When Phishing Simulations Backfire
Another week, another organisation putting itself in the firing line for its approach to phishing simulations. West Midlands Trains reportedly sent an email to 2,500 staff offering a financial bonus as a thank you for the huge strain placed on workers during the pandemic. However, when people clicked the link to read a thank you message from the Managing Director, they apparently discovered there was no bonus and the email was part of a phishing simulation. According to reports, WMT have defended their methods by arguing that they reflect the tactics used by cyber criminals.
This isn't the first example of an organisation that has used misguided phishing simulations, particularly in the context of COVID-19, when fear, uncertainty and doubt are already heightened for many people. GoDaddy apologised for a phishing simulation in 2020 that also offered employees a bonus, a Dublin law firm apologised to staff after a phishing simulation claimed recipients had close contact with someone who had tested positive for COVID-19, and a librarian shared their upset on Twitter over a phishing test from their employer that used the promise of vaccinations as a lure.
These phishing simulations are indeed in line with the tactics used by cyber criminals, who have exploited the COVID-19 pandemic with social engineering attacks from the start. But, cyber criminals don't have to worry about building long-term trust and self-efficacy among their targets, nor do they have to consider the cultural and ethical ramifications of their tactics. As cyber security professionals, we do.
When phishing simulations breach the trust of employees, they are not training, they are tricks. The intention with such tests undoubtedly comes from the right place but the execution is flawed. There is no consideration of psychological safety; no empathy for the recipient of the email and their circumstances.
It is the exact opposite of the approach that we at Cygenta have been advocating for many years. A human approach to cyber security puts people at the centre, led by their perceptions, concerns, well-being and needs. Antagonistic phishing simulations go against this and act merely as a "gotcha". They undermine confidence, trust and the relationship between the security team and the rest of the organisation. In another example of phishing simulations taken too far, I know of a person breaking down in tears at their desk when an email from payroll was circulated with an important update. They didn't know whether to click the link or if it was another case of "IT out to get us".
The "us versus them" element of inappropriate phishing simulations contributes to a culture of fear in organisations. It builds silos and erodes communication. It is far less likely that people will approach the security team with their questions, concerns or reports of incidents. It has a negative impact on at least three levels:
Individual employees can feel upset and betrayed
The security team will face more barriers building awareness, behaviour and culture
The organisation's security efforts will be undermined and productivity could suffer as people may learn to distrust every email that comes their way but not want to approach security with their concerns
In security, we must make people aware of threats. But not at the cost of individual well-being, psychological safety and company culture. In the same way that physical social engineering tests should not involve replica weapons, smashing windows and setting off fire alarms, phishing tests should not cause active harm.
Build the behaviour, and the culture, that you want. Focus on report rate not click rate. Give people the tools they need, and the education that supports and empowers them.
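To make "focus on report rate not click rate" concrete, here is an added example (not code from Cygenta, Beauceron Security or any platform mentioned on this page) that scores a simulation campaign from a constructed event log. The user names, timestamps and event kinds ("sent", "clicked", "reported") are assumptions for illustration. It counts a person who clicked and then reported as a report, because that is the behaviour you want to reinforce, and it records how quickly the first report arrived, which is what tells the security team how much time it would have had to respond to a real campaign.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Event:
    user: str
    kind: str        # one of "sent", "clicked", "reported"
    at: datetime


# Constructed sample campaign log (hypothetical users and times, not real data).
# Events are deliberately out of order to show that ordering is not assumed.
T0 = datetime(2021, 5, 10, 9, 0)
EVENTS = [
    Event("alice", "sent", T0),
    Event("bob", "sent", T0),
    Event("carol", "sent", T0),
    Event("dave", "sent", T0),
    Event("erin", "sent", T0),
    Event("erin", "reported", T0 + timedelta(minutes=40)),   # duplicate report
    Event("alice", "reported", T0 + timedelta(minutes=5)),
    Event("bob", "clicked", T0 + timedelta(minutes=12)),
    Event("bob", "reported", T0 + timedelta(minutes=15)),   # clicked, then did the right thing
    Event("carol", "clicked", T0 + timedelta(minutes=30)),
    Event("erin", "reported", T0 + timedelta(minutes=20)),
]


def campaign_metrics(events):
    """Summarise a simulation campaign by report rate, click rate and time to report."""
    send_time = {e.user: e.at for e in events if e.kind == "sent"}
    sent = set(send_time)

    # Earliest click / report per user; repeated reports by one person count once.
    first = {}
    for e in events:
        if e.kind in ("clicked", "reported") and e.user in sent:
            key = (e.user, e.kind)
            if key not in first or e.at < first[key]:
                first[key] = e.at

    clicked = {u for (u, k) in first if k == "clicked"}
    reported = {u for (u, k) in first if k == "reported"}
    reported_without_click = reported - clicked
    reported_after_click = {
        u for u in clicked & reported
        if first[(u, "reported")] > first[(u, "clicked")]
    }

    # Minutes from send to first report, per reporting user.
    delays = [
        (first[(u, "reported")] - send_time[u]).total_seconds() / 60
        for u in reported
    ]

    n = len(sent)
    return {
        "sent": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        "reported_without_clicking": len(reported_without_click),
        "reported_after_clicking": len(reported_after_click),
        "minutes_to_first_report": min(delays) if delays else None,
        "median_minutes_to_report": median(delays) if delays else None,
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed log this gives a click rate of 0.4 and a report rate of 0.6, with the first report five minutes after sending. Read in isolation, the click rate makes the campaign look like a failure; the report rate and time to first report show that the organisation would have had an early warning and that one person recovered from a click by reporting it, which is exactly the outcome a supportive programme is trying to build.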
At Cygenta, we deliver engaging and insightful awareness-raising that empowers people to be security sensors rather than security vectors. Our How a Hack Works series demonstrates cyber attacks in a safe environment. Find out more and get in touch. If you're looking for a phishing platform, our partners at Beauceron Security built their behaviour change platform with people at its heart.