Email Security

    Getting The Most from Your Anti-Phishing Campaigns

    Talking to employees about their experiences with phishing simulations can challenge your assumptions and level up your security awareness game.

    by Dr. Matthew Canham

    Key Points

    • Anti-phishing campaign post-mortems offer an opportunity to learn more about employee security behavior than simple click rates.
    • Understanding why people do not click is as important as understanding why they do.
    • Having a deliberate purpose and design for each anti-phishing campaign maximizes its ROI.

    As a security consultant, I have seen several security teams fall into the trap of putting their anti-phishing campaigns on autopilot. They buy a phishing simulation platform and call it a day, letting the system do all the work of selecting the phishing templates and running them at prescheduled intervals. 

    That approach may accomplish some of the basics of employee education, such as ticking another box on a security training checklist for compliance. But training on autopilot deprives your security team of a valuable opportunity to better understand the state of your company’s human security posture.

    Each simulated phishing campaign offers a chance to peer into the minds of employees and comprehend their decision-making and behaviors. For this reason, every anti-phishing campaign should have a deliberate purpose and be designed with the goal of educating not just a company’s employees but its security teams as well. To get the most from your anti-phishing campaigns, consider the steps outlined below in tandem with a program such as Mimecast Awareness Training.

    Understanding the Non-Clickers

    There are all sorts of reasons someone might click on a link in a phishing email — they were fooled by the phishing lures, they weren’t paying attention, they were overconfident in their phishing radar. There is a bias toward focusing on these folks when analyzing the results of phishing simulations. Indeed, the most common metric for understanding employee susceptibility to phishing is the click rate, the percentage of employees who clicked on the URL in the simulated malicious email.

    But the click rate tells only half the story. One of the best ways to bolster security education and training over the long term is to understand those users who did not click on the link. 

    Suppose, for example, that you run an anti-phishing campaign that results in a 20% click rate. If you dig further and discover that only half of those who didn’t click even looked at the message, that paints quite a different picture. Of the 80% of users who did not click, some may have deleted the message without looking at it, while others didn’t open it because they were on vacation or overwhelmed by work. Counting only the employees who actually saw the lure, your actual click rate jumps from 20% (20/100) to 33% (20/60). Without making the effort to follow up with employees who don’t click, it is impossible to know an organization’s true susceptibility to phishing.
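    As an added illustration (not code from the original article or from Mimecast), the following Python reproduces the denominator correction above from per-recipient simulation records; the record format and the status labels "clicked", "opened" and "unopened" are assumptions made for this example.

```python
# Added example: raw vs. engagement-adjusted click rate for a phishing simulation.
# The record format and status labels are assumptions, not a real platform's export.
from collections import Counter

# Constructed sample: 100 recipients, 20 clicked, 40 opened without clicking,
# 40 never opened the message (deleted unread, on vacation, swamped with work).
SAMPLE_RESULTS = (
    [{"user": f"u{i}", "status": "clicked"} for i in range(20)]
    + [{"user": f"u{i}", "status": "opened"} for i in range(20, 60)]
    + [{"user": f"u{i}", "status": "unopened"} for i in range(60, 100)]
)


def click_rates(results):
    """Return (raw_rate, adjusted_rate, status_counts).

    raw_rate      = clicked / all recipients
    adjusted_rate = clicked / (clicked + opened); the denominator drops
                    recipients who never saw the lure, so it reflects the
                    decisions of people who were actually exposed to it.
    Both rates are 0.0 when their denominator is zero (empty campaign or
    nobody opened the message).
    """
    counts = Counter(r["status"] for r in results)
    total = sum(counts.values())
    engaged = counts["clicked"] + counts["opened"]
    raw = counts["clicked"] / total if total else 0.0
    adjusted = counts["clicked"] / engaged if engaged else 0.0
    return raw, adjusted, counts


if __name__ == "__main__":
    raw, adjusted, counts = click_rates(SAMPLE_RESULTS)
    print(f"recipients={sum(counts.values())} clicked={counts['clicked']} "
          f"opened_without_clicking={counts['opened']} unopened={counts['unopened']}")
    print(f"raw click rate: {raw:.0%}, engagement-adjusted click rate: {adjusted:.0%}")
```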

    Digging Deeper

    The two most common approaches to eliciting insights from the employees who don’t click are surveys and interviews. In my experience, the best approach is to conduct a few employee interviews first (six to 10 is an optimal set) and later follow up with a broader employee survey. Those one-on-one interviews produce rich insights that can inform the creation of the survey questions.

    The interviews can be surprising; you never know what employees might tell you. In one interview, an employee confided that if she received a suspicious email to her personal account, she forwarded it to her work email account and then opened the email in the office “because the security is stronger at work.” Understanding this employee’s security mentality helped me to develop survey questions like this one: “Is opening a suspicious email more secure at home or at work?” I also created scenario questions such as this: “You receive a suspicious email to your personal account during non-working hours. How do you handle that email?” Fortunately, that particular employee’s idea of cyber hygiene was not widespread, but she was not alone in her thinking. And I would never have thought to ask about it if I hadn’t interviewed her.

    The intelligence gathered from the combination of one-on-one interviews and broader surveys can be a powerful and dynamic tool for tracking and reporting on security awareness program efficacy and employee performance. When integrated with dynamic predictive risk scoring, these insights can offer a fuller assessment of a company’s overall security posture.

    Repeating these explorations a few times will provide context for the quantitative metrics being tracked. The insights that result enable organizations to better diagnose their unique vulnerabilities to social engineering attacks and develop explicit learning objectives for future campaigns. If a company finds that its employees are particularly susceptible to a specific phishing technique that attackers are currently using, it could use Mimecast’s de-weaponized simulation capabilities to bolster employees’ resistance to those tactics. 

    There are free tools that can help, such as the NIST Phish Scale (NPS). Companies can use the NPS to fine-tune their phishing campaigns and develop messages of varying difficulty for different groups of employees according to their phish detection abilities.

    Books also delve into the why behind employee choices during phishing simulations. One titled “The Weakest Link: How to Diagnose, Detect, and Defend Users from Phishing” includes a short assessment to test the level of suspicion that an employee had about a particular phish (regardless of whether they clicked it), and it explores their reasoning for that degree of suspicion.[1]

    Security Professionals Are People, Too

    It’s also important to consider who directs the phishing simulations. Security professionals have habits and biases just like everyone else, and these can influence how they design their simulated phishing campaigns. Perhaps one person has an affinity toward using gift card scams for simulations while another is inclined toward leveraging loss aversion tactics using the pretext of account lockout. 

    This becomes a problem when a particular tactic is used so often during anti-phishing campaigns that employees become accustomed to certain specific phishing “styles” and learn to avoid those in simulations. The resulting click rates will decline over time, but they offer a false sense of security, as these employees remain vulnerable to other types of phishing attacks that fall outside of their experience. Thus, it’s good practice to occasionally change up the people designing phishing campaigns, or to be more intentional about alternating tactics in simulations, so that users don’t get used to only certain phishing styles.

    The Bottom Line 

    Anti-phishing campaigns are a great learning opportunity, not just for employees but for security teams. Designing anti-phishing campaigns deliberately and engaging with employees afterward to better understand their mindsets and behaviors increases the ROI of these efforts. The resulting insights can also help you improve future anti-phishing campaigns. Read on to learn more about Mimecast’s security awareness training.


    [1] “The Weakest Link: How to Diagnose, Detect, and Defend Users from Phishing,” MIT Press
