Tricky Phish Testing

by Brian Petzold | Oct 29, 2021


Phishing remains one of the top threats to organizations today. Every user regularly receives emails designed to trick them into clicking on a link, opening an attachment, or providing credentials to critical systems. If a single user falls for such an attack, it may mean that sensitive customer information gets stolen, or ransomware gets installed. The stakes are high, and most organizations counter this with user awareness training and simulated phishing attacks that are effective in lowering the likelihood that an employee will fall for a phishing email.

While phish awareness training and testing have been effective in drastically reducing the likelihood that an employee will fall for a phishing email, they have also been a double-edged sword, as they have forced attackers to create trickier and more realistic-looking phishing emails. This has resulted in organizations having to ask a hard question: How “tricky” should I make my test phishing?

The trickiness of a test phishing campaign can raise some interesting trust questions. If an organization sends a test message that looks like it is from an internal IT person asking system users to click on a link, will users trust any future emails from IT? If a test message is designed to look like a misdirected email from HR that contains salary information for all management, will management trust the users who click on the message hoping to gain insight into their bosses' pay? Many organizations do not want to deal with these trust questions, so they avoid sending these tricky test emails.

Organizations need to assume that attackers are driven by a profit motive and have no moral compass. Hackers know that many companies avoid asking questions that may cause trust issues, and they will use this knowledge to design campaigns that directly exploit the very trust those organizations are trying to preserve. While these messages may indeed raise trust issues, organizations need to realize that if they do not train users proactively, the organization will become a victim of its own fear.

When an organization is ready to send the “tricky” test messages, the key is to think about the potential trust issues these messages can bring and to send messages to employees that lessen the impact. If sending test phishing messages pretending to be from IT, send emails to all staff before and after the phishing campaign letting them know that it is always appropriate to call IT before following instructions sent via email.

Before sending emails that claim to have executive salary information, have management commit to not having visibility into who the clickers are, and customize the message for anyone who does click to let them know that their name will not appear in a management report. Think through the scenario and research what can be done to not erode internal trust.

If you need help designing your user training program, we'd love to help! Email us at support@bedelsecurity.com for more information!


Additional Resources:

To Click or Not to Click? The 5 Laws of Links
https://www.bedelsecurity.com/blog/click-not-click-5-laws-links

Protecting Against Email Compromise
https://www.bedelsecurity.com/blog/protecting-against-email-compromise

Typ0squatting
https://www.bedelsecurity.com/blog/typ0squatting

Quick Tip: Protect Yourself From Phishing Emails by Learning How to Spot Bad URLs
https://www.bedelsecurity.com/blog/quick-tip-protect-yourself-from-phishing-emails-by-learning-how-to-spot-bad-urls

Essential Employee Training
https://www.bedelsecurity.com/blog/essential-employee-training
