In this guide, we’ll cover the essentials of risk-based phishing and walk you through the steps to set it up. This innovative approach allows you to tailor phishing campaigns to your users' ability to detect phishing attempts, making your training more relevant and effective.
What Is Risk-Based Phishing?
Risk-based phishing is powered by machine learning, which assigns each user a 'Phish Risk' score. The scores range from 0 to 100, where:
- 100 indicates the highest risk,
- 0 indicates the lowest risk.
Each time you run a phishing simulation, a user either avoids the phishing attempt, lowering their risk score, or falls for it, raising their score. Over time this builds a per-user profile from their interactions with phishing simulations. How Phish Risk is calculated is covered in a separate article.
Dynamic Employee Lists
CanIPhish uses dynamic employee lists to facilitate risk-based phishing. These lists update automatically every day, sorting employees into Low, Medium, and High Risk lists based on their interactions with phishing simulations.
Before you perform risk-based phishing, it’s essential to run some baseline phishing tests. These provide the machine learning algorithm with enough data to build accurate user profiles.
Step-by-Step Setup
1. Create Low, Medium and High-Risk Dynamic User Lists
- Navigate to the Employees tab and click on New Employee List.
- Name your list something meaningful, such as "Low Risk Employees."
- Select Dynamic Employee List, and choose Low/Medium/High for the risk score.
- Select the source employee list the dynamic list will draw from (e.g., "All Employees"); only users in that list are eligible for your risk-based campaigns.
- Optional but recommended: click Sync Dynamic Target List to pull in the users who currently match the selected risk level.
Note: If no users currently match, the sync will report an error. This can be safely ignored: users move in and out of these lists as their risk scores rise and fall.
2. Create Relevant Campaigns and Attach Your Dynamic Lists to Them
- Creating a risk-based campaign is exactly the same as creating a regular campaign. If you want to read more about campaign setup, head to the dedicated article. The key step is in "Initial Setup & Employee Selection": make sure to select your Dynamic Employee List in the "Select Employees" section.
- Recommendation: Risk-based phishing is designed to be run as recurring campaigns. Your dynamic employee lists keep updating as users interact with the platform, so each time the campaign rolls around it is sent to whoever is in the Dynamic Employee List attached to it at that moment.
Our Suggested Setup
We recommend running three concurrent campaigns: one for low-risk users, one for medium-risk users, and one for high-risk users.
Low-risk users should be targeted on a quarterly basis with the most challenging phishing simulations. This will help keep them engaged without overwhelming them with frequent exercises, as they've already demonstrated proficiency in spotting phishing attempts.
Medium-risk users should receive monthly campaigns featuring content of moderate difficulty.
For your high-risk users, we suggest weekly campaigns with easier-to-spot phishing attempts. This will give them the chance to gradually build up their skills and address the most pressing security risks to your organization.
Each time a campaign runs, users have the opportunity to reduce their risk scores, so those in the weekly campaigns shouldn't remain there for too long. The goal is for all users to eventually move into the low-risk, quarterly campaigns.
Recurring campaigns run for one year. Set a reminder to check back after a year and set them up again.
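To make the list mechanics concrete, here is an added toy model (not CanIPhish code; the real Phish Risk score comes from a machine-learning model whose rules are not published on this page). It assumes a fixed score change per simulation outcome (+20 for falling for a phish, -10 for avoiding it, clamped to 0..100) and assumes bucket thresholds of Low <= 33, Medium 34..66, High >= 67; both are illustrative assumptions, not the platform's values. It replays a constructed set of simulation results, rebuilds the three dynamic lists the way a daily sync would, and maps each list to the cadence and difficulty suggested above. The empty-list case from the note in step 1 is handled as a normal result rather than an error.

```python
"""Toy model of risk-based phishing list membership.

Added example, not CanIPhish's own code. Score deltas, thresholds
and sample users below are constructed assumptions for illustration.
"""
from enum import Enum


class Risk(str, Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"


# Suggested setup from the article: (cadence, simulation difficulty) per tier.
CAMPAIGN_PLAN = {
    Risk.LOW: ("quarterly", "hard"),
    Risk.MEDIUM: ("monthly", "moderate"),
    Risk.HIGH: ("weekly", "easy"),
}

FALL_DELTA = 20     # assumed score increase when a user falls for the phish
AVOID_DELTA = -10   # assumed score decrease when a user avoids/reports it
LOW_MAX = 33        # assumed upper bound of the Low bucket
MEDIUM_MAX = 66     # assumed upper bound of the Medium bucket


def clamp(score: int) -> int:
    """Keep the score inside the 0..100 range described in the article."""
    return max(0, min(100, score))


def update_score(score: int, fell_for_it: bool) -> int:
    """Apply one simulation outcome to a user's current score."""
    return clamp(score + (FALL_DELTA if fell_for_it else AVOID_DELTA))


def bucket(score: int) -> Risk:
    """Map a 0..100 score onto the Low/Medium/High dynamic lists."""
    if score <= LOW_MAX:
        return Risk.LOW
    if score <= MEDIUM_MAX:
        return Risk.MEDIUM
    return Risk.HIGH


def build_dynamic_lists(scores: dict) -> dict:
    """Rebuild all three lists from current scores (what a daily sync does)."""
    lists = {tier: [] for tier in Risk}
    for user, score in sorted(scores.items()):
        lists[bucket(score)].append(user)
    return lists


def campaign_recipients(scores: dict, tier: Risk) -> list:
    """Recipients of the recurring campaign for `tier` when it next runs.

    An empty list is a legitimate result, not an error: nobody currently
    sits in that tier, so that cycle simply goes to no one.
    """
    return build_dynamic_lists(scores)[tier]


def replay(initial: dict, results: list) -> dict:
    """Apply (user, fell_for_it) outcomes in order; unknown users start at 50."""
    scores = dict(initial)
    for user, fell in results:
        scores[user] = update_score(scores.get(user, 50), fell)
    return scores


# Constructed sample: scores after a few baseline tests.
BASELINE = {"alice": 20, "bob": 50, "carol": 80}
# Constructed follow-up: carol avoids four weekly phishes, bob falls for one.
FOLLOWUP = [("carol", False), ("carol", False), ("bob", True),
            ("carol", False), ("carol", False)]


if __name__ == "__main__":
    final = replay(BASELINE, FOLLOWUP)
    for tier, users in build_dynamic_lists(final).items():
        cadence, difficulty = CAMPAIGN_PLAN[tier]
        print(f"{tier.value:>6} list ({cadence}, {difficulty}): {users}")
```

With these assumptions carol drops from the High list to the Medium list after four avoided phishes and would next receive the monthly campaign, while bob's single click moves him from Medium to High and onto the weekly cadence; that is the "users fall in and out of these lists" behaviour the note in step 1 refers to.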