Who recognizes phishing emails and knows how to follow reporting processes correctly?
Most phishing tests revolve around only one thing: recognizing a phishing email and whether or not you fall for it. They focus primarily on right and wrong and are still too often used as a measurement tool. In the end, you achieve absolutely nothing with this form of phishing testing, except a few wounded egos and misleading numbers about internal cybersecurity awareness.
The Phishing Reporting Competition Explained
Through a gamified experience, employees are confronted with different phishing emails for four weeks. The course is kicked off with an informational email that clearly explains phishing and the internal reporting process. Then we send a few (usually 3) phishing emails that become increasingly complex over time. Each email is meant to be reported. In the beginning we still draw attention to the reporting process, but later we want employees to start the reporting process themselves. Thus, for four weeks, employees actively scan their mailboxes for phishing, learn to recognize phishing, and indeed, go through the internal reporting process four times. No right or wrong, but a thorough learning process in which the desired behavior (recognizing and reporting) becomes intuitive over time.
By actively scanning the mailbox and going through the reporting process repeatedly, the safe and therefore desired behavior becomes ingrained. Unlike the classic phishing test, which often sends out unexpected occasional emails, the phishing training brings about lasting behavioral change. The absolute added value of the phishing training, then, is that after the event every employee will know how to recognize phishing emails, will know exactly how the reporting process works, and will use it for suspicious emails.
Specifically, what do you get?
Experiential learning about recognizing and reporting phishing in a competition.
- Intake workshop
- Drafting phishing emails with specific how-to videos
- Communication around campaign
- Reporting of results
THE GAME ASPECT
In addition, we incorporated a game aspect. This creates a playful form of competition where, at the end of the month, we see which department has reported the most. It provides that extra bit of extrinsic motivation: employees want to win a cake or team outing (and incredibly high praise, of course!) with their department and will therefore participate. No dry texts on phishing dangers and how to report them through the weekly newsletter, but challenging and experiential learning.