FAQ: Phishing Simulation & Training Program


General Questions

Phishing is one of the most common ways a cyber-attack may begin, and your ability to stop a phishing email attack may solely depend on your employees and their ability to identify the threat. It is a popular attack method because threat actors can automate the attacks and use various techniques to slip by email security tools and trick users into either clicking a malicious link, opening a file with malware, or sharing sensitive information.

To defend your agency from phishing attacks, and from other types of social engineering attacks that are designed to trick and deceive your staff, training can be the most effective method of defense. Going a step further and actually testing that training with simulated phishing emails is the best way to know whether your training is working and to identify your weakest links.

Additionally, email security tools and other security practices can help reduce the risk of a phishing attack and keep most phishing emails out of users' hands, but they are never able to stop 100% of emails from getting through.

For help beyond training and phishing simulations, RLS Consulting has other resources and services available through Big I Illinois that can help your agency improve your security and data security compliance practices.

When it comes to security awareness training, aside from experiencing a cyber-attack, the only way to know if it is working or where more attention is needed is to simulate scenarios that may play out in a real attack.

When you better understand risks that are specific to your business, you can begin to make better decisions about where to focus your energy in mitigating your risks.

This phishing program works like most other phishing email simulation programs. The main difference is that it’s managed for you across all participating members of Big I Illinois.

After you enroll and complete the easy setup process, your users will receive one phishing email per month as part of our simulation. Emails are randomly selected from a pool of templates we use and are sent over a period of days to avoid situations where users alert others.

The emails will resemble common tactics used in today’s phishing strategies to help put their training and awareness to the test.

If someone clicks a link or enters their credentials as part of the simulation, they will receive notification that they failed. To provide in-the-moment education, they will be pointed to tips and other information around what to watch for in order to avoid interacting with a real phishing attack.

Each month, a report will be provided showing the status of that month’s campaign and how your staff performed.

The program is managed at the Big I Illinois level in partnership with RLS Consulting and is delivered through a phishing simulation platform called “Phishr”. Because the Big I Illinois is managing this, there is very little for each agency to do to maintain the program after the initial setup.

Through the Big I Illinois program, you will be able to set your staff up to receive monthly phishing email simulations. Members also will receive a monthly status report to see how staff performed.

The Big I Illinois has also requested monthly training content be included. This will come through the same platform and deliver a training video by email for your staff to watch. These trainings will cover topics related to campaigns and other general security awareness tips and educational content.

If you already conduct phishing simulations, you may not need a second method to test your users unless you want to create diversity in your process to really keep users on their toes. For some, this may be a more affordable option and will include insurance industry-specific content as our program grows.

When you join through the Big I Illinois program, it is centrally managed by both Big I Illinois and RLS Consulting and cannot be modified. However, you can set up your own subscription directly through RLS with a discount as a Big I Illinois member and customize your program.

Contact Shannon at Big I Illinois, or Ryan Smith of RLS Consulting for more information.

These types of phishing simulation programs can help your users improve their ability to identify and avoid phishing attacks, but they cannot guarantee that you will stay protected from attacks. Threat actors often use complex techniques and may leverage multiple attack vectors to find their way into an environment; phishing may be only one such tactic.

For help with overall cybersecurity or data security compliance, RLS Consulting has other programs and resources available to support Big I Illinois members.

When you enroll in the program, you will need to accept the terms and conditions for this program. This gives permission for us to use our platform to send simulated phishing emails to your staff that you identify upon setup.

No harm will come to anyone who interacts with these simulations. They are educational only and will not result in access to anyone’s computer or email system.

For the program to function, we do require your permission and a simple setup process to allow our emails to reach the users you add to the program.

We cannot take responsibility for any real phishing emails you receive or other types of attacks you could experience. If you are a Big I Illinois member that wants help tightening security practices in other areas of your business, RLS Consulting can help members with discounts on other services that may help.

In the rare event that Phishr or RLS Consulting were to suffer a breach and the threat actor discovered a way to access the phishing platform, the attacker could theoretically send a phishing campaign to the people in that platform. However, if any actual malicious links were embedded in one of these emails, the expectation is that your other email security tools would identify and remove the threat.

