Phish Friday

Posted by Michael Barrett, Senior Consultant


Here in the Upper Midwest, having a fish fry on Friday is a long-standing tradition. Pretty much any place that serves food will offer one on a Friday. One of our customers wanted to tie this into their security awareness program, using a play on words that changes Fish Fry into Phish Fry.

Before the exercise, the company sent out a notice that the following Friday everyone would be getting a simulated phishing email. Users were encouraged to use the regular reporting methods and asked to share how they spotted the phish. Users were given a week to submit their reports. Each user who reported properly received a point for their department.

After the week was up, the points were tabulated and divided by the number of people in the department to come up with the percentage of reporters. The top three departments won a prize. For the first-place winners, a cake was brought in and a trophy was presented.

The program was a big success, and the awareness group received many reports and positive feedback from management. The organization has decided to make this an annual exercise, and the trophy will travel each year to the winning department.

Making security awareness fun can go a long way in gaining acceptance for the program. Too often security is perceived as the bad guy trying to catch people doing the wrong thing. This approach turns the tables on the process and can help promote goodwill and understanding in an organization. Most people want to do the right thing but often don’t know how to go about it.
