Phishing simulation for tests and training in cyber security

These are the guidelines you must meet

1. Before the start of a cyber security or phishing training, the organisation (or the customer) sends an email to legal@dnsbelgium.be with the following information: 
   1. the main characteristics and the duration of the scheduled training.
   2. the .be-domain names you want to register for this training.
2. Correct contact details of the person registering the domain names (the registrant ). Falsified or non-existent contact details are not allowed. The registrant chooses whether the .be domain names are registered in the name of the cyber security organisation or the end client for whom the training is organised.
3. The organisation that is responsible for the cyber security training (or its customer) draws up a document (template in NL, FR and EN) with information on the campaign that DNS Belgium can share with third parties, for example when we receive questions about this.  
4. The organisation that is responsible for the cyber security training (or its customer) must at least share one email address as contact. DNS Belgium can then refer people with specific complaints about the registered domain names to this contact in order to follow up a complaint or for additional information.
5. Prior to the registration of a domain name, the organisation that is responsible for the cyber security training checks the possible use of logos, brand names and other online assets of third parties. For example, referrals to Office 365. The cyber security organisation takes the necessary initiatives to prevent infringements of the intellectual property rights of those third parties. 
    

It's important for all stakeholders to apply these guidelines. Under no circumstances does DNS Belgium accept liability for possible infringements of the intellectual rights of third parties, linked to the use of .be domain names that were pre-registered with DNS Belgium for a specific cyber security training. This remains the sole responsibility of the registrant of these domain names.

Nor will DNS Belgium accept liability for the negative consequences of and possible damage caused by actions that need to be taken regarding the pre-registered domain names, when it appears that the above guidelines were not followed correctly.

Correct observance of the above guidelines also remains the sole responsibility of the registrant of these domain names. If the above guidelines are observed correctly, DNS Belgium undertakes to act as 'trusted notifier' for the bodies that monitor abuse in the .be zone. To the best of its ability, DNS Belgium will let it be known that the .be domain names in question are not being used for illegal practices.

Good practices not te be categorised as phishing

• Whitelisting in phishing tests and simulations.
• Whitlisting simulated phishing in Google.

Why did we develop these phishing guidelines?

DNS Belgium often receives messages from corporations that organise cyber security training sessions for their customers to create awareness about cyber security and phishing in particular. To do so, they often register .be domain names that are very similar to an existing domain name. For example, a variant of an existing commercial website or of a well-known Belgian government domain name.

Chances are that for training and testing purposes in cyber security, these registrations must first pass our verification procedure. Our security regularly flags up these registrations and the specific domain name will not be activated in the .be zone. In other words, the scheduled training or cyber security campaign cannot take place. We also want to avoid the unnecessary labelling of these domain names as 'fraudulent' because it would have an incorrect negative impact on the reputation and security score of the .be zone. This is why we devised a method to help cyber security professionals.

Document version and applicability

This memo (version 1.0) comprises DNS Belgium's current policy regarding specific cyber security training, tests and actions that call for the registration of .be domain names and are reported to us in advance.

DNS Belgium reserves the right to unilaterally amend this memo and associated policies according to the evolution of economic, technical or legal circumstances. DNS Belgium will announce any amendments on its website at least one month before they take effect. We will inform organisations that registered campaigns in the past about the planned changes by email and to the best of our ability. We point out that few guidelines exist relating to this matter and that it's possible that in the future certain bodies may develop “good practices” for this. Where possible, DNS Belgium will align its policies with these 'good practices'.