Starting a phishing program
While it’s possible to run a phishing campaign across a company with no warning, we’d recommend against that. You want to build engagement and trust with your employees and not come across as antagonistic and vindictive. Here are the steps we recommend when starting a program:
Ensure that the appropriate executives are aware of and/or have approved the testing. You’ll need them to have talking points if their teams ask about these tests.
Company Heads Up
Give the entire company forewarning. Be clear that it’s an exercise to help everyone learn and not meant to trick or punish people. A template is available here.
Response Team Heads Up
If employees begin reporting an email as phishing, who’s responding? Give them notice about the tests and how to respond (ideally prior to each campaign). A template is available here.