Here’s an interesting exercise: Phish your company's staff. Why? Because it’s a really good idea to test your organization’s immunity to one of the most prevalent social engineering tricks used by the bad guys to gain information and/or money.
Like the idea? You’ll like it even more because until midnight tomorrow KnowBe4 is offering a free simulated eBay phishing attack. Here’s how to take advantage of the offer:
- Create a free account here: http://training.knowbe4.com/signup
- Whitelist our email server, simple and fast: http://www.knowbe4.com/resources/frequently-asked-questions/
- Upload your users' email addresses as a flat file, one line per address.
- Click Submit, and a few minutes later the email will be sent. In a couple of hours you will know the Phish-prone percentage of your users and who your highest-risk employees are.
This is what your victims, er, users, will see:
Subject: You Need To Change Your eBay Password Immediately
Recently, hackers penetrated our network and stole 145 million user names and passwords. Yours was one of these. You need to change your eBay password immediately, so that your personal financial information will stay safe. Please click below to do that.
It will only take a minute. Remember to use a Capital letter, a number and a minimum of 12 letters.
Click here to Change your Password now (this will be a link)
eBay Customer Service
KnowBe4 argues, quite correctly, that the results will be: “Fabulous ammo to get more security budget, fun to do, AND you get to be proactive for a change!”
The reason for choosing eBay as the phishing subject is that, after losing the account data for some 145 million customers at the end of February, eBay actually did send out email messages to users that included a link to the password reset page. This was, of course, completely and utterly the wrong thing to do (as was waiting for a couple of months before telling users their accounts had been compromised, but that’s a topic for another rant).
I really like the idea of testing your users’ gullibility and naiveté, but be careful about how you follow up after the exercise; this should be a teaching opportunity, not a disciplinary exercise.