Wednesday, January 17, 2018

Our 2017 "Phishing Contest"

As part of our annual Security Awareness Training during 2017, we decided to try doing a "phishing contest".  This contest invited our employees to submit the best phishing emails they could create for the chance to win prizes.

Doing this type of contest was something very new for us.  While we weren't the absolute first organization in the world to do this (the University of Chicago did one, as an example), we discovered that it had not been extensively done before.  Even members of the SANS Security Awareness community were interested in what we were doing for the same reason.

Here's a summary of how we marketed this contest to our users.

Attackers are getting better and better these days at creating really good phishing emails, and it's getting harder and harder to tell the difference between a legitimate email and a fake one.

How can we become better at determining what's real and what's not?  By learning how it's done!  I often encourage people to have some fun and pick a friend that they know well.  Look up as much information about that friend on the Internet as you can find, and think about how you could use that information to create a really good phishing email (targeted at them) that would fool them!

When folks think about it, they realize it really isn't that hard to do.  And by trying it, we learn more about how hackers think and how they socially engineer people effectively.  That knowledge, in turn, makes us more suspicious, and better able to identify phishing attempts when they come our way.

We invite you to participate in the 2017 Phishing Contest!  Participation is completely optional and open to employees only.  The challenge is to create the best phishing email that you can, one that will trick us into believing it's real and tempt us into falling for it.  You are encouraged to do research about me on the Internet and create a "targeted" phish, or you can submit something on a different topic.  You must send it using your work email address (so we can find you if you win =), and you must write "2017 Phishing Contest" at the bottom of the email (so we don't accidentally think it's a real phish and just delete it =).

The deadline for submission is the end of 2017.  The Security Team will review all of the submissions, and the individuals who submitted the top FIVE entries will win $50 Amazon gift cards!
A brief video was also used for this marketing.

So, how did it go?

We marketed to a good portion of our employee base of approximately 4,000 people (but not all, as some departments request that "optional" events such as these be filtered through them).  We received 32 submissions.  While this was a bit disappointing, we knew this was new to everyone and might take a couple of rounds before people caught on and felt more comfortable submitting something, or even realized how easy it is to do.  However, the ones we did receive were great.  It was a ton of fun receiving them, and reviewing them as a team in order to decide the winners was HARD!  Overall, the feedback from our users was very, very positive about the contest.  We received multiple positive comments, such as "You make security cool and fun!"   So we will do it again this year.

In the posts that follow this, I will share samples of the submissions in the form of educational emails sent out to our user community, using the winning entries (and some others too) to teach more about phishing awareness.
