How useful are phishing tests?


#1

We recently have had a discussion in our department about the usefulness of sending out fake phishing emails. We are just beginning our SAT and figure we have plenty of teachable moments with the actual phishing emails that employees receive already. What real benefit is there to sending out fake ones?

Thoughts?


(Ron Steffens) #2

I felt bad about doing this at first, but it is surprising that we continue to have people fall for them. This is even after they have gone through the training. I would rather have someone click on a fake one than a real one. Hopefully they learn something when this happens.


(Sharon Guillory) #3

I too would rather those teachable moments happen in a controlled environment. I think the simulated attacks are similar to learning self-defense by taking classes rather than walking down an alley at night. Users learn what to look for and eventually can smell danger. They are able to do so in a lower-stakes scenario where nobody is going to punch them in the face.
The possible drawback to frequent simulations is having users think that everything is a simulated attack so that they click on it to see what the trick was. Any simulation needs to be followed up by discussion of the encounter, either in person (seldom feasible) or by some contact from the IT / Security folks.


(Ryan Jensen) #4

It has certainly been helpful within our environment to have the test emails. I have it set to send out a test once a month to everyone and then specialized training/tests to those who need it. Our focus has been on helping people learn to recognize something that could be malicious instead of emphasizing failure if they clicked on a test email.


(Jeff Henderson) #5

Sending out phishing tests keeps the conversation open on cyber security. I have had good teaching moments from tests even when they did not fall for them. When they do fail the tests I either make a visit and discuss it or I make them redo the training. The phishing tests have trained my users to be afraid of clicking on links or attachments, so I feel the tests have worked perfectly. In some situations you don’t want to use fear to get things done, but in this case it is needed.


(Max Taul) #6

I’ve used the phishing test in our office, and it worked great. It’s surprising to see how many people fall for it. It gives me insight on how educated the employees are.


(Mike Stoykovich) #7

I love doing the tests. It gives you raw data of who isn’t following best practices. Provides a leg to stand on when pointing a finger to the guy/gal who claims they would never do that!


(Courtney McDowell) #8

Hmm. As a nonprofit, we don’t (yet) subscribe to KnowBe4, although I am considering speaking to my boss and our CEO about it. (I am IT staff, but as I’m one of only two IT – the other being my boss – I have a lot more flexibility than a lot of IT staff might.) I wonder how effective it might be though: in my ~250-employee agency, I’ve seen two people fall victim in my 3.5 years there. One actually got a cryptovirus into the file server (thank god for backups!), but the other seemed to only get phishing crapware installed off hers. Most of my users already call up the Helpdesk when they get a phishy-looking email and say, “Hey. This looks weird. Can you take a look at it?” This latter example has included at least one spear phishing email saying they’re from our CEO addressed to our Finance Director.

(Having said that, as an agency we’re going modern in the next couple of months and implementing electronic time cards, and one of our departments is about to ramp up employment again for an annual temp project; so I anticipate the potential for failure points to increase between now and the end of the calendar year, if not beyond that.)


(Brendan Mc Gauran Ccna, Security +) #9

We’ve used it with good results a couple of times. However, one of our attorneys has gotten nailed every time. It’s embarrassing. Our CEO has requested that we leave her out when we do it again :grin:


(Gene Lubker) #10

In our DISA email environment, all links are disabled before the email gets to the user. You have to copy the URL out of the email, carefully excluding the WARNING message portions, and then paste it into a browser to go to the link. I think this inconvenience and forced attention is a good deterrent to mindless link-clicking. Of course it doesn’t completely eliminate the risk, but hopefully the user will pay some attention to the content of the URL after going to all the trouble of copy/paste.

Still, I look forward to phish-testing on our private cloud network, which doesn’t have the link-stripping feature. I will follow up with results as soon as I have enough data to form an opinion of the usefulness of the testing.


(Kathy McDonald) #11

By sending out the phishing e-mails from KnowBe4, you will receive reports detailing clickers. After a few tests are sent, you will see a pattern in the consistent clickers. Phishing e-mails have proven to be very useful and expose who needs that extra bit of training.


(Krista Moran) #12

As a federally regulated financial institution, a yearly phishing test is required. Our regulators loved the fact that we took this in house and are testing quarterly.


(Alan Wegener) #13

I too work for a non-profit. @Ashlayne - we are in the same boat. However, we have not yet sent out a phishing test. I already know, from our current experiences, we would get a ‘Strong’ response. But I have yet to convince them this is a good idea. I think the issue is more of once you know about a problem, you have to do something about it. That costs money, and as a non-profit, we are already struggling to keep up, especially with technology and changes. Of course this shouldn’t be an excuse. And to be fair, the company is more open today than ever before. We are making significant changes, from having a 1 page IT policy to its own policy manual. Hopefully, in 2017, we will be able to start a process to give this a shot too.


(Jeff Cook) #14

We use KnowBe4’s phish tests and it has definitely helped in supplementing awareness training. However, what we like most is that KnowBe4 tracks the phish-prone individuals, and when they hit a certain threshold of failures in a 12 month period we force them to take extra training (also provided to us by KnowBe4).


#15

We’ve done phishing tests and have the same issue. I honestly think some people cannot be taught, as the offenders tend to be repeats.


(Brent Frampton) #16

We have increased levels of training for repeat offenders.

Everyone who clicks gets assigned training. Those who fail 3 in a row or another threshold we decide on (like 4 of the past 6) get their manager notified and a different training.

We also do challenges company wide and report results on our intranet. This helps some management want to look good and they remind their employees to pause, ponder, and protect.
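The escalation rules described in the post above (every click gets training; three fails in a row, or four of the past six, also notifies the manager and assigns different training), as an added worked example that is not from this thread or from any vendor’s product. The user names, the result histories and the evaluation function are constructed for illustration; the thresholds are the ones the post names.

```python
from typing import Dict, List

# Thresholds as stated in the post (assumed constants; adjust to your policy).
CONSECUTIVE_LIMIT = 3        # "fail 3 in a row"
WINDOW, WINDOW_LIMIT = 6, 4  # "4 of the past 6"


def escalation_level(results: List[bool]) -> str:
    """Classify one user's campaign history, ordered oldest to newest.

    True means the user clicked that simulated phish. Returns 'none'
    (no new action this campaign), 'training' (standard remedial
    training) or 'manager' (manager notified plus different training).
    The check runs after each campaign, so a user who passed the latest
    test gets no new action; earlier fails were handled when they happened.
    """
    if not results or not results[-1]:
        return "none"
    streak = 0                      # current run of clicks ending now
    for clicked in reversed(results):
        if not clicked:
            break
        streak += 1
    recent_fails = sum(results[-WINDOW:])
    if streak >= CONSECUTIVE_LIMIT or recent_fails >= WINDOW_LIMIT:
        return "manager"
    return "training"


# Constructed histories, oldest campaign first: 'X' = clicked, '.' = did not.
SAMPLE_HISTORY = {
    "alice": "...",     # never clicked
    "bob": ".X",        # clicked the latest one -> training
    "carol": "XXX",     # three in a row -> manager
    "dave": "X.X.XX",   # four of the past six -> manager
    "erin": "XX.",      # clicked before, passed the latest -> nothing new
}


def review(history: Dict[str, str]) -> Dict[str, str]:
    """Return the escalation level for every user in a history map."""
    return {user: escalation_level([c == "X" for c in seq])
            for user, seq in history.items()}


if __name__ == "__main__":
    for user, level in review(SAMPLE_HISTORY).items():
        print(f"{user:6s} {level}")
```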


(Brad) #17

I too am part of a small IT department for a not-for-profit organization. We sent out the ‘blind’ no-warnings test email to get our initial baseline a couple weeks ago and found 20% of our 112 users actually clicked on what I thought was a pretty easy-to-spot template with some supposed photos I shared using Flickr… We had two people get pretty upset with our department for ‘testing’ them, but it was an easily defended position with support from management. We are using that statistic to enforce all users complete the training. I’m sincerely hoping that it helps, as 1 in 5 is pretty terrible for a simple phish!
I’ve found, after reviewing other companies that provide a similar offering, that KnowBe4 has a great price point and doesn’t leave me wanting for anything that any of the other vendors offer. Their interface is super easy and functional, so I believe they’re a great place to start!


(Will Leuschen) #18

Being a small IT department we couldn’t justify the costs for the KnowBe4 services, but in this day of highly sophisticated malware, ransomware and phishing no company should go without at least some level of testing and training. I did months of research initially, when ransomware started to show up in the media, and came across more and more frightening details about what is out there now.

As any email user in the past two decades might know, we have come from Nigerian princes asking for our bank accounts to the highly crafted emails decrying access violations, missed messages and other emergencies that require people to follow links or open attachments which lead to disaster.

The average user might think they wouldn’t get fooled, but all it takes is a single moment of inattention or carelessness. If they don’t know what to watch for, then they might as well be blind to the problem.

For those that, like me, cannot afford the KnowBe4 services: whether they get them in the future or not, with a bit of research and some PowerShell or VBScript, it is not too difficult to put something together until a better alternative can be used.

Knowledge is a person’s greatest weapon in these high tech days of ours, where technology can change from day to day.


(Christopher Blizzard) #19

The tests are a nice baseline to use to see if the training is actually effective. The hardest part is implementing the training and testing within the organization’s culture.


(Zsia Poitier) #20

I have sent out training to the staff at my office and the same set of people are still clicking. And I also have some staff who would not attempt to even take the training.