Employee Cyber Security Testing -- fake Phishing emails

I want to start doing yearly
Employee Cyber Security Testing
by sending fake Phishing emails to
everyone, then tracking which employees
failed to pick which ones were Phishing scams.

Below are some options.

Do you have any other recommendations ?

http://www.securingthehuman.org/phishing
https://www.opendns.com/phishing-quiz
http://www.phishingbox.com
finance_teacherAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gheistCommented:
Hire somebody outside. I assume you can create mail from director with official stationery to hook 99% of people.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
yap red teaming and penetration from external and can be insider scenario. Dumpster diving (e.g. dig through his client’s trash; many hacks and identity thefts come from information left in dumpsters), or even fake badge gatecrashing, putting  "innocent looking" thumbdrive in the carpark which has been "tainted"...these can be the bypasses but in any case, the management and rule of engagement must be concurred. Tester will always have to remain friendly and respectful and best for pentesting there is actual neutral party to sanction the action to be done as a "bad guys" to good folks in organisation...

In addition, the traditional way of validating awareness via the count of seminar attendance and how many workshop conducted internally may not be good indicator or metric to measure the level of vigilance. Those should already be part of the regime of the security awareness program running internally - however, if those are "lacking" then the evaluation is not comprehensive with the foundation ding first thing right. Maybe I suggest below to do a sanity check where you are in the regime covering domains of natures touching the
 
(a) preventive with regular updates cum competency build up on security enforcement/governance (e.g. with Acceptable Use policy / Security committee in place)

(b)  detective cum respond framework with validation of the vigilance level and effectiveness of measure enforced (e.g. early indicator of anomalous activities detected / respond to anomalies and deviated behavior by user and third party etc)

though you may already know too, I though no harm highlighting the specific one below that can be useful in your planning

(c) SANS Security Awareness Roadmap poster (since you already has their resource link) - in specific focus on the Deliverables and Metric (this link is just a snapshot picture http://blogs.sans.org/securingthehuman/files/2012/12/STH-SecurityAwarenessRoadmap-Email.jpg)

(d) On top of (a), have online training which I find Knowbe4 may be useful principles
http://www.knowbe4.com/resources/six-steps-to-successful-security-awareness-training/

(e) To verify with campaign testing in augmenting (a) and (b), as shared have continued testing with a simulated phishing attack in regular fashion even to once a week for more vigilance and targeted user with potential higher risk e.g. higher mgmt., front desk staff and Finance/HRD staff. See this maturity growth in the "training" http://www.knowbe4.com/the-five-generations-of-security-awareness-training/
1
btanExec ConsultantCommented:
thanks separately, I written an article in aspect of phishing for your information
http://www.experts-exchange.com/articles/17548/Stop-Think-Decide-THEN-Click.html
Other candidate besides knowbe4 is PhishMe Simulator and reporter (note that PhishLab is different as it is more of a services to protect against spear phishing rather than "education")
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.