Feeding The Phish - Part III

Feeding The Phish - Part III - it’s all about communication. Yeah, really? I chose to close the series on phishing with this topic because it is the most complicated one, and a non-technical one. A few things came to mind during the last campaigns. First of all, announcing the campaign with an E-Mail is often recommended. However, I could not find any difference in click and reporting rates between campaigns with an up-front E-Mail and those without. This may vary from company to company - in my opinion it is overrated. If you experience it differently - talk to me :)

However, communication is never overrated when it comes to management. Keep on talking, talking and talking to them. Those guys need to be kept up to date and are often interested in the current status, click rates and so on. However, you need to be careful as well - they can act very quickly, and more often than expected in a way you did not want them to. It basically boils down to: don’t tell them everything, but do not lie either. Keep them on a short enough leash to avoid possible harm.

The technical staff - your firewall guys, the call-center staff, the anti-malware guys - need to be treated with care, respect and chocolate. Have an extra smile for them when they adjust the firewall rules at the beginning of the campaign to prevent further harm to the company, without realizing that they are fighting your E-Mails. Hey - they are doing their job correctly - in a real attack, they would have saved your … - praise them :)

What I found most stressful were those moments when colleagues asked me whether a suspicious mail was really a phish and how they should react. In that moment I felt torn between helping them do the right thing in a real attack and letting them go and hopefully learn from a mistake. Finally I decided to suggest reporting the phish appropriately.

Another delicate situation you may encounter is those moments when colleagues ask you about the current click rate, or even worse, those water cooler questions like: “You know Mike from accounting - did he click?” Yeah, that seems to be unavoidable, but that’s the way people are. So relax and find a gentle way to say: “sorry - not your business”.

To conclude the phishing series - go, do it. It is fun! Be prepared to receive some shouting and some positive feedback. Bear in mind, it is quite some work, and it is never easy to estimate how people will react once they receive the phish. Most of all - you need to stay cool and relaxed day in and day out. So - let me know how your campaign turned out.

Cheers - and don’t click a link in your E-Mails :)

Written on December 16, 2016