KnowBe4 offering a free phishing attack simulation

You can test how susceptible your staff are to phishing

Here’s an interesting exercise: Phish your company's staff. Why? Because it’s a really good idea to test your organization’s immunity to one of the most prevalent social engineering tricks used by the bad guys to gain information and/or money.

Like the idea? You’ll like it even more because until midnight tomorrow KnowBe4 is offering a free simulated eBay phishing attack. Here’s how to take advantage of the offer:

  1. Create a free account here: http://training.knowbe4.com/signup
  2. Whitelist our email server, simple and fast: http://www.knowbe4.com/resources/frequently-asked-questions/ 
  3. Upload your users' email addresses, flat file, one line per address.
  4. Click submit and a few minutes later it will be sent. In a couple of hours you will know the Phish-prone percentage of your users and your highest-risk employees. 

This is what your victims, er, users, will see:

From: CustomerService@eBay.Compromised.com

Subject: You Need To Change Your eBay Password Immediately 

Body:

Recently, hackers penetrated our network and stole 145 million user names and passwords. Yours was one of these. You need to change your eBay password immediately, so that your personal financial information will stay safe. Please click below to do that. 

It will only take a minute. Remember to use a Capital letter, a number and a minimum of 12 letters. 

Click here to Change your Password now (this will be a link) 

Sincerely, 

eBay Customer Service 
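
As an added example (not from the article and not KnowBe4's code), here is a small Python check of the kind a mail gateway or SOC could run over the message above: it flags mail that invokes a brand name while arriving from a domain the brand does not use, and separately notes credential-reset urgency wording. The brand-to-domain table and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand -> domains that brand actually sends from. Assumed for this example;
# a real deployment would keep a vetted, maintained list.
BRAND_DOMAINS = {"ebay": {"ebay.com"}}

def registrable_domain(address):
    """Return the last two labels of the address's domain, lower-cased.
    Naive on purpose: does not handle multi-label suffixes such as co.uk."""
    _, addr = parseaddr(address)
    domain = addr.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])

def check_brand_sender(raw_message):
    """Flag a message whose subject or body names a known brand while the
    From: domain is not one the brand uses. Returns a list of findings."""
    msg = message_from_string(raw_message)
    sender_domain = registrable_domain(msg.get("From", ""))
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", text) and sender_domain not in domains:
            findings.append(f"mentions {brand} but sender domain is {sender_domain}")
    # Wording typical of credential-reset lures; a weaker signal on its own.
    if re.search(r"\b(password|immediately|click (here|below))\b", text):
        findings.append("credential-reset urgency language")
    return findings

# Constructed sample: the simulated message quoted in the article, as raw message text.
SAMPLE = """From: CustomerService@eBay.Compromised.com
Subject: You Need To Change Your eBay Password Immediately

Recently, hackers penetrated our network and stole 145 million user names and passwords.
You need to change your eBay password immediately. Please click below to do that.
"""

if __name__ == "__main__":
    for finding in check_brand_sender(SAMPLE):
        print("FLAG:", finding)
```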

KnowBe4 argues, quite correctly, that the results will be: “Fabulous ammo to get more security budget, fun to do, AND you get to be proactive for a change!”

The reason for choosing eBay as the phishing subject is that, after losing the account data for some 145 million customers at the end of February, eBay actually did send out email messages to users that included a link to the password reset page. This was, of course, completely and utterly the wrong thing to do (as was waiting for a couple of months before telling users their accounts had been compromised, but that’s a topic for another rant).

I really like the idea of testing your users’ gullibility and naiveté but be careful of how you follow up after the exercise; this should be a teaching opportunity, not a disciplinary exercise.

If you try this please let me know what you find (if you’d rather not publicly post below, send a message to gearhead@gibbs.com). After that follow me on Twitter, App.net, and Facebook.
