The Southern Fried Security Podcast - Episode 191 - Gone Phishin’

Phishing your employees - Does it make them aware or do they feel mistrusted?

1. Intro - Phishing - what is it typically?
2. 1. Example - Emails from a Prince in Nigeria, phished on Match.com, etc
   1. What is it? An email designed to get employees to click on suspicious links or give their credentials
   2. Discuss what I designed as part of my phishing campaign - Partnered with trusted vendor
   3. Designed an email, google doc, supplied AD user list, launch
   4. Stats from our phishing campaign
   5. How GMail caught it and started dumping the emails into spam but some employees even went into spam and clicked (RSA breach!)
   6. Employees used Slack to warn others. Can you avoid neighbors leaning over the cube telling each other? Is this when “see something, say something?” becomes a good thing? How to get employees to follow it?
3. What about when you phish your employees to improve security?
   1. How often?
   2. Do you target specific areas you know are susceptible (Ex - Marketing, Finance)
   3. What about Engineering? How do you trick them?
4. What are the benefits of a targeted phishing campaign?
   1. Start with education first. Then to sanctions.
   2. Use to teach - not ridicule.
   3. C-Levels *have* to be part of it.
5. How do you prevent employees from feeling that Security doesn’t trust them?
6. People are still the weak link! Solutions and hardware can’t prevent that one user from clicking on a link that creates havoc for the company.
   1. We blow holes in security to allow Phish email through.  What if vendor gets compromised?
7. Downsides?