PhishGuru Training and Assessment Frequently Asked Questions

What is PhishGuru?
PhishGuru is an online tool used to assess and train your employees with simulated phishing emails. A training message is presented to the user once they fall for a simulated phishing attack.

What is different about PhishGuru Release 2.0?
PhishGuru Release 2.0 identifies whether an employee fell for an attack through a mobile phone, a tablet, or their computer, and specifically what type of device and browser they were using. Also included in PhishGuru 2.0 is the ability for administrators to send fake malicious attachments, phishing links or data entry pages.

How is PhishGuru accessed?
PhishGuru is Software-as-a-Service (SaaS) and is accessed via the web.

Who creates the training campaigns?
Email simulations or campaigns are created by you, the client. You can craft a phishing email using email templates provided within the service or by creating your own attack.

Are there templates for crafting emails?
A number of templates are provided that make creating a phishing attack very easy. The templates are based on real-life attacks that criminals use. If you like, you can also edit the templates or create your own phishing email.

What level of reporting is provided?
PhishGuru provides in-depth reporting by campaign, user and device. PhishGuru can tell you which users are susceptible to various phishing attacks, the effectiveness of each campaign, and show improvements in a user's ability to identify phishing traps over successive campaigns.

How effective is PhishGuru?
Research has shown that the PhishGuru anti-phishing training simulations have been able to reduce the likelihood of a user falling for an attack by 60% in just one campaign.

How do you recommend getting started?
We typically recommend to our clients that they use PhishGuru to create emails that mimic the types of phishing attacks they are seeing in their company.
In practice, criminals will often include details from real companies in their emails, such as logos, phone numbers, or links. This helps to add legitimacy to the email and distract from the malicious link or attachment they have placed in the email. Start out with a very simple campaign that has many flags that the email is phishing. This can include:
How can I get management to support this process?
The best approach for communicating to management is by showing examples of the types of phishing emails you are seeing in your organization. The reality is that one of your employees will fall for it if you don't train and test them.

What approach does PhishGuru take to protect user data?
Wombat takes customer data security seriously, which is why PhishGuru takes a multipronged approach to security. First, all communication with PhishGuru is conducted over HTTPS to prevent eavesdropping. Second, your email addresses are protected using AES 256-bit encryption with a key that is unique to your account. All encryption and decryption takes place in the application, providing higher security than database-based encryption. Lastly, PhishGuru requires a password of at least 8 characters with numbers and symbols, and upper and lowercase letters. This helps to increase the security level of any password used. The client is responsible for their username and password security for PhishGuru to ensure their password is not compromised.