For help ensuring you have the proper email security practices in place to help in this type of a situation, RLS Consulting has other resources and services available through Big I Illinois that can help your agency improve your security and data security compliance practices.

Overall, no, we will have very limited access to only data around your users based on what is needed to send them our emails. We will not have access to your email system beyond the ability to create emails depending on the setup process you choose:

Upon setup, the provider, RLS Consulting, and the phishing platform, Phishr, will need to be provided with general user information (names, emails, departments, and company name). This can be done either through a CSV file upload or with an integration with Microsoft.

When you use the integration method, it gives us limited access to see your user list so you don’t have to manually load a spreadsheet.

Similarly, with email deliverability, the emails need to be “whitelisted” so that our email server that sends the messages is not blocked. This process allows the emails to make it to the end user to be able to test their awareness.

When you set up email delivery, this can again be done through an integration with Microsoft, where we use their ability to ‘inject’ the email directly into the inbox. This is the easier method, but it does require permission for Phishr to write emails; we cannot see any email messages or other data.

Alternatively, if you do not have Microsoft or are not comfortable with this permission, there are other ways you will be able to manually whitelist the email server to ensure messages make it to the intended users.

RLS Consulting is a cyber-focused consulting firm that specializes in education and resources designed for the insurance industry to both address their own risks and compliance, as well as work with agencies to help them sell cyber liability and reduce the risks of insureds.

RLS is founded by Ryan Smith who has been supporting the insurance industry in various ways over the past 15 years. Originally starting with insurance technology, Ryan helped found a successful cybersecurity firm devoted to helping the insurance industry in late 2017. After being acquired, Ryan eventually left to start RLS Consulting and help independent insurance agencies with many of the challenges that come with cybersecurity, data security compliance, and selling cyber liability.

You can learn more about RLS and their programs at rlsconsulting.co.

Phishr is a new phishing simulation and training platform based out of the UK. With their ability to integrate with Microsoft environments and user-friendly platform, they make it easy and affordable to create and manage phishing campaigns.

Setup Questions

The setup can be completed rather quickly.

Once you sign up with the Big I Illinois, you will be given instructions on how to start the enrollment process. This will include a link and a unique code to use for your enrollment.

Prior to starting the process, consider who you would like to list as your IT Manager or IT Admin as well as a contact that should receive reports.

Note: The IT Manager will need to have administrative access to your email system to complete the setup process.

After collecting some initial information about your business and identifying any other contacts related to your account, you or the person identified as the IT Manager will receive an email with the next phase of the setup.

The IT Manager will have two easy steps to complete: adding users and ensuring email deliverability. Specific instructions are provided as they continue through the process.

When adding users, there are two methods you can use:

  • Preferred method: Microsoft users can allow a sync of your user list with Phishr, which can be modified to add/exclude specific users after the initial import.

  • Alternate and manual method: For non-Microsoft email systems, or those that do not want to allow Phishr to sync users, a CSV file upload can be created using our template.

When setting up emails to ensure they reach end users, there are also two methods:

  • Preferred method: Microsoft users can provide permission for Phishr to directly ‘inject’ the message into the users’ inboxes. This basically writes the email into your system to avoid challenges with other email security tools.

  • Alternate and manual method: For non-Microsoft email systems or those that do not want to allow Phishr to write emails into inboxes, we will provide steps to ‘whitelist’ emails coming from our email server by identifying our IP address as safe. When additional email security tools are in place, they may also need to have our email server whitelisted.

After everything is set up, the IT Manager will have the ability to send a test email to make sure it gets into the appropriate inbox.

Once you are confident that emails are getting to the right place and the correct users are listed, you are ready to go and will be automatically included in the next monthly campaign!

Your agency will only need to provide limited information to us.

During setup, we will ask for the name of your business and for you to identify any additional IT or Reporting contacts.

Regarding your users, we will request access to high-level information: names, email addresses, departments, and the company name.

Depending on the permissions and options selected during setup, we may ask for limited access to Microsoft accounts to give us visibility into the user list and to allow us to create emails directly into inboxes to make it easier to ensure users get access to the email campaigns for phishing simulations and training.

