Why phishing tests shouldn't be about tricking people

Security awareness is important to any organization, particularly awareness about phishing and social engineering. However, no matter how much online training and how many quizzes are assigned, phishing simulation tests, when done right, provide you with a reality check about how effective your security awareness efforts really are. If you had to train staff about what to do in case of a fire, would simply showing them an evacuation plan and explaining to them the relevant procedures be sufficient?

Such information is important but is not enough. In fact, it is a legal requirement to perform fire drills from time to time. Phishing tests are there to achieve a similar effect. A phishing test is a risk assessment tool that allows an organization to measure and build resistance to phishing attacks. A phishing test sends fake phishing attacks to employees to gain valuable insight into how many of them would interact with the malicious links and attachments in a real phishing attack. Phishing tests in turn also measure how many employees would recognize phishing attack and subsequently report them to the security team.

Why are phishing tests important?

Phishing and social engineering attacks lead to more successful data breaches than any other form of a cyberattack causing such attacks to retain the number 1 spot in the 2021 Verizon Data Breach Investigation Report (DBIR). Not only this, but in 2021, phishing attacks increased by 11% from 2020 with COVID-19 related lures on the rise and phishing attacks, in general, contributing to 36% of data breaches. Why is this? Humans are the weakest link in the chain and are hence the most targeted. The Verizon DBIR estimates that 85% of breaches involved a human element. Therefore tackling this human element is vital to reduce the number of successful phishing attacks.

What does a good phishing test campaign look like?

Phishing tests should not be there to manipulate people or to trick negligent employees. Rather, phishing tests should be an opportunity to educate employees practically on how to protect themselves and the company from cybercrime. It should aim to raise awareness about phishing and motivate employees to report them.

There are 4 steps to a successful phishing campaign:

1. Training: The employees need to first be aware of what phishing is and how it can be carried out. Otherwise, they will be right to feel tricked when the next step comes along.

2. Simulation: The test itself should aim to test whether the employees can apply the training given to a real-world scenario and understand the repercussions should they fall for the lure.

3. Reporting: This is what demonstrates the success (or lack of) of the training provided. It gives a clear indication of who noticed that they were exposed to a phishing scam and how many of these reported it. Such figures should only be used for statistical purposes and should not single out individuals. The campaign should aim to counter the feeling of deception by rewarding those employees who correctly report such emails rather than focusing only on the negatives.

4. Follow-up training: Those who did not notice that it was a scam and divulged sensitive information should be privately approached and given additional training to help ensure that they do not make such mistakes again. It is important that any sensitive information given by such employees during the test remains confidential and is discarded.

   
   
   

It is also worth keeping in mind that the subjects chosen during phishing tests should aim to be realistic but not deceptive. Chances are that if an employee feels betrayed at the end of the test, not only will it lower morale but it will end up doing more harm than good. Employees will not learn through this feeling but it will instead make them feel even more anxious about the idea of being phished. Therefore, baits such as those related to health or teasing a bonus should be avoided at all costs. Additionally, employees should be aware that phishing simulations are being carried out so that they can be extra vigilant.

An ethically planned phishing test will not only avoid the feeling of deception amongst employees but can serve as a learning moment for the organization as a whole. In other words, phishing tests should rather be seen as an opportunity to raise awareness about the problem of phishing and to teach constructively as opposed to setting out to “catch” people for clicking on links – only then can you start to improve your organization’s security awareness program.