To Phish or Not to Phish, that is the question!

Organisations are always faced with the challenge of how to implement a suitable User Awareness / Education programme that covers all the latest threats and tactics that potential attackers may use to entice them to click or give away information.

The hardest part of educating your employees is to make the content relevant to them and also to make sure its not boring. One of the best methods for training is to show how the impact would not just affect the organisation but how it could have a personal impact to the individual.

Employees tend to pay more attention to something that could actually directly impact them in there personal lives, for example if they use the same password then maybe the attacker could take over their social media, which in turn could give them access to all their online friends and family.

One of the top methods that organisations use is Phishing Simulation. This is where the organisation or a 3rd party sends in crafted phishing emails to see if staff will interact with the content. Some simulations also target staff on social media and also via Smishing (SMS Message Phishing) or even Vishing (Calling up and asking for information).


There are quite a few different vendors out there offering this service:

There are also a number of Open Source projects which can be built internally for an organisation to design and run their own campaigns:

Targeted v Non-Targeted

There are lots of different options if you are thinking about running your own phishing tests. One of the key questions you should ask is what is the goal or outcome you are trying to achieve. In some cases you have already conducted a training session and you are running this to test that people were paying attention. Alternatively you could be running an assessment to get a baseline for where you need to target training.


Having the process to allow users to report potential phishing emails is a must for an organisation. Setting up a “Report Phishing” button in your email client or letting staff know they can report the email to phishing@ for example. If using an email address make sure that staff know to start a new email and attach the suspected Emil as an attachment. This is to preserve the email headers which will allow further investigation.

A slight word of warning for this is you may get users reporting spam as well which in larger organisations could very quickly become a very large volume. Ensuring that the correct method and solution is tailored to the business are resources available is key.


There are many organisations who choose not to use phishing to target their staff. Some organisations have internal programmes that educate through joint learning experiences or workshops, where staff talk about their own experiences and different types of phishing emails they have received. This can be very powerful and help with the combined culture of the organisation.

Ultimately the decision is yours and different methods work for different organisations. Make sure you have a clear strategy of what you are trying to achieve and then see which methods will work the best for you. Remember sometimes getting staff to create them get them engaged and learning as well!!

Related Posts