Questions to ask before the start of a phishing engagement.
- What is your idea of a phishing engagement, and what do you expect it to involve?
- What are you looking to measure? (e.g. click rate, credential submission rate, user reporting rate, time to detection)
- How many campaigns are you looking for us to conduct?
- What types of engagements are you looking for us to conduct? (credential capture, payload delivery, text-only, hybrid)
- Do you implement security awareness training?
- Will the engagement also test your detection and response (whether the SOC notices, and how quickly users report)?
- Will your email security controls be in scope, or will our mail be allowed past them?
- How many phishing engagements have been performed previously, and when?
- What were your last 3 to 5 pretexts?
- Will you be whitelisting our domain if no categorized domain is available?
- Do you want us to try one uncategorized domain and one that is categorized? (Categorization takes a few days, so this must be requested in advance.)
- Do you want us to try a freshly registered domain and an aged one?
- Will you require sign-off on the pretext before it is sent?
- Is there a contact we can test the pretext with beforehand?
- Will there be more than one pretext and group of targets?
- Can we reply to targets that email us back?
- Can we use the captured credentials for further compromise?
- What do you consider a compromise: obtaining Domain Admin, PII, payment data, etc.?
- Can we test the payload in your environment before the engagement?
- Do you need us to craft payloads at different levels of sophistication? (from commodity to custom/complex)
- Will you provide the list of employees, or do you expect us to find them via OSINT?
- Can any employee be targeted, or are we targeting a specific department/location?
- Are any individuals out of scope? (Not recommended, since a real attacker will not exclude them.)