Phishing simulations, used by many companies as a key cyber training tactic, imitate real phishing, which uses deception to gather sensitive and personal information. Cyber criminals and fraudsters use very sophisticated phishing and social engineering methods to trick us into clicking links, opening infected attachments, and providing credentials. We know the cyber criminal takes advantage of current events, emotional triggers, and popular branding and logos to lure us into becoming a victim. They capitalize on stressful experiences and encounters involving highly personal issues. Simulations that include financial topics such as refund checks, or health scares such as COVID, are sure to attract and trick most of us.
Let’s look at what ethical phishing is and what it is not.
Ethical phishing means considering your corporate culture and creating a positive, transparent, well-communicated program. Your phishing simulations may include current events but focus on “calendar events” rather than emotionally triggered or personal topics. The phish should be accompanied by some sort of training or awareness, providing a “just in time” (JIT) learning moment for the employee. The JIT tactic may include the indicators the victim should have noticed before clicking the link, opening the attachment, or providing the requested credentials.
Ethical phishing is not creating and executing simulations sure to trigger anxiety and distress among all levels and roles of your employee base. It’s not purposely generating (without specific goals) a high undesired action rate, whether clicking on a link, opening an attachment, or providing credentials, by using personal, sensitive topics. These tactics, without the proper context, are sure to put your program at risk. It will be tough to recover, regain, or create an environment of trust.
We’ve heard of companies that send internal phishing simulations promising bonuses, promotions, or creating health care scares. These simulations cause panic and backlash among the employee base, with wide exposure and publication on cyber security sites across the globe. This repercussion comes with program criticism, damaging the reputation of the phishing program.
There’s always the argument that “the adversaries don’t care about frightening emails, so neither should we”. But as professionals in the field, what do we need to consider to ensure a positive experience throughout each campaign, and subsequently develop a model of employee trust and supportive engagement?
What simulations, triggers and best practices can we use to better understand our phishing risk profile without creating an anxious and possibly alienated workforce?
First and foremost, transparency is key. Ensure your workforce is aware of the phishing program, the drivers, and goals behind the effort. Reinforce the concept that the program is geared to provide cyber security awareness, arming employees with the tools to better protect not only company resources, but personal information as well. Provide program updates and publish sanitized metrics.
Secondly, utilize phishing simulations that steer clear of topics that may create emotional reactions. As we know, the adversaries don’t care, but it’s imperative we create a positive learning environment, gain the support of the employee base, and possibly recruit advocates. It’s been my experience that you can phish your employee base, reaching your program goals, without antagonizing the workforce and subsequently creating an environment of mistrust and skepticism.
You can learn more about the SANS Security Awareness Phishing Training Platform here.