Feed The Phish - Part II

Hey! Welcome to part II of “Feeding The Phish”. Now your emails are arriving in the victims' inboxes? Great! People will be coming back to you and giving you feedback, even if you have not asked for it. Honestly, get ready to receive anything from questions for help to angry shouts. I was honestly surprised by the amount of positive emails and phone calls I received. Clearly, not everybody was happy, but most found the “exercise” quite useful. In addition, some colleagues pointed out obvious mistakes, like sending an invitation to a competition which you should answer within two hours. Yeah, easy to do, if the email arrives in your inbox around midnight. Others mentioned that the landing page, which they reached after the click, was too friendly. Take such impulses seriously and react to them. Over time, you will find the right way and the right words.

Equally important as the feedback is how you track the expected reaction of colleagues. Have you set up an email list everyone should send possible phishing emails to? Or is there any other procedure within your company by which normal employees can inform the IT and IT security staff about an ongoing attack? Monitor those channels closely. Count and analyse the feedback.

Is your detection rate high or too low? The highest correct response rate I received so far was about two thirds of all possible victims following the correct procedure. That was a really simple campaign. Maybe the phish was too simple. However, rewarding such a result publicly is very important. Like Steve Jobs did it at Apple: celebrate such successes!!

This brings me to another interesting question: how do you detect whether a phish was too simple or whether your colleagues really got better at detecting the attack? There are several ways. Start by organising all victims in groups and measuring the click rate per group. This way, you see the hot spots for the upcoming awareness training. The ratio of clicks versus reported phishes is the metric to go for. All groups whose click rate is higher than or equal to their reporting rate should be candidates for training. There is one more metric you should look out for: the group with the lowest detection rate of all. In my campaigns I could identify one group of about 20 employees which did not react at all to the phishes. They neither reported them nor did they click on them. Strange, but seriously worth talking to them. As it turned out, they were very well organised internally. One employee spotted the phish and informed all other members of the group. What a dynamic and responsible action!
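One way to compute these per-group numbers from a campaign export, as an added example that is not the author's own tooling: the event records are constructed sample data, and the group names and the action labels "clicked" / "reported" / "none" are assumptions.

```python
from collections import defaultdict

# Constructed sample events: (group, employee, action). One employee may
# appear more than once, e.g. clicked first and then reported. Group names
# and the action labels "clicked" / "reported" / "none" are assumptions.
SAMPLE_EVENTS = [
    ("sales", "s1", "clicked"), ("sales", "s2", "clicked"),
    ("sales", "s3", "reported"), ("sales", "s4", "none"),
    ("finance", "f1", "reported"), ("finance", "f2", "reported"),
    ("finance", "f3", "clicked"), ("finance", "f3", "reported"),
    ("finance", "f4", "none"),
    ("ops", "o1", "none"), ("ops", "o2", "none"), ("ops", "o3", "none"),
]


def group_metrics(events):
    """Per-group click and report rates, counting each employee once per rate."""
    targets, clickers, reporters = defaultdict(set), defaultdict(set), defaultdict(set)
    for group, employee, action in events:
        targets[group].add(employee)  # everyone who received the phish
        if action == "clicked":
            clickers[group].add(employee)
        elif action == "reported":
            reporters[group].add(employee)
    metrics = {}
    for group, people in targets.items():
        n, clicks, reports = len(people), len(clickers[group]), len(reporters[group])
        metrics[group] = {"targets": n, "clicks": clicks, "reports": reports,
                          "click_rate": clicks / n, "report_rate": reports / n}
    return metrics


def training_candidates(metrics):
    """Groups whose click rate is higher than or equal to their report rate.

    Groups that neither clicked nor reported are left out here: they are the
    'silent' case below and deserve a conversation rather than a training slot.
    """
    return sorted(g for g, s in metrics.items()
                  if s["clicks"] > 0 and s["click_rate"] >= s["report_rate"])


def silent_groups(metrics):
    """Groups with no reaction at all: neither a click nor a report."""
    return sorted(g for g, s in metrics.items() if s["clicks"] == 0 and s["reports"] == 0)
```

With the sample data, `training_candidates` returns only `sales` (two clicks against one report), while `ops` shows up in `silent_groups` and is the group to go and talk to.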

How people reported the phishing attack is also interesting. There will always be groups who run for the phone and need to call someone. Whom? Yes, IT support / the call centre. Keep that in mind when you select the groups for your campaign. Do not flood the poor support guys too hard.

In the final part of this blog post series I will discuss the communication aspects before and after each campaign. So, see you again in two weeks.

Cheers!

Written on November 30, 2016