Our client is a mission-driven nonprofit organization with a distributed workforce that relies heavily on email and cloud-based collaboration tools. Like many nonprofits, they must protect sensitive data while operating with limited resources, making proactive cybersecurity measures especially critical.
Background & Challenge
Earlier this year, the organization encountered multiple phishing emails targeting staff members. These incidents were contained quickly, with no indication of a serious breach. However, the attempts underscored a growing concern: phishing attacks are becoming increasingly sophisticated, often leveraging social engineering and impersonation tactics that are difficult to detect.
Prior to this event, we had ongoing discussions with the client about implementing Attack Simulation Training as a preventative measure. After the most recent incident, leadership agreed to move forward with a structured phishing simulation program to better understand user risk and improve security awareness.
Approach & Implementation
We worked with the client to review all user accounts to determine eligibility for the simulation. Each participating user was required to have Microsoft Defender for Office Plan 2 enabled. Based on best practices, we recommended including only accounts associated with real human users. All staff already had individual accounts, so we advised excluding shared or service accounts and including only each user’s primary account, even if they had access to shared inboxes.
Next, we collaborated on the design of the phishing simulations themselves. The client explicitly requested a high-difficulty exercise, with no obvious red flags, typos, or poorly designed graphics. The goal was realism.
To meet this objective, we proposed two separate phishing simulations:
- Email A: A realistic phishing email from an external sender
- Email B: A more advanced phishing attempt impersonating organizational leadership
Both simulations were designed to closely mirror real-world attack techniques. The campaign ran for 25 days, capturing user behaviors such as opens, clicks, credential submissions, reporting actions, forwarding, and deletions.

Results & Key Findings
After the campaign concluded, we reviewed the results:
Email A (External Sender):
- Click rate: 12.5%
- Credential compromises: 0
- Reporting rate: 18.75%
Although two users clicked, no credentials were compromised. The reporting rate exceeded the click rate, indicating cautious behavior and awareness among many users.
Email B (Leadership Impersonation):
- Credential compromise rate: 22.22%
- Faster time-to-click and faster reporting
- Two instances of email forwarding
Email B posed a significantly higher risk. Impersonation of leadership led to increased trust, faster engagement, and credential compromise. The forwarding behavior further elevated risk by increasing the potential for internal propagation.
These results highlight a notable vulnerability to impersonation-based phishing attacks and reinforce the need for continuous awareness training.
Recommendations and Best Practices
- Training Follow-Up:
Users who clicked or submitted credentials have already been assigned targeted training modules. It is recommended to follow up with users who have not yet completed the required training to reinforce key learning objectives.
- Verification Practices:
Continue reinforcing habits related to sender and domain verification to reduce the risk of internal impersonation attacks.
- Positive Reinforcement:
Acknowledge and promote positive behaviors from users who report suspicious emails. Aim to increase the reporting rate above 25% for external-sender scenarios such as Email A and maintain a rate above 40% for leadership-impersonation pretexts such as Email B.
- Follow-Up Simulation:
Conduct a follow-up phishing simulation using a different internal pretext to measure improvement in user response and reduce time-to-click.
- Email Forwarding Protocol:
Remind users never to forward suspicious emails, as this can unintentionally spread threats or expose sensitive content. Instead, encourage users to take a screenshot of the message when reporting or seeking support.
- Safe Link Practices:
Reinforce the habit of hovering over links before clicking to confirm the destination is legitimate and aligns with the expected source.
Conclusion
This engagement provided actionable insight into how users respond to different phishing tactics. The findings equip the organization with a clear path forward to strengthen awareness, reduce risk, and build long-term resilience against increasingly sophisticated email-based threats.
Is your organization prepared for today’s phishing threats?
Proactive phishing simulations and targeted awareness training can significantly reduce risk before a real attack occurs. Contact us to schedule a phishing risk assessment or to design a customized Attack Simulation Training program tailored to your organization’s unique threat landscape.