
Running a Phishing Campaign: Considerations

This video explains why you would run a phishing campaign to test your network security and important considerations to make before doing so.

In this video, we’re going to be talking about running a phishing campaign. So by now, we know how bad phishing can actually be. But why would we ever want to run our own phishing campaign? Well, running a phishing campaign might be done for a few different reasons. One, it can help give us insight into our overall security posture. We could use it to build a baseline on click rates - how many times people click on these phishing emails that we’re sending out. We could see what type of phishing emails are most successful so we know essentially how to train our users what to look out for. We could use this as a training exercise for employees.

We could use this to help with our overall phishing attacks. In other words, this is what you’re looking for. This is how you need to avoid clicking on these phishing attacks. And also, it can help us give our users a better awareness. Again, if they’re going through a phishing campaign, they stop a phishing attack, or they click on it, either way, success or failure can actually help the employee learn that, well, I should look out for this. I got caught by this last time, but I’m going to be smarter about this next time thanks to this training. So I know, avoid this. This is what I’m looking for.

So before you ever start a phishing campaign, always get written authorization before starting. Phishing campaigns could get really messy legally or even with your own corporate rules. So you do want to make sure you have written authorization from someone with authority or someone in charge that’s able to grant that permission for you to do this. And also, you want to make sure that you have the scope of work written out and whatnot. So some considerations when you’re considering a phishing campaign. What is the goal going to be? What’s the ultimate reason why you want to run a phishing campaign? What are the expectations? What do you expect to get out of running this phishing campaign?

Is there going to be, well, I expect people to be able to identify these phishing emails? I expect people to learn from this to report these phishing emails or whatnot? Who’s going to be part of this exercise? Is it going to be a department? Is it going to be the entire corporation? Are you going to exclude people? You need to figure out when the phishing campaign is going to start. And when does it end? What type of exclusions are there? Are you going to avoid the, say, CTO, for example, that you’re not going to try to get payroll during this time? Who’s the point of contact going to be for the phishing campaign?

Who do you need to talk to or report to when you’re running these campaigns? What type of phishing email are you sending? Is it going to be a clickbait-type email? Is it going to be a downloadable payload or et cetera? Is it going to be a one-off campaign, meaning, are you going to run the campaign once, or is it going to be something that’s going to be running over time? Now, the advantage of running over time is the first one could be - you send the first phishing campaign out, it runs a baseline.

You’d start another one, say, a month later, well, then you could take a look at the first one and then take a look at the second one and see, well, did people improve? We did some training. Is training paying off? Are the same people clicking these emails? And then from there, you can keep going on and on and seeing if people are getting better or worse. Are they getting lax? Are there certain seasons that people are more susceptible to clicking on these emails, things like, well, if I’m running a campaign towards December - right around Christmas, well, people’s minds are on vacation - are they clicking on this more? Are they letting their guards down more or things like that?

What type of training are you going to offer? Is it going to be during the phishing campaign? Is it going to be after? Is it going to be before? How’s the training going to be offered? And who’s going to be around? Who is going to address any sort of questions or issues prior to the campaign, during, and after?
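The transcript describes building a baseline click rate, honouring scope exclusions, and comparing a follow-up campaign against the baseline to see whether the same people keep clicking. The script below is an added example (not from the course) that does that bookkeeping over constructed results; the campaign names, user names and the `EXCLUDED` set are all hypothetical.

```python
# Added example (not from the FutureLearn course): summarise the results of an
# authorised, simulated phishing campaign. All names and records are constructed.
from collections import defaultdict

# One record per simulated email: (campaign, user, clicked, reported).
# "baseline" ran first; "follow-up" ran a month later, after training.
RESULTS = [
    ("baseline", "alice", True, False),
    ("baseline", "bob", False, True),
    ("baseline", "carol", True, False),
    ("baseline", "dave", False, False),
    ("baseline", "erin", True, True),
    ("baseline", "ceo", True, False),   # out of scope, must be ignored
    ("follow-up", "alice", True, False),
    ("follow-up", "bob", False, True),
    ("follow-up", "carol", False, True),
    ("follow-up", "dave", False, True),
    ("follow-up", "erin", False, False),
]
# Exclusions agreed in the written authorisation (hypothetical).
EXCLUDED = {"ceo"}


def campaign_metrics(results, excluded=EXCLUDED):
    """Per campaign: emails sent, click rate, report rate, who clicked."""
    per = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0, "clickers": set()})
    for campaign, user, clicked, reported in results:
        if user in excluded:
            continue  # excluded users never count towards the baseline
        m = per[campaign]
        m["sent"] += 1
        m["clicked"] += clicked      # bool adds as 0/1
        m["reported"] += reported
        if clicked:
            m["clickers"].add(user)
    return {
        c: {"sent": m["sent"],
            "click_rate": round(m["clicked"] / m["sent"], 2),
            "report_rate": round(m["reported"] / m["sent"], 2),
            "clickers": frozenset(m["clickers"])}
        for c, m in per.items()
    }

def repeat_clickers(metrics, first, second):
    """Users who clicked in both campaigns: training has not stuck for them yet."""
    return metrics[first]["clickers"] & metrics[second]["clickers"]

if __name__ == "__main__":
    print(campaign_metrics(RESULTS))
```

With the constructed data the click rate drops from 60% to 20% and the report rate rises from 40% to 60%, while one user (alice) clicks in both runs and is the obvious target for follow-up training.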


A good way to test whether your network users are adequately educated to protect themselves from phishing attacks, and whether your reporting processes are working, is to run your own phishing campaign. There are considerations you need to make before you set up a campaign, and you need to know how to run it safely on your network. Remember that you need to get permission from your organization before you do this!

Reflect and share: For your company, how often do you think you should run a phishing campaign? What would you consider when making this decision? Share your comments in the section below.

This article is from the free online course Advanced Cyber Security Training: Network Security, created by FutureLearn - Learning For Life.
