5 best practices for conducting ethical and effective phishing tests

Phishing tests have become a popular feature of cybersecurity training programs, but they should follow ethical frameworks to ensure they don’t do more harm than good.

Phishing simulations—or phishing tests—have become a popular feature of cybersecurity training programs in organizations of all sizes. One can see the appeal: phishing tests allow security staff to craft and send emails to employees en masse that are designed to appear as authentic and enticing as the genuine malicious phishing emails that bombard businesses on a regular basis. These typically include lures such as missed delivery notices, invoice payment requests, and celebrity gossip.

Under the control of the security team, responses to these emails can be quantified and used to ascertain (at least to a degree) the general security awareness of workers within an organization. How many attachments were opened or links followed? How many emails were flagged as suspicious or ignored altogether? Which subject lures proved most impactful compared to others? Are certain departments or users more likely to fall victim? This data can help security departments better tailor cybersecurity awareness training and education and identify potential weaknesses that need addressing.

Ethical questions raised over phishing tests

However, some high-profile incidents have raised important ethical questions around key elements of phishing testing practices. A railway company in the West Midlands of England recently caused notable controversy due to the subject matter used in a phishing readiness test it carried out on its employees.

In an email designed to appear to be sent from the finance and payroll department of West Midlands Trains (WMT), staff were informed that they were to receive a bonus payment as a sign of thanks for their efforts during the COVID-19 pandemic. Recipients were encouraged to click on a Microsoft Office 365 link that would lead to a ‘personal message from WMT managing director’ Julian Edwards. In actuality, the link led to a SharePoint website containing a simulated phishing exercise set up by Microsoft, with those who clicked receiving an email from the company’s human resources team advising them to be aware of communications that asked staff for login credentials. Needless to say, there was no bonus payment to be had.

Ethical phishing testing

The promise of a payment of a sum of money is a common and effective tactic used by cybercriminals to trick victims. But using such a tactic in a phishing test raises questions about what is and isn't fair game and how to ensure that ethical lines aren't crossed. Beyond that, what measures should be taken to ensure that phishing tests remain a useful, effective, and beneficial cybersecurity training and educational exercise for all parties, and not something that risks doing more harm than good?

“Organizations should operate within ethical boundaries when it comes to phishing test scenarios because of the harm that can be caused when phishing simulations are taken too far,” Dr. Jessica Barker, co-CEO and co-founder, socio-technical lead at Cygenta, tells CSO Online. “Using highly emotive bait such as bonuses and healthcare—especially in the context of COVID-19—plays games with the emotional well-being of recipients, which in turn can harm psychological safety, trust, and culture within the workplace.”

This will only undermine the efforts of cybersecurity teams as a whole, alienating the very people they aim to engage with, Barker adds. “People generally don’t like to be tricked, and they don’t usually trust the people who trick them. One counterargument I often hear is that criminals use emotive lures in a phish, so why shouldn’t we? Well, criminals also cause physical damage to property, take systems offline, and disrupt services, but physical social engineers and pen-testers don’t—for good reason. Simulations should not cause active harm.”

Email templates should indeed be chosen carefully by organizations, avoiding topics that have the potential to cause upset to employees, agrees Dr. John Blythe, head of behavioral science at CybSafe.

“Even some criminal gangs such as REvil push for certain standards, as it now prohibits people from using its SaaS ransomware to target government, public, healthcare, or educational institutions,” points out Rick Jones, CEO at DigitalXRAID. “DarkSide also recently said that it had no intention to cause political, economic, or social disruption with the Colonial Pipeline attack, instead conducting the campaign with purely financial gains in mind. Those conducting phishing simulations have the same skills as the criminal gangs running real campaigns, but they have standards and ethics that must be adhered to.”

Following are 5 considerations for better phishing tests.

Understand the aim of phishing tests

The key place to start when preparing phishing simulations that are both ethical and productive is to understand the goal of phishing testing, explains Barker. “The key thing I recommend at the design phase of phishing simulations is to consider why you are planning the tests. If you’re thinking of phishing simulations as a ‘gotcha’ exercise, I recommend taking a step back and reflecting on that, because that’s not training, that’s a trick. If you’re thinking of the tests as training, what behavior do you want to train?”

Organizations must understand that the purpose of testing scenarios is to create a baseline understanding of what phishing emails look like and allow users to gain confidence in their ability to spot the tell-tale signs, adds Jones.

“Too many phishing simulations still focus on click rate,” Barker continues. “People will always click links, especially in a well-crafted phish. For more effective phishing tests, the focus should not be on driving down click rate but rather on driving up report rate. Ultimately, getting phishing simulations right is all about understanding organizational context and being respectful of it.”
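As an added example (not from the article or from any of the people quoted in it), the following Python script computes the metrics this section argues for from a constructed event log of one simulated campaign: report rate alongside click rate, how many recipients reported the mail without having clicked first, and median minutes from delivery to first report, broken down by department. Departments with fewer than five recipients (an assumed threshold) are pooled into one bucket so the output cannot be used to single out an individual, in keeping with the "training, not a trick" framing above. The event format, user IDs and department names are invented for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median
from typing import Optional

# Constructed sample data (not from the article): 12 recipients in three departments.
RECIPIENTS = {
    "f1": "finance", "f2": "finance", "f3": "finance", "f4": "finance", "f5": "finance",
    "o1": "ops", "o2": "ops", "o3": "ops", "o4": "ops", "o5": "ops",
    "h1": "hr", "h2": "hr",
}

# Each row: ISO timestamp, user id, department, event type (sent | clicked | reported).
SAMPLE_EVENTS = [
    ("2021-06-01T09:00:00", user, dept, "sent") for user, dept in RECIPIENTS.items()
] + [
    ("2021-06-01T09:05:00", "f1", "finance", "clicked"),
    ("2021-06-01T09:20:00", "f1", "finance", "reported"),   # clicked, then reported
    ("2021-06-01T09:03:00", "f2", "finance", "reported"),
    ("2021-06-01T09:10:00", "f3", "finance", "clicked"),
    ("2021-06-01T09:30:00", "f4", "finance", "reported"),
    ("2021-06-01T09:02:00", "o1", "ops", "reported"),
    ("2021-06-01T09:04:00", "o2", "ops", "reported"),
    ("2021-06-01T09:08:00", "o3", "ops", "clicked"),
    ("2021-06-01T09:15:00", "o4", "ops", "reported"),       # reported, then clicked
    ("2021-06-01T09:16:00", "o4", "ops", "clicked"),
    ("2021-06-01T09:50:00", "o5", "ops", "reported"),
    ("2021-06-01T09:07:00", "h1", "hr", "clicked"),
    ("2021-06-01T09:12:00", "h2", "hr", "reported"),
]

MIN_GROUP = 5        # assumed threshold: smaller departments are pooled, never reported alone
POOLED = "pooled"    # bucket name for those small departments


@dataclass
class Metrics:
    sent: int = 0
    clicked: int = 0                 # recipients who followed the link at least once
    reported: int = 0                # recipients who reported the mail at least once
    reported_before_click: int = 0   # reported without clicking, or reported before clicking
    minutes_to_report: list = field(default_factory=list)

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0

    @property
    def median_minutes_to_report(self) -> Optional[float]:
        return median(self.minutes_to_report) if self.minutes_to_report else None


def _first_events(events):
    """Collapse the raw log into the earliest timestamp of each event type per recipient."""
    per_user = {}
    for ts, user, dept, kind in events:
        when = datetime.fromisoformat(ts)
        rec = per_user.setdefault(user, {"dept": dept})
        if kind not in rec or when < rec[kind]:
            rec[kind] = when
    return per_user


def summarize(events, min_group=MIN_GROUP):
    """Return per-department Metrics (plus an 'all' row), pooling departments below min_group."""
    per_user = _first_events(events)
    dept_sizes = defaultdict(int)
    for rec in per_user.values():
        dept_sizes[rec["dept"]] += 1

    def group_of(dept):
        return dept if dept_sizes[dept] >= min_group else POOLED

    groups = defaultdict(Metrics)
    for rec in per_user.values():
        if "sent" not in rec:
            continue  # ignore stray events for anyone the campaign never mailed
        clicked, reported = rec.get("clicked"), rec.get("reported")
        for m in (groups[group_of(rec["dept"])], groups["all"]):
            m.sent += 1
            if clicked is not None:
                m.clicked += 1
            if reported is not None:
                m.reported += 1
                m.minutes_to_report.append((reported - rec["sent"]).total_seconds() / 60)
                if clicked is None or reported < clicked:
                    m.reported_before_click += 1
    return dict(groups)


def print_report(groups):
    print(f"{'group':<10}{'sent':>6}{'click%':>8}{'report%':>9}{'rep<click':>11}{'med min':>9}")
    for name, m in sorted(groups.items(), key=lambda kv: kv[0] == "all"):
        med = "-" if m.median_minutes_to_report is None else f"{m.median_minutes_to_report:.1f}"
        print(f"{name:<10}{m.sent:>6}{m.click_rate:>8.0%}{m.report_rate:>9.0%}"
              f"{m.reported_before_click:>11}{med:>9}")


if __name__ == "__main__":
    print_report(summarize(SAMPLE_EVENTS))
```

The "rep<click" column is the number worth watching over successive campaigns: it counts people who did the right thing before (or instead of) clicking, which is the behaviour the text says training should drive up, whereas click rate alone rewards whoever happened not to be at their desk.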

Build trust through communication

Transparency is the next crucial element of phishing testing, argues Blythe. “Organizations need to be open with their employees, ensuring they are informing them when they are running a simulated phishing campaign and clearly emphasizing it is designed as an educational tool. Without building trust, employees can quickly become resentful, feeling as though they are under surveillance or waiting to be caught out.”

Such a transparent approach appeals to Jones, too. “Users should be introduced to the idea of phishing gradually, taught what to look out for and how to respond,” he argues. “The culture of communication built out of this process is what you should be looking for.”

Provide positive reinforcement

Positive reinforcement not only plays a crucial role in the short and long-term effectiveness of phishing testing, it can also have significant influence on whether an organization’s approach is considered ethical or not.

For example, rather than blaming or punishing employees who fail phishing tests—which can create feelings of negativity, belittlement, and disillusionment—put greater focus on openly celebrating the responses and behaviors you want to encourage. “This positive reinforcement is much more impactful; it draws on principles of social proof and engages people much more effectively,” says Barker.

Gary Warner, director of intelligence at DarkTower, recommends a similar ‘carrot not stick’ approach to phishing simulations, citing an example from his time as an IT director. “I told my boss I could improve the reporting of suspicious emails for $100. I took the most recent report we had received and did a full analysis on it. Then I did a companywide email blast that said something like:

‘Joe in the service center got a suspicious email that looked like THIS (insert screenshot). Joe knew just what to do! He forwarded the email to phishing@myoldjob.com. If Joe had clicked the link instead, it would have infected his computer with XYZ virus and started stealing data from our network and sending it to Russia! To thank Joe for watching out for the company, we’re sending him for a steak dinner for two at a restaurant. Thanks for protecting the company, Joe! Have YOU seen a suspicious email? Please forward it to phishing@myoldjob.com! You just might save the company from a devastating cyber-attack and win yourself a prize!’

Reports went up about 1000% and cost me $100 a month for our prize dinner.”

While the lure Warner used in that example could be likened to the one used in WMT’s phishing test effort, the overall method differed greatly because it was communicated clearly, informatively, and without the highly emotive, ‘click-me-now’ type of language that the rail company opted to use (not to mention the fact that there actually was a free meal to be had for partakers, not just the promise of one that is then snatched away). It is a prime example of how positive reinforcement can be used to encourage users to build on successes and acquire good security behaviors as a habit.

Turn phishing test failures into security wins

Once data has been obtained from the testing process, follow-up actions are just as important to get right as the planning and implementation phases of the tests. These should not only focus on users, but also on how the wider organization can benefit from the results of simulations.

“It’s a cliché, but data is king within cybersecurity,” says Jones. “Everything from technical data from security logs or devices to information from users provides vital knowledge. Employees are a business’s first line of defense, so it’s important that decision-makers are aware of the risk they pose, especially as a successful phishing attack can allow malware to bypass all other security tools that are in place.” But security education and encouragement must trump blame when it comes to engaging with those who have failed the simulations.

“When individuals do click on a simulated phishing email, they should receive timely, helpful feedback,” explains Blythe. That feedback should be brief and engaging rather than lengthy mandatory training or punishment for the best outcome. “In general, our approach to human cyber risk needs to draw much more upon empathy,” he adds. “A more understanding approach that seeks to help and empower employees to change their behavior is more likely to succeed in the long run than an approach that blames and belittles those who succumb to simulated attacks.”

Data from phishing simulations can also be used when communicating with governing authorities such as the UK’s Information Commissioner’s Office, Jones adds. “This allows businesses to prove that they’re aware of their internal threat and that they are taking steps to reduce it. Revealing the threat level that employees pose to an organization and providing evidence of driving positive change through encouragement and communication is a crucial outcome.”

Use the right tool at the right time

One last important consideration an organization must explore is whether phishing testing is the right exercise at any given time. “In some cases, running phishing simulations at all is unhelpful, for example when there is already a culture of fear in terms of cybersecurity,” advises Barker. “Phishing simulations are just a tool and, like all tools, they need to be used in the right way, at the right time.”

One aspect of that may include using somewhat watered down phishing testing as a gentler introduction to the more distressing tactics used by genuine cyber-criminals in attacks, says Jones. “To ensure employees aren’t left uneducated on the real dangers, it is possible to have a constructive discussion about the possible tactics cybercriminals may use without exposing staff to these topics in a simulation.”

Either way, it’s important that simulated phishing remains just one part of an overall strategy that seeks to build good security behavior of employees over time, says Blythe. “It’s also worth noting that there are other security behaviors that need to be addressed if the ultimate aim is to reduce the number of employees that fall victim to phishing attacks.”

Ultimately, if the goal of a phishing test is to use any means necessary to trick users into clicking, just so they can be given a ‘slap on the wrist’ to urge them to do better, it will most likely not only fail to educate users about the risks of phishing attacks, but also leave them disengaged, demotivated, and perhaps even emotionally affected. In contrast, if an approach is taken that is ethical and empathic in nature, in keeping with the culture of the organization, and supported by positive reinforcement and constructive interaction that teaches about the real threats posed by email-based attacks and encourages employees to practice safer behaviors over time, then phishing tests can be a useful tool in the drive towards better security awareness in an organization.

Copyright © 2021 IDG Communications, Inc.