How to Improve Phishing Campaigns in My Organization?

Asked By CuriousCat92 On

I recently started our first phishing campaign in my organization, which has about 150 users. So far, we've only reached 30 of them, and out of those, 4 clicked on a link or attachment. A few opened the email but didn't take any action, while about 6 reported it. It seems like word has spread among the users who reported the phishing attempt, leading many to just report any suspicious email without taking the bait. Now, I'm struggling to understand who actually needs training and who doesn't. I'm wondering if there's a more effective approach for running these phishing campaigns, and if I could tweak the settings so that they're not immediately aware it's a simulated phishing attempt.

8 Answers

Answered By SkepticalAdmin On

Unfortunately, as soon as one person realizes a phish is fake, word spreads. You're only effectively testing the first few users. But the tests still hold value in gauging training effectiveness, even if there are limits on real learning from it.

Answered By TrainingExpert99 On

It’s helpful to follow up with a secondary email after each test that explains how to spot phishing attempts in the future. I know that even though Microsoft sends emails about these, my users tend to ignore any communication unless it comes from me directly.

Answered By EmailCritic On

Honestly, I’m confused about the "opened email" metric, since most email clients open incoming messages by default. It doesn’t really indicate anything meaningful on its own.

Answered By ConsultantChronicler On

From my experience, some organizations enforce strict consequences for failing these tests. Where I worked, failing a phishing test meant mandatory online courses, which made some folks stop checking emails altogether. Instead, they would only take orders in person or via phone.

Answered By HistoricalHero On

I have a guy at my old job who still hasn’t completed his phishing training for over 1,900 days. To be fair, he founded the company, so I guess he feels exempt!

Answered By TechSavvyJoe On

In a way, the word of mouth is working! If users are alerting others about potential scams, they’re actually helping create a culture of awareness. So, it seems like you might be on the right track in training them, even if it looks discouraging at first!

Answered By PhishFinder21 On

It sounds like a common issue. The key here is that everyone should undergo phishing training regardless of the testing results. Use the campaign as a way to identify weaknesses in your training program instead of figuring out who needs training. That way, you improve everyone’s awareness overall.

Answered By CyberSecurityGuru On

What tools are you using for your campaign? We utilize KnowBe4 and schedule our tests to hit random users at staggered intervals over a few weeks. It helps to vary the emails significantly so people don’t just warn each other about the same message.

CuriousCat92 -

Right now, I’m using Infosec, and it sends a few emails per day for 60 days. But we’re limited to about six templates, so once someone reports one, it kind of leaks to everyone else.
