We published an article with 10 tips to train your teams against phishing through phishing simulations. There were a lot of comments and we were often asked two questions regarding frequency and timing:

  • How many simulations per year should each user receive? From what point can progress be seen?
  • Can you run one simulation for all your teams, at the same time and in the same way?

In order to answer these questions, we relied on our data team and the history of phishing simulation campaigns we have.

The goal of this article: to deliver insight so you can improve your cybersecurity training and awareness programs in order to protect your teams against phishing.

What is the right frequency for your phishing simulations?

What can neuroscience tell us?

In order to understand what the right frequency is for phishing simulations, we can have a look at the field of neuroscience.

From a biological standpoint, learning implies the physical remodeling of our brain.

Learning something new creates a connection between neurons. To illustrate, it's like creating a connection between neuron A and neuron B.

The more you practice, the clearer and more efficient this path becomes. It transforms from a little path in the woods into a highway (this is, for example, the case with an athlete’s “muscle memory”).

Conversely, if the path is not used, the road can fade and even disappear, exactly the same way the paths of a forest that is not traveled or maintained are reclaimed by plants and trees. Our brain simply shifts to favor what’s of use to it.

Consequently, if the goal of your phishing simulation program is to develop a “reflex” email analysis and threat evaluation muscle among your teams, this effort must be maintained frequently enough through regular simulations.

What can the data tell us?

From a data perspective, at Mantra we notice that a frequency of one simulation a month produces results quickly.

The figure below shows the click rate on Mantra’s phishing simulations based on how many simulations each person at that company has received (someone who just joined the company will only have received one or two, whereas someone who’s been there for a while will have received about one simulation per month).

We can see that the click rate, which is a good indicator of how teams analyze email threats, decreases significantly (-63% on average) based on the number of simulations received.

Click rate based on number of phishing simulations received for 4 companies

To quote the great basketball coach John Wooden: “I create eight laws of learning — namely explanation, demonstration, imitation, repetition, repetition, repetition, repetition, and repetition.”

One email per month isn’t too heavy a frequency for your teams: if we consider that someone receives 100 emails per day, one phishing simulation per month represents only 0.05% of the emails received in a month…
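The click-rate-by-ordinal analysis behind the figure above, as an added example (not Mantra’s own code): each user’s results are ordered by send date, the n-th email a person received is bucketed under ordinal n, and the click rate per bucket plus the overall relative drop are computed. The result records are constructed sample data, not real campaign history.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of simulation results: (user, send date, clicked?).
# Each user receives roughly one simulation per month, as in the cadence above;
# users who joined later simply have a shorter history.
RESULTS = [
    ("tom",  date(2023, 1, 10), True),
    ("tom",  date(2023, 2, 14), True),
    ("tom",  date(2023, 3, 9),  False),
    ("lisa", date(2023, 1, 17), True),
    ("lisa", date(2023, 2, 6),  False),
    ("lisa", date(2023, 3, 21), False),
    ("kim",  date(2023, 1, 5),  True),
    ("kim",  date(2023, 2, 9),  True),
    ("kim",  date(2023, 3, 2),  True),
    ("alex", date(2023, 2, 2),  False),   # joined later: only two so far
    ("alex", date(2023, 3, 15), False),
    ("sam",  date(2023, 3, 28), True),    # brand new: first simulation
]

def click_rate_by_ordinal(results):
    """Return {n: click_rate} where n is how many simulations a user had
    received at the time of that email (1 = their very first one).
    Results are grouped per user and sorted by send date, so the ordinal
    reflects each person's own training history, not calendar time."""
    per_user = defaultdict(list)
    for user, sent_at, clicked in results:
        per_user[user].append((sent_at, clicked))
    sent = defaultdict(int)     # ordinal -> emails sent
    clicks = defaultdict(int)   # ordinal -> emails clicked
    for history in per_user.values():
        history.sort()          # chronological per user
        for n, (_, clicked) in enumerate(history, start=1):
            sent[n] += 1
            clicks[n] += int(clicked)
    return {n: clicks[n] / sent[n] for n in sorted(sent)}

def relative_change(rates):
    """Percentage change in click rate between the first and the last
    ordinal, e.g. -63.0 for a 63% drop (0.0 if there were no first clicks)."""
    first, last = rates[min(rates)], rates[max(rates)]
    return 0.0 if first == 0 else (last - first) / first * 100
```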

What’s the best timing for your phishing simulation campaigns?

Sending them at the same time?

This is another question we are often asked regarding phishing simulations: can one simply send the same simulation email at the same time to all employees?

This question is perfectly understandable and legitimate, given that a number of tools (ones that require manual selection of simulation emails and of targets) do not truly allow for an alternative.

And it’s already a step in the right direction, one that provides some information on the performance of your teams.

But for us it’s not enough: this isn’t what hackers do in spear-phishing campaigns, and therefore it isn’t truly effective at training your teams.

Indeed, hackers use much more sophisticated targeting:

  • Tom, from accounting, will receive a phishing email impersonating the Payfit software he uses, signed with the name of the company’s CFO
  • Lisa, from IT, will receive a phishing email impersonating Microsoft Azure or a Sentry alert
  • And Alex, from sales, will receive a fake request for proposals from a fake potential client

Some groups of Initial Access Brokers, like Exotic Lily, even go as far as creating fake LinkedIn profiles… And they rely massively on publicly available information (OSINT) to personalize their phishing and spear-phishing attacks.

A case study

On top of these theoretical elements, we noticed that sending the same simulation to everyone at the same time simply didn’t work as well during phishing tests.

A client who was mass-sending one scenario to his 1,500 employees saw the compromise rate (credential harvesting) climb during the first few minutes of the phishing test before it plateaued:

Cumulative number of compromising actions after mass sending of a phishing simulation: after 1 day, the effect of surprise is lost

Indeed, when they received the phishing simulation (and when they fell for it - or detected it correctly), users naturally discussed it among themselves: in the office, at the coffee machine, on Slack or Teams… The effect of surprise couldn’t be maintained for long.

And all those who were “warned” couldn’t benefit from the simulation.

It’s therefore better - if possible - to send different simulations, at different times, to each individual employee.

Conclusion

These are the reasons that led Mantra to build an automated tool that sends different phishing simulations every month.

The simulations are personalized with the tools the teams use, the people of the C-suite, the company’s customers… in order to replicate the spear-phishing techniques hackers would use based on OSINT.

They’re sent at different times (and with different scenarios) to all the employees, and the payloads vary, in order to train your teams effectively.
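One way to implement the staggered, per-team scheduling described in the case study and the conclusion, as an added example that is not Mantra’s product code: every department has its own scenario catalogue (constructed here from the article’s Tom/Lisa/Alex examples), each (workday, scenario) slot is used once per department before any repeat, nobody gets the scenario they received last time, and send times are spread over working hours across the month. The helper at the end counts how many colleagues would get an identical email on the same day, which is the mass-send pattern that loses its surprise effect.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed catalogue: scenarios keyed by department, mirroring the targeting
# examples in the article (the tool or identity each team actually deals with).
SCENARIOS = {
    "accounting": ["payfit-cfo-approval", "expense-tool-reminder", "bank-mandate-change"],
    "it":         ["azure-sign-in-alert", "sentry-error-spike", "vpn-cert-expiry"],
    "sales":      ["fake-rfp", "crm-shared-file", "conference-invite"],
}

def workdays(year, month):
    """All weekdays of the month, as datetimes at midnight."""
    first = datetime(year, month, 1)
    nxt = datetime(year + (month == 12), month % 12 + 1, 1)
    days = [first + timedelta(days=d) for d in range((nxt - first).days)]
    return [d for d in days if d.weekday() < 5]

def schedule_month(employees, year, month, history, seed=0):
    """Give every employee one (send time, scenario) for the month.
    employees: list of (name, department); history: {name: last scenario}.
    Within a department each (day, scenario) slot is consumed once before
    any repeats, so two colleagues never get the same email on the same day
    unless the team outgrows workdays x scenarios. A user's previous
    scenario is skipped whenever another slot is available."""
    rng = random.Random(seed)                 # seeded: reproducible plan
    days = workdays(year, month)
    free = {}                                 # dept -> unused slots
    plan = []
    for name, dept in employees:
        if not free.get(dept):
            free[dept] = [(d, s) for d in days for s in SCENARIOS[dept]]
            rng.shuffle(free[dept])
        i = next((k for k, (_, s) in enumerate(free[dept])
                  if s != history.get(name)), 0)
        day, scenario = free[dept].pop(i)
        minute = rng.randrange(9 * 60, 17 * 60)   # 09:00 .. 16:59
        plan.append((name, day + timedelta(minutes=minute), scenario))
    return plan

def same_day_same_scenario(plan):
    """Number of employees who would receive an identical email on the same
    day as an earlier colleague (the mass-send pattern from the case study)."""
    counts = defaultdict(int)
    collisions = 0
    for _, when, scenario in plan:
        collisions += counts[(when.date(), scenario)]
        counts[(when.date(), scenario)] += 1
    return collisions
```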

Over 100 heads of IT and CISOs trust us for their phishing simulations, click here to create an account and set up your first phishing campaign.