This article describes what simulation campaigns are in SMARTFENSE, what types they include, and when to use each one. The goal is to help you choose the right format according to the attack vector you want to evaluate and the target audience.
What are simulation campaigns?
Simulation campaigns measure the real behavior of users against a controlled attack. Unlike awareness campaigns, which focus on transmitting knowledge, simulations reproduce attack scenarios to observe how users react and, optionally, trigger a Teachable Moment that raises awareness at the exact instant a risky action is performed.
The maximum duration of a simulation campaign is 4 days, which allows obtaining results similar to those of real campaigns carried out by cybercriminals.
Available types
SMARTFENSE includes five types of simulation campaigns. Each one reproduces a different attack vector, allowing you to cover multiple risk surfaces within the organization.
Phishing
Emails that aim to deceive the user into revealing confidential information. They include links that redirect to a page with a form that attempts to capture that data. They allow you to measure clicks, data entry, and email reports.
Recommended for evaluating behavior against the most common attack vector and reinforcing the recognition of malicious emails.
How to create a Phishing simulation campaign.
Ransomware
Emails that aim to make the user download a file and double-click on it. The file can arrive as an attachment or via a download link, and it can be an HTML file, an HTML file compressed in a ZIP, or an executable that verifies whether it is possible to encrypt files in the user's folder.
Recommended for evaluating the response against suspicious files and validating the effectiveness of endpoint security tools.
How to create a Ransomware simulation campaign.
Smishing
SMS messages that aim to deceive the user into revealing confidential information through mobile messaging. They include links that redirect to a page with a form that attempts to capture that data. This type requires available SMS shots and a valid phone number in the user's profile.
Recommended for evaluating behavior against mobile attacks, increasingly frequent outside the corporate environment.
How to create a Smishing simulation campaign.
QR Phishing
Physical-format exercise that uses a QR scenario within a Phishing or Ransomware campaign. The QR code is printed and placed in a physical location of the organization (poster, elevator, cafeteria) and, when scanned, redirects to the scenario's landing page.
Recommended for evaluating behavior against physical attack vectors and reinforcing awareness in shared spaces.
How to create a QR Phishing simulation campaign.
USB Drop
Campaigns that measure user behavior when they find a USB drive that does not belong to them. They let you know whether users open the files contained on the drive and whether they enable macros in the opened files. It does not require selecting users: data is collected from the actions performed with the device's content.
Recommended for evaluating the response against physical attack vectors based on removable devices.
How to create a USB Drop simulation campaign.
Teachable Moment
Complementary component that is not scheduled independently: it is added to a Phishing, Ransomware, or Smishing simulation campaign from the Derived actions section. It raises user awareness at the exact instant they perform a risky behavior within the simulation, increasing the level of message assimilation and promoting the adoption of safe habits.
Recommended for reinforcing awareness within simulations, teaching the user at the most relevant moment of learning.
What a Teachable Moment is and how it is used.
💡 Best practices
- Apply a Whitelist process in all the organization's security tools before launching Phishing or Ransomware campaigns, to avoid blocked messages and statistics generated by security software (for example, link scanners opening the simulation's links) rather than by users.
- Launch a Test campaign prior to the real campaign to detect false positives, validate the navigability of the landing page, and confirm the delivery of emails or SMS messages.
- Combine simulations with a Teachable Moment to raise user awareness at the exact instant they perform an unsafe action.
- Use the Random sending option to reproduce real behaviors and reduce the "user-to-user warning" effect during the campaign.
- Keep the campaign duration within the 4-day maximum to obtain realistic results comparable to real attacks.
- Combine simulations with awareness campaigns to measure the impact of formative content on the user's real behavior.
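The metrics a Phishing or Smishing simulation reports (clicks, data entry, email reports) and the "software-generated statistics" the best practices warn about can be illustrated with a small event-log summary. The following is an added example, not SMARTFENSE code: the event format, the field names and the scanner heuristic (a known scanner token in the user agent, or a click within ten seconds of delivery) are assumptions for this example, and the events are constructed.

```python
"""Added example (not SMARTFENSE code): compute simulation metrics from an
event log and separate hits that look software-generated.

Event format, field names and the scanner heuristic are assumptions for
this example; the platform's own export format is not documented here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one simulation, four recipients.
# Fields: timestamp (UTC, ISO 8601), recipient, event, user_agent.
SAMPLE_EVENTS = [
    ("2024-05-06T09:00:00", "ana",   "delivered", ""),
    ("2024-05-06T09:00:02", "ana",   "click",     "Mozilla/5.0 (compatible; LinkScanner/1.0)"),
    ("2024-05-06T09:41:10", "ana",   "click",     "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"),
    ("2024-05-06T09:42:30", "ana",   "submit",    "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"),
    ("2024-05-06T09:00:00", "bruno", "delivered", ""),
    ("2024-05-06T09:00:01", "bruno", "click",     "Mozilla/5.0 (compatible; LinkScanner/1.0)"),
    ("2024-05-06T09:00:00", "carla", "delivered", ""),
    ("2024-05-06T10:15:00", "carla", "report",    ""),
    ("2024-05-06T09:00:00", "diego", "delivered", ""),
    ("2024-05-07T08:05:00", "diego", "click",     "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1"),
]

# Heuristics (assumptions for this example): a click whose user agent
# contains a scanner token, or that arrives within SCANNER_WINDOW of
# delivery, is attributed to a security tool rather than to the person.
SCANNER_TOKENS = ("linkscanner", "crawler", "scanner")
SCANNER_WINDOW = timedelta(seconds=10)


def _ts(s):
    return datetime.fromisoformat(s)


def is_software_generated(event_time, delivered_time, user_agent):
    """True when a click looks like it came from a security tool."""
    ua = user_agent.lower()
    if any(tok in ua for tok in SCANNER_TOKENS):
        return True
    return delivered_time is not None and event_time - delivered_time < SCANNER_WINDOW


def summarize(events):
    """Return (per-recipient outcome, campaign-level rates).

    Each recipient counts at most once per metric, mirroring how a
    simulation reports 'users who clicked' rather than raw hits.
    """
    delivered = {}
    outcome = defaultdict(lambda: {"clicked": False, "submitted": False, "reported": False})
    discarded = 0
    for ts, user, kind, ua in sorted(events, key=lambda e: e[0]):
        t = _ts(ts)
        if kind == "delivered":
            delivered[user] = t
            outcome[user]  # touching the key registers the recipient with all flags False
            continue
        if kind in ("click", "submit") and is_software_generated(t, delivered.get(user), ua):
            discarded += 1  # software-generated hit: excluded from user metrics
            continue
        if kind == "click":
            outcome[user]["clicked"] = True
        elif kind == "submit":
            outcome[user]["clicked"] = True  # submitting the form implies the link was opened
            outcome[user]["submitted"] = True
        elif kind == "report":
            outcome[user]["reported"] = True
    n = len(delivered) or 1
    rates = {
        "recipients": len(delivered),
        "click_rate": sum(o["clicked"] for o in outcome.values()) / n,
        "data_entry_rate": sum(o["submitted"] for o in outcome.values()) / n,
        "report_rate": sum(o["reported"] for o in outcome.values()) / n,
        "software_generated_hits": discarded,
    }
    return dict(outcome), rates


if __name__ == "__main__":
    per_user, rates = summarize(SAMPLE_EVENTS)
    for user, o in per_user.items():
        print(user, o)
    print(rates)
```

On the constructed data, the two near-instant scanner clicks are discarded, so the click rate is 0.5 rather than the 0.75 a raw count would show. Whitelisting the simulation in the organization's security tools, as the best practices recommend, removes the need for this kind of after-the-fact filtering.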