[vlog] Problems Phishing

Many organisations consider performing phishing tests against their own staff; whilst this can be a great way to gauge your risk exposure and to measure the effectiveness of security awareness training, it can also introduce problems into your security strategy. In this episode I talk about a few common issues with company phishing campaigns:

1. Vanity Metrics – where companies perform biased testing (unintentionally or otherwise) which causes a positive shift in their metrics but not necessarily the same positive shift in their security.

2. Repetitive Scenarios – there are many different scenarios a phisher could try; if your testing programme keeps repeating the same old scenario (or something very close to it), then you're not accurately testing staff against what they may actually be exposed to.

3. Desensitising Staff – if your phishing training is so frequent that users treat every phishing email as if it were an internal test, they may develop bad habits, such as clicking links out of curiosity or trying to get co-workers caught out for a laugh.

4. Ethical Scenarios – just because a criminal would do it does not make it fair game for a security tester to do it. You need to balance the benefits against the potential harms. Campaigns that put the user under significant duress, and may cause them to take actions that could harm themselves or the company, should be avoided – even if the criminals would consider it fair game.

5. Don't Blame the User – if phishing emails were easy to detect you would have blocked them at the perimeter. Users are imperfect human beings and we all make mistakes; teaching users that they'll get in trouble if they fall for a phishing email is likely to make them actively avoid working with the security team on other ventures. It should never be security versus users; we're all on the same team. And finally, remember that there's more to phishing than just clicking a link.

If you're looking at phishing testing as part of your security testing programme, then it's possible to build campaigns that capture credentials, 2FA tokens, or other sensitive information. On the defensive side there's more to it than teaching users not to click links: you should implement defence in depth.
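The vanity-metrics and repetitive-scenario points above are easiest to see when you look at what a campaign report actually measures. The following is an added example (not code from the vlog or its author) that scores a set of campaigns on more than the click rate: it also tracks credential submissions and user reports, flags scenarios that were reused, and flags a falling click rate that was measured on a repeated template, since that drop may reflect staff recognising the test rather than recognising phishing. The campaign figures and scenario names are constructed for illustration.

```python
"""Phishing-programme metrics beyond the click rate (added example).

Computes click, credential-submission and report rates per campaign,
lists scenarios that were reused, and emits warnings for results that
look like vanity metrics. All campaign data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    name: str
    scenario: str   # the pretext used, e.g. "parcel-delivery" (hypothetical label)
    sent: int       # emails delivered to staff
    clicked: int    # recipients who followed the link
    submitted: int  # recipients who entered credentials on the landing page
    reported: int   # recipients who reported the email to the security team


# Constructed sample data for three quarterly campaigns.
CAMPAIGNS = [
    Campaign("2023-Q1", "parcel-delivery", sent=200, clicked=40, submitted=20, reported=10),
    Campaign("2023-Q2", "parcel-delivery", sent=200, clicked=20, submitted=12, reported=12),
    Campaign("2023-Q3", "password-reset", sent=200, clicked=50, submitted=35, reported=8),
]


def rates(c: Campaign) -> dict:
    """Per-recipient rates; submit_rate tracks real exposure better than click_rate."""
    return {
        "click_rate": c.clicked / c.sent,
        "submit_rate": c.submitted / c.sent,
        "report_rate": c.reported / c.sent,
        # share of clickers who went on to hand over credentials
        "submit_given_click": c.submitted / c.clicked if c.clicked else 0.0,
    }


def repeated_scenarios(campaigns) -> list:
    """Scenarios used in more than one campaign (the repetitive-scenario problem)."""
    counts = Counter(c.scenario for c in campaigns)
    return sorted(s for s, n in counts.items() if n > 1)


def vanity_warnings(campaigns) -> list:
    """Flag 'improvements' that may not reflect improved security."""
    warnings = []
    for prev, cur in zip(campaigns, campaigns[1:]):
        r_prev, r_cur = rates(prev), rates(cur)
        if cur.scenario == prev.scenario and r_cur["click_rate"] < r_prev["click_rate"]:
            warnings.append(
                f"{cur.name}: click rate fell on the repeated '{cur.scenario}' scenario; "
                "staff may be recognising the template rather than phishing in general")
        if (r_cur["click_rate"] < r_prev["click_rate"]
                and r_cur["report_rate"] <= r_prev["report_rate"]):
            warnings.append(
                f"{cur.name}: fewer clicks but no increase in reports; "
                "the drop is not matched by better detection behaviour")
    for c in campaigns:
        share = rates(c)["submit_given_click"]
        if share >= 0.5:
            warnings.append(
                f"{c.name}: {share:.0%} of clickers submitted credentials; "
                "the click rate alone understates exposure")
    return warnings


if __name__ == "__main__":
    for c in CAMPAIGNS:
        r = rates(c)
        print(f"{c.name} [{c.scenario}] click {r['click_rate']:.1%} "
              f"submit {r['submit_rate']:.1%} report {r['report_rate']:.1%}")
    print("repeated scenarios:", repeated_scenarios(CAMPAIGNS))
    for w in vanity_warnings(CAMPAIGNS):
        print("WARNING:", w)
```

In the constructed data the Q2 click rate halves, which looks like progress until you notice the pretext was identical to Q1; the report rate is the number that actually tells you whether staff are working with the security team, and the credential-submission figure is the one that reflects the exposure a real campaign would create.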