Before you begin your security awareness training program, we strongly recommend sending an unannounced simulated phishing test to all of your users. This test will help you establish a baseline for your organization.
The results of this baseline phishing test will show your organization's initial Phish-prone Percentage. The Phish-prone Percentage is the percentage of users who are likely to click on a phishing email. Consider this initial Phish-prone Percentage the baseline, or starting point, for your organization. Your organization's overall Phish-prone Percentage, or Account Average Phish-prone Percentage, is based on the Phish-prone Percentage of your active users who have received at least one Phishing Security Test. As you conduct ongoing phishing tests, compare your organization's Phish-prone Percentage with the initial Phish-prone Percentage to measure the success of your security awareness training plan.
See the sections below to learn about our recommendations for your baseline phishing campaign and what you should do after conducting your test.
Important: Before you conduct your baseline test, please ensure you've whitelisted KnowBe4's IP addresses or domains in your email environment. Use our Whitelisting Wizard or review our Whitelisting Guide to learn the best method for whitelisting your email client and spam filters.
Why Shouldn't I Announce the Test?
We recommend conducting an unannounced baseline phishing test in order to get the most accurate results. By not announcing the test, you can see how vulnerable your organization would be if a real phishing attack made it through your email filters. Having this insight can help you gain buy-in from your stakeholders. To learn more, please see: How Can I Engage My Stakeholders in My Security Awareness Training Plan?.
Recommended Settings for the Baseline Test Campaign
To create your baseline campaign, go to the Phishing tab of your console. Then, click the + Create Phishing Campaign button in the upper right-hand corner to open the New Phishing Campaign page.
Tip: After you've whitelisted and before you create a baseline phishing campaign, we recommend running at least one test campaign that is limited to a small group of users. To learn more, see the Preliminary Test Campaign section of our Quickstart Implementation Guide.
We recommend using the following settings for your baseline test campaign:
Campaign Name: Name your campaign something descriptive, such as "Baseline Test".
- Send to: Select All Users.
- Frequency: Select One-time.
- Start Time: From the drop-down menus, select the desired date and time for your baseline test. The time you select should be during your organization's business hours as that is when your users are actively checking their emails.
- Sending Period: Select Send all emails when the campaign starts. When this setting is selected, all of your users will receive the phishing email at the same time. Using this method ensures that your users will not be able to warn each other that a phishing test is being conducted and your test results will be more accurate.
- Track Activity: We recommend that you track phishing test failures for at least three days. For more information about sending and tracking periods, see our How to Monitor and Review Phishing Campaigns article.
- Track Replies to Phishing Emails: You can turn this setting on if you wish to track your users' replies to the phishing test emails. For more information about reply-to phishing, see our Reply-To Phishing article.
Template Categories: Select the Phishing for Sensitive Information category from the drop-down menu on the left-hand side.
- Then, from the drop-down menu on the right-hand side, search for and select the Password Check Required Immediately template.
- Phish Link Domain: Choose a domain to use for the phishing link. This is the domain that your users will see when they hover over the phishing link so choose one that looks "safe" to click on.
- Landing Page: Keep Default Landing Pages.
- Send an email report to account admins after each phishing test: Select this checkbox so that an email will be sent to all of your account administrators after the test is complete. This email report will be sent to administrators after the Track Activity time period has concluded.
After the Baseline Test
After the baseline phishing test, your users may be confused or concerned about the email that they received. To help with this confusion, we recommend that you send an email explaining what the phishing test was, and you can even share your organization's Phish-prone Percentage to emphasize the importance of security awareness training. We've provided a template that you can use for this email, please see: What Can I Send to My Users After the Baseline Phishing Test is Completed?.
We recommend enrolling your users in security awareness training shortly after conducting your baseline phishing test. To learn more, see Enrolling Your Employees in Security Awareness Training.
Once users have completed their initial security awareness training assignment, we recommend that you conduct ongoing phishing tests so that your users can practice the skills they've learned as part of their training. To learn more about ongoing phishing tests, see our Best Practices Guide.