Information Security
5 Things To Know Before Phishing Your Employees

5 Things To Know Before Phishing Your Employees

Before rolling out a security awareness campaign, I would want some data about my population and how susceptible they are to phishing attacks. Conducting a baseline phishing test will give me some data to work on. Data is king, especially in security.

However there are some things to consider before hitting send on a phishing test. This article is a simple guide on what to understand to ensure your phishing campaign is successful.

1. Be Empathetic and Wise

If you’re going phish about topics that include pay, bonus, or any other salary related information, you may want to check with your HR team. They will have some insights you may be privy to regarding attitudes towards pay and compensation. Getting a fake phishing test is sometimes humiliating in and of itself, but if you’re teasing someone about pay and bonus, then it might make them really upset. Upsetting our users is not our goal, teaching them is.

Utilizing just a little empathy will go a long way in gaining our users trust and support. They may be hourly staff or working their butts off to hit company deadlines. Having a negative impact could lower morale or put security in the penalty box, which could result in future messaging to fall on deaf ears. Our job is to build a security culture, not be annoying or out to get people.

2. Culture Variations

Culture can vary across nations and even across states.

What’s the culture and demographics of your company? Are they a sophisticated culture that may be less susceptible to phishing, or not? These are factors that will determine the difficulty level of your test. Make the test too difficult or easy, and your data may not reflect reality. Take a look at some actual phishing campaigns you may have received lately and mimic those.

Again, your goal is to ultimately teach your users about phishing and gain accurate data, not win a game.

3. Technology

This may be obvious, but if you’re users are GSuite users, a password reset email from Microsoft or O365 might not work for you. Be cognizant of the technology at your company.

On the other hand, you may want to do exactly that to gauge the engagement of your audience.

4. Location and Timing

Is your company in just one office or one continent, or is the company global? While it may be 11am in New York, it will be 7pm in London and Midnight in Mumbai! To increase the chances of the email being opened or even seen, you will want to send the phishing email in the local timezone.

This may require you to create different campaigns based on region or general timezone, if your software doesn’t support it. Remember you are trying to create a baseline, so anything that will affect the baseline, could corrupt your data.

5. Executive Sponsorship

Regardless, some people are going to be annoyed and/or bothered by your phishing tests. It’s just the reality of things. As with almost anything security that is impacting lots of users, make sure you have executive sponsorship before moving forward. They have your best interest in mind and want security to be successful at the company, so keep them informed. They will also let you know if any issues have been brought up at the exec level and be able to remedy them before it gets out of hand.

Upsetting our users is not our goal, teaching them is.”


In the end, you want to have tested your entire user population with just one phishing email. You’re not aiming necessarily to get them to open all the emails, but you do want to make the emails realistic and practical. You may make mistakes along the way but by utilizing the above, your mistakes will have less impact.

Leave a Reply