Recommendations for the Most Effective Baseline Phishing Test
Before you get started with training your users with our security awareness training modules, we strongly recommend that you conduct a blind baseline phishing test to all of your users.
This will show your organization’s initial phish-prone percentage. Consider this your starting point. Over time, you can use this initial phish-prone percentage to measure the success of using our integrated training and phishing platform.
Why Should the Test Be Blind?
We believe you will get the most accurate measure of your company’s vulnerability to phishing attacks by not announcing the baseline assessment to anyone other than your stakeholders. If this were a real phishing attack that made it through your email filters, you would see how many employees would actually fall for it. Brace yourselves, this can be a scary number sometimes!
To Prevent Help Desk Overload, Phish Your IT Team First!
Another option you may want to consider is to send two baseline assessments: one to your IT/Help Desk department first, and then a separate one to the rest of your employees afterward. This way, when the rest of your employees begin reporting the suspicious email, your Help Desk employees will be aware of the situation but will also have had the chance to participate in the baseline assessment. In addition, this is a great way to ensure you’ve whitelisted our mail servers effectively, and that your baseline test will reach everyone’s inbox.
Recommended Settings for Baseline Test
You can set up your baseline phishing test under the Phishing tab of your console by clicking the "+Create Campaign" button. The recommended settings for an effective baseline test are below:
- Name: Baseline Test
- Deliver to: All Users
- Frequency: One time
- Start time: Select the day/time.
  - The time should be when users are actively checking email.
- Sending: Send all emails when the campaign starts.
  - This ensures that users will not have time to warn each other that a phishing test is being conducted.
- Track Activity: Choose at least 3 days.
- Track Replies: This setting is optional. For more information about reply-to phishing, see our Reply-To Product Manual.
- Categories: IT --> select the template 'Change of Password Required Immediately'
  - Don’t want to use this template? Make sure you use a template that is generic and will apply to each employee within your organization. See more tips here.
- Phish Domain: messaging-security.comano.us, or another choice which looks "safe" to click on.
- Landing Page: You have several options here. Review this article (How to Choose a Landing Page) before selecting your landing page.
- Send email report: Checked
  - An email report will be sent to the admins on your account once the test is completed.
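As an added illustration (not part of this article or of the vendor's platform), here is one way to turn a campaign activity export into the phish-prone percentage that the baseline test establishes, and to compare it with a later campaign. The CSV layout, column names and action labels are assumptions, and the rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not a real campaign): one row per user action.
# Column names and action labels are assumptions, not the vendor's format.
SAMPLE_CSV = """campaign,email,action
Baseline Test,alice@example.com,delivered
Baseline Test,alice@example.com,clicked
Baseline Test,alice@example.com,data_entered
Baseline Test,bob@example.com,delivered
Baseline Test,bob@example.com,reported
Baseline Test,carol@example.com,delivered
Baseline Test,carol@example.com,replied
Baseline Test,dave@example.com,delivered
Baseline Test,erin@example.com,bounced
Q2 Test,alice@example.com,delivered
Q2 Test,alice@example.com,reported
Q2 Test,bob@example.com,delivered
Q2 Test,carol@example.com,delivered
Q2 Test,carol@example.com,clicked
Q2 Test,dave@example.com,delivered
"""

# Actions treated as "falling for" the phish. A user who takes several
# failing actions (clicked, then entered data) is still counted once.
FAILING_ACTIONS = {"clicked", "data_entered", "replied", "attachment_opened"}

def summarize(csv_text):
    delivered, failed, reported = defaultdict(set), defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        camp, user, action = row["campaign"], row["email"].lower(), row["action"]
        if action == "delivered":
            delivered[camp].add(user)
        elif action in FAILING_ACTIONS:
            failed[camp].add(user)
        elif action == "reported":
            reported[camp].add(user)
    results = {}
    for camp, users in delivered.items():
        # Only users who actually received the email form the denominator;
        # counting bounced recipients would make the organization look more resilient.
        n = len(users)
        results[camp] = {
            "delivered": n,
            "phish_prone_pct": round(100 * len(failed[camp] & users) / n, 1),
            "reported_pct": round(100 * len(reported[camp] & users) / n, 1),
        }
    return results

def phish_prone_change(results, baseline, later):
    # Percentage-point change from the baseline; negative means improvement.
    return round(results[later]["phish_prone_pct"] - results[baseline]["phish_prone_pct"], 1)
```

Clicks are not the only failure worth tracking: with Track Replies enabled, a reply to the lure counts against the user just as a click does, and the reported percentage shows whether users are starting to use the reporting path instead.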