How often do you do phishing campaigns?
I do agree with you, Raphael.
On a weekly basis, we do phishing campaigns. A very large group of employees will receive an appealing email from:
- HR Department
- An SVP
- A well recognized vendor (Microsoft for example)
- A delivery company
Then, it either contains a link or a file to be opened. The employee has to click on a 'fish icon' in Outlook to submit the email to the security team.
If the email was 'fake', you will receive congratulations. If the email was really suspicious, it will get inspected and the result is sent back to the employee (email has been destroyed or no, it is legitimate).
If the email was 'fake', and the employee read it but hasn't clicked on the fish icon, it counts as a bad usage of emails. Monthly, managers get reports with stats.
End of story, too many fake emails are received from the organization. Employees either got lazy about this and no longer follow the guidelines, or they declare too many emails as potential risks because sometimes it's very hard to tell.
We also do targeted training.