The Rapid7 penetration testing team conducts a lot of phishing attack simulations, with the ultimate goal of helping companies better understand whether their employees can identify a phishing email and what they’ll do when they encounter one. Many factors can go into making a phishing engagement a success, so in this blog, we will share some tips for making sure your organization gets the most out of its upcoming engagement.
Phishing simulation goals
Any phishing engagement should start off by establishing the exact goals of the activity and what you want tested. It's typically assumed that phishing engagements are all about testing people and what they'll do when they receive a phishing email. Will they click on a link, submit their credentials, install software, or interact with the email in some way?
However, phishing engagements can also test non-human defenses. For instance, some companies have spam and phishing filters in place on their mail server and want to know whether their configuration settings can be bypassed. This can be a valid aspect of the assessment, but you do want to make sure that the mail ultimately makes it to your employees’ inboxes. Also, be aware of any flooding protections your mail server may have and let the testers know so they can stay under that threshold.
Before you begin, establish the engagement’s pretext (aka the story that will be used in the email your employees receive) with the tester. On some phishing engagements, our clients have given us an “anything goes” thumbs-up. This is pretty realistic, as there are no limitations to what true malicious actors send.
Then, on other engagements, we’ll be told that we can’t impersonate certain people at the company, such as the CEO or human resources, because the emails sound “too real” and may cause trust issues in the future if people can’t tell whether it’s a phishing email or a real email.
Think about how much leeway you want to give your testers. More freedom in this area may result in a more informative assessment.
It’s also important to take into account any past education efforts you’ve made around phishing, along with any post-engagement training you have planned. Is this engagement meant to set a baseline before any training is done? If so, it’s easy to see why you might want to tone down the difficulty of the pretext.
On the other hand, if you require phishing training during your new hire orientation and at least annually thereafter, you might use this opportunity to see how much people have learned. You can even gradually increase or decrease the difficulty level of the pretexts used during an engagement. For example, you could start off with something really obvious, such as an email with misspellings and nothing that seems personal to the recipient. After all, if you start off with something too difficult right away, people may get discouraged and feel like there’s nothing they can do. By starting slow, you help them build confidence and start to spot phishing attacks from the beginning.
From there, you can move on to the typical types of emails that get sent around a company, such as an announcement about a lunch that requires a sign-up for head count or a notification about a new HR policy. For these types of phishing attempts, educated employees should know what to look for, such as where the link goes or whether anything is misspelled. Some might even know not to click on the link and instead type in a URL themselves.
Phishing engagements can also delve into spear-phishing, which is when testers conduct some research on a specific target before engaging. Common targets of spear-phishing attempts are executives (such as the CEO or CFO) or employees who handle payroll. The email will seem real and include details that a true malicious phisher is unlikely to know (or at least wouldn’t know without research). Last year, the FBI released a report that showed that this exact type of phishing attack has cost businesses more than $12 billion over an 18-month span. A spear-phishing test could potentially save your company money, test company policies, and help your executives recognize what one looks like.
To get an idea of what these emails can look like, here are a couple of examples from phishing pretexts that have worked for me in the past. I always make sure that I set the “From:” address to someone within the company and someone who likely would have sent the email (yes, this may be something that a spam filter would look for, as it would have originated from outside the domain). Next, I’ll pick something that might be interesting or timely. One recent example was that I informed all employees that the recent W2 tax forms that were sent out had a typo in the Company Tax ID so the IRS had been rejecting tax returns. The email instructed people to click a link to download the correct version after logging in through a cloned (but authentic-looking) VPN page.
In another example, I once noticed that the company was located near a college with a prominent football team. Posing as the company’s benefits coordinator, I sent an email explaining that the company had recently obtained very valuable and sought-after season tickets for the college football team and would be raffling off two tickets to each home game. To sign up for the raffle, people would just need to go through the cloned and authentic-looking single sign-on page. I explained that the login was necessary to ensure people only signed up once. Interestingly enough, one employee actually signed up three times by using their credentials, a colleague’s credentials, and their spouse’s credentials! Let’s just say the CSO was not very thrilled to hear that news.
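Two of the tells mentioned above, a “From:” address in your own domain on mail that actually originated outside it, and a link whose visible text names a different host than its real target, can be checked mechanically on the receiving side. The script below is an added example, not Rapid7 code or a Rapid7 tool: it reads the DMARC verdict your own mail gateway records in the Authentication-Results header, compares the From: domain against an assumed company domain (`example.com`, a placeholder), and scans the HTML body for mismatched links; the sample message is constructed to resemble the W-2 pretext and uses placeholder domains throughout.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
COMPANY_DOMAIN = "example.com"  # assumption: the organization's own mail domain (placeholder)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE_RE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:[/?#].*)?$", re.I)

def dmarc_verdict(msg):
    # DMARC result from the Authentication-Results header our own MX stamped on the message.
    for header in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", header, re.I)
        if m:
            return m.group(1).lower()
    return "missing"

def sender_domain(msg):
    # Domain of the From: header, i.e. what the recipient sees in the mail client.
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def mismatched_links(html):
    # (shown, href) pairs where the visible link text names a host other than the real target.
    hits = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        m = HOSTLIKE_RE.match(shown)  # wording like "click here" names no host, so it is skipped
        if m and m.group(1).lower() != (urlparse(href).hostname or "").lower():
            hits.append((shown, href))
    return hits

def analyze(raw):
    # Findings for one raw RFC 5322 message; an empty list means nothing was flagged.
    msg = message_from_string(raw)
    findings = []
    verdict = dmarc_verdict(msg)
    if sender_domain(msg) == COMPANY_DOMAIN and verdict != "pass":
        findings.append("internal-looking From: but dmarc=" + verdict)
    html = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    for shown, href in mismatched_links(html):
        findings.append("link text %r actually points at %s" % (shown, href))
    return findings

# Constructed sample modelled on the W-2 pretext above; every domain in it is a placeholder.
SAMPLE = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com
From: Payroll <payroll@example.com>
Content-Type: text/html; charset=utf-8

<html><body><p>Log in to download the corrected form:</p>
<a href="https://vpn.example-c0m.net/login">https://vpn.example.com/login</a></body></html>
"""
```

Running `analyze(SAMPLE)` yields one finding for the failed DMARC check on an internal-looking sender and one for the link whose text and target disagree; a message from your own gateway with dmarc=pass and plain “click here” link text yields none.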
When your company has a phishing engagement planned, really think about what you want to test and the security maturity of the people you are testing. The goal of the engagement should be to increase awareness of social engineering and protect the company, while never making your employees fear failure. Use the engagement to show people what a true phishing attack would look like, and give them the resources to properly report it and give constructive feedback both during and after the engagement.
Another key to success has to do with company culture. We see the most success in companies that regularly do their own in-house testing, embrace security, and make it fun for people. Encourage people to feel empowered and supported to spot and report a phishing attack—and even more importantly, support them reporting a phishing attempt even after they may have clicked on a link or submitted information.