We have a phish test environment, made available by our cybersecurity underwriter. Some of their templates seem dated (and the LinkedIn one was simply unbelievable), so I want to assemble messages that resemble legitimate messages as they currently arrive at our doorstep.
But I'm new at this, so I'm wondering if anything in phishing fair game? If I were to grab legitimate emails from vendors and partners out of the spam filter, and use their visual elements in the phish template builder to create similar-looking bait messages, is that cool? Or is that preying on the trust our employees might have in select transmissions?
Or is it okay, as long as I include the legitimate signature, misspell a word or two, and make a totally bizarre, unbelievable email address?
How do you concoct phish campaigns? Or do you always use the available templates?
--- I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
I say it is fair game as long as you don't use it as a "gotcha" moment. I once worked with a CISO who purposely set up management above him with phishes and then berated them when they clicked on it. I see phishing awareness as two-fold, to decrease the likelihood of an employee falling for a phish as well as, if not the most important aspect of phishing tests, understanding WHY the person clicked on it. If you do not understand the behavior, you will have a hard time changing it.
I had users who clicked on the fake invoices phishes, so I went to them and asked why they clicked on it. "Well it was an invoice, so I HAD to open it. I didn't want the company to get in trouble for not paying it!" But the person involved had nothing to do with paying invoices. I told them that is what the bad guys wanted them to do, feel a sense of urgency or duty to open it and then end up infecting the computer or network. They could then understand that they didn't need to open up invoices or other matters that did not pertain to their job.
Another reason, "It was addressed to me so since they knew my email address, it must be legitimate." No it is not. I showed them the percentage of spam vs legit email and they were shocked. Then I explained how easy it was get email addresses and then showed them the HaveIBeenPwned? website and had them check some of their personal email addresses and sure enough, some of them had been compromised.
You have to pair phishing with other methods. I used to go through the spam filter/quarantine folder to see what was being flagged or caught in there to see how people were misusing company email addresses. I found dating sites, shopping sites, not-safe-for-work sites, etc. I then was able to send out emails to the company reminding them of appropriate use of their company account.
What is your goal for the phishing awareness campaign? Knowing that can help you determine how to proceed.