Evgen Verzun
Blog
April 17, 2020
5 Reasons Why Simulated Phishing May Not Be Such a Great Idea
I felt like I had to make a headline that could get the idea across quickly because it is critical for this topic.
With that, I am also ready to elaborate on the subject and provide arguments that call into question the effectiveness of phishing tests as training. It is already clear that I am not an avid advocate of fake phish training, but my thesis should not revolve around my personal experience or feelings.
In my effort to prove a point against simulated phishing, I will also have to present you with some definitions, and even numbers, that back up the claim that simulated phishing is a good practice.
What Is Simulated Phishing, and Why Do Companies Use It?
Simulated phishing is a security practice of attacking employees with fake emails that mimic the real malicious messages sent out by attackers. This is done for educational purposes, so that employees can spot bad emails and react to them accordingly.
This “risk-free” activity allows workers to get hands-on experience of a cyberattack without jeopardizing the well-being of the company or its assets. If the training is done right, users emotionally connect the dots presented to them during the security awareness training, which ideally takes place before the simulated attack.
So far so good?
If we run through the positives, simulated phishing doubles employee awareness retention rates, also boasting a near 40% ROI, according to the Ponemon Institute. This activity is recommended by data protection and privacy regulation bodies, so it is often done for compliance reasons. Chief information security officers largely agree that simulated phishing can make a difference, and it surely can, if done correctly.
A little bit of practice won’t hurt anybody, but if we think about it a bit more, we can imagine how this could take the wrong turn and do more harm than good.
One thing simulated phishing should always stick to is the fine ethical line. Often security people within the company forget about that, trying to make their phishing emails as authentic and as relevant as possible, using topics that would elicit a strong reaction and generate some clicks.
For example, an email appearing to come from a top executive, titled “COVID-19 Staff Infection List”.
As you may know, this topic has been used heavily in very real phishing campaigns, as the number of news items in any cybercrime digest shows. Should red teamers use this knowledge when preparing a campaign of their own, though?
Experts have split into two camps here, and you can tell which side I choose.
Social Engineering Is Like Hot Sauce – Use It Carefully
For my taste, there are a lot of factors that could derail the test phish crusade.
The use of social engineering in training is really like the sauce you put on the top of your dish.
If you don’t use any of it, the dish will feel dry, mild and lame. Nobody would get excited about it. On the other hand, if what’s on your plate is invisible under the spicy sauce, you make the experience less enjoyable, if not torturous.
What’s worse, if you don’t tell people about the spiciness beforehand and overdo it spectacularly, it just becomes unfair. Some phishing tests are carried out specifically to catch the user doing something wrong, without telling them how to do it right.
To me, it looks like the YouTube show “Hot Ones”, with a few exceptions.
It is not nearly as fun, the treats are not good, and the host behind them is often not as charismatic and delicate. Besides, that show invites celebrities to test themselves, so it wouldn’t happen without consent.
I will draw out a few problems I see in simulated phishing.
- It is largely wasteful without prior education
Simulated phishing without prior education is largely pointless and is a sign of a lazy security team. Teach; don’t overreach for numbers and statistics, as they should never be the focus here.
Quite often the entire company gets blasted with a mass phish, and those who clicked are publicly shamed. Only then, funnily enough, does the awareness course take place. After that, people run another test and, would you believe it, the numbers decrease. Of course they do, but how much value do they really hold?
Security is all about people, and not all about the statistics.
- One-and-done tests hold no real value
Firstly, you can’t compare the metrics and analyze the change in behavior across the workforce. Secondly, the practice itself will be forgotten soon enough.
Ideal simulated phishing should be consistent and progressive in its difficulty. It also shouldn’t be carried out to target everyone at the same time, as employees will start talking among themselves about the test. When you send phishing emails to specific employees, the probability of the test becoming a topic for a watercooler conversation decreases substantially.
If we’re thinking cynically, testing one or two people would also be smart for damage limitation reasons. Upsetting one or two employees is less painful than upsetting the entire workforce.
- It creates “Us vs. Them” mentality
Unfair simulated phishing can alienate users and divide the company into “US vs THEM” camps, which is not ideal if you’re looking to build a functional team.
Make sure everyone takes part and everyone is fine with it.
Top-level executives should also be in the target pool, don’t exclude them just because their feelings might be hurt – everyone should be treated equally.
- It can be deeply offensive
Simulated phishing that goes wrong is a breeding ground for future insider attacks.
If you upset someone greatly by acting like a cybercriminal during the test, don’t act surprised if that person resorts to the actions expected of a cybercriminal to test you sometime in the future.
The practice often comes with an unnecessary generalization and diminishment of users. Saying that “people are the weakest link” is an uncreative and fairly short-sighted take to hold on to for a long time, even though it is true to some extent.
- Genuine emails will also get reported
If there’s no easy way to report a phishing email or ensure that forwarded emails will be checked by a security professional, you can effectively reduce the productivity of the team, if not destroy the feeling of trust within the company.
Teaching people to successfully pinpoint phishing emails is as hard as teaching people how to spot liars. If someone is hiding their eyes, mutters, looks unsure, or something in their face gives away a lie, it could be a lie. But it could also just be an unsure person.
Good liars give away no sign that they are saying anything but the truth. If they look you dead in the eyes and ooze confidence, does that prove their intentions are clean? No, and the same goes for emails.
You can’t know for sure how good or bad an email is just by eyeballing it, unless it is a poorly written mass phish. I discussed this topic recently too, so feel free to check out the article “Why Most Hackers Are So Bad at English?”
Something to Consider Before Testing Your Employees
If I have to put it down to a couple of paragraphs, I will say this...
The ideal learning experience makes students want to learn more and feel better about themselves at the end. Does “out of the box” simulated phishing achieve that? I am not sure.
Lastly, I want to give a little warning to many security staff members.
If you choose to act like a bad guy during such a test, be prepared to be treated like a bad guy after it by your peers. Stay ethical and respectful to people's lives and don’t blame them for security failures made possible by the tools we use.
I discuss the topic of ethical user education in the book called “The Art of Email Security”, which is a helpful read for both employers and employees who have to deal with email threats on a daily basis. This book offers all the information on email security in a friendly manner that can warm regular people to the often unfriendly topic of cybersecurity.
With so much free time on our hands, picking up a free book seems like a no-brainer.