5 phishing tests to run inside your organization

Dec 18, 2017 | 4 mins
Data and Information Security | IT Leadership | IT Skills


Last month, I talked about minimizing phishing attacks. Now, I am going to talk about some sample phishing scenarios that you can use to help increase awareness and alertness within your organization. These are based around events that occur in the United States, so you may need to refocus if these timelines or events are not applicable to your geographic location. I like to refer to these as “Phishing Flavors of the Month.”

1. January: W-2 forms

By law, employers must mail IRS Form W-2 to employees for the previous calendar year by January 31. Attaching a malicious Word or PDF document to an email claiming to be a W-2 (especially early in the month), or sending recipients to a site to download such a file, can net a high click rate. The document-based method hinges on how you send the email (internally or externally) and on whether you have email filtering. Your malware protection may also block this method, so carefully test it before deployment. If you decide to use a link, you can double down and attempt to capture credentials in addition to deploying a payload.

2. February: Who is YOUR Secret Admirer?

Valentine’s Day, the holiday of love, is February 14. It is not uncommon for people to admit their interest in someone on or around this date. People will also send gifts and other flattery as a secret admirer. In this ruse, victims receive an email advising them that they have a secret admirer and directing them to a page that prompts them to either enter their existing credentials or create an account. If they create an account, we can assume that they reuse passwords, and we can also solicit them for password reset questions. Cautionary note: this scenario will not work everywhere and may be inappropriate for your organization. Ensure you get buy-in from Human Resources (HR) before attempting it.

3. April: US Tax Deadline

April 15 is a fearful date for many Americans because it is the deadline for filing annual income taxes. A simple email stating something to the tune of “Your tax filing has been rejected” or “We still have not received your tax filing” may yield good responses. Be careful not to impersonate the IRS; that is against the law. It may be better to pose as a tax preparer, CPA, or your HR document provider. Once you have the details of “who” you’re going to be, determine what you want to collect and how you’ll protect it. Since you’re not posing as the company, people will expect to enter their Social Security Numbers. You have an ethical obligation to protect any PII that you collect and store, including SSNs. I recommend asking for the last four digits of a Social Security Number but not storing them; only record whether they entered anything.

4. November: Free Turkey

Who doesn’t love free stuff? Exactly. Many companies give away a free turkey or ham in the holiday season. You can pose as the company and require employees to log in to the company portal to get the voucher (potentially infecting the “voucher” with a Microsoft Office macro) in order to receive the porcine or poultry delicacy. Another route is to claim that it is from Oprah. She is known for giving things away. In any instance, get this one out around the middle of the month, up until the Monday before Thanksgiving.

5. November through January: Insurance Open Enrollment

The period between November and January is typically when companies do open enrollment for the next year’s insurance plan. Capitalizing on this can yield impressive results. Knowing who the insurance carrier is and whether you use an HRIS such as ADP or UltiPro will work to your advantage. You can prompt the employee to log in using their email address and Active Directory password. If you use multi-factor authentication, you can even ask for the one-time code, but not use it. You can also take this in numerous directions, but heed the advice that I provided for April with regard to collecting and storing PII.
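Both the April scenario and this one end on the same rule: record whether a user typed a Social Security Number or one-time code, but never keep the value. The following is an added example (not code from the article, and not from any particular awareness-training product) of a simulation landing page that applies that rule. The field names (username, password, ssn_last4, otp), the campaign query parameter "c", the training URL and the in-memory result store are assumptions for illustration.

```python
"""Landing page for an internal phishing simulation that records whether each
sensitive field was filled in, but never keeps the value.

Added example, not code from the original article. The field names
(username, password, ssn_last4, otp), the campaign parameter "c" and the
training URL are assumptions for illustration only.
"""
import io
from urllib.parse import parse_qs

# Fields whose values must never be written anywhere; only a yes/no is kept.
SENSITIVE_FIELDS = ("password", "ssn_last4", "otp")
TRAINING_URL = "https://intranet.example/security-awareness"  # assumed
RESULTS: list = []  # constructed in-memory result store standing in for a DB


def summarize_submission(form: dict) -> dict:
    """Reduce a submitted form to non-sensitive facts about it.

    The tester learns how far the user went (entered a password? an OTP?
    four digits in the SSN box?) without the simulation ever holding PII.
    """
    summary = {"user": form.get("username", "").strip().lower()}
    for name in SENSITIVE_FIELDS:
        summary[f"entered_{name}"] = bool(form.get(name, "").strip())
    ssn = form.get("ssn_last4", "").strip()
    summary["ssn_looked_real"] = ssn.isdigit() and len(ssn) == 4
    return summary


def record(campaign_id: str, summary: dict, store: list) -> dict:
    """Persist the summary. Refuses anything that still carries a raw value."""
    for name in SENSITIVE_FIELDS:
        if name in summary:
            raise ValueError(f"raw {name} must not reach storage")
    row = {"campaign": campaign_id, **summary}
    store.append(row)
    return row


def app(environ, start_response):
    """Minimal WSGI app: parse the POST body, keep flags only, send to training."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b""]
    campaign = parse_qs(environ.get("QUERY_STRING", "")).get("c", ["unknown"])[0]
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
    form = {k: v[0] for k, v in parse_qs(body).items()}
    record(campaign, summarize_submission(form), RESULTS)
    # `form` and `body` go out of scope here; nothing else references the values.
    start_response("303 See Other", [("Location", TRAINING_URL)])
    return [b""]


def simulate_post(campaign_id: str, body: bytes):
    """Drive `app` with a constructed WSGI environ; returns (status, headers)."""
    environ = {
        "REQUEST_METHOD": "POST",
        "QUERY_STRING": f"c={campaign_id}",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    list(app(environ, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The design point is that the raw form never reaches the storage layer: `summarize_submission` turns it into booleans before `record` sees it, and `record` refuses a row that still carries a sensitive key, so a later refactor cannot quietly start persisting passwords or SSN fragments. The same structure covers the open-enrollment variant, where the one-time code is requested but never used.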


There are numerous factors that play into how well a phish will work. While we know that training and technical controls have varying levels of influence that often depend on organization maturity and on how tools are implemented and configured, what is happening in the world around us is just as important. An attacker may use a typosquatted Amazon or Delta ruse. They may use a UPS, FedEx, or Postal Service ploy. They all vary. The more lifelike the campaigns are, the more value you’ll get out of them.
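The typosquatted-brand lures mentioned above are also something a mail gateway or log-review rule can flag before a user ever sees them. The following added example (not code from the article) scores sender domains against a brand list using a few look-alike normalizations and edit distance. The brand list, the canonical domains and the log lines are constructed for illustration, and the normalization rules are a deliberately small subset of real look-alike tricks.

```python
"""Flag sender domains that look like a well-known brand but are not it.

Added example, not code from the original article. BRAND_DOMAINS and
SAMPLE_LOG are constructed for illustration; the normalization rules are a
deliberately small subset of look-alike tricks.
"""
import re

# Canonical domains for the brands the article names (assumed values).
BRAND_DOMAINS = {"amazon.com", "delta.com", "ups.com", "fedex.com", "usps.com"}

# Constructed mail-gateway log lines for the demo.
SAMPLE_LOG = """\
2017-12-01T08:02:11Z from=<promo@amazon.com> subj="Your order shipped"
2017-12-01T08:05:43Z from=<billing@arnazon.com> subj="Payment problem"
2017-12-01T08:09:02Z from=<alerts@de1ta-airlines.com> subj="Itinerary change"
2017-12-01T08:12:30Z from=<tracking@fedex.com.delivery-status.net> subj="Package held"
2017-12-01T08:15:55Z from=<hr@example.org> subj="Open enrollment reminder"
"""

_DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(label: str) -> str:
    """Undo common look-alike substitutions so 'arnazon' compares as 'amazon'."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(_DIGIT_LOOKALIKES)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(addr: str, brands=BRAND_DOMAINS):
    """Return ("exact"|"lookalike"|"unrelated", matched_or_registrable_domain)."""
    domain = addr.rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    registrable = ".".join(labels[-2:])  # naive: no public-suffix list
    if registrable in brands:
        return ("exact", registrable)
    # Every label except the TLD, split on hyphens, becomes a candidate token,
    # so both "de1ta-airlines.com" and "fedex.com.evil.net" are examined.
    candidates = {tok for lab in labels[:-1] for tok in re.split(r"[-_]", normalize(lab)) if tok}
    if not candidates:
        return ("unrelated", registrable)
    best = None
    for brand in sorted(brands):
        bname = brand.split(".")[0]
        limit = 1 if len(bname) <= 5 else 2  # short names need a tighter bound
        dist = min(levenshtein(tok, bname) for tok in candidates)
        if dist <= limit and (best is None or dist < best[0]):
            best = (dist, brand)
    return ("lookalike", best[1]) if best else ("unrelated", registrable)


def scan_log(text: str):
    """Classify the sender of every log line that carries a from=<...> field."""
    findings = []
    for line in text.splitlines():
        m = re.search(r"from=<([^>]+)>", line)
        if m:
            verdict, match = classify_sender(m.group(1))
            findings.append((m.group(1), verdict, match))
    return findings


if __name__ == "__main__":
    for sender, verdict, match in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {sender:45} -> {match}")
```

Treat the output as a triage hint rather than a block list: the two-label "registrable domain" shortcut misreads country-code suffixes such as .co.uk, short brand names like "ups" will collide with ordinary words within one edit, and the normalizer is blind to Unicode homoglyphs. A production rule would back this with the public suffix list, an allowlist of your own partners' domains, and the brands your organization actually does business with.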


Joe Gray joined the U.S. Navy directly out of high school and served for seven years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security.

In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe contributes to AlienVault, ITSP Magazine, CSO Online and Dark Reading.

The opinions expressed in this blog are those of Joe Gray and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.