How to do simulated phishing exercises ethically
See this article as it originally appeared in The Hartford Business Journal.
When I read last year that employees at layoff-and-buyout-battered Tribune Publishing newspapers (including the Hartford Courant) received mock phishing emails promising bonuses of $5,000 to $10,000, my heart sank.
I can only imagine how the journalists themselves felt.
Simulated phishing exercises, in which emails that resemble those coming from hackers are sent to employees to gauge and promote cybersecurity awareness, are becoming increasingly common at companies of all sorts around the globe. These exercises can either build trust with employees or degrade it depending on how they are handled by leadership.
Believable, not hurtful
Phishing emails from hackers often look quite real, as if they are coming from a boss or coworker, and the content is designed to make recipients click without thought. There are always tells in these emails — such as misspelled words or strange wording — and hackers want to cause an emotional spike so that these go unnoticed.
They commonly do this through urgency (saying that an immediate action is needed to avoid disaster) or salaciousness (sending what appears to be a link to salaries for the whole company sent in error).
In order to be a real test of cybersecurity awareness, simulated phishing emails need to use these same tactics. However, leaders must also ask, “Could the content of this email be hurtful to anyone on the team?”
It’s important to pause and imagine how employees will feel once the ruse is revealed. Will they feel like this was a constructive step in building their cybersecurity awareness? Or will they feel duped?
Hackers tailor phishing emails to the organizations they target, and a very savvy hacker might realize that pretending to offer bonuses to underpaid journalists could be effective. In that regard, Tribune Publishing’s fake phishing emails were realistic.
However, there are certainly other narratives that would have been just as effective without looking so much like callous mocking in the end.
Assess results as a team
Once the results of the phishing exercise are in, those who took the simulated phishing bait should not be pointed out publicly on an individual basis. Instead, it’s helpful to share the overall percentage of employees who would have fallen for the attack had it been real. The team can track their progress as a whole without singling out or shaming individual employees.
When the results of a phishing exercise are treated with discretion, certain brave employees are likely to come forward voluntarily to share their story of how the exercise fooled them. Without any judgment, encourage them to share their experience. If they can describe what was passing through their mind when they saw the email, it can help others recognize when their cybersecurity awareness may be dulled.
Leaders: Be vulnerable
If company leaders are among those who clicked the simulated phishing link, it can be particularly powerful if they are willing to open up about this. I’ve done it myself.
I was able to show that we don’t do simulated phishing to make anyone feel bad. We do it to sharpen our senses so we can work together to beat cybercrime. We do it because anyone can be phished — even the CEO of an IT company who has been in this industry for almost 40 years — so we all have to sharpen our skills.