Feeding The Phish - Part I

Feeding The Phish? Have you ever conducted a phishing campaign at your company or workplace? It is an interesting exercise. After a few campaigns I decided to reflect on them and share what went well and what went wrong.

First of all: when you want to feed the phish you need to talk, talk and talk again. Not only is it important to collect every bit of management buy-in you can think of, you also need to inform and convince many people about your endeavour. Nothing kills your efforts faster than a firewall admin who feels left out. To ensure that communication works and reaches all the important places, you need to build a team that includes at least someone from:

  • Sales / Marketing
  • Firewall and E-Mail administration
  • IT Support or the Call Center

Why? Let marketing pick the words for selling your campaign. The IT administration will pave the way for your phishes and the clicks. Finally, the Call Center / IT Support team will take the hard punch when everybody calls them in a panic because they clicked your phishing email. On the other hand, you should keep this team small and keep the talk low so as not to spoil everything before the first email has arrived.

When you start, start simple. You will be surprised what a plain-text email can do, especially if you have chosen the right topic. And here we are at one of the most important points: why are you doing this campaign? It is not to scare people, because everybody will fall for a phishing email; it is just a matter of how well it is prepared and tailored to the victim. So the goal should be to give your colleagues a teachable moment and help them learn a little bit. Stay away from in-house topics and make sure that you do not touch on or even slightly abuse the efforts of other departments or management as the context of your phishing campaign. Good examples of topics to avoid are coupon codes handed out by the works council or an invitation to the departmental Christmas party. These are things that should not get burned in a phishing campaign. Some consulting companies do suggest exactly that, though. Always bear in mind: you will still be at your company when those consultants have left :)

Anyhow, once you have chosen an appropriate context, get ready to spend some time on the phone ensuring that everything works as planned when the first emails arrive. If you are lucky, your company has special procedures in case of a phishing attack, like tuning firewalls and mail filters, isolating the victim's PC after the click has been reported, and so on. Things like this will happen. On the one hand it is very satisfying to see that what you trained people to do works. On the other hand you need to stop those actions fast and quietly to ensure that all phishing emails are sent and delivered correctly.

So far we have covered the campaign team, the context of the phish and the moment when the first emails arrive. In the next blog post we will look at feedback from the victims and what to do while the campaign is running. So stay tuned - don’t go anywhere.

Cheers :)

Written on November 15, 2016