Before you start your first phishing simulation it’s important to understand what you’re up against as a team. If you haven’t been introduced to her yet, Curricula uses a fun persona, DeeDee, our 5-year old AI hacker phishing prodigy.

The intention behind DeeDee is to:

• Help get employees involved and build teamwork by creating one common goal to defeat her simulated tests.
• Disassociate the program admin as the ‘bad guy’ running the program and instead allow for an open line of communication to ask questions and work together.
• DeeDee is also the star of our phishing and social engineering training episodes. Since her character touches all aspects of your employee’s training, it helps bridge the narrative between training and these real-life phishing scenarios.

Step-by-step instructions to run your first phishing simulation

1. Start your Free Security Awareness Trial.  After activating your Huntress demo, you’ll be presented with a step-by-step walkthrough in the platform on how to get everything set up.
2. Import Your Learners. To start your phishing test, you’ll first need to import your employees into the platform. There are three (3) ways you can do this based on your preferences:
   • Manually type them in the platform.
   • Import a list of employees using our CSV import tool.
   • Recommended: Setup automatic sync using a directory such as Microsoft, Google, Okta, etc. The reason this is recommended is it will continue to sync any new employees you hire and deactivate employees who leave the organization automatically.
3. Whitelist the Phishing Simulator. Now it’s time to whitelist — told you it was going to come back.
   • Whitelisting allows our platform phishing simulation tests to land safely in your employees mailbox as a test without interference. If you don’t complete this step the phishing simulator won’t work! We have extra guides to walk you through this process and it only takes about 5 minutes.
4. Choose Your Phishing Scenario. After this, you’re ready to set up your phishing ploy! The first step is picking the email scenario. By default, you’ll have a few options available to send to your employees. These mimic real-world phishing threats that have been seen and converted into safe training exercises.
5. Choose Your Audience. Next, pick the audience you want to send it to. This can be separated out by department or specific individuals but for the most part, we recommend sending it to every employee to see how each person will react to the phishing test.
6. Choose Your Delivery. Once you select your audience, you can pick when you want to deliver it. By default, we suggest sending it immediately, but you’ll have other options to send it at a specific date or time.
7. Launch Your Test. Review your test and before you send, select the recovery method. Recovery training is an automated way to help those who clicked the email learn from their mistakes and defend themselves in the future. If this is your first test, we recommend turning this off so your employees don’t know you’re testing them, which we call a silent assessment. Anyone who clicks this test will be sent to a blank 404 error page.
8. Congrats! That’s it. Click send and congrats, you’ve just launched your first phishing test! 🎉

How to analyze your phishing test results

Now that the hard part is over, your next step is to look at the data that came from the phishing simulator. This is where you’ll be able to see employees’ click rates.

For most companies, the first click happens within less than a minute. So don’t freak out if you see clicks happen right away. As the program admin, you’ll receive regular updates from DeeDee on who’s failing for her phish.

Once your campaign fizzles out after a few days from activation, you’ll have the results you need to run your reports. It’s typical for new companies to see 30-40% of their employees click on the simulated test.

If your results come back at 0%, there’s a high chance that something went wrong and your employees most likely didn’t receive the emails — double-check you whitelisted. And if your results are 100%, we’re just glad you’re reading this and those numbers should go down once your employees complete their training and learn how to better identify phishing emails.

How to make an action plan

Depending on how your results came back will dictate what your next steps are.

If you aren’t sure what your results mean, use this phishing ‘report card’ to figure out where your company lies and what actions to take as a response:

• Less than 5%: You’re in good shape, keep it up! This is a great range to be in, especially for an organization that is new to phishing simulators. You’ll want to continue running phishing tests to ensure you stay consistent in this range.
• Between 5-15%: This is the average range companies who are actively using a security awareness program will receive — so your employees are already ahead of the curve! However, it’s important you continue to assess and train your employees to be aware of potential phishing attacks.
• Above 15%: This range indicates a high-risk phishing test. Don’t worry though, this range is entirely expected for a company that’s just starting out with phishing simulations. With training and frequent practice, you should continue to see a steady decrease in the click rate.

A common misconception is a goal that if you achieve a 0% click rate, you’re protected for life — wouldn’t that be nice. But in reality, the goal of phishing training is to put all employees into new uncomfortable situations so they’ll continue to learn and get better. Since phishing emails are constantly advancing, training has to as well. To gauge where you are from a more practical standpoint, you’ll want to see a steady decrease in click rates that then stay consistently in the bottom range. Never set a target for 0% click rate as a goal.

While there’s a lot to learn from each and every phishing test, in order to make the simulations worthwhile, you also have to focus on phishing training. Just like the school example from before, you need to teach first, then expect results. For phishing, if you teach your employees proactively what to look for and how to look you’re more likely to see lasting results.

Regardless of your phishing results, your next action step should be to begin our story-based security awareness training. Huntress comes with free basic training that includes phishing and a number of other cybersecurity topics to browse through. Together this will jumpstart not only your phishing simulation program but also your entire security program!

As your program matures, you’ll naturally want to send out more templates, create your own emails, etc. but this will get you started!

Takeaways

• If you haven’t filled out your FREE  Huntress Managed SAT Trial, do it now to access our phishing simulator and more free security training tools.
• Launch your first phishing test to see how at risk your company is to phishing attacks.
• Create an action plan on how to best train your employees based on that risk.
• In order to build a mature security awareness program, we recommend you run phishing tests and security awareness training every month, then analyze the results.
• Building a positive security culture is the goal. Using gamified phishing tests and fun training will help relate to employees and give them a better reason why to be safe at work.

Remember – phishing training isn’t about perfection, it’s about progress.

Enjoy learning.