Recommendations for the Most Effective Baseline Phishing Test
Before you get started with training your users with our security awareness training modules, we strongly recommend that you conduct a blind baseline phishing test to all of your users.
This will show your organization’s initial phish-prone percentage. Consider this your starting point. Over time, you can use this initial phish-prone percentage to measure the success of using our integrated training and phishing platform.
Why Should the Test Be Blind?
We believe you will get the most accurate measure of your organization’s vulnerability to phishing attacks by not announcing the baseline assessment to anyone other than your stakeholders. This shows you how many employees would actually fall for a real phishing attack that made it through your email filters. Brace yourselves, this can be a scary number sometimes!
To Prevent Help Desk Overload, Phish Your IT Team First!
Another option you may want to consider is to send two baseline assessments: one to your IT/Help Desk department first, and then a separate one to the rest of your employees afterward. This way, when the rest of your employees begin reporting the suspicious email, your Help Desk employees will already be aware of the situation, but will also have had the chance to participate in the baseline assessment themselves. In addition, this is a great way to confirm that you’ve whitelisted our mail servers effectively and that your baseline test will reach everyone’s inbox.
Recommended Settings for Baseline Test
You can set up your baseline phishing test under the Phishing tab of your console by clicking the + Create Campaign button. The recommended settings for an effective baseline test are below:
- Name: Baseline Test
- Deliver to: All Users
- Frequency: One time
- Start time: Select the day/time.
  - The time should be when users are actively checking email.
- Sending: Send all emails when the campaign starts.
  - This ensures that users will not have time to warn each other that a phishing test is being conducted.
- Track Activity: Track phishing test failures for at least three days.
- Track Replies: This setting is optional. For more information about reply-to phishing, see our Reply-To Product Manual.
- Categories: Select the template IT > Change of Password Required Immediately.
  - Don’t want to use this template? Make sure you use a template that is generic and will apply to every employee within your organization. See our tips for selecting a baseline template for more guidance.
- Phish Domain: Choose a domain that appears "safe" to click on. This is what your users see when they hover over the phishing link.
- Landing Page: You have several options here. Review the article How to Choose a Landing Page before selecting your landing page.
- Send email report: Checked
  - An email report will be sent to the admins on your account once the test is completed.
After Your Baseline
Immediately following the baseline test, your users, especially those that failed the test, may be confused or concerned. You can follow up with an optional email explaining the test that took place, or even share your organization's Phish-prone Percentage. This will let them know how important participating in security awareness training is.
A sample template is available to get you started with following up with your users after your baseline.
Soon after your initial phishing test, you'll want to enroll all users in Security Awareness Training. Once that is complete, continue with ongoing phishing tests so users can practice the skills they've learned in training.