This introduction will take you through the setup and ongoing management of running phishing simulation and security awareness training campaigns. Before setting up your first campaign, we recommend you configure allowlisting on your email collaboration platform.
Table of Contents
-
1. Campaign types
-
2. Campaign functionality deep-dive
-
3. Campaign reporting
-
4. Campaign Actions
-
5. Frequently Asked Questions
1 Campaign types
CanIPhish support three types of campaigns:
- Simulated Phishing: Employees are sent simulated phishing content to identify those who fall for the phish.
- Security Awareness Training: Employees are sent training modules which contain a mixture of educational content and quiz questions. This campaign type will assign trainings to employees immediately after the campaign is saved.
- Simulated Phishing & Security Awareness Training: Employees are sent simulated phishing content, those who fall for the phish are auto-assigned training modules.
1.1. Simulated Phishing Payloads
CanIPhish support the following types of simulated attacks as part of its simulated phishing exercises:
Phishing Attachment | An attachment attack directs your users to open/execute an attachment. |
Credential Compromise | A credential compromise attack utilises a phishing link and directs your users to a landing page that looks like a login/data entry screen. We then attempt to trick your users into entering sensitive information. |
Reply-To | A reply-to attack entices the victim to provide a response. This type of attack is often more complex in nature and the victim is eventually enticed to perform an action that will ultimately benefit the attacker. |
1.2. Security Awareness Training Modules
Employees assigned training modules must achieve a passing score before the modules can be marked off as complete. Assignments become overdue after a period of 14 days and reminders are sent to the learner every 3-5 days over a period of 4 weeks. See our list of security awareness training topics.
2. Campaign functionality deep-dive
-
Campaign Page Options:
- New Campaign: A multi-tab interactive campaign creation tool. Designed to provide a walkthrough experience for campaign creation, providing recommendations during the creation process.
- View Campaign: Provides real-time campaign statistics and reporting options.
- Update Campaign: Provides the ability to view and update the back-end configuration used to create the initial campaign (e.g. targets, phishing profiles, schedule, etc.)
- Duplicate Campaign: Provides the ability to duplicate the campaign but give it a new name. The only configuration that isn't copied is the campaign schedule. Any duplicated campaigns will have their schedule set to "Schedule Later". You can then update the duplicated campaign and set your preferred delivery schedule.
- New Employee Sync: Provides the ability to seamlessly sync new employees to existing campaigns whenever a new employee is added to an employee list in-use by the campaign. If enabled, new employees will receive training or phishing within 1-2 minutes. This feature is only needed for campaigns that are already in-flight (e.g. the phishing/training material has already been delivered) and you would like to include the new employee after this initial send. For future-dated or recurring campaigns, new employee's will automatically be synced at the time of delivery (regardless of whether this feature is enabled or disabled). For examples of when this feature is/isn't required, please see Appendix - New Employee Sync.
- Delete Campaign: Provides the ability to delete a campaign entirely. Note that if a campaign was successfully completed or in-progress with atleast 1 email being delivered, the campaign statistics are retained and viewable in the 'Reporting' page.
-
Campaign Management
- Campaign Name: The name given to the campaign.
- Campaign Type: Type of campaign scheduled. Either a Simulated Phishing, Security Awareness Training or Simulated Phishing and Security Awareness Training campaign.
- Delivery Status: The current delivery status - 100% delivered indicates campaign completion.
- Scheduled Date: The 1-5 day date-range in which campaign emails will be delivered (e.g. Monday - Friday). Emails delivered over a date-range are prorated over the days (e.g. 500 emails scheduled over 5 days, will result in 100 email deliveries a day).
- Recurring Campaigns:
- Scheduled Time: The 24 hour time-range in which campaign emails will be delivered (e.g. 9am - 4pm). Emails delivered over a time-range are prorated over the day (e.g. 100 emails scheduled for a day over a 5 hour period, will result in 20 email deliveries an hour).
- Next Delivery: The minutes/hours/days until the next batch of emails will be delivered.
- Action: Provides options to Update or Delete an Active Campaign
-
Campaign Setup/Update
- Campaign Name: The name given to the campaign.
- Campaign Type: The type of campaign to be scheduled.
- Target Employee(s): The employee lists that will be phished as part of the campaign.
- Mail Server: The mail instance to be used for the campaign. By default this will be the native 'CanIPhish' mail instance, however this can be outsourced to a user provided mail instance.
- Campaign Tags: Optional field for tag-based campaign tracking. Useful for limiting access to users with the "Tenant Reporter" role. Simply type a word and hit enter or space to input it.
