It’s easy to think that an email phishing attack wouldn’t fool us. Or that our friends and coworkers know how to identify a suspicious email.

But like a lot of our work at Atlantic BT, we don’t really know how well we’re prepared until we run some tests. So, how do you test the human side of IT security? You run your own phishing scam on your coworkers and record the results.

How I Ran My Phishing Test

Before you call the police, no, this blog post is not a confession that I’ve turned to a life of crime. I used a free tool from PhishMe. Then, I was able to conduct a convincing phishing test. My targets? Every one of my coworkers at ABT, including the CEO and President.

PhishMe Free allows you to send a fake phishing email to as many as 500 users by importing a list of emails. You can design your phishing email using 18 different templates. Afterwards, you can then schedule when you want to send it. The app will measure how many recipients open the mail and how many click the phishing link inside it. For my test, I sent two different emails more than a month apart. The results were very different.

The first test sent an email in the middle of the workday. It notified the recipient that their inbox was “over the limit”. The phishing link inside the email was threatening. “Click here to increase your mailbox size or you will lose your account within 24 hours.” Results of this test were encouraging. 65% of my colleagues opened the email, but no one clicked the phishing link. This particular phishing attack wasn’t fooling anyone.

The second test delivered less positive results. This email arrived at the start of the workday. It referenced a suspicious credit card charge. The email also offered to let the recipient trace the progress of a package, as it made its way to its destination. 67% of my coworkers opened this email, and 21% actually clicked the phishing link. Had this been a real attack, our company could have been in trouble.

What I Learned from Phishing

Our main lesson here was that even a tech-savvy company, like ABT, is vulnerable to phishing. Without testing, you won’t know how susceptible you are to a phishing attack until it already happens.

Here are some other observations from this test:

Timing could matter: The first test took place in the middle of the day. But, the second test began before people were arriving for the day and checking their email. The more successful test was a part of all the other morning emails employees deal with first. The lesson here is about timing. It’s especially important to watch our for suspicious emails at peak communication times. Then you can judge each email’s impact and risk on an individual basis.

Content matters: This means that the content of the phishing email is a critical clue. It can determine how susceptible your employees are to the scam. The worry over an unauthorized credit card charge struck a deeper nerve. The lesson? Teach your coworkers how phishers target their victims. Manipulating emotions, curiosities, and worries are all part of their attack strategy.

Response plans are important: A few users notified IT when they suspected an email attack was underway. But, they were unsure how to proceed after. It’s important to be able to find weak spots in training and policies. Education and regular testing helps us to find those vulnerable points. It also helps to remind employees to be vigilant. It’s a good idea to have protocols for how to respond to this kind of suspicious activity.

Cybersecurity is necessary in our hacker dwelling world. Being prepared and aware makes all the difference. Our team of experts are ready to help you with the knowledge and experience they’ve gained in the real world and with phishing tricksters, like me.