OSPA 2017 Award Winning Think Before You Click Phishing Simulation Campaigns

Education and reinforcement are at the heart of 'Think Before You Click'® rather than punishment, as both the victim's and the attacker's perspectives are highlighted to give staff a well-rounded basic knowledge of the topic.

Think Before You Click can be broken down into three core elements:

Initial Communication - which develops a two-way dialogue between an organisation and its staff to establish the most effective path forward. Doing this ensures key learning points are embedded within staff culture and simple, yet practical changes are implemented into daily email routines.

Phishing Simulations - A series of tailored phishing simulation emails sent to all targeted staff that mirror realistic phishing attacks in a controlled environment.

Education - An educational module which makes use of humour, animation and dedicated landing pages that redirect victims to immediate training that is delivered at the point of attack.

TBYC Phishing Simulation Campaign Includes

  • Initial assessment to ascertain level of risk
  • Campaign communications to educate and engage employees
  • Spear phishing exercise of varying complexities
  • E-learning module targeted at susceptible employees
  • Comprehensive closure report and risk analysis

Campaign Benefits

  • Measure the level of risk within your organisation
  • Identify weak spots within your workforce
  • Strengthen a business case for ISA
  • Raise phishing awareness
  • Reduce complacency and risk
  • Track improvements and quantify campaign effectiveness

What are the Modules Covered?

Worried about having your details stolen? Malware installing itself on your computer? Wise up, and stay clear of being a victim of a phishing scam with Bob’s ‘Think Before You Click’® module. Learn about identifiable traits of a phishing scam and how to deal with them.

This module covers…

  • What a phishing scam is
  • How to identify one
  • What you should do if you come across one

There are five stages to Bob

Stage 1 - Baseline Assessment

The initial baseline exercise will allow you to gauge the knowledge base of users, the level of threat phishing poses to your organisation, and enable you to see behavioural change through the statistics and reporting provided.

Stage 2 - Initial Awareness

A tailored Think Before You Click (TBYC) communication plan is provided to the client to generate initial campaign awareness and create momentum. Included within this resource pack are: videos recorded with subject matter experts in a variety of formats for internal display, real-life case studies, banners, posters and other support materials to allow for a sustainable and engaging awareness campaign.

Stage 3 - Phishing Simulation

Tailored and targeted phishing emails will invite users to select links within the email. Templates of varying complexity will be generated for this phase of the campaign, tailored to the customer's business profile, interests and requirements. Upon selecting the link, users will be directed to an in-depth training module, complemented with creative content and visuals to reassure them that the exercise is positive and no harm is done. 1

Stage 4 - Training Exercise

The 10-15 minute training module will provide an overview of phishing attacks, how to pick up on key characteristics and how to effectively mitigate the risk of falling foul of an attack. The training module contains a short animation featuring our signature mix of Bob's Business characters, and is backed up with video case studies which ensure that the dangers of phishing attacks are illustrated to users in a way which is relevant to their work and home life.

Key learning points:

● What is phishing and spear phishing
● How to identify a phishing attack
● How to effectively mitigate the risk of falling foul of an attack

Stage 5 - Reporting and Recommendations

There will be a number of reports provided throughout the simulated phishing aspect of the campaign:

● Weekly reports - Information provided will comprise the number of emails sent, delivered and clicked (including the number of clicks).
● Final report - This comprehensive report will allow you to highlight specific areas in your organisation which would benefit from further training.

1 The only details which are stored are the vulnerability hotspots; your users' credentials will not be stored or processed. The report will provide comparisons of the information gleaned throughout the campaign and will include conclusions and recommendations.

This campaign is an extension of the 'Think Before You Click'® campaign, designed for clients who have seen the positive impact of the original campaign but see the need to build on that success to further reduce vulnerabilities and threats. In a similar vein to the initial 'Think Before You Click'® campaign, TBYC+ is an engaging training exercise that couples the risk of phishing with key lessons around cyber security, the importance of protecting organisations' data and spotting vulnerabilities.

Bob’s Business will develop a range of phishing simulation templates that can link seamlessly to additional training around password management, identity theft, social media, web protection, viruses and malware.

