Recommendations for the Most Effective Baseline Phishing Test
Before you get started with training your users with our security awareness training modules, we strongly recommend that you conduct a blind baseline phishing test to all of your users.
This will show your organization’s initial phish-prone percentage. Consider this your starting point. Over time, you can use this initial phish-prone percentage to measure the success of using our integrated training and phishing platform.
After the test, your users, especially those that failed the test, may be confused or concerned. You can follow up with an optional email explaining the test that took place or even sharing your Phish-prone Percentage. To learn more, see: What Can I Send to My Users After the Baseline Phishing Test is Completed?.
Important: Before you conduct your baseline test, please ensure you've whitelisted KnowBe4's IP addresses or domains in your email environment. Use our Whitelisting Wizard or review our Whitelisting Guide to learn how to whitelist your email client and spam filters.
Why Should the Test Be Blind?
We believe you will get the most accurate measure of your organization’s vulnerability to phishing attacks by not announcing the baseline assessment to anyone other than your stakeholders. If this were a real phishing attack that made it through your email filters, you would see how many employees actually fall for it. Brace yourself; this can be a scary number sometimes!
Tip: After you have whitelisted and before you create a baseline phishing campaign, we recommend running at least one test campaign that is limited to a small group of users. To learn more, see the Preliminary Test Campaign section of our Quickstart Implementation Guide.
To Prevent Help Desk Overload, Phish Your IT Team First!
Another option you may want to consider is to send two baseline phishing tests: one to your IT/Help Desk department first, and then a separate one to the rest of your employees afterward. This way, when the rest of your employees begin reporting the suspicious email, your Help Desk employees will be aware of the situation but will also have had the chance to participate in the baseline assessment. In addition, this is a great way to ensure you’ve whitelisted our mail servers effectively, and that your baseline test will reach everyone’s inbox.
Recommended Settings for Baseline Test
You can set up your baseline phishing test under the Phishing tab of your console by clicking the + Create Phishing Campaign button. The recommended settings for an effective baseline test are listed below:
- Campaign Name: Baseline Test
- Send to: All Users
- Frequency: One time
- Start Time: Select the day/time.
  - The time should be when users are actively checking email.
- Sending Period: Send all emails when the campaign starts.
  - This ensures that users will not have time to warn each other that a phishing test is being conducted.
- Track Activity: Track phishing test failures for at least three days.
- Track Replies to Phishing Emails: This setting is optional. For more information about reply-to phishing, see our Reply-To Product Manual.
- Template Categories: Select the IT category from the drop-down menu on the left-hand side. Then, from the drop-down menu on the right-hand side, select the Change of Password Required Immediately template.
  - Don’t want to use this template? Make sure you use a template that is generic and will apply to each employee within your organization. See our guide on selecting a baseline template for more tips.
- Phish Link Domain: Choose a domain that appears "safe" to click on. This is what your users see when they hover over the phishing link.
- Landing Page: You have several options here. Review our article How to Choose a Landing Page before selecting your landing page.
- Send an email report to account admins after each phishing test: Checked
  - An email report will be sent to the admins on your account once the test is completed.
After Your Baseline
Immediately following the baseline test, your users, especially those that failed the test, may be confused or concerned. You can follow up with an optional email explaining the test that took place or even sharing your organization's Phish-prone Percentage. This will let them know how important participating in security awareness training is.
A sample template is available to get you started with following up with your users after your baseline.
Soon after your initial phishing test, you'll want to enroll all users in Security Awareness Training. Once that is complete, continue with ongoing phishing tests so they can practice the skills they've learned as part of training.