An entire phishing simulation industry has emerged to combat the dangers of phishing attacks on...
Don't Attack your Employees. Support them.
Phishing simulations can provide effective practical training, but they can also end up doing more harm than good. CyberCoach trains and supports employees holistically in safety and security, including against phishing attacks. How are you running phishing simulations, and have you considered alternatives?
Elements of an Effective Phishing Campaign
✅ Timing: Constantly flooding your employees' inboxes diminishes effectiveness. Run campaigns occasionally and for a limited time only.
✅ Transparency: Let your employees know a phishing simulation campaign is coming, and offer training for those who feel they need it. People learn best through positive reinforcement, not failure. Give them training first and let them succeed.
✅ No punishments: Don't turn additional training into a punishment for failing the phishing test. Too often people who fail are forced to take additional training, which discourages them further.
Elements of Harmful Phishing Simulations
❌ Constant and/or unrealistically clever simulations.
❌ Limited or no training on how to verify a message before the phishing test. "Don't click" is not only poor advice, it's impractical. You don't want employees who are terrified to open messages and click on links; you want employees who know when to trust a message and how to verify it if something seems phishy.
❌ Unhealthy gamification. Are employees forced to compete on leaderboards? Can new joiners ever reach the level of their peers? What happens when someone makes a mistake? Gamification can work wonders for certain individuals, but it can trigger unhealthy behaviors, stress and anxiety in others. Pro tip: Consult a DE&I professional to understand how inclusive and psychologically safe your phishing platform or campaign is.