There are four stages to Bob

Stage 1 - Phishing Simulation

Tailored and targeted phishing emails, constructed around specific topic areas, will be issued to users, inviting them to take various actions depending on the topic area covered within the email. The only details which are stored are the vulnerability hotspots; user credentials will not be stored or processed.

Stage 2 - Template Analysis

At this stage users will be directed to a landing page customised to reflect client branding and style. This landing page will demonstrate the identifying markers within the phishing email, which will provide the users with an analytical view on what caused them to fall foul of the malicious email and what to look out for next time.

Stage 3 - Training Exercise

The training exercise will provide an overview of phishing attacks and drill down further into the risks associated with phishing, i.e. theft of login details, download of malware and siphoning of information to steal identities. Please see the suggested topic areas below.

Stage 4 - Reporting

Bob's Business will provide comprehensive reporting which allows the client to highlight specific areas in the organisation which would benefit from further training.

Perfect Passwords

Tailored phishing templates will primarily focus on information disclosure through login credentials and will invite users to divulge sensitive information. Users will learn that fraudsters often use data gathered in this manner to gain access to sensitive information and accounts, why passwords should be protected and how to use these keys to their systems to best advantage.

Key Learning Points of training module:

● The importance of keeping the keys to systems secure
● The dangers associated with divulging details
● Tips on how to store and create passwords

Email Etiquette

A template built to raise awareness of the importance of adhering to company email guidelines: an internal email containing sensitive information relating to payroll, with a number of email addresses in the 'To' field, will be deployed to users. This training exercise will educate users on how the information gained by fraudsters can be used for spamming; as well as this, users will learn how to identify fake email signatures appearing to be those of reputable organisations.

Key Learning Points of training module:

● The dangers of using ‘Reply to all’
● The importance of a legal disclaimer
● How to behave appropriately when using corporate email

Identity Theft

Criminals only need a few pieces of critical information to assume the digital identity of another person or organisation. The Identity Theft centred phishing email will invite your staff not only to divulge sensitive account information, but also to give away the answers to security questions. In the associated training module users will learn the importance of keeping the answers to their security questions secret, not to disclose this information via social media, and how to identify a phishing email.

Key Learning Points of training module:

● The importance of keeping security details a secret
● How to use social media security settings to ensure the answers to your security questions aren’t made public
● Understanding what personal details could enable an incident of Identity Theft to occur

Virus Vigilance

The Virus and Malware focussed phishing email entices users to download an executable file which, were the download genuine, could cause a considerable amount of damage to your business systems and reputation. This training exercise is designed to ensure that users are aware of the dangers that accompany downloading unknown files and clicking on links in emails from unknown senders.

Key Learning Points of training module:

● The dangers of clicking on attachments in emails
● How to identify a malicious email and attachment
● The importance of security software

Web Woes

The Online Threats phishing email entices users to click on a questionable web link, which will take them to a site mimicking a well-known and reputable organisation, with an invalid HTTPS certificate. This exercise will educate users on how to spot links within emails which appear to go to a legitimate and familiar site but are actually redirected elsewhere. Users will also become aware of how to properly identify websites with a valid HTTPS certificate.

Key Learning Points of training module:

● How to check web links to ensure that they don’t redirect to a malicious site
● What is HTTPS and the importance of not submitting information to unsecured sites

Social Media

The social media focussed phishing campaign will arrive in the form of an email from a reputable social networking platform, such as LinkedIn. This exercise will invite your users to update settings such as birthday, phone number and email address. Information of this kind is often misconstrued as non-damaging; this training module will educate your users on how such data can be used for fraudulent purposes, what constitutes sensitive information and the importance of maintaining the security of this data.

Key Learning Points of training module:

● How to use privacy settings effectively
● How social media can cause a leakage of valuable business information
● What information should and shouldn’t be readily available on social media accounts
Bob's Business Copyright Statement

IS Know How is a Silver Partner of Bob's Business and as such, has agreement to make use of the various content and materials during the course of ISKH's business. All materials, including content, graphics including 'Bob' themed images, code text and design are controlled by Bob’s Business Ltd. 2011 - All rights reserved, except where otherwise indicated. All requests for use from external parties should be directed to Bob's Business.