
If You're Not Phishing Your Employees, You Should Be: Here's How

Austin Whipple

June 9, 2016



This post was originally published on

Phishing attacks continue to rise with an average of 156 million emails sent out daily and more than 80,000 people falling victim to their tricks, resulting in stolen identities, financial loss and credit card fraud. The sophistication of these attacks is constantly improving, with elaborately cloned sites, detailed information and savvy hackers leveraging anything they can to lure in their prey.

Preparing for such attacks at a corporate level can help protect valuable intellectual property (IP), increase employee awareness and increase the overall security posture of your organisation. So how can you prepare? As the saying goes, “if you can’t beat ‘em, join ‘em.”

Yes, I’m recommending that you deploy a phishing campaign against your own employees.

Training your coworkers through real-world phishing exercises is vitally important for organisations of any size. At BetterCloud, we recently ran a phishing exercise that surprised many of our colleagues, who pride themselves on their security intelligence and wherewithal.

Third-party services that will run targeted phishing attacks for your organisation do exist, but a moderately experienced internal security practitioner can achieve the same results at no cost.

While details and the level of sophistication may vary across organisations, the steps of the process should remain the same. Here’s how we did it.

Step 1: Get executive signoff

Running this exercise will affect the entire organisation to some degree, so make sure you obtain buy-in from the appropriate person(s). I recommend positioning the exercise as an inexpensive, proactive, and relatively painless way to increase the security of the organisation – something most can get on board with.

This approach will provide cover and help with future discussions over security needs should any glaring vulnerabilities present themselves. It is important not to tell too many people you are running this exercise, as you want it to be as authentic as possible. Pro tip: It’s often helpful to keep as much of the executive team out of the loop as you can to help increase their security awareness, too.

Step 2: Find your trojan horse

This step is entirely dependent on the way your organisation does business or communicates. Whatever your campaign vehicle, make sure it is a program that allows you to set alerts and observe individual user behaviour. For instance, if the attack prompts employees to log in and out of an application, make sure you’re notified of these occurrences. Email is the most common form, but look for opportunities outside of email as a way to catch many off-guard.

Step 3: Embrace your inner cybercriminal

For security professionals who always play by the rules, this can be the most fun and liberating step. Arrange everything that you’ll need to fool your targets once they receive the initial communication. This may include setting up dummy web and mail services, obtaining SSL certificates for fake web sites or designing clone sites to mimic the login for Gmail, Slack, and other sites. Tools such as the Social-Engineer Toolkit (SET) and services like Let’s Encrypt or StartSSL can make this process easy. When registering a domain to launch this attack, choose one that offers email services to avoid your emails being marked as spam. The little touches, such as DNS and SSL verification, will add a great deal to your fake site’s credibility.

Step 4: Set your trap

Come up with a compelling lure to bait your colleagues. You might send a company-wide email from a C-level executive or director announcing a switch in health insurance which requires updating personal information, a change in 401k plans, an invitation to a professional event, or a fake shared document on your company’s document sharing platform. Take advantage of communications you know are sure to provoke broad interest and participation. These emails should have a link to a fake login page to harvest credentials.

Step 5: Attack and gather metrics

With your cloned site (or whatever you choose to go with), an SSL certificate, and a fake login page, make sure you have your metrics in place. Send your email (or link), and start watching. Begin compiling information on items such as who opens the email, link clicks, how long it took for the first person to flag the email as suspicious to IT, and, if applicable, how many passwords were entered.
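One way to compile the Step 5 metrics from a campaign event log, as an added example that is not from the original post. The event names and the (timestamp, recipient, event) record layout are assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Constructed sample events for an authorized internal exercise. Only the fact
# of a submission is logged, never the password itself.
EVENTS = [
    ("2016-06-01T09:00:00", "alice@example.com", "sent"),
    ("2016-06-01T09:00:00", "bob@example.com", "sent"),
    ("2016-06-01T09:00:00", "carol@example.com", "sent"),
    ("2016-06-01T09:00:00", "dave@example.com", "sent"),
    ("2016-06-01T09:04:10", "alice@example.com", "opened"),
    ("2016-06-01T09:05:30", "alice@example.com", "clicked"),
    ("2016-06-01T09:06:02", "alice@example.com", "submitted"),
    ("2016-06-01T09:07:45", "bob@example.com", "opened"),
    ("2016-06-01T09:12:00", "bob@example.com", "reported"),
    ("2016-06-01T09:20:15", "carol@example.com", "opened"),
    ("2016-06-01T09:21:00", "carol@example.com", "clicked"),
    ("2016-06-01T09:21:40", "carol@example.com", "clicked"),  # repeat click
    ("2016-06-01T09:40:00", "carol@example.com", "reported"),
]

def campaign_metrics(events):
    """Per-recipient rates (each recipient counted once) and minutes to first report."""
    users = {}   # event type -> set of distinct recipients
    first = {}   # event type -> earliest timestamp seen
    for ts, user, kind in events:
        when = datetime.fromisoformat(ts)
        users.setdefault(kind, set()).add(user)
        if kind not in first or when < first[kind]:
            first[kind] = when
    sent = users.get("sent", set())
    def rate(kind):
        return len(users.get(kind, set()) & sent) / len(sent) if sent else 0.0
    ttr = None
    if "reported" in first and "sent" in first:
        ttr = (first["reported"] - first["sent"]).total_seconds() / 60
    clicked_unreported = users.get("clicked", set()) - users.get("reported", set())
    return {
        "recipients": len(sent),
        "open_rate": rate("opened"),
        "click_rate": rate("clicked"),
        "submit_rate": rate("submitted"),
        "report_rate": rate("reported"),
        "minutes_to_first_report": ttr,
        "clicked_not_reported": sorted(clicked_unreported & sent),
    }

if __name__ == "__main__":
    for key, value in campaign_metrics(EVENTS).items():
        print(f"{key}: {value}")
```

Tracking the same fields across repeat exercises makes the trend in click, submission and report rates comparable from one campaign to the next.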

Step 6: Bring everyone into the fold

Within hours of the attack, send a company-wide email coming clean about the scam and share initial results. Focus on the positive aspects of the drill, particularly if few or no people were compromised in the attack. Let everyone know the exercise was for the betterment of the company and that it will be an ongoing process. It’s also important to include tips for spotting phishing emails and how to discern fake sites and other traps.

Present the results of the attack and encourage your colleagues to send any questionable emails to the appropriate parties going forward.

Step 7: Rinse and repeat

Chances are good that the exercise will encourage all employees to be extra vigilant for the immediate term – but as any IT professional knows, security is an ongoing and volatile battle that requires continuous reexamination and repetition. Look to leverage new mediums and take advantage of opportunities to conduct additional attacks when appropriate.

Any time is the right time to remind your office about the importance of proper security habits. Exercises that hit home and feel personalised, like internal phishing scams, will have a much greater effect than routine reminders or best practices sent over email or shared at a company meeting.