Thursday, June 21, 2012

PhishMe


Phishing can be a serious problem for businesses, but IT administrators can fight back by incorporating software-as-a-service PhishMe (starting at $10,000 depending on users and service level) into their employee training program. Users are bombarded with malicious emails with specially crafted attachments or links to suspicious websites, and often have trouble recognizing them as being malicious. While administrators can beef up email security to prevent these messages from landing in user inboxes in the first place, they also need to teach users to recognize and not open those messages. It takes just one unsuspecting user to compromise a company, and PhishMe is designed to make employees more aware of the dangers.

PhishMe's training platform allows administrators to send employees messages that look like commonly seen phishing campaigns. If an employee clicks the link in the message or opens the accompanying attachment, they see a notification screen explaining that they have just opened a message sent to them as part of a training simulation. PhishMe provides information about the scam to give the user immediate feedback that helps them recognize these types of messages later. The administrator can monitor overall performance and repeat offenders. Through the campaign management portal, administrators can track what employees are learning and the types of scams they may be more susceptible to.
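The tracking side of a simulation platform, as described above, boils down to aggregating per-recipient outcomes across scenarios. The following is an added example, not PhishMe's code or its export format: it parses a constructed CSV export of scenario results (the column names and the action vocabulary are assumptions) and computes the three things an administrator would want from the reports: who fell for how many simulations, who the repeat offenders are, and which scam category the population is most susceptible to.

```python
import csv
import io
from collections import Counter

# Constructed sample export (not PhishMe's real format): one row per recipient
# per scenario. Column names and action values are assumptions for this example.
SAMPLE_EXPORT = """scenario,category,recipient,action
s1,malicious-link,alice@example.com,clicked
s1,malicious-link,bob@example.com,reported
s1,malicious-link,carol@example.com,ignored
s2,data-entry,alice@example.com,submitted
s2,data-entry,bob@example.com,ignored
s2,data-entry,carol@example.com,clicked
s3,attachment,alice@example.com,opened
s3,attachment,bob@example.com,reported
s3,attachment,carol@example.com,ignored
"""

# Actions that count as "fell for the simulation". Reporting the message is the
# desired behaviour; ignoring it is neutral.
FAIL_ACTIONS = {"clicked", "opened", "submitted"}


def parse_export(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def failure_counts(rows):
    """Number of scenarios each recipient fell for (recipients with zero are omitted)."""
    counts = Counter()
    for row in rows:
        if row["action"] in FAIL_ACTIONS:
            counts[row["recipient"]] += 1
    return dict(counts)


def repeat_offenders(rows, threshold=2):
    """Recipients who fell for at least `threshold` distinct scenarios, sorted."""
    return sorted(r for r, n in failure_counts(rows).items() if n >= threshold)


def susceptibility_by_category(rows):
    """Fraction of recipients who fell for each scam category."""
    totals, fails = Counter(), Counter()
    for row in rows:
        totals[row["category"]] += 1
        if row["action"] in FAIL_ACTIONS:
            fails[row["category"]] += 1
    return {cat: fails[cat] / totals[cat] for cat in totals}


def report_rate(rows):
    """Fraction of all deliveries that were reported by the recipient."""
    reported = sum(1 for row in rows if row["action"] == "reported")
    return reported / len(rows) if rows else 0.0


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("failures per recipient:", failure_counts(rows))
    print("repeat offenders:", repeat_offenders(rows))
    print("susceptibility by category:", susceptibility_by_category(rows))
    print("report rate:", report_rate(rows))
```

The report rate is worth tracking alongside the click rate: a training program is working when reports go up, not only when clicks go down, and the "tests" that are excluded from reporting (discussed below) should simply be filtered out before the rows reach these functions.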

PhishMe takes a similar approach to Wombat Security's PhishGuru, our Editors' Choice for antiphishing training, with multiple phishing templates and training documents. PhishMe has a richer interface and offers more in-depth training and reports, but there were several areas that felt a little rough. On their own, the problem spots wouldn't have been a big deal, but considering how well thought-out the rest of the platform was, the issues were jarring.

Pricing is for an annual license and can range from $10,000 to hundreds of thousands of dollars, depending on the number of unique recipients and included service and support.

Prepping the Phishing Hole
Like PhishGuru, PhishMe requires the test domain to be whitelisted to ensure the test messages can be delivered. Businesses planning on running PhishMe will need to work very closely with IT before attempting the project to work around spam filters and other email security products in place. It's also possible to set up the platform to test across multiple domains. For PhishMe, I used a simple mail server with no email or spam filters running.

Once my PhishMe account was created, I received an email asking me to log in and create a password for the platform. I liked the fact that the password had to be 12 or more characters long and be complex. It's a little thing, but considering how often we write about the importance of strong and complex passwords on online services, a service posting stronger requirements than what is considered the norm (6-8 characters appears to be the most common requirement) is always welcome.

Prepping the Bait
PhishMe splits the simulations into "scenarios" and "tests." The only difference between the two seems to be that tests are not tracked by the reporting engine, but this is not clearly explained within the interface. A test may allow administrators to craft simulations and walk through each step without having the results affect the overall reports, but again, its purpose is not made clear at the outset.

In order to create a scenario, I picked from 30-or-so available templates. The selection is slightly overwhelming, as the templates cover a whole range of situations, including the generic package delivery notification, a virus outbreak alert, and a security update warning. They are organized into one of three categories: tricking victims into handing over data, containing malicious links, and carrying malicious attachments.

The focus is on the template, giving administrators the ability to launch a mix of tests. Considering that many organizations are targeted with scams pretending to be from social-networking sites, I was surprised this wasn't highlighted in the selection. However, administrators can create templates from scratch using the custom builder.

I also thought it would have been nice to see some attention paid to use-case scenarios, giving administrators feedback on which templates specifically target professional settings. The list of templates was overwhelming, as there weren't any sub-categories focusing on the phishing type. In a way, PhishMe felt a little complicated and better designed for an organization with a large IT department that could put in the time and effort to develop and tweak comprehensive training campaigns than for a smaller one.

I went through the workflow, selecting the type of email template to use and customizing it, choosing and customizing the training material to display, and scheduling when the messages will be sent. After I customized the email, I had the option to send a "test" message to the administrator's account to verify it looked correct.

PhishMe differs from PhishGuru in how the interface is laid out. Wombat took a very compartmentalized approach with PhishGuru, with separate sections for managing recipients, viewing existing simulations, creating new campaigns, and running reports. PhishMe puts all the functions into a single workflow: Email, Site, Education, and Schedule. For example, instead of creating lists of users who would receive the test messages in a separate "user" area of the site, PhishMe prompts administrators to create the list as part of selecting and customizing the message.

Under PhishMe, administrators can upload the recipient list using Excel or comma-delimited (CSV) files. However, it doesn't allow the user to open an existing list and edit it to create a new one. I was a little surprised at how rudimentary user management was. If I upload a file and then later decide I want to use only a subset of the names, I have to re-upload a smaller list. If I edit that existing list, it overwrites the list entirely. It would have been nice to be able to modify lists, and to select existing recipients and group them into other lists.

I selected a template, and found the editing tool allows for extensive customizations, including who it would be from, the subject line, and the actual contents of the message. After customizing the message, I could send myself a test. It took me a few seconds to do so, because I didn't realize I had to hit the + button to add a new field (which also saved the address I'd already entered) before the "send test message" button became active. This particular implementation felt surprisingly clunky in an otherwise snappy interface.
