Client: Mastercard

Date: April 22, 2025

Role:

Design a phishing email to send to employees. Analyze the results of that email and create a security awareness training program addressing the phishing results.

Project Overview:

This project aimed to design and deploy a simulated phishing email as part of a company-wide cybersecurity awareness initiative. The goal was to evaluate employee vulnerability to phishing tactics and enhance long-term resilience against real threats.

Objectives:

  • Examine an obvious fake email and revise it to make it more believable
  • Examine the results of the phishing attack by department
  • Create a short presentation to help teams improve security awareness

Methodology:

A credential-harvesting phishing email was designed to mimic communication from the Internal IT Department, playing on themes of urgency and system security. Key psychological triggers included technical authority, compliance pressure, and familiar branding.

Key Findings:

  • High click-through rate indicated effective mimicry of legitimate internal email styles.
  • The HR Department responded to the phishing email at a higher rate than any other department.
  • Reporting rates were lower than expected, highlighting the need for improved training and tooling.
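The findings above come from comparing click, credential-submission and report rates across departments. The script below is an added example, not part of the original project write-up, showing how such a per-department breakdown can be computed from a simulation platform's result export. The CSV layout, department names, recipient addresses and counts are all constructed for illustration, and the flagging thresholds are assumptions, not figures from the campaign.

```python
"""Per-department analysis of a phishing-simulation result export.

Added example (not from the original write-up). The CSV columns and every
value in SAMPLE_CSV are constructed; the thresholds are assumptions.
"""
import csv
import io
from collections import defaultdict

FLAGS = ("delivered", "opened", "clicked", "submitted", "reported")

# Constructed sample export: one line per recipient, 1 = event happened.
SAMPLE_CSV = """\
department,email,delivered,opened,clicked,submitted,reported
HR,hr1@example.com,1,1,1,1,0
HR,hr2@example.com,1,1,1,0,0
HR,hr3@example.com,1,1,1,1,0
HR,hr4@example.com,1,1,0,0,1
Finance,fin1@example.com,1,1,1,0,0
Finance,fin2@example.com,1,0,0,0,0
Finance,fin3@example.com,1,1,0,0,1
Finance,fin4@example.com,1,1,0,0,1
IT,it1@example.com,1,1,0,0,1
IT,it2@example.com,1,1,0,0,1
IT,it3@example.com,1,0,0,0,0
IT,it4@example.com,1,1,1,0,1
"""


def parse_results(csv_text):
    """Parse the export into per-recipient dicts with integer event flags."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        row = {"department": raw["department"].strip(),
               "email": raw["email"].strip()}
        for flag in FLAGS:
            row[flag] = int(raw[flag])
        rows.append(row)
    return rows


def summarize_by_department(rows):
    """Aggregate event counts per department and derive rates over delivered mail."""
    counts = defaultdict(lambda: {flag: 0 for flag in FLAGS})
    for row in rows:
        for flag in FLAGS:
            counts[row["department"]][flag] += row[flag]
    summary = {}
    for dept, c in counts.items():
        delivered = c["delivered"]
        if delivered == 0:
            continue  # no delivered mail: rates would be undefined
        summary[dept] = {
            "delivered": delivered,
            "click_rate": c["clicked"] / delivered,
            "submit_rate": c["submitted"] / delivered,
            "report_rate": c["reported"] / delivered,
        }
    return summary


def rank_departments(summary):
    """Most exposed first: highest click rate, then lowest report rate, then name."""
    return sorted(summary,
                  key=lambda d: (-summary[d]["click_rate"],
                                 summary[d]["report_rate"], d))


def flag_departments(summary, click_threshold=0.5, report_threshold=0.5):
    """Departments to prioritise for training: too many clicks or too few reports.

    The 50% thresholds are assumed defaults, not values from the campaign.
    """
    return [d for d in rank_departments(summary)
            if summary[d]["click_rate"] >= click_threshold
            or summary[d]["report_rate"] < report_threshold]


def report(csv_text):
    """Render a one-line-per-department table plus the training priority list."""
    summary = summarize_by_department(parse_results(csv_text))
    lines = []
    for dept in rank_departments(summary):
        s = summary[dept]
        lines.append(f"{dept:<10} n={s['delivered']:>3}  "
                     f"click={s['click_rate']:.0%}  "
                     f"submit={s['submit_rate']:.0%}  "
                     f"report={s['report_rate']:.0%}")
    flagged = flag_departments(summary)
    lines.append("Prioritise training for: " + (", ".join(flagged) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```

Rates are computed against delivered messages rather than messages sent, so bounced or filtered mail does not dilute the result, and a recipient who clicked but then reported still counts toward both rates, which is the behaviour a "Report Phishing" button is meant to encourage.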

Recommendations:

  • Launch quarterly phishing simulations
  • Add a “Report Phishing” button to the email client
  • Emphasize phishing awareness and critical thinking in training sessions
  • Tailor future simulations to other departments (e.g., Finance, IT)

Conclusion:

The campaign successfully revealed behavioral patterns in employee responses to phishing. Future exercises will expand the scope and integrate real-time feedback and micro-training modules.