What email addresses are tested?
This is a very popular question here at Hook Security, since companies in the security training industry approach it differently. We have decided to emulate the approach of the threats ("bad guys") and test every email that we can get our hands on.
We test everyone, every month, until the "bad guys" are no longer able to manipulate users via email.
That said, we have a system built to recognize individual users within an enrolled organization. We know that an employee's inbox may be part of multiple distribution groups and have a number of aliases. Do not worry, we have anticipated a number of scenarios and have automated a number of tools to address distribution lists, groups, and shared inboxes.
Note: It is our aim to only bill for the inboxes we test, not the number of email addresses attached to that inbox.
What about distribution lists or groups?
For the most part, Hook Security's testing platform will disregard distribution lists and only record the actions of the individual inboxes (email addresses) that make up the distribution list. Testing a distribution list should not adversely affect your testing results.
From time to time, an individual user may receive multiple testing emails as part of the user group. This can be easily resolved by contacting firstname.lastname@example.org.
What about email aliases?
This is the tricky one. Each email alias, though attached to an individual inbox, will be treated as a distinct email address for recording purposes. In some cases, our system will automatically recognize the inbox email address and aggregate the results under one email address. This is not typical.
If you are aware of unique alias email addresses in your company's directory, please notify your Client Success Manager in order to appropriately mark those email addresses in our system (email@example.com).
What about shared inboxes?
In general, as a security practice, it is not recommended that companies directly share an email address or inbox by sharing credentials. If your company has a shared inbox like this, we will be unable to identify which user engaged with our testing or training. We will, however, report any failures, along with the IP addresses that engage with our testing or training from that inbox.