How To Set Up Your Free Phish Test

by | Jul 30, 2019 | Guides

Jura Security’s Free Phishing Test helps you to test your employees’ security effectiveness by sending them simulated phishing emails. Phishing attacks delivered by email work by tricking users into believing an email is genuine. They convince users to click a link, which usually begins a malware download, or takes them to an unsafe webpage which could install malware or ask for account credentials or billing information.

To help you measure your team’s likelihood to fall for this type of attack, Jura Security offers a free Phish Test tool. This tool allows you to email out simulated phishing emails to employees, and then monitor how employees respond to the mock phishing email. If they click on a link within the simulated phishing attack, they fail the test. If they report it as phishing, they pass.

This free trial is delivered by setting up a trial account on IRONSCALES, a phishing simulator and phishing defence platform. IRONSCALES allows you to set up multiple email campaigns to your users, with reports to measure how well teams and individuals have been able to identify and report simulated phishing emails. If end users click the link in emails, they are told they have failed and asked to engage in security awareness training, which is included in the free trial. If they report a simulated email as a phishing attack, they are given a message of encouragement for passing the test.

This article will guide you through the process of setting up a simulated phishing test. Follow the steps below to get started.

Getting Deployed

The first step to setting up your free phishing test is to visit our Free Phishing Test page and fill in the accompanying form. Filling out this form generates an account with IRONSCALES, which provides the free phishing tool functionality. Once the form has been filled out, you will be emailed a link to the IRONSCALES admin dashboard, along with your account details and secure password.

To log in with the admin account details, visit members.ironscales.com.

Following this link will take you to the main admin panel page. As shown above, once inside the admin console there is a range of options available to you. The circled area shows the six products offered by IRONSCALES.

Pressing the information icon on the IRONSCHOOL product will take you to an internal setup document, which may be a useful reference alongside this article.

Setting Up Your Admin Account

Before you go further you must configure your admin account. To manage your account, visit the settings area, which you can access from the ‘Settings’ button in the top right of the admin console.

In the Settings area you will find general management settings.

Within the User Profile tab, you can set up admin privileges. You can also change your account password here, replacing the one emailed to you by Jura Security.

The General section tells you your primary Company Domain, allows you to define your time zone and working business days, and allows you to implement any security measures such as two-factor authentication.

The Users & Roles section shows the end users and the administrators of the system. From this page, you can control what level of access and control each user/administrator has for each of the different IRONSCALES modules.

The Whitelist section takes you through the admin controls for the phishing protection element, and is not needed for the Phishing Simulation tool.

Setting up the ‘Report Phish’ Button in O365

After integrating with Office 365 and whitelisting IRONSCALES, you may wish to enable the ‘Report Phish’ button within your users’ inboxes. This allows users to report any email they suspect is a phishing attack to IT admins. This is useful for phishing simulation, as it allows you to monitor which users are able to accurately spot that an email is a phishing attack, alongside identifying those who were tricked by a mock phishing email.

Installing the ‘Report Phishing’ Button

To install the ‘Report Phishing’ button, navigate to Advanced Threat Protection from the IronTraps Customization page.

If you are using Office 365 or GSuite, from this page you can generate an XML file, which you simply upload into Office 365.

To install the button using Exchange, please follow IRONSCALES’ own documentation.

 

The Awareness Centre

The Awareness Centre within settings is where you set up the contact name and email for the Phishing Simulation. This is the main contact who will receive email reports and notifications concerning the phishing testing.

Integrating Users  

Once you have set up your accounts and defined user roles, the next step is to integrate IRONSCALES with your email system.

Navigate to the Email Server/Services tab in the Integrations section of settings.

Once you are on this page, there are three processes depending on your existing email network. 

Office 365

If you are using O365, simply select the Office 365 button, and allow IRONSCALES to connect to your Office 365 account. IRONSCALES will then automatically upload all of the users within your email network using your domain with Office 365. This will update in real time when you add and remove a user from the system.

G-Suite

If you are using GSuite, select the GSuite integration button, and allow IRONSCALES to integrate with your GSuite account. When you log in using Gmail, you must have admin level user privileges to import your users to IRONSCALES. Once you have logged in and given IRONSCALES access, your users will be automatically imported and updated in real time.

Exchange

IRONSCALES integrates with Exchange using LDAP, which identifies your users and brings them onto the system. Log in with your details on the IRONSCALES page; you will also need to open up your firewall within your Exchange server.

Manually Adding Users 

If you are using Office 365 or GSuite and you do not wish to automatically synchronise all of your users with IRONSCALES, you also have the option to manually add specific users. To do this, navigate to the Protected Mailboxes tab.

From here, navigate to Upload/Sync on the left hand side of the page.

Using the drag and drop upload functionality, you can manually upload your users using a CSV file. This is simply a template with each user’s first name, last name, email address and the groups they are in.
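Before uploading, it is worth checking the list so that simulated phishing emails only go to mailboxes in domains your organization owns. The script below is an added example, not part of the IRONSCALES or Jura Security material: the column headers and the sample rows are assumptions, so use the headers from the template you download.

```python
import csv
import io
import re

# Hypothetical column headers; replace with those in the downloaded template.
COLUMNS = ["first_name", "last_name", "email", "groups"]
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$")


def build_upload_csv(rows, allowed_domains):
    """Return (csv_text, rejected) for a manual user upload."""
    allowed = {d.lower() for d in allowed_domains}
    seen, accepted, rejected = set(), [], []
    for row in rows:
        email = (row.get("email") or "").strip().lower()
        match = EMAIL_RE.match(email)
        if not match:
            rejected.append((email, "malformed address"))
        elif match.group(1) not in allowed:
            # Keeps simulated phishing mail inside the organization.
            rejected.append((email, "domain not owned by the organization"))
        elif email in seen:
            rejected.append((email, "duplicate"))
        else:
            seen.add(email)
            clean = {k: (row.get(k) or "").strip() for k in COLUMNS}
            clean["email"] = email
            accepted.append(clean)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(accepted)
    return out.getvalue(), rejected


# Constructed sample directory export (not real users).
SAMPLE = [
    {"first_name": "Ana", "last_name": "Ruiz", "email": "Ana.Ruiz@example.com", "groups": "Finance"},
    {"first_name": "Ana", "last_name": "Ruiz", "email": "ana.ruiz@example.com ", "groups": "Finance"},
    {"first_name": "Bo", "last_name": "Lind", "email": "bo.lind@gmail.com", "groups": "Sales"},
    {"first_name": "Cy", "last_name": "Okoro", "email": "cy.okoro@example", "groups": "IT"},
]

if __name__ == "__main__":
    text, rejected = build_upload_csv(SAMPLE, ["example.com"])
    print(text)
    for email, reason in rejected:
        print(f"rejected {email!r}: {reason}")
```

Review the rejected list by hand before the upload; a personal or partner address in it usually means the source export needs cleaning.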

Alternatively, you can use the Active Directory connector, which is a piece of software that sits on your AD server. Larger companies can use AD to manage log-ins, which automatically syncs contacts.

From here, you can also manage the auto-sync policies, which show how many accounts are being synced to the system. Contacts are synced automatically twice per day, and from this window you can also manually sync new accounts by pressing ‘SYNC NOW’.

Managing Mailboxes

Navigate into the Management tab on the left hand side of the screen. In this window you see a list of all of the mailboxes currently synced to the system, with a search function. You can also manually add specific individual mailboxes from this window. Next, navigate to the Segments tab on the right hand side of the screen.  

In the Segments page you can add different groups of users, if you are interested in training different departments.

Enabling Whitelisting

After setting up your account and integrating your users, you must enable whitelisting, so that your email provider or email security service does not block the simulated phishing emails from reaching your users’ inboxes.

From the Home page, visit the Support button in the bottom right hand side of the screen. This takes you to the support documents available for each of the different IRONSCALES modules.

On the Getting Started tab, you will see documents about how to whitelist your users.  

Setting Up Your Phishing Simulation Campaign

Once you have imported your users and set up the whitelisting rules, you are now ready to set up your simulated phishing email campaign.

To do this you must go into the Awareness Center and set up a new campaign using the Campaign Wizard.

The Wizard gives you three options to start with. To set up your first simulation campaign, you are required to start with a Benchmark Campaign.  Once you have done your first campaign, you can then go back and do other, more specific campaigns.

Step One: Choose Your Language

The first step is to choose your language. You can set different languages for different campaigns, and you can add new languages from the language.

Step Two: Choose the Recipients

The next step is to choose the recipients for your email test. You can select the default or break down to specific user segments or departments to receive simulated phishing emails. Alternatively, you can select specific users, which some may wish to do for an initial test of the free tool before deploying it more widely.

Step Three: Choose Your Scenario

Next, you will see the different scenarios you can choose from for the simulated phishing emails. There are multiple scenarios that you can choose for your first campaign to test employees. We recommend choosing a scenario that fits well with the industry your organization works within, so that it appears more likely to be genuine to your users.

You also have the ability to edit and customize these scenarios.

To do so visit this section of this guide: How to Customize your Scenario

Step Four: Setting Up Your Landing Page 

The next step is to set up your landing page. If someone clicks the link within the mock phishing email that you selected during the last step, they will be taken to this webpage. This landing page links to the IRONSCALES Security Awareness Training documents, which can help your employees to spot phishing attempts in the future. If someone clicks the link and is taken to this landing page, the administrator will be notified in a report that the user in question has failed the phishing simulation test.

You can use any of the default landing page options, but they are also fully customizable.

Step Five: Setting a Launch Date

The next step is picking a date and time that the phishing simulation will be launched. You must set a start date and an end date, from which simulated phishing tests will be sent multiple times to the users you have selected for phishing simulation. From here you can also control how many emails are sent per day in the simulation period.

Step Six: Campaign Overview

The last step in setting up a phishing simulation is the Campaign Overview screen. This is where you can preview the campaign and see what it looks like. From here you can approve the campaign, which schedules the emails to be sent to your users.

Step Seven: Getting Reports

Once your users have begun to receive and interact with your simulated phishing emails, you will need to gather reporting on how well your users have performed. You can see these from the Reporting Centre.

Customizing Your Campaigns

How To Customize Your Scenarios

From the Scenarios Management page in the Awareness Centre, you can customize your phishing scenarios. By clicking on one of the scenarios you can view the email as it would be sent to your users. You can customize all of this content, and test it by sending it to your own email inbox to see how it will look.

To edit the scenarios, create a copy of the scenario, which saves it, and then allows you to make any changes you need to. This allows you to lure your employees more effectively, by making your simulated phishing emails more relevant to the types of emails your organization commonly receives. 

From within the editor you can also select the subject line of the email, customize the sender address and of course change the language of the email.

Each scenario is also assigned a ‘Level’. IRONSCALES has different levels, which are applied to users to illustrate how aware they are of security issues. The more a user is able to spot a simulated phishing attack, the higher their level will become. When you apply a Level to a scenario, only users who have reached that level will receive that scenario.

MSPs and Resellers are able to create new scenarios that are available to all of their customers.

How to Customize Your Landing page 

To customize the landing page your users are taken to when they click the link in a simulated phishing email, visit the Landing Page Management portal. From here, you can copy the default landing pages that IRONSCALES provides, and fully customize them.

This means you can change or remove branding and any content on that page to be more specific to your organization.

More Help

For any further assistance, please do not hesitate to get in touch with Jura Security at https://www.jurasecurity.com/contact/ 
