Over the last year I’ve noticed that small- to medium-sized organizations have done a better job of reacting to vulnerabilities and zero-days. As a result, attackers have pivoted to different methods. Rather than attacking us through our operating systems, attackers have targeted our remote control tools, our consultants, and, most importantly, our users via phishing attacks.
Companies have attempted to “patch the human” by using phishing simulations. These simulations are often less than ideal and sometimes unethical. Recently, GoDaddy sent phishing simulations to more than 7,000 of its employees. The phishing simulation was an email sent from the company offering a Christmas bonus of $650 and asking them to fill out a form with their personal details. Nearly 500 employees failed the phishing simulation.
The phishing simulation sparked a public backlash and was derided as tone-deaf, because its content showed a lack of sensitivity to the economic hardship many people were experiencing during the pandemic. The company apologized to its employees for its insensitive testing process.
Educating users helps keep your systems secure, but your phishing lures should be sensitive to external issues and designed to educate, not to shame the employee. Treat an employee’s failure to pass the test as your failure to train and protect them. The key to good education is not to turn it into a one-off event that triggers a public relations incident, but to make it a technique of constant reinforcement.
A phishing simulation campaign can’t be effective unless you’ve properly prepared your users for it. Here is what you need to teach or provide before you test them.