Accepting the role as the Phishing Education Rep for the top branded credit card company in the world was a dream job. In this role I would get to send out simulated phishing emails to the enterprise to teach about the dangers of phishing. Some would think it would be fun to trick all the employees, contractors and vendors into clicking links in the various scenarios. Perhaps one of the reasons I was placed in this role is the fact that it did not give me joy to see others click links in our simulated scenarios. It gave me a passion to figure out how we can effectively educate our employees, contractors and vendors on how dangerous clicking the link could be to the company, their brand and to the future career of that individual, especially if they were responsible for the headline news of a security breach.

I can tell you that on phishing days, the fact that I had the power to make someone's day, or ruin it, was a huge responsibility, and I took it very seriously. When someone clicks a link, although we communicate that "it's okay, it's just a training exercise," a fear still comes over the individual that they've done something wrong. If, during a scenario, someone I knew personally took a negative action and clicked a link, I would use the utmost discretion as I navigated around the workplace and interacted with them. In this role, it's very important not to bring up the subject's action, even in teasing fun. It's also very important not to discuss any details or results of upcoming scenarios or completed campaigns with anyone, with the exception of designated leadership.

Although it is commonly recommended that 90-day phishing cycles work best to keep the enterprise engaged, I personally would recommend a monthly phish. This will keep users regularly engaged and at the top of their game when they encounter links in emails. Keep the phishes simple in the beginning. Encourage open communication among peers in groups and meetings. As users become committed to keeping their company safe, they will engage and encourage the same behavior in their coworkers. Whether people acknowledge it or not, they often do things to earn praise from friends and coworkers.

My recommendations for keeping users security aware at all times:

  • Phish the enterprise monthly
  • Post security slogans on posters throughout the workplace
  • Post interactive videos on the company intranet site
  • Email the monthly OUCH! Newsletter from www.securingthehuman.org to user inboxes
  • Encourage users to come up with their own creative solutions to promote security awareness, and reward material submissions