What should I send my IT/Help Desk Team during a baseline test?
Below is a customisable email template to send to your IT/Help Desk Team while running your initial baseline test campaign. The email introduces the idea of the test and explains how and why your team should handle the simulated phishing email and any recipient/user questions.
On [DATE], the [IT/Security] team will be running a simulated phishing test for all [ORGANISATION NAME] staff. This is a blind test and users should not be made aware of the test at any stage until an official announcement has been made by the management team.
To preserve the validity of the data, it is important not to click on the link on behalf of a user. Each email is specific to its recipient, so any click will register as a fail for that user.
If a user forwards the email: Reply, letting them know you have received it and will research it further and that the user need take no further action. This will reduce the chance of users learning there is a test underway and warning others.
If a user calls about the email: Thank the user, tell them to forward the email to [firstname.lastname@example.org] for further research, and that they need take no further action.
If a user calls regarding the landing pages: The user has clicked on the simulated phishing link and is on the landing page, which may be asking for their login credentials. If they ask you what to do at that point, let them know not to enter their credentials, and to forward the email and either the URL or a screenshot of the landing page.
Examples of the email and two subsequent landing pages are attached below.
If you receive the email's headers rather than a forwarded copy, the simulated phishing email will contain the message header "X-PhishingTackle".
Thank you for your cooperation. At [ORGANISATION NAME] we are working hard to build a global cybersecurity awareness program.
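
The header check mentioned in the template, as an added example (not Phishing Tackle's own code): a Python triage helper that looks for `X-PhishingTackle` on a reported message, on any original forwarded as an attachment, or in header text pasted into the body. The sample messages, addresses and header value are constructed; the page gives only the header name.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SIM_HEADER = "X-PhishingTackle"  # header name given in the article
# Header line pasted into body text, optionally behind quote markers.
PASTED = re.compile(r"^[ \t>]*" + re.escape(SIM_HEADER) + r"[ \t]*:", re.I | re.M)

def classify_report(raw: bytes) -> str:
    """Return 'header', 'pasted-text' or 'not-found' for a reported email."""
    msg = message_from_bytes(raw, policy=policy.default)
    # walk() descends into message/rfc822 attachments, so an original that
    # was forwarded "as attachment" is checked with its headers intact.
    if any(part[SIM_HEADER] is not None for part in msg.walk()):
        return "header"
    # Inline forwards drop the original headers; users may paste them instead.
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and PASTED.search(part.get_content()):
            return "pasted-text"
    return "not-found"

def sample_original() -> EmailMessage:
    """Constructed stand-in for the simulated phishing email."""
    m = EmailMessage()
    m["From"] = "it-support@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Password expiry notice"
    m[SIM_HEADER] = "constructed-value"  # real value is not given on the page
    m.set_content("Please review your account.")
    return m

def sample_report(body: str, attach_original: bool = False) -> bytes:
    """Constructed user report sent to the help desk."""
    outer = EmailMessage()
    outer["Subject"] = "Fwd: Password expiry notice"
    outer.set_content(body)
    if attach_original:
        outer.add_attachment(sample_original())  # becomes message/rfc822
    return outer.as_bytes()

INLINE = "---------- Forwarded message ----------\nFrom: it-support@example.com\n\nPlease review your account.\n"
PASTED_HEADERS = "Headers below:\nReceived: from mail.example.com\nX-PhishingTackle: constructed-value\n"

if __name__ == "__main__":
    print(classify_report(sample_report("Is this legitimate?", attach_original=True)))
    print(classify_report(sample_report(PASTED_HEADERS)))
    print(classify_report(sample_report(INLINE)))
```

A `not-found` result on an inline forward is expected, because inline forwarding discards the original headers; it says nothing about whether the email is genuine phishing.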