To Phish or Not to Phish


Before you hit the GO button on your phishing simulation, there are a few things you should probably consider. Our panelists along with Chris Roberts had a great discussion on phishing simulations, how to approach them, and their unintended consequences.

Phishing comes from the cyber world and that world needs ownership but it’s also a business problem because businesses are losing money. When you add those two together, nobody cares about the people and this changes the way phishing simulations are approached.

Bad guys have no mercy, how about you?
Adversaries are not nice. They don’t care about emotions. Their only job is to get people to click on a harmful button or file no matter what it takes. Many people who run phishing simulations think they have to “be” the bad guy but the fact of the matter is that there are lines that shouldn’t be crossed.

True Story: A company was hit with ransomware when one employee clicked on a male enhancement phishing email. Would you really send this type of email to your employees? Probably not, but a bad guy will!

Cyber Security is a HUMAN issue that involves technology. (not the other way around)
Organizations need to understand WHY their people respond to different types of phishing emails. Is it a result of a stressful work environment Or “Get it done quickly” mentality.

It is critical to make a distinction between situational awareness and self awareness. A phishing test itself does not address self awareness and that may be a missing link in the entire system.

Understanding the human element and culture of your organization helps to drive how to run your campaigns. Stay away from certain topics like bonus emails that trigger major stressors. Use compassion and emotional intelligence. Put yourself in their shoes. Warn them the simulation is coming and that it is for training purposes only. At the end of the day, you are trying to educate them.

Testing to see what people don’t know vs. what they do know and help them do better to make less mistakes in the future.

Is phishing a Red Team activity?
Phishing is still the number one way adversaries are getting into networks, but simulations shouldn’t be used as a red team activity. If you’re going to do a phishing campaign, make sure your employees have the tools and know what to do when they suspect a phishing email. Otherwise, you are setting them up for failure. Should they report it and how? Should they call to verify requests that appear to come from their boss? Make sure they should know what the process is.

Also, check your existing processes are working. If something legit is happening like an email from the big boss asking for a wire transfer, can you check that the process was followed? Like, calling to verify?

What comes first, training or phishing?
If you haven’t trained, you are wasting your time. The purpose of phishing is to test people on what they've learned. Phishing simulations are part of a bigger education effort. They are not 100% effective on their own. Tabletop discussions and exercises are a great way to create scenarios that involve everyone without shaming.

Tell your employees you know they don’t come to work to get phished. Explain the risks and benefits. Let them know what to do if they do get phished.

Make it personal
Anything you learn about security awareness can be put to use anywhere at any time. Train employees with an understanding that they are being trained to help them learn how to deal with scams in real life. Thinking critically is your best asset and security awareness is a life skill. Making training personal not only helps employees help themselves, it translates to protecting the company.

Don't fall for unrealistic goals!
Have clear end goals. There is a big lack of data in security metrics overall. Phishing helps measure SOMETHING but maybe not the right thing. Some people are going to click no matter what. You cannot rule out car accidents totally even though everyone has been taught to drive. It is unrealistic to expect that 100% of your people will not click. Even if you get down toa 4% click rate, that may mean 40 people (out of 1000) clicking or 40 open doors for an attacker. That is a lot! We focus too much on click rate and not resiliency. Find out who reported the phishing emails or takes another form of correct action instead!

What do you do with the 4% that continually click?
Keep in mind that more than a million people become scam victims every year. And some people are scammed over and over because they didn’t address the root cause. What’s the psychology behind falling for a scam? Trust, Confirmation Bias, other biases, and belief in personal vulnerability? Once a victim understands these issues, they are in a position to fix them. Once a company understands these issues, they are in a position to teach it, However in some cases, the company doesn't have the expertise to handle psychological aspect. In this cas,e you may want to block internet access or change the person's role.

First time and repeat offenders are a danger to your company but they need to be handled with sensitivity, not humiliation. Perhaps they get 2nd or 3rd tier of remedial training. or a webinar before resorting to drastic measures like blocking internet access or changing their role in the company.

Is a 4% click rate good?
Sometimes, numbers can be misleading. If the 4% that clicked include senior managers, people with access to sensitive information, or admin privileges, that may be worse than 10% who have limited access.

How often should you phish your employees?
Too much and you end up stressing everybody out, their capacity to think critically will plummet, and you are literally bullying the workforce by normalizing it. They become numb to the phishing email and even start ignoring legit emails. Too little, and nobody will learn or retain anything. Our experts say that anywhere between 7 - 12 times a year is a good flow to create good habits and security awareness.

Does phishing kids in school cross a line?
Security Awareness is becoming a basic life skill and it starts at home. Does phishing kids in school cross a line? Some say phishing games or exercises are much more educational and some say that phishing is fine as long as it is done thoughtfully and sensitively.

Teach them in a way that protects themselves in the cyber world. Bring in ideas from child development to understand the techniques that teachers use to engage the kids on these topics.

As a security practitioner, you are an educational professional no matter what. Let’s take the educational approach that we would use on a kid and use it on employees. Hand hold, provide a safe space, and focus on training. Phishing simulations CAN be a good thing.

Moderated by

Wizer’s hacker, Chris Roberts!


Ayman Elsawah - Helping AWS Enabled Startups Avoid Breaches and Disasters. Advisor | Author | Podcast Host | Keynote Speaker

Doug Meier - National Director, Information Security & Data Governance

Shayla Treadwell - Cybersecurity Senior Leader | Speaker | Organizational Psychologist

Dr. Alexander Stein - Founder at Dolus Advisors

Gabriel Friedlander - Wizer Founder and CEO