- New Employee Sync: Provides the ability to seamlessly sync new employees to existing campaigns whenever a new employee is added to an employee list in-use by the campaign. If enabled, new employees will receive training or phishing within 1-2 minutes. This feature is only needed for campaigns that are already in-flight (e.g. the phishing/training material has already been delivered) and you would like to include the new employee after this initial send. For future-dated or recurring campaigns, new employee's will automatically be synced at the time of delivery (regardless of whether this feature is enabled or disabled). For examples of when this feature is/isn't required, please see Appendix - New Employee Sync.
- Phishing Material: Multiple phishing bundles can be associated to a single campaign. If multiple bundles are specified, users will at random receive one of the specified bundles.
- Sender Profile: The sender profile includes the Email From (e.g. support@attacker.com) and Email Display Name (e.g. Cloud Support) that a target will receive the phishing material from.
- Phishing Email: The phishing email includes the email body (e.g. all the content you normally see in an email) and any email attachments.
- Phishing Website: The phishing website includes the landing page that a user is directed to if they click a phishing link.
- Training Module(s): Multiple Training Modules can be selected as part of a campaign. Trainings can be assigned under two configurations:
- Intelligently assign one of the selected trainings: CanIPhish will assign the training that best suits the learner based on their skill level (i.e. Security IQ), trainings already assigned, and trainings completed in the prior 12 months. An order of preference is used to determine the most applicable training:
- CanIPhish will avoid assigning any training the employee completed in the past 12 months and already has assigned. Of the remaining trainings, CanIPhish will attempt to select a training that has the same skill level has the employee, if none are available, then another skill level is used.
- If no trainings are found using the first assignment criteria, then CanIPhish will remove the filter to exclude trainings recently completed by the employee.
- If no trainings are found using the second assignment criteria, then CanIPhish removes all filters and simply assigns a training that is the same or of a similar skill level.
- Assign all of the selected trainings at once: CanIPhish will assign all selected trainings to all employee.
- Intelligently assign one of the selected trainings: CanIPhish will assign the training that best suits the learner based on their skill level (i.e. Security IQ), trainings already assigned, and trainings completed in the prior 12 months. An order of preference is used to determine the most applicable training:
- Delivery Schedule: A future date-range by which a phishing campaign should start and end.
- Schedule (Between Days): The 1-5 day date-range in which campaign emails will be delivered.
- Schedule (Between Times): The 24 hour time-range in which campaign emails will be delivered.
- Schedule (Time Zone): The timezone to use for campaign delivery dates and times.
- Campaign Frequency: Campaigns can be scheduled to send one-off, monthly or quarterly. If campaigns are scheduled to recur, it's highly recommended that multiple template bundles are used to avoid users receiving the same material every month/quarter.
- Send Test Email: A test phishing email is sent to a specified email.
3. Campaign reporting
The status of a campaign can be viewed by clicking the 'View Campaign' hyperlinks within the 'Campaign Name' table column. Viewing a campaign provides you with all necessary information as to which employees have been targetted to-date and whether emails have been delivered or trainings assigned
3.1. Simulated Phishing Campaign Reporting
If email delivery has been successful, you then get a full picture on the overall success of the phishing material delivered - with indicators around who has viewed an email, clicked the relevant link and/or been compromised by either entering their credentials in a phishing website or executing a potentially malicious file.
Viewing a campaign, provides you with the following information and reporting capabilities:
-
Campaign Statistics:
- Email Address: The email address targetted
- Email Delivery: The status of email delivery. Email delivery is either "Success" or "Failure"
- Email Delivery Date/TIme: The date and time that the phishing email was delivered
- Email Viewed: The "True" or "False" status of whether the phishing email was viewed/opened.
- Email View Date/Time: The date and time that the phishing email was viewed/opened.
- Email Clicked: The "True" or "False" status of whether the phishing link was clicked.
- Email Click Date/Time: The date and time that the phishing link was clicked.
- Target Compromised: The "True" or "False" status of whether the target has been compromised. Either through the entry of data in a phishing website or execution of an email attachment.
- Compromise Date/Time: The date and time that the target was compromised.
- Sender Profile: The sender profile name used to deliver the phishing material.
- Email Template: The email template name used to deliver the phishing material.
- Website Template: The website template name used to deliver the phishing material.
-
Reporting:
- Print: Print the campaign statistics in a table format.
- PDF: Display the campaign statistics in a PDF with table formating.
- Excel: Downloads the campaign statistics in a excel document.
- CSV: Downloads the campaign statistics in a csv document.
- Copy: Copies the campaign statistics into the clipboard with tabular formating.
3.2 Security Awareness Training Campaign Reporting
If employees are assigned trainings, you will then get a full picture as to how they're tracking with module completion - with indicators on when the module was assigned, what their best score has been, and how many attempts they've had among other statistics.
