Ease of Use
As an IT professional, I'm always ready to face the challenge of learning and configuring a new solution. However, there was little challenge in setting up Phishme. It is so simple that anyone can run tests, even with no technical skills. As long as you use the sample phishing pages and graphics, there is nothing to program and no HTML to write.
Figure 1 shows the Phishme scenarios page. This is the initial window, which appears immediately after login. A scenario is a test configured with a specific purpose, a list of employee email addresses, and one or more training pages. In this example, there are a couple of test scenarios listed that my team was playing with. Let's step through creating a new scenario.
Once you invoke the creation process, the first step is selecting the kind of test to run. Four predefined scenarios are included, along with a user-definable template, as depicted in Figure 2. I selected Password Survey, entered a title and description, and clicked Continue.
My next stop was the setup window. The header is shown in Figure 3. This is where I entered the email message subject and from address. I also selected one of my predefined recipient groups. Recipient groups contain lists of email addresses to which you send the training email. These addresses can be loaded from email server export files, so you don't have to manually enter them.
The lower section of the setup window displays the format of the email message. The default message body for this scenario is shown in Figure 4. I added the company name, Erudio Security LLC, to make it look like this came from my security training company. The PasswordCheck link leads to a Phishme predefined page that asks for the user's password. Click Here allows you to define your own training page to deliver your company's message about why clicking on the link was a bad idea, including Phishme-supplied cartoon graphics.
When I finished with the message body, I quickly stepped through the rest of the setup, including modifying the default password collection page (Figure 5) and deciding whether to include the special touch of adding one of the "bait" icons shown in Figure 6. I could have also used any Web page on the Internet by using Phishme to retrieve the desired page format from the target site. This enables me to use the actual Web page of any bank, financial institution, retailer, or other online enterprise to simulate phishing.
Finally, I was asked to schedule the test. I chose to run the test immediately and clicked Save/Done. Within a few minutes, I received a confirmation message that the test was launched. I also received the test email, since I was in the Recipient Group. To make sure the user experience was what I expected, I opened the email and clicked on the PasswordCheck link. The password collection Web page appeared, and I entered my user ID and password as shown in Figure 7.
If this were a real phishing attack, clicking on Log In would likely send my user ID and password to the phisher's server. However, something different happens in Phishme, as shown in Figure 8. This message can be modified.
The fact that the link was clicked was recorded for later reporting, but who clicked was not saved. Also, neither the account ID nor the password was recorded.