Clear communication with your IT/Help Desk Team is essential when conducting a phishing campaign, to ensure the smooth execution of the test and the accurate evaluation of your organisation's cybersecurity readiness. We have created a customisable email template below for you to send to your IT/Help Desk team before running your initial baseline test campaign.
The email will introduce the idea of the test and explain how your team should address the simulated phishing emails, along with any queries from recipients. While the email is tailored towards a baseline test, it can be easily adapted to suit any type of test.
We are excited to announce that on [DATE], the [IT/Security] team will be conducting a simulated phishing test for all [ORGANISATION NAME] staff. This is a blind test and users should not be made aware of the test at any stage until an official announcement has been made by the management team.
To maintain the integrity of the test, please refrain from clicking any links on behalf of users. Every email is specific to its recipient, so any click will register as a failure for that user.
If a user forwards the email: Reply to let them know you have received it and will research it further, and that they need take no further action. This approach will reduce the chance of users learning about the ongoing test and warning others.
If a user calls about the email: Thank the user for reporting and instruct them to forward the email to [firstname.lastname@example.org] or use the Phish Hook® button. Assure them that no further action is needed on their part.
If a user calls regarding the landing pages: The user has clicked on the simulated phishing link and is now on the landing page, which may be asking for their login credentials. If they ask you what to do at that point, let them know not to enter their credentials. Instruct them to forward the email or use the Phish Hook® button, providing either the URL or a screenshot of the landing page.
If you receive a full copy of the message with headers included, you can scan the headers using an email header scanning tool; for a test email, the Message-ID will contain "tacklephishing.com".
Thank you for your cooperation. At [ORGANISATION NAME] we are working hard to build a global cyber security awareness program.
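The header check mentioned in the template, as an added example that is not part of the original template or the vendor's tooling: it reads a saved message, or one forwarded as an attachment, and looks for the "tacklephishing.com" marker in every Message-ID it finds. The function names and both sample messages are constructed for illustration.

```python
import email

MARKER = "tacklephishing.com"  # value the template says the Message-ID will contain

def find_message_ids(raw: bytes) -> list[str]:
    """Return Message-ID values from the message and any attached originals."""
    # The default (compat32) policy keeps header text raw, so malformed IDs cannot
    # trip a structured parser; folding whitespace is collapsed by hand below.
    msg = email.message_from_bytes(raw)
    ids = []
    for part in msg.walk():  # walk() also descends into message/rfc822 attachments
        for value in part.get_all("Message-ID", []):
            ids.append(" ".join(str(value).split()))
    return ids

def is_simulated_test(raw: bytes) -> bool:
    """True if any Message-ID contains the marker (case-insensitive)."""
    return any(MARKER in mid.lower() for mid in find_message_ids(raw))

# Constructed sample: a user forwards the test email as an attachment, so the
# outer Message-ID belongs to the user's own mail system and the inner, folded
# one belongs to the original message.
SAMPLE_FORWARD = (
    b"From: user@example.org\r\n"
    b"To: helpdesk@example.org\r\n"
    b"Subject: FW: suspicious email\r\n"
    b"Message-ID: <outer-1@mail.example.org>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nIs this real?\r\n"
    b"--b1\r\nContent-Type: message/rfc822\r\n\r\n"
    b"From: it-support@example.net\r\n"
    b"Subject: Password expiry\r\n"
    b"Message-ID:\r\n <constructed-123@mail.TacklePhishing.com>\r\n"
    b"\r\n"
    b"Click here.\r\n"
    b"--b1--\r\n"
)

# Constructed sample: an unrelated message that is not part of the test.
SAMPLE_OTHER = (
    b"From: someone@example.net\r\n"
    b"Subject: Invoice\r\n"
    b"Message-ID: <constructed-456@mail.example.net>\r\n"
    b"\r\n"
    b"See attached.\r\n"
)

if __name__ == "__main__":
    for name, raw in (("forward", SAMPLE_FORWARD), ("other", SAMPLE_OTHER)):
        print(name, find_message_ids(raw), is_simulated_test(raw))
```

Message-ID is written by the sender, so a match is a triage hint that the email belongs to the test, not proof of where it came from.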