The Southern Fried Security Podcast
Join Andy Willingham, Martin Fisher, Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security and news, and interview interesting people. Get in the discussion at

The Southern Fried Security Podcast - Episode 191 - Gone Phishin’


Phishing your employees - Does it make them aware or do they feel mistrusted?


  1. Intro - Phishing - what is it typically?
    1. Example - Emails from a Prince in Nigeria, phished on, etc.
    2. What is it? An email designed to get employees to click on suspicious links or give their credentials
    3. Discuss what I designed as part of my phishing campaign - Partnered with trusted vendor
    4. Designed an email, Google Doc, supplied AD user list, launch
    5. Stats from our phishing campaign
    6. How Gmail caught it and started dumping the emails into spam, but some employees even went into spam and clicked (RSA breach!)
    7. Employees used Slack to warn others. Can you avoid neighbors leaning over the cube telling each other? Is this when “see something, say something” becomes a good thing? How to get employees to follow it?
  2. What about when you phish your employees to improve security?
    1. How often?
    2. Do you target specific areas you know are susceptible (e.g., Marketing, Finance)?
    3. What about Engineering? How do you trick them?
  3. What are the benefits of a targeted phishing campaign?
    1. Start with education first. Then to sanctions.
    2. Use to teach - not ridicule.
    3. C-Levels *have* to be part of it.
  4. How do you prevent employees from feeling that Security doesn’t trust them?
  5. People are still the weak link! Solutions and hardware can’t prevent that one user from clicking on a link that creates havoc for the company.
    1. We blow holes in security to allow phish email through. What if the vendor gets compromised?
  6. Downsides?

Category:general -- posted at: 6:55pm EDT