top of page
  • Jessica Barker

When Phishing Simulations Backfire

Another week, another organisation putting itself in the firing line for their approach to phishing simulations. West Midlands Trains reportedly sent an email to 2,500 staff offering a financial bonus as a thank you for the huge strain placed on workers during the pandemic. However, when people clicked the link to read a thank you message from the Managing Director, they apparently discovered there was no bonus and the email was part of a phishing simulation. According to reports, WMT have defended their methods by arguing that they reflect the tactics used by cyber criminals.


This isn't the first example of an organisation that has used misguided phishing simulations, particularly in the context of COVID-19 when fear, uncertainty and doubt is already heightened for many people. GoDaddy apologised for a phishing simulation in 2020 that also offered employees a bonus, a Dublin law firm apologised to staff after a phishing simulation claimed recipients had close contact with someone who had tested positive for COVID-19, and a librarian shared their upset on twitter over a phishing test from their employer that used the promise of vaccinations as a lure.


These phishing simulations are indeed in line with the tactics used by cyber criminals, who have exploited the COVID-19 pandemic with social engineering attacks from the start. But, cyber criminals don't have to worry about building long-term trust and self-efficacy among their targets, nor do they have to consider the cultural and ethical ramifications of their tactics. As cyber security professionals, we do.


When phishing simulations breach the trust of employees, they are not training, they are tricks. The intention with such tests undoubtedly comes from the right place but the execution is flawed. There is no consideration of psychological safety; no empathy for the recipient of the email and their circumstances.


It is the exact opposite of the approach that we at Cygenta have been advocating for many years. A human approach to cyber security puts people at the centre, led by their perceptions, concerns, well-being and needs. Antagonistic phishing simulations go against this and act merely as a "gotcha". They undermine confidence, trust and the relationship between the security team and the rest of the organisation. In another example of phishing simulations taken too far, I know of a person breaking down in tears at their desk when an email from payroll was circulated with an important update. They didn't know whether to click the link or if it was another case of "IT out to get us".


The "us versus them" element of inappropriate phishing simulations contributes to a culture of fear in organisations. It builds silos and erodes communication. It far less likely that people will approach the security team with their questions, concerns or reports of incidents. It has a negative impact on at least three levels:


  • Individual employees can feel upset and betrayed

  • The security team will face more barriers building awareness, behaviour and culture

  • The organisation's security efforts will be undermined and productivity could suffer as people may learn to distrust every email that comes their way but not want to approach security with their concerns


In security, we must make people aware of threats. But not at the cost of individual well-being, psychological safety and company culture. In the same way that physical social engineering tests should not involve replica weapons, smashing windows and setting off fire alarms, phishing tests should not cause active harm.


Build the behaviour, and the culture, that you want. Focus on report rate not click rate. Give people the tools they need, and the education that supports and empowers them.


At Cygenta, we deliver engaging and insightful awareness-raising that empowers people to be security sensors rather than security vectors. Our How a Hack Works series demonstrates cyber attacks in a safe environment. Find out more and get in touch. If you're looking for a phishing platform, our partners at Beauceron Security built their behaviour change platform with people at its heart.




1,213 views

2 Comments


Jeffrey Glenn
Jeffrey Glenn
Oct 19, 2023

I appreciate Henry for making me realise the truth to a certified hacker who knows a lot about what he is doing. I strongly recommend you hire him because he’s the best out there and always delivers. I have referred over 10 people to him and all had positive results. He can help you hack into any devices, social networks including – Facebook, Hangout, iMessages, Twitter accounts, Snap chat , Instagram, Whatsapp, wechat, text messages ,smartphone cloning,tracking emails and also any other social media messenger or sites. It’s advisable to hire a professional hacker.Thank me later. Contact him here., Henryclarkethicalhacker@gmail.com and you can text, call and Whatsapp him on +1(201)4305865, or +1(219)7960574.....



Like

Janet Lucy
Janet Lucy
Oct 12, 2023

I’m excited to write about Henry Hacker, he is a great and brilliant hacker who penetrated my spouse’s phone without a physical installation app. And I was able to access my spouse’s phone, SMS, Whatsapp, Instagram, Facebook, Wechat, Snapchat, Call Logs, Kik, Twitter and all social media. The most amazing thing there is that he restores all phone deleted text messages. And I also have access to everything including the phone gallery without touching the phone.I can see the whole secret of my spouse. Contact him for any hacking service. He is also a genius in repairing Credit Score, increasing school grade, Clear Criminal Record etc. His service is fast. Contact:, Henryclarkethicalhacker@gmail.com and you can text, call him on whatsapp…


Like
bottom of page