-
Campaign Statistics:
- Email Address: The email address of the targetted employee
- Training Module: The name of the training module assigned to the employee.
- Date Assigned: The date that the training module was assigned to the employee
- Attempts: Number of attempts taken so far to complete the training module
- Score: Best score achieved by the employee for this training assignment
- Score Date: Date of the best score achieved by the employee for this training assignment
- Passing Score: Minimum score required before the assignment can be marked as complete.
- Status: Can either be "Complete", "Not Attempted", "Error - Domain Not Verified", "Error - Quota Limit Exceeded", "Not Passed" or "Overdue"
4. Campaign Actions
CanIPhish supports various employee-by-employee campaign modifications that can be made to active campaigns. These include:
- Phishing Campaigns
- Delete Employees: Perhaps an employee is no longer with the business or was accidentally included. You can now remove them without issue.
- Resend Emails: There may have been a temporary delivery error, such as a domain not being verified, quota being reached, etc. By resending the email, the user will be reintroduced to the campaign.
- Mark False Positive Phish Clicks: Perhaps an employee self-reports that they used a sandboxing service to open a phishing link, instead of directly clicking it themselves. This can be verified through the use of click evidence.
- Training Campaigns
- Delete Employees: Perhaps an employee is no longer with the business or was accidentally included. You can now remove them without issue. This will remove the training assignment for the employee.
- Reassign Training: There may have been a temporary assignment error, such as a domain not being verified, quota being reached, etc. By reassigning the training, the user will be reintroduced to the campaign.
- Auto-Complete Training: Perhaps an employee has a legitimate reason for not needing to complete a training and should be marked as complete with a 100% passing score.
5. Frequently Asked Questions
- If I select multiple phishing emails, will each employee receive multiple emails? No. At the time of delivery, we randomly select one of the phishing emails specified during campaign setup. We then deliver each employee a random email. This helps ensure that no two employees receive the same email and warn their colleagues of the upcoming phishing test.
- If I assign the same training module to the same employee back-to-back twice, will they need to complete that training module twice? No. We have built-in functionality which checks if an employee already has an active training assignment for a given training module. If this occurs, we won't re-assign the training, we'll instead track the status of the already assigned training across multiple campaigns.
- How do employees access their training modules to complete them? At the time of assignment, we will send employees an email which contains all the information they need. We'll send across their username, an access token, login URL (https://learn.caniphish.com/Platform/Login) and an overview of which training modules have been assigned.
- How long do employees have to complete a training module? All modules must be completed within 14 days of assignment. If a module isn't completed, we'll mark the assignment as Overdue until the employee obtains a passing score.
- Are employees sent reminders of which training modules they have assigned and when they are due? Yes. We will send reminders to employees on days 6, 10, 14, 16, 18, 20, 22, 26, 30, 35, 40, 48 and 60. If an employee doesn't complete a training module after Day 60, we will stop sending reminders.
- What address will reminder emails come from and do I need to setup email allowlisting? Emails will appear to come from noreply@learn.caniphish.com (unless you have setup white-labelling and your own domain is in-use). We do recommend that these emails are allowlisted as they will likely end up in employee Junk/Spam folders if not.
Phishing is one aspect of promoting a culture of cyber awareness. Don't forget to run periodic training campaigns, along with other forms of employee awareness exercises.
Appendix - New Employee Sync
Below are a couple example use-cases demonstrating when new employee syncing is/isn't required.
Example 1: Annually Recurring Security Awareness Training Campaign
For annually recurring security awareness training campaigns, we recommend enabling new employee syncing.
Why? Without New Employee Syncing enabled, new employees would only receive the necessary training at the next occurence of the campaign - which could be 1 year away! This would leave new employees vulnerable and potentially go against your compliance or regulatory requirements.
Example 2: Monthly Recurring Security Awareness Training Campaign
For monthly recurring security awareness training campaigns, employee syncing is not required.
Why? Without New Employee Syncing enabled, new employees would at most need to wait 1 month to receive the training. Regardless of new employee syncing being enabled/disabled, we will always sync new employees for future occurences of a campaign - the sync option only impacts the currently in-flight occurence of a campaign.
Best Practice Approach: Create a separate campaign for new employees called "New-Employee-Training" which is a one-off campaign that has New Employee Syncing enabled. Why? In many cases, monthly campaigns are used to maintain existing employees' level of knowledge (e.g., assigning 1 training every month). However, new employees need to rapidly upskill! By creating a separate dedicated campaign just for new employees, you can bulk assign multiple trainings so they can be rapidly brought up to speed. Then they can maintain this knowledge by seamless inclusion into the next occurence of the monthly campaign.
Comments
0 comments
Please sign in to leave a comment.