I Love PhishFlip!
Even though I work full-time for a security awareness training company, KnowBe4, I rarely discuss it or its products on this forum. I tend to cover phishing more broadly and a whole range of other computer security topics (e.g., password security, quantum, crypto, MFA, securing the Internet in general, etc.). If it interests me, I write about it.
So, this article, on a new KnowBe4 feature, is quite different for me. But because I think it is awesome, I am going to write about it. I am not going to let my attempt not to be an advertising arm of my employer prevent me from sharing a great idea. But beware, this is definitely a product sales-type of article, so stop reading if you are against such things. I promise it will not happen often on this forum. I think this is my first or maybe second in three years.
We just released a new product/feature called PhishFlip™ (https://blog.knowbe4.com/new-phisher-feature-flip-the-script-on-phishing-emails-with-phishflip). It allows an admin to turn any real phishing email into an otherwise innocent simulated phishing email, with safe links, to test and see how their users would have performed if they had been fooled by the real phishing email. I think it is pretty genius!
It works like this. A user reports a suspected phishing email using our Phish Alert Button (PAB) (https://www.knowbe4.com/free-phish-alert). It places a little fish-hook-looking button (see below) in your Gmail or Microsoft Outlook email client.
If a user sees an email that they know or suspect is a phish, they can click on the PAB and it will send the email to a predefined email address (hopefully to IT security) and delete the email from the user’s inbox. That part works the same whether you use our other products or not. It is a good way to give users a quick method to report phishing. It allows IT to stay on top of general phishing metrics and to be able to recognize when a specific phishing campaign is suddenly targeting their organization.
With our suite of products, a reported phishing email can be forwarded to our PhishER™ product (https://www.knowbe4.com/products/phisher), where it can automatically be identified as a confirmed phishing attack or be manually reviewed and confirmed by an admin. Here is an example screenshot (below).
If an admin sees a phish that has been confirmed as something malicious more than once or is simply worried that more of their co-workers could have it in their inboxes, they can tell PhishER to search all email clients and delete it. That is called PhishRIP™.
What’s new now is PhishFlip. It allows any email in the PhishER console to be clicked and converted into a simulated phishing campaign. All the maliciousness is removed. Malicious URL links are replaced with safe links. Then the admin can send out the simulated phish, based on the real phish, and see how many of their co-workers would have clicked on the real thing. It is really great to hear admins say, “If that had been a real phish that everyone got, over 60 people would have clicked it!” It is immediate feedback on who needs to be better trained, based on real phishing attacks. And yes, we allow automation (using what we call SmartGroups) so that people who failed the simulated test get immediate training. It is pretty cool.
Here is an example real-life phish that was converted to what we call “templates” that can then be flipped back out as a simulated phishing campaign.
The key difference between the real phishing email and this simulated version is that the “View Invoice” URL points to an internal URL (example above) that will allow admins to figure out who did and did not get fooled into clicking the link.
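To make the "flip" concrete, here is an added example (my own illustration, not KnowBe4 code) of the two mechanical steps the article describes: rewriting every link in a captured phish to a safe internal landing URL that carries a campaign and recipient identifier, and then tallying the landing-page access log to answer "how many would have clicked". The email body, the landing URL, the log format and all identifiers are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of a captured phish; the link target uses the reserved
# .invalid TLD so it is an obvious placeholder rather than a real indicator.
REAL_PHISH_HTML = (
    "<p>Your invoice #88213 is overdue.</p>"
    '<p><a href="http://billing-portal.invalid/pay?id=88213">View Invoice</a></p>'
    "<p><a href='http://billing-portal.invalid/unsub'>Unsubscribe</a></p>"
)

# Assumed internal landing URL (hypothetical; the page does not describe
# PhishFlip's actual tracking-link format).
SIM_BASE = "https://phish-sim.corp.example/click"

# Quoted href attributes only; a production tool would parse the DOM instead.
HREF_RE = re.compile(r"""href\s*=\s*(["'])(.*?)\1""", re.IGNORECASE)

def flip_links(html, campaign_id, recipient_id):
    """Replace every href in the captured phish with one safe internal link
    that encodes the campaign and the recipient, so a click can be attributed."""
    safe = SIM_BASE + "?" + urlencode({"c": campaign_id, "r": recipient_id})
    return HREF_RE.sub(lambda m: f"href={m.group(1)}{safe}{m.group(1)}", html)

def tally_clicks(log_lines, campaign_id):
    """Scan access-log lines of the form '<ts> GET <path?query> <status>' for
    hits on the landing URL and return the set of recipient ids that clicked."""
    landing = urlsplit(SIM_BASE).path
    clicked = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3 or parts[1] != "GET":
            continue
        url = urlsplit(parts[2])
        q = parse_qs(url.query)
        if url.path == landing and q.get("c") == [campaign_id] and "r" in q:
            clicked.add(q["r"][0])   # a repeat click by one user counts once
    return clicked

# Constructed access-log lines from the simulation landing page.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z GET /click?c=inv-0421&r=u017 200",
    "2024-05-01T09:12:40Z GET /click?c=inv-0421&r=u042 200",
    "2024-05-01T09:13:01Z GET /click?c=inv-0421&r=u017 200",  # repeat click
    "2024-05-01T09:14:11Z GET /click?c=other-99&r=u003 200",  # other campaign
]

if __name__ == "__main__":
    print(flip_links(REAL_PHISH_HTML, "inv-0421", "u017"))
    print("would have clicked:", sorted(tally_clicks(SAMPLE_LOG, "inv-0421")))
```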
I just love this idea that you can be sent a real phish, stop it and then flip it back out as a simulated phishing test. One of the biggest challenges for a security awareness training admin is how to make good simulated phishes that mimic what is sent by criminals in real life. Now you can easily do it. And you can easily show management how many victims the organization would have had if a particular real-life phish had been allowed to circulate in the environment. I cannot think of an easier-to-prove value proposition than that.