Can a simulated phishing attack be counterproductive?

I always enjoy reading articles from IT professionals who have sent simulated phishing exercises to their employees.  As I checked my email over the weekend my good friends at Google were kind enough to alert me about a new article from Tom Cochran, CTO of Atlantic Media, on this subject so I poured a fresh cup of coffee and started to read.

Oh, a brief history of me and why I’m credentialed to call Tom out.  Former Deputy CISO of General Electric (yes, all of GE globally), 15 years in IT, 9 in InfoSec, 8 managing employee behavior, 6 managing phishing mitigation strategies and PhishMe evangelist since 2008.

I found the first flaw in the first sentence, ironic I know. Tom states, “Earlier today, everyone at Atlantic Media received an email warning them to ‘reverify’ their Google Apps account.”  Giving Tom the benefit of the doubt, I chalked the use of a brand without permission up to a rookie mistake.  The paragraph continued but unfortunately confused me. It’s unclear if the email came from Tom or if they are just highlighting that Tom masterminded the simulation. If it’s the former, my disappointment should have been exponentially higher, but again I figured rookie mistake.

The article goes on to describe how 58% of the employees targeted in the simulation fell prey and followed the innocuous URL, a number that falls well within the first-time susceptibility metrics that PhishMe has seen over the past 5 years working with over 200 customers and 4MM email users.  I felt as if the ship may be righting itself ... alas, I read on.

Tom’s next step is the one that prompted me to write this response.  I’m sure he had good intentions, and hoped to educate and show consumers of email how easy it is to dupe them, etc. But his method is not only flawed, it’s counterproductive.  Instead of providing a firm but encouraging education piece directly in line with the experience (i.e. just after the user clicked the link), Tom sends an email to the staff chastising them for their actions and specifically calls out — in print no less — how each division performed. This is basically saying, “Hey everyone, phish these groups!”

The icing on the cake is Tom’s answer to all of this: two-factor authentication, which Aaron noted is not phish-proof.

Some takeaways for all of you who may be fans of Tom’s methods:

  • This isn’t news: phishing simulations with embedded education and behavioral change metrics have been around since 2008.
  • Phishing simulations are not a pen test (see Aaron’s post here).
  • Simulations target people; treat them with respect if they don’t make the best decision.  The demeaning tone of Tom’s email and the entire article will do more to alienate people than it will to motivate them to change their behavior.
  • Omitting education, or providing it separately from the simulation, is useless.  Similar to employee performance evaluations, feedback should be immediate, actionable and constant.
  • Simulations with good education need to be a core part of your anti-phishing strategy.
  • Don’t use brands, logos or other unapproved intellectual property in your simulations.  Aside from raising the ire of the infringed brand you will lose credibility with your email users and your legal teams.
  • Don’t go it alone – we have seen many security professionals try this approach and never achieve the intended result. What works well with technology doesn’t always apply to humans. Even an awesome CTO or incident responder may need help performing simulated phishing exercises designed to change behavior and improve overall security posture.

In summary, a phishing test like Tom’s doesn’t tell us anything we don’t already know, doesn’t fix the problem, and alienates employees. Focus instead on providing people with useful feedback that helps the entire organization improve.

–Scott Greaux
