The Process of a Phishing Test

We offer a range of phishing tests tailored to meet the specific needs of your organization. Each phishing test is conducted in three distinct phases:

  1. The preparations
  2. The test itself
  3. The wrap-up

It is important to note that the details of each phase may vary depending on the type of phishing test you choose.

Phase 1: The preparations

The preparation phase focuses on selecting the right scenario and fine-tuning it to align with your organization’s style and requirements. In every type of phishing test, this phase aims to create a realistic and targeted simulation. However, the level of customization may differ. For example, in a semi-tailored test, the website used for the simulation is predetermined and cannot be changed. In a tailored test on the other hand, custom pages or websites are built specifically for your organization’s scenario.

During the preparation phase, the following steps are involved:

  1. We require a list of email addresses, names, and, if applicable, usernames. This ensures that all colleagues are included in the test.
  2. We schedule a meeting, either through phone or a virtual communication platform, to get to know each other, select the appropriate scenario, and address any questions or concerns. During this meeting, we also discuss which person from your organization will “supposedly” send the email and involve them in the preparations.
  3. We develop a concept scenario that can be tailored to meet your specific needs. We provide advice on the text to keep it as realistic as possible. In fully tailored tests, we create a website that closely resembles a genuine webpage of your company. To ensure a highly effective learning experience, the website is intentionally designed to have subtle clues that astute colleagues can identify as indicators of a phishing attempt
  4. Before commencing the test, we conduct a trial run involving all participants in the preparation phase. This ensures that all emails are successfully delivered and received during the real test. In some cases, we may request adding the email address used for the phishing email to the organization’s email whitelist, ensuring smooth delivery during the real test.
  5. We also prepare the person who will “send” the phishing email or the ICT department. We equip them with the necessary information on how to handle inquiries from colleagues who may contact them regarding the phishing email. This ensures a seamless and educational experience for all participants.
  6. After all of these steps are completed, we can choose a starting date and time.

Phase 2: The test itself

On the day of the phishing test, we make contact 30 minutes in advance to ensure that all parties involved are prepared. It is possible that individuals from the ICT department or the designated “sender” of the phishing email receive inquiries, so they need to be ready to document any contacts made. Once the test is started, we always send an email. Additionally, at the end of the day, we provide an initial interim report that provides insight into how individuals have responded to the phishing email. This report includes details such as who replied to the email, who clicked on the link and who has given a password.

Ideally, individuals who identify the phishing test will only reach out to the ICT department or the “sender” of the mail. During a real phishing attack, this would trigger an immediate notification throughout the ICT department. However, it is important to note that we cannot entirely prevent individuals from independently issuing warnings. The ICT department typically possesses more knowledge and can respond more effectively. Occasionally, individuals may still choose to issue warnings on their own accord. This occurrence does not imply a failure of the phishing test, as valuable information can still be obtained from the moment of the initial report. Specifically, this information measures the effectiveness of reading the notifications and whether everyone has been alerted. It is almost always the case that new data continues to be collected even after the initial report is made.

Phase 3: The wrap-up

After the test is initiated, new data often continues to be collected for several days. Consequently, it is essential to choose an appropriate end date for the test to have a good learning effect. We therefore closely monitor the incoming data and maintain constant communication with you to determine the optimal end date. This end date is based on the phishing test’s progression and the desired effect. 

Additionally, we provide a customizable form that can be shared with all employees of the organization. The primary purpose of this form is to create a positive learning experience and provide a comprehensive overview of the test. It includes information about the objectives, the reasons behind conducting the phishing test, and the valuable lessons learned. This form serves as an initial learning opportunity, but we strongly recommend complementing it with training, especially for the individuals who did not pass the test. 

We also provide a second interim report and a final report. The final report can be discussed within the company, as it does not contain any personal data. The personal data will be sent to you in a separate document. 

Upon completion of these steps, the test is fully concluded. To maintain vigilance among colleagues, we recommend conducting at least one phishing test per year, with two tests being optimal. If the test is well-received within the organization and if there is interest, we can schedule a follow-up meeting to discuss the possibility of a retest.