I talked about how “strengthening human awareness cannot be overlooked”.

The easiest penetration into a corporate network is via phishing email. To validate workforce awareness and readiness to withstand phishing attacks, organizations have started using simulated phishing emails to test who will take the bait, tracking who opens the embedded document or clicks the hyperlink.

This is a good motive, but other surrounding elements need to be considered.

  1. Nowadays, email service providers mark external emails to draw attention to the fact that they come from outside the organization. However, emails generated by internal applications through an SMTP connector carry the same external marker. Unless the corporate email gateway whitelists these SMTP sources, the workforce will be confused about which emails to trust.
  2. Mail headers in simulated emails disclose that the email is a phishing test exercise to “advanced” or “professional” email users who know how to check the SMTP mail headers. This skews the phishing test results, because real phishing emails carry no such identification. We should focus more on the email contents, for example:
  • You registered with LinkedIn using your personal email, but suddenly your company email receives a LinkedIn message about an offer, with a hyperlink. This is obviously fake.
  • An event organizer emails you about a conference, and early-bird registration comes with a free coffee coupon from a chain store. If you are interested in the event, register through the conference's official web site, and do not take the bait of the free coffee coupon.
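To make points 1 and 2 concrete, here is an added example (not code from the original post) that shows the two header checks a mail gateway or a curious user would perform: whether a message should be tagged as external, with an allowlist of internal SMTP connector sources so application mail is not mislabelled, and whether it carries headers that give away a phishing simulation. The organization domain, the relay IP addresses, the header names and the three sample messages are all constructed for illustration; real simulation platforms use their own header names.

```python
"""Inbound mail header checks (added illustration, not from the original post).

Check 1: tag mail as external unless it claims our domain AND arrived through an
         allowlisted internal SMTP connector (so application mail is not tagged).
Check 2: list any header that discloses the message is a phishing simulation.
All domains, IP addresses and header names below are constructed placeholders.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                      # assumed organization domain
INTERNAL_RELAYS = {"10.0.5.20", "10.0.5.21"}    # assumed internal SMTP connectors
SIMULATION_HEADERS = {"x-phish-test", "x-simulation-id"}  # hypothetical names

# Matches the bracketed IPv4 literal in a Received header, e.g. "([10.0.5.20])"
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IP of the host that delivered the message to our gateway.

    Received headers are prepended by each hop, so the topmost one is the
    entry our own gateway wrote and its bracketed IP is the connecting client.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_IP.search(str(received[0]))
    return match.group(1) if match else None


def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def classify(raw_bytes):
    """Return a dict with the external decision and any simulation headers."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    domain = sender_domain(msg)
    hop_ip = connecting_ip(msg)
    claims_internal = domain == ORG_DOMAIN
    via_internal_relay = hop_ip in INTERNAL_RELAYS
    # A From address in our domain alone must not suppress the external tag;
    # it must also have entered through a trusted internal connector.
    external = not (claims_internal and via_internal_relay)
    disclosed = sorted(h for h in msg.keys() if h.lower() in SIMULATION_HEADERS)
    return {
        "from_domain": domain,
        "hop_ip": hop_ip,
        "external": external,
        "simulation_headers": disclosed,
    }


# Constructed sample 1: application mail relayed through an internal connector
APP_MAIL = b"""Received: from hr-portal.internal.example.com ([10.0.5.20]) by mx.example.com with ESMTP; Mon, 1 Jan 2024 09:00:00 +0000
From: HR Portal <hr-noreply@example.com>
To: alice@example.com
Subject: Your leave request was approved

Your request has been approved.
"""

# Constructed sample 2: simulated phishing mail from an outside platform
SIM_MAIL = b"""Received: from mail.phishsim-vendor.test ([203.0.113.10]) by mx.example.com with ESMTP; Mon, 1 Jan 2024 09:05:00 +0000
X-Phish-Test: campaign-42
From: LinkedIn <jobs@linkedin-offers.test>
To: alice@example.com
Subject: A recruiter sent you an offer

Click here to view the offer.
"""

# Constructed sample 3: outside host using a From address in our own domain
SPOOFED_MAIL = b"""Received: from unknown ([198.51.100.7]) by mx.example.com with ESMTP; Mon, 1 Jan 2024 09:10:00 +0000
From: IT Support <helpdesk@example.com>
To: alice@example.com
Subject: Password expiry notice

Please confirm your password.
"""

if __name__ == "__main__":
    for name, raw in (("app", APP_MAIL), ("sim", SIM_MAIL), ("spoof", SPOOFED_MAIL)):
        print(name, classify(raw))
```

The application mail is the only one that escapes the external tag, because it both claims the organization's domain and arrived from an allowlisted connector; the spoofed message claims the domain but comes from an outside address, so it is still tagged. The simulation message is tagged external and its `X-Phish-Test` header is exactly the kind of giveaway point 2 describes, since a real phishing email would carry nothing like it.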
