Top 5 Phishing Do's & Don'ts

KnowBe4 Team | Oct 5, 2022

James McQuiggan KnowBe4Here's the Top 5 Do’s and Don'ts for your phishing simulation exercises

  1. First, conduct your baseline phishing simulation to get an idea of where your organization stands compared to others in your industry or size of organization.
  2. After that, let your users know about what you are doing. Make sure that your users are aware of the phishing simulation plan. Of course, after this you have to provide them security awareness training.
  3. Make sure they know why the phishing program is going on and include it in your onboarding of any new staff as well as briefing existing employees. Do not cut them off in communications to the InfoSec or IT teams when they discover a phishing email, legitimate or not. Ensure they have some form of communication method back to you, like a phishing alert button.
  4. Consider your organization's culture when determining the need to use financial incentives in a phishing simulation email. While this may get easy clicks, there have been negative repercussions and you will need to be sensitive to your employees. In the middle of layoff, it may  be viewed as cruel. Use caution and sensitivity when launching such a campaign. More importantly, explain to your users how they would receive updates regarding salary updates or changes with their salary and whether the organization would use those financial incentive phishing emails.
  5. Finally, remind your users that phishing simulation emails are a training tool and exercise, not a “gotcha” exercise. It is essential to educate your users and avoid making them think this is a way you are going to trick them into falling for a phishing attack. Make sure that your users know this is to educate them and help them spot the real phishing emails in their inboxes so they stay safe at the office but also keep their family safe at home. 

DID YOU KNOW?: When creating a phishing campaign, you have a brand-new AI option to automatically select the templates used in your campaign called AIDA Selected Phishing Templates.

This feature uses data from KnowBe4’s Artificial Intelligence Driven Agent (AIDA) to select the most relevant and challenging template for each user. AIDA Selected templates are chosen based on a user’s training history, phishing events, and performance metrics, such as their Phish-prone percentage and Security Awareness Proficiency Assessment (SAPA) results. The more data AIDA has, the better it works, so we recommend using these templates for users who have some prior training or phishing history. Learn more on our support site.

 

Level-Up Your Security Culture for Cybersecurity Awareness Month

Only a well-equipped digital workforce can stand up against today's accelerating social engineering threats. Take your users on an 8-bit arcade journey with our free Cybersecurity Awareness Month resource kit, packed with a full campaign's worth of award-winning training modules, weekly planners, and multilingual assets designed to build lasting defenses.

Get Your Free Cyber Awareness Month Kit

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.