On this page, we explain step by step how a phishing test at BSM works. This way, you know exactly what to expect when you take a phishing test with us. At BSM, we distinguish three phases in every phishing test: preparation, execution of the phishing test, and completion.
Below, we go deeper into what happens in each phase and what is expected of you. This way, you are as well-prepared as possible.
During the kick-off meeting, we discuss which phishing scenario best suits your organization. We provide expert guidance, but the final choice remains yours. You can choose to propose a scenario that we further develop, or select one of our semi-custom scenarios. We also review the timeline together: what is the optimal moment to launch the phishing test? Finally, we identify key stakeholders within your organization. We can involve these colleagues in the preparation phase and prepare them for the phishing test itself.
Before we can initiate the phishing test, we require certain information from you. To test all your colleagues effectively, we request a participant list with the individuals who will take part in the test. It’s also possible to segment the phishing test into different groups. For example, the IT department could receive a different phishing email than the finance department.
The participant list should contain the following information: the first and last names of the participants, their corresponding email addresses, and optionally the departments where they work.
The final step in the preparation phase is the approval of the scenario.
We send you a test email to verify that the phishing email is delivered correctly. In most cases the sending domain or IP address is whitelisted in your mail filtering, and we provide clear instructions for this. Whitelisting ensures that every participant actually receives the email; it also means the test measures how your colleagues respond, not how well your spam filter performs.
Once the test email has been delivered correctly, you can review the phishing email. If adjustments are necessary, we can still implement them. Additionally, you can click on the link in the email to view the phishing website. Here, you can enter a “test” password to verify that everything functions properly. Once all this is completed, we’re ready for the next phase: the phishing test itself. We agree on a date and time for this, and we always contact you 30 minutes before the test begins.
As soon as the phishing test has commenced, you receive an email from us with all relevant information. The phishing emails are sent in small batches over a period of time rather than all at once, so that a sudden burst of identical messages does not trip rate-based spam filtering.
It’s important to understand that when a colleague enters a password on the phishing website, the full password is never stored. The entered password is truncated in the browser before the form is submitted, and truncated again on the server. As a result, we only see the length of the password and its first two characters; the full value never reaches us.
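As an added illustration of the truncation described above (example code written for this page, not BSM’s own landing-page code), the block below applies the same reduction in two places: once in the browser before the form is posted, and once on the server for whatever arrives. The server step matters because the browser step can be bypassed, for instance by a participant with JavaScript disabled or by someone posting directly to the endpoint. Field names, function names and the record layout are assumptions; the sample submissions are constructed.

```javascript
// Added example, not BSM's code: data-minimising capture of a password entered
// on a phishing-simulation landing page. Only the password's length and its
// first two characters are ever stored. Field names, function names and the
// record layout are assumptions.

const PREFIX_CHARS = 2;

// Reduce a password to the two facts the report needs. Array.from iterates by
// code point, so an emoji or accented character counts as one character.
function minimizePassword(password) {
  const chars = Array.from(typeof password === "string" ? password : "");
  return { length: chars.length, prefix: chars.slice(0, PREFIX_CHARS).join("") };
}

// Client side: called from the form's submit handler. Returns the body that is
// actually posted; the "password" field is replaced by its minimised form so
// the full value never leaves the browser.
function buildClientSubmission(fields) {
  const { password, ...rest } = fields;
  const { length, prefix } = minimizePassword(password);
  return { ...rest, password_length: length, password_prefix: prefix };
}

// Server side: the client step can be bypassed (JavaScript disabled, a direct
// POST to the endpoint), so the server applies the same reduction to whatever
// arrives and never writes a field named "password" to the store.
function recordSubmission(body, store) {
  let length;
  let prefix;
  if (typeof body.password === "string") {
    // Full password reached the server: reduce it here and drop the original.
    ({ length, prefix } = minimizePassword(body.password));
  } else {
    // Already minimised by the client; re-validate instead of trusting it blindly.
    length =
      Number.isInteger(body.password_length) && body.password_length >= 0
        ? body.password_length
        : 0;
    prefix =
      typeof body.password_prefix === "string"
        ? Array.from(body.password_prefix).slice(0, PREFIX_CHARS).join("")
        : "";
  }
  const record = {
    participant: typeof body.email === "string" ? body.email : "unknown",
    submitted_at: new Date().toISOString(),
    password_length: length,
    password_prefix: prefix,
  };
  store.push(record);
  return record;
}

// Usage with constructed sample data: one participant whose browser ran the
// client-side strip, one who posted the full password straight to the server.
const store = [];
const viaBrowser = buildClientSubmission({
  email: "a.jansen@example.com",
  password: "Welkom2024!",
});
recordSubmission(viaBrowser, store);
recordSubmission({ email: "b.devries@example.com", password: "Zomer123" }, store);
console.log(store);
```

Whichever path a submission takes, the stored record carries only `password_length` and `password_prefix`; a tampered client that sends a longer prefix is cut back to two characters on the server.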
Once the phishing test has started, various reactions may occur within your organization. Colleagues might warn each other or contact the IT department. To ensure the phishing test proceeds optimally, we thoroughly prepare all involved parties and ensure they know how to respond appropriately.
During the test, you’ll receive interim reporting from us with information about who clicked on the link in the phishing email and who entered a password. It’s important to remember that this is not a reason for concern or anger. The purpose of the phishing test is to learn and increase awareness. By viewing this as a learning opportunity, you enhance the educational effect and improve security within your organization.
Some participants will recognize the email as phishing, but not everyone will, and those who do recognize it may still not act appropriately. Ignoring a phishing email is not enough; the correct response is to report it to the appropriate department within the organization, so that the message can be blocked and colleagues can be warned.
After each phishing test, we provide a template that you can customize and share with your organization. In this communication, we explain what occurred, why the phishing test was conducted, and what the correct course of action would have been. This forms an effective learning moment since it is shared shortly after the test when the phishing email is still fresh in the participants’ memory.
Additionally, it’s possible to receive awareness training that incorporates the results of the phishing test. The training is customized to be as effectively aligned with your organization’s needs as possible. We focus specifically on the areas where issues arose during the phishing test. The training is completely anonymous: no personal data is shared, ensuring all employees feel comfortable and the training is both accessible and valuable for everyone.
The findings of the phishing simulation are summarized in a comprehensive report. This report can serve as a reference for future phishing tests, allowing the results of new tests to be compared with previous ones. This way, we can not only assess whether employees have become more alert but also whether other types of phishing tests might be more effective.
Each phishing test simultaneously serves as a learning opportunity. The reports we produce can also be used for certifications such as ISO 27001 and NEN 7510, as evidence that your staff are actively being trained.
Following the phishing test, we offer the opportunity to participate in a customized awareness training. In this training, we incorporate the results of the test and focus specifically on the areas where issues occurred within your organization. By tailoring the training to your employees’ needs, we ensure the content is as effective as possible.
The training is completely anonymous; no personal data is shared, ensuring all employees feel free to participate. This guarantees that the training is not only accessible but also valuable for everyone. The goal is to increase awareness around phishing and online security, so your employees are better prepared in the future to recognize and report phishing attempts.
It’s possible to provide training for your entire organization or specifically for ‘high-risk’ groups, such as managers and employees with access to sensitive information. This targeted approach ensures that precisely the individuals who face greater risk receive extra attention and training to effectively recognize and report phishing attempts.
To keep your colleagues vigilant about phishing, it’s important to repeat phishing simulations regularly. The awareness that a test may occur periodically motivates employees to evaluate each email with extra attention. A retest doesn’t always need to contain a complex scenario. Many of our clients choose to conduct two phishing tests per year: one semi-custom scenario and one fully custom scenario.
By retesting regularly, awareness around phishing remains at a high level, and we can effectively monitor any improvements in your employees’ alertness.
Should you have any questions, please don’t hesitate to contact us. We’re ready to assist you.