Engineering Blog – Internal Security Training (Training Emails)

Welcome to the engineering blog, where we share what we’re learning and working on daily.

As part of our employee security education efforts, we conducted a training email exercise.

What is a Training Email?

A training email exercise sends employees simulated emails that mimic targeted attack emails, to strengthen their ability to respond effectively.
Targeted attack emails are a sophisticated technique aimed at stealing sensitive information, often directed at specific organizations or individuals.

In this training, pseudo-attack emails resembling work-related communications were sent to selected employees to evaluate whether they would open the email or its attachments.

What We Did

1. Created Realistic and Persuasive Email Content

We designed email content and subject lines that employees might open without thinking twice. The goal was to create emails that seemed plausible during the training period.

[Figure: Example of training email]

2. Created a Fake Virus File (Word Document)

For this exercise, we embedded a mechanism into a Word file that accessed our company-managed server when opened.

If an employee opened the attachment, the file accessed the server and logged a unique ID hidden in the document.
By checking the output log, we were able to identify which employees had opened the file.

Unfortunately, a few employees did open the attachment during this exercise.

[Figure: How training emails work]
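The log check described in step 2, sketched as an added example (not the code used in our exercise): it reads the tracking server's access log, matches each unique ID against the recipient roster, and keeps IDs that match no recipient separate so they are never attributed to a person. The Combined Log Format, the `/t` path, the `id` parameter, the roster and the log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed roster: unique ID embedded in each recipient's document -> recipient.
ROSTER = {
    "a1f3c9": "employee-01@example.com",
    "7be204": "employee-02@example.com",
    "c55d10": "employee-03@example.com",
}

# Constructed access-log lines (Combined Log Format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:09:14:02 +0900] "GET /t?id=a1f3c9 HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; ms-office)"
192.0.2.10 - - [12/Mar/2024:09:14:40 +0900] "GET /t?id=a1f3c9 HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; ms-office)"
198.51.100.7 - - [12/Mar/2024:09:20:11 +0900] "GET /t?id=ffffff HTTP/1.1" 200 43 "-" "curl/8.4.0"
203.0.113.5 - - [12/Mar/2024:10:02:55 +0900] "GET /t?id=c55d10 HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; ms-office)"
203.0.113.9 - - [12/Mar/2024:10:05:00 +0900] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
this line is not a log entry
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def tally_opens(log_text, roster, path="/t", param="id"):
    """Return (opened, unknown): first-open record per rostered ID, and unmatched IDs."""
    opened, unknown = {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, when, _method, target, _status = m.groups()
        url = urlsplit(target)
        ids = parse_qs(url.query).get(param, [])
        if url.path != path or len(ids) != 1:
            continue  # not a request from a training document
        uid = ids[0]
        if uid not in roster:
            unknown.add(uid)  # matches no recipient: report it, attribute it to nobody
        elif uid not in opened:
            opened[uid] = {"who": roster[uid], "first_seen": when, "ip": ip, "hits": 1}
        else:
            opened[uid]["hits"] += 1  # repeat opens count once per person
    return opened, unknown

def not_opened(roster, opened):
    return sorted(who for uid, who in roster.items() if uid not in opened)

if __name__ == "__main__":
    opened, unknown = tally_opens(SAMPLE_LOG, ROSTER)
    print(opened, sorted(unknown), not_opened(ROSTER, opened), sep="\n")
```

A request can also come from automated mail scanning rather than the recipient, so treat a logged ID as a prompt for follow-up training, not proof of who opened the file.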

3. Conducted Internal Re-education

We followed up with additional internal training to reinforce measures against targeted emails and raise awareness further.

[Figure: Refresher materials]

Summary

This exercise helped raise employees’ security awareness.
We plan to continue these efforts in the future to further improve security measures.

Thank you for reading, and stay tuned for the next edition of the engineering blog!