A version of this story was first published at https://it-seal.de/en/customer-fail-story-fail-with-phishing-simulations-or-celebrate-success/
Cybercrime has evolved: attackers smuggle in ransomware and threaten subsequent public shaming in order to blackmail companies into paying ransoms or handing over sensitive information. For many companies it is therefore more important than ever to increase security awareness. However, a lot of things can go wrong while you are trying to improve it.
In order to be best prepared for the activities of cyber criminals, you as an IT security officer need one thing above all: independent and responsible colleagues who approach potential attacks with a wary eye and take IT security seriously. However, the effort to ensure such awareness can be tremendous. Phishing simulations have established themselves as a cost-effective and powerful tool for this purpose since the early 2010s.
We see the positive effect every day: through phishing simulations – if well done – employees become aware of their own responsibility regarding information security and are able to instinctively act correctly in critical situations.
But phishing simulations can also go wrong. They can even have a negative impact on the security awareness of employees – something that even we have witnessed ourselves at one point or another. The reasons for this can be found in unfavourable decisions made by the companies, for example, regarding communication with employees or the technical preparation of the measure.
We have summarized our experiences with companies and what can go wrong with a phishing simulation in a story of the fictional Spigrin AG, its Managing Director, George Anderson, and its Information Security Officer, Thomas Hunt. Would you have considered all aspects for a successful phishing simulation?
Phishing simulation at Spigrin AG - a short story of failure
‘Spigrin AG is a leading company in the electrical and optical joining technology. Our innovations are what make us competitive in the world market. Working with us means working for an international company that develops these innovative products with committed and goal-oriented employees.’
Security has always been an important company objective for George Anderson, Managing Director of Spigrin AG. Together with his Security Officer, Thomas Hunt, he has invested a lot of time and money in technical security measures in the “NextGen” category. They confidently say: ‘Our IT is secure.’
But now Thomas Hunt is alarmed: Phishing mails from some business partners have managed to get past the spam filter. As a result, numerous employees have become victims of perfidious attacks. An expert advises Thomas to test the security awareness of his colleagues – after all, it would be dramatic if so much effort had been put into IT security systems only for the employees to be used as a gateway for cyber-attacks.
Thomas sees and understands the problem. Together with his boss George, he decides to test how well their almost 700 employees, who are spread over various locations, react to phishing emails.
Thomas is a craftsman. A small tool is quickly programmed that sends fake phishing emails and counts clicks accordingly. He sends out his first phishing email ... but nobody clicks. ‘This can’t be...?’ Thomas obviously forgot to adjust the email filter – his mail was not designed to overcome the spam filter and got stuck.
‘Damn it,’ Thomas says, ‘I’ll just get a tool which is designed to bypass filters.’ He installs and configures a free tool and sets up the whitelisting according to the instructions. During the preparation time, however, something unexpected happens: real-world attacks start to pile up. Thomas’ settings have made it easier for real attackers to get through the filters. Thomas quickly reconfigures the whitelisting so that it only refers to the sending IP address, bringing the security systems back to the same level of effectiveness as before the whitelisting.
Keep in mind: Whitelisting should always refer exclusively to the IP address of the sending email server.
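The following added example (not code from the original article or from IT-Seal) models the difference between the two allowlist configurations Thomas tried. All rule values, IP addresses and messages are constructed for illustration; a rule keyed on the envelope sender or subject lets a lookalike from any outside host through, while a rule keyed on the simulation server's IP address does not.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class InboundMail:
    source_ip: str       # address the connecting SMTP server actually used
    envelope_from: str   # MAIL FROM address, freely chosen by the sender
    subject: str         # likewise under the sender's control


# Constructed allowlist rules: only the first is scoped the way the text recommends.
RULES = [
    {"name": "simulation-server", "match": "source_ip", "value": "192.0.2.10/32"},
    {"name": "simulation-sender", "match": "envelope_from", "value": "@example.com"},
    {"name": "simulation-subject", "match": "subject", "value": "upcoming move"},
]


def rule_matches(rule: dict, mail: InboundMail) -> bool:
    """Return True if this allowlist rule would let the message skip the spam filter."""
    if rule["match"] == "source_ip":
        return ipaddress.ip_address(mail.source_ip) in ipaddress.ip_network(rule["value"])
    if rule["match"] == "envelope_from":
        return mail.envelope_from.lower().endswith(rule["value"].lower())
    if rule["match"] == "subject":
        return rule["value"].lower() in mail.subject.lower()
    raise ValueError(f"unknown match type {rule['match']!r}")


def bypass_report(rules, mail: InboundMail) -> list:
    """Names of the rules that would bypass the filter for this message."""
    return [r["name"] for r in rules if rule_matches(r, mail)]


def audit_rules(rules) -> list:
    """Flag every rule that is not tied to the sending server's IP address."""
    return [f"{r['name']}: matches on {r['match']}, which the sender controls; scope it to source_ip"
            for r in rules if r["match"] != "source_ip"]


# Constructed messages: the simulation's own mail and a lookalike arriving from an outside host.
SIMULATED = InboundMail("192.0.2.10", "management@example.com", "Information on the upcoming move")
LOOKALIKE = InboundMail("198.51.100.7", "management@example.com", "Information on the upcoming move")

if __name__ == "__main__":
    print("simulation mail bypasses:", bypass_report(RULES, SIMULATED))
    print("lookalike mail bypasses: ", bypass_report(RULES, LOOKALIKE))
    for warning in audit_rules(RULES):
        print("WARNING", warning)
```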
Now Thomas would like to really challenge his colleagues. He organizes a competition in the IT department for the “best” phishing email. The winner is an email on behalf of the management containing a link providing information on the upcoming move. On click, the employees are shown an error message – after all, nobody should notice and start talking about it. Thomas sends the email to all employees: 70% – that is, over 450 employees – fall for the email.
Thomas presents the result to his boss. George is shocked: ‘This can’t be true! I thought we were secure?!’ Thomas tries to calm him down: ‘That was the best phishing email we had. Most real attacks are much worse.’ But how are they supposed to classify such a result?
George suggests repeating the test with a more realistic phishing email. In the second round, a realistic attack is sent with an allegedly overflowing mailbox.
This time, almost 20% of the employees click. George is now a bit calmer, but Thomas points out: ‘I have noticed that the colleagues have warned each other – in case of a real attack we are surely worse off.’
Keep in mind: The “office grapevine” is good!
In a secure company it is a powerful tool for employees to warn and support each other. However, a phishing simulation that only uses a single email can quickly fail because of it. Sending many different phishing emails is more realistic and more meaningful. This approach reduces the effect of the office grapevine on the results of the phishing simulation to a minimum.
George is completely unsettled: ‘What is the current situation? Are we secure?’ Even Thomas is confused and doesn’t know how to interpret the results. Even the first email could be copied by an attacker with little effort, since the move was announced in advance and all the needed information was available in the news and on the website. In addition, Thomas was unsettled by a real phishing email, which arrived in his mailbox today: It came in response to one of his mails directly from a business partner! Thanks to his trained eye he was able to expose the email. ‘The attacks just keep getting better and better!’ he points out.
Keep in mind: A phishing simulation should never consist of individual emails.
Just because a single email with the perfect subject and timing gets many clicks, it does not mean that you have a huge problem right away. Attacks should be realistically simulated and contain information from freely available sources that real cyber criminals would use for their phishing emails (OSINT). This is the only way to get a real impression of the situation and to prepare the employees for the attacks.
Thomas has now diversified the phishing emails and formulated them realistically. He feels his simulation is now well prepared for the challenges to come. Tamara, the head of IT support, knocks on his door: ‘Your phishing attacks are currently generating a huge amount of work for us – how are we supposed to deal with all the messages?’ Thomas did not think about this: He didn’t give the employees or the IT support any instructions on how to proceed in case of a detected phishing email.
Keep in mind: IT support must always be informed in advance about a phishing simulation.
IT support needs guidance and support on how to deal with questions from employees.
Well-established and functioning reporting processes are important to give employees confidence in dealing with phishing emails. A report button (e.g. as an Outlook plug-in) can be helpful here.
Meanwhile, Thomas and George are receiving more and more inquiries and complaints: Due to the lack of coordination in the IT support, many employees have casually noticed that they are being audited by their company. They are annoyed and feel monitored – mistrust is spreading throughout the whole company.
Keep in mind: Hiding a phishing simulation from the employees makes them feel insecure and creates mistrust.
Therefore, such a measure should always be announced in advance. It has proven to be a good idea to wait two weeks after the announcement before sending the first email.
But what if the employees then click out of curiosity? To prevent this, the announcement should already contain a sample phishing email with a link and/or attachment that the employees can try out. This gives them the opportunity to satisfy their curiosity by clicking the link and/or attachment without any danger. After that, they should be able to react correctly when a fake email lands in their inbox.
Thomas and George decide to officially inform all employees about the phishing test. However, their announcement causes great uncertainty because a click on a phishing email is being recorded. The employees are now afraid of making mistakes – they would prefer not to open any emails at all.
Keep in mind: Advise your employees on possibilities for improvement at the right moment (preferably at the “most teachable moment”).
Use positive feedback to increase employees’ identification with the measure and its learning success, e.g. when an employee reports a suspicious email to IT support. This strengthens the good feeling of being able to contribute something to information security.
Meanwhile, Michael Gans, George’s secretary, is angry. Back at the very beginning of this saga, he received the first phishing email about the company’s move, sent in George’s name. He is in charge of planning the move and now thinks that he was passed over by his boss. The atmosphere between them was already tense and was further poisoned by this.
Keep in mind: Some employees have a problem with emails being sent in their name during the phishing simulation.
Please inform the relevant employees in advance about this and give them the opportunity to decline the use of their name.
But now the works council is getting involved. They noticed the phishing simulation and are threatening consequences. After all, the IT department could see the behaviour of each individual person and use this information to monitor their behaviour and performance. The works council demands that the data already recorded be deleted and the results not be used further.
Keep in mind: Get the works or staff council on board as early as possible and consider any questions that may arise.
Consent or a collective agreement is usually not legally required, but it can significantly ease the situation. The results of the phishing simulation should also be evaluated on a group basis – this protects the individual employee while still maintaining the validity of the results.
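As an added example (not code from the article or from IT-Seal), the following evaluates a simulation round per department only, never per person: departments smaller than an assumed minimum size are pooled, and if even the pool is too small it is counted only in the company-wide figure. The results list, the department names and the threshold of five are constructed for illustration.

```python
from collections import Counter

# Constructed per-recipient outcomes of one simulation round: (department, clicked).
# No personal identifiers are stored; the department is all the evaluation needs.
RESULTS = [
    ("Sales", True), ("Sales", False), ("Sales", True), ("Sales", False), ("Sales", False),
    ("Production", False), ("Production", False), ("Production", True),
    ("Production", False), ("Production", False), ("Production", False),
    ("Management", True), ("Management", False),  # too small to report on its own
    ("Legal", False),                             # too small to report on its own
]

MIN_GROUP_SIZE = 5  # assumed threshold: below this a group rate all but names the clicker


def _rate(clicked: int, sent: int) -> float:
    return round(clicked / sent, 2) if sent else 0.0


def group_report(results, min_size: int = MIN_GROUP_SIZE) -> dict:
    """Aggregate click rates per department, protecting groups smaller than min_size.

    Small departments are pooled into one "other" bucket; if the pool itself stays
    below min_size it is only included in the company-wide figure, never shown alone.
    """
    sent, clicked = Counter(), Counter()
    for group, did_click in results:
        sent[group] += 1
        clicked[group] += int(did_click)
    groups, pooled = {}, []
    for group in sorted(sent):
        if sent[group] >= min_size:
            groups[group] = {"sent": sent[group], "clicked": clicked[group],
                             "rate": _rate(clicked[group], sent[group])}
        else:
            pooled.append(group)
    pool_sent = sum(sent[g] for g in pooled)
    pool_clicked = sum(clicked[g] for g in pooled)
    if pooled and pool_sent >= min_size:
        groups["other"] = {"sent": pool_sent, "clicked": pool_clicked,
                           "rate": _rate(pool_clicked, pool_sent), "merged": pooled}
        pooled = []  # nothing left that needs suppressing
    total_sent, total_clicked = sum(sent.values()), sum(clicked.values())
    return {"groups": groups, "suppressed": pooled,
            "overall": {"sent": total_sent, "clicked": total_clicked,
                        "rate": _rate(total_clicked, total_sent)}}


if __name__ == "__main__":
    report = group_report(RESULTS)
    for name, row in report["groups"].items():
        print(f"{name:12} {row['clicked']}/{row['sent']} clicked ({row['rate']:.0%})")
    print("only in overall figure:", report["suppressed"], "overall:", report["overall"])
```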
Conclusion: It’s better to be employee-friendly
Thomas and George had to learn the hard way while planning and carrying out their phishing simulation. But the experience has shaped them. Now they are well aware that the results of the simulation were critical. Phishing emails will remain a problem in the near future.
In order to prepare the employees in the best possible way and to gain a precise overview of the security awareness in the company, Thomas contacts experts who are familiar with the typical pitfalls and can give him the best advice on how to realise a phishing simulation.
Experts like IT-Seal GmbH. What Thomas particularly appreciates about their solutions is the uncomplicated implementation as well as the preparatory documents for communication with the works council and employees. Furthermore, the realistic attacks based on OSINT are important to him – this is the only way to prepare his employees and colleagues for the ever-increasing danger of perfidious phishing attacks.
We agree with him: Happy, responsible employees are the best protection against cyber-attacks. The employees of our customers no longer take the issue lightly, but seriously.
David Kelm has been working intensively on social engineering and employee awareness since 2012. His research at TU Darmstadt focused on how to measure the security level of a company in a standardized way. After various awards and grants, the research results led in 2016 to the founding of the start-up IT-Seal.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.