What To Do if You Suspect a Reported Phishing Email is a Test

Periodically KnowBe4 or Curricula will send out phishing email tests to our clients who are paying for the services to help test the knowledge of users and to help demonstrate what a phishing email looks like.  If a client sends an email to you that they suspect to be phishing, but looks like it may be a phishing test, this article will explain how to handle it.  IF YOU ARE UNSURE AT ANY POINT IN THIS PROCESS, ESCALATE THE TICKET TO INFORMATION SECURITY!  Better to be safe than sorry.

 

Some Signs that an Email May be a Phishing Test

1. It Comes From the Sender's Domain: Almost all of our clients have SPF and DKIM implemented, which should prevent emails from being sent by users not in the client's approved domain sender list.  If you see something like manager@theclientcompany.com and it's not from a real email address for the client that is likely to be a phishing test.
2. Links Have Obvious Names: Phishing test links usually have a path that contains a domain that should look obviously suspicious such at 451.farenheit.com or not.secure.net.
3. It's a Bit Too Perfect: A lot of phishing or scam emails tend to have grammar or spelling mistakes, but a lot of the phishing test emails won't.

How to Check If an Email is a Phishing Test

1. Navigate to Perception Point for the client account via the Acronis backup system: https://backups.audian.com/ .  If you are unsure how to do this or you don't have access, please ask a manager for help.
2. Locate the email in Perception point (easiest way is to search by sender).  If you can't locate the email, it was likely sent via Curricula which sends emails directly through Microsoft 365, so it bypasses Perception Point (see info below on Curricula).
3. Once you have located the email, click the blue "Open Scan" email to the right of the item to open the full set of information for the email.
4. Once you have the full details opened, look at the "Verdict" section, if this is a phishing test email, it will show that it was sent by KnowBe4 and is a "simulation".  If you see anything else, escalate to Information Security to investigate futher.

 

Check If The Email is From Curricula

As mentioned in step 2 above, Curricula bypasses Perception Point, so if you see a suspected phishing test email that isn't in Perception Point, then it's likely from Curricula.  To check, first see if the user is from one of the following clients that use Curricula: 

AGM Real Estate
Audian Internal
Black Lion Heating & Air Conditioning
Brink Property Management
Comtech
Coreland Companies
Gamut 360Omni Group
Precision Plumbing & Heating
Raymark Plumbing and Sewer
SEER - Aladdin
SEER - Alexander Heating
SEER - All Fuel Installation & Services

SEER - Climate Control 

SEER - Brower Mechanical 

SEER - Gropp Heating & Air
SEER - J A Bertsch Heating & Cooling
SEER - Mike's Mechanical
SEER - Terry's Heating & Air Conditioning
SEER - Western Heating & Air Conditioning
Shoc Networks
Snohomish Station District 4
Van Siclen, Stocks & Firkins

Additionally, emails sent from Curricula will send from the following domains: 

alerts.mycurricula.com
amazonsecurity.org
breach-notice.com
businessnotice.org
databoxonline.com
electronic-hr.com
emailtransaction.com
employee-services.org
feedback-collect.com
filesharingnow.com
fraud-assistance.com
governmentnotice.org
invite-meeting.com
mailbox-quota.com
mycurricula.com
news-article.com
notificationservices.org
passwordsnotification.com
payment-process.com
phish.mycurricula.com
securelinkedin.com
security-updater.com
securitynotifications.org

If the user is from a client that uses Curricula and you can confirm the sender domain appears to match up, then you can safely email the user informing them it is a phishing email.

Once You Have Confirmed the Email is a Phishing Test Email

Send the user an email back explaining this is a phishing email.  Send the correct response on the basis of which testing service they are using.

For KnowBe4 Users: 

Hi <user>, 

This was an email to test your phishing awareness from KnowBe4, I'm glad this was recognized and brought to our attention as it shows excellent security posture on your part.  Please remain vigilant of potential phishing attempts and report anything you find suspicious either by clicking the "Phish Alert Report" button on the top right of Outlook (guide here: https://hudu.audian.com/shared_article/QkvKk8q3qfXqJJTkeiKRjjND) or by emailing us as you just did at help@audian.com so we can verify that the email is either a phishing attempt or a phishing test.  If you have any questions please feel free to email us at help@audian.com or call us at 844-611-6110, option 3 for IT.  Thank you and have a nice day!

For Curricula Users: 

Hi <user>, 

This was an email to test your phishing awareness from Curricula, I'm glad this was recognized and brought to our attention as it shows excellent security posture on your part.  Please remain vigilant of potential phishing attempts and report anything you find suspicious by emailing us as you just did at help@audian.com so we can verify that the email is either a phishing attempt or a phishing test.  If you have any questions please feel free to email us at help@audian.com or call us at 844-611-6110, option 3 for IT.  Thank you and have a nice day!

Once you have emailed the user, close the ticket under the work category "IT Security Threat > Phishing Email" and the resolution category "Informational > Training".