If you do not want to allow this permission, there are manual options for how you can add your users and ensure emails are able to be delivered through traditional means.

We do recommend the Microsoft integrations when possible because it is easier to manage.

Possibly. Someone with administrative access to your email system and any related email security tools will need to help with setup.

No. Any email system can be used in this program. Microsoft offers some special integrations that can make things easier, but the manual process you would use for other systems is still simple to set up.

You may need to ‘whitelist’ our email server in your email security tool. The integration we have with Microsoft allows us to bypass other security tools and write emails directly into inboxes, so we prefer this method to make the setup easier.

No problem! You can provide your user list in a CSV file and you will get a template to use during the setup process.

Yes, as you go through the setup process, you can add or remove email addresses to make sure the appropriate people receive the training and phishing simulations.

This is a term for our integration with Microsoft that allows us to directly write an email into a user’s inbox instead of sending it through traditional means.

If you are not comfortable with this, there is a manual process where you can ‘whitelist’ our email server as a safe and trusted IP address that will allow the email to get to users. This process may involve several steps if you have multiple tools for email security.

In our case, “whitelisting” is the process of identifying an email server’s IP address and listing it as a known, safe, and trusted resource that tells your security tools to allow our messages to be delivered.

When phishing simulations are conducted, the emails we use are very similar to real threats that your email security is designed to stop. While it’s not possible for email security tools to block everything, they are great at blocking obvious things like known malicious links, suspicious files, or even language commonly seen in phishing attacks.

We will not be sending anything malicious, but some tools may block our emails or raise extra caution to users, which can harm the ability to truly test their awareness.

Whitelisting allows us to test your users and allow emails to get through to their inbox.

User Experience/Communication

When you sign up, the only people notified will be the individuals identified as your IT Manager and the reporting contact.

We recommend NOT telling staff about the simulations right away. This gives you a baseline to see how they are performing.

However, when you do not tell them, you may notice some users reporting suspicious emails. This is a great response to see but any IT support roles may need to be aware of what is going on to avoid any false alarms.

Our recommendation would be to keep it quiet for at least the first campaign.

Once you get your report each month, it would be a great practice to review it with your staff and address questions as an opportunity to provide security awareness training reminders.

“Clickers” are tracked and identified in reports so you can create learning opportunities and address areas of risk. We can also tell if a user clicks a link and has entered information into one of our landing pages (some emails do not include landing pages).

In the moment, when the user completes an action like clicking a link or entering information into a landing page, they will be taken to a screen that explains what happened and what to look for in future phishing emails.

This is intended to provide in-the-moment education at the point of the click when the user is most likely to remember what happened and how to avoid it in the future.

Aside from the phishing simulations and training (delivered by emails through the phishing system), Phishr will have no contact with you or your staff.

RLS is a partner of Big I Illinois and is helping to manage and support this process. RLS may reach out for feedback, to address questions or issues if they arise, or to ensure everything is working as intended, and you might work with RLS if you run into questions or need support.

For the most part, you will continue to work directly with Big I Illinois for continued support or questions about your enrollment in the program.

Just like the initial setup process, you will have options to re-sync your users or update your user list through a CSV file upload. The IT Manager will have the ability to see current users and modify them as necessary.

Need Help?

If you need help with this program or getting set up, please direct questions to Shannon Churchill at Big I Illinois.

If you need help with cybersecurity or data security compliance beyond this program, reach out directly to Ryan Smith of RLS Consulting, and let them know you are a Big I Illinois member to receive special discounts on any additional services.

Big I Illinois Member Pricing

1-10 Employees: $150/year

11-20 Employees: $300/year

21+ Employees: Contact Shannon for pricing.

* Program offered to members only.

Top Reasons to Sign Up:

  • Centrally managed - just set it up and it's ready!

  • Integrates with Microsoft email

  • Insurance-specific phishing emails

  • Hands-on experience and in-the-moment training

  • Test the effectiveness of training

Needed for Setup:

  • Identify the agency IT manager/admin, as this is who will set it up in the agency's email system

  • List of people to receive reports