We want to run a controlled social engineering simulation to test our staff's awareness of phishing and pretexting. What are some ethical ways to conduct these tests without destroying employee morale or trust? I am looking for platforms or methodologies that provide educational feedback to the users who "fail" the test so they can learn from their mistakes in real-time.
3 answers
The key is to "train, don't trap." Use a platform like KnowBe4 or GoPhish to send realistic but harmless phishing emails. If an employee clicks the link, instead of a reprimand, redirect them to a brief, engaging 2-minute video explaining what red flags they missed. It is also crucial to get buy-in from leadership and HR beforehand. Make it a gamified experience where departments can compete for the "Most Secure" title. This builds a culture of collective defense rather than a culture of fear, which is far more effective for long-term behavioral change.
Have you thought about including physical social engineering, like tailgating or leaving "lost" USB drives around, or are you strictly focusing on digital communication methods for now?
Focus heavily on the "Pretexting" aspect. If the email looks like it’s from a trusted internal source like HR, employees are much more likely to fall for it.
Great point, Thomas. Using internal themes like "New Benefits Policy" is highly effective for testing, as it mimics the high-urgency tactics real-world hackers use to bypass critical thinking.
Joseph, we are starting with digital phishing because that is our highest risk area, but we do plan to move toward physical testing next year. I am a bit worried about the "lost" USB test because of the potential for actual malware to be introduced if a real attacker swaps our test drives. Do you have any tips for making the physical tests safe while still maintaining a high level of realism for the staff?