Phishing assessments are a powerful way to not only measure the awareness of an organization, but to reinforce key learning objectives.  Nothing is more powerful then when people click on a link and then get instant feedback they just fell victim to a test, and then learn more about what phishing is and how they could have detected this was an attack.  There are now a number of commercial and open source tools out there to help you run your own phishing assessment, which are listed as part of the STH Phishing Assessment Planning Kit.  However today I wanted to cover a simpler approach to awareness assessments, one that has the advantage of being both anonymous and free. Last week I was teaching the SANS MGT 433 course on building high-impact awareness programs.  One student brought up a challenge they had with awareness assessments, both legal and unions were blocking the assessments as they could violate employees' privacy.  They did not want management to know the names of who fell victim, nor did they want peoples' career impacted.  One of the solutions we discussed is using a URL shortener for your awareness program, such as http://goo.gl.   The idea is when creating your phishing email, you use a shortened link in the email (click on image to see what I'm talking about).  There are some advantages here.

  1. URL shorteners track and report how many people clicked on the link.  They are pretty intelligent on how they do the tracking.  So if you click on the link ten times from the same computer, it only counts as one unique hit.  As such, the results are pretty accurate.
  2. If your organization is concerned about privacy issues, then this approach addresses those issues as you cannot track who the victims were, only the number.  Privacy / anonymity is protected.
  3. You can't beat the price, its free.
  4. If you do use a URL shortener, make sure you use one that protects the privacy of the results, you do not want the URL history publicly available.

Obviously there are disadvantages.  For example, you will not be able to track who clicked on the link, or even which department.  In addition professional phishing software often provides more in-depth details, such as OS/Email/Browser version of every victim, and perhaps if they have any vulnerabilities.  Finally you do not have more advanced attack options, such as tracking open attachments.  However, even with all these limitations in mind, if you need a solution that is simple, anonymous, and/or free I recommend you consider this option.

About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.