A simulated phishing email that used the false promise of company bonuses as a lure to trick employees has ignited a debate over the ethics of security awareness tests that potentially engender distrust and hard feelings.
On the one hand, simulations should mimic real-life phishing campaigns as closely as possible, security awareness experts argue. On the other hand, an insensitive training exercise can place your company in bad standing with employees.
The email in question, which was sent last week to employees of Chicago-based Tribune Publishing, told recipients that they would receive $5,000 to $10,000 in bonus payments, “as a direct result of the success created by the ongoing efforts to cut our costs.”
The email encouraged individuals to click on a link to find out their reward, but doing so revealed a message that the email was actually a phishing simulation test from security awareness training company KnowBe4.
Justin Fenton, a crime reporter at the Tribune-owned Baltimore Sun, explained in a tweet why the fake phish was problematic: “After slashing our staff, closing newsrooms, furloughing reporters and cutting pay during a pandemic, @tribpub thought a neat lil way to test our susceptibility to phishing was to send a spoof email announcing large bonuses,” he wrote, adding: “Fire everyone involved.”
It’s a fine line
SC Media reached out to multiple security awareness and email security experts, who had mixed reactions about the Tribune’s phishing exercise.
Matthew Gardiner, cybersecurity strategist at Mimecast, contends that the phishing test was within bounds: “Cybercriminals have no moral or ‘nice’ filter as they are attempting to motivate clicks and engagement. Thus, it is perfectly reasonable for a simulation to take the same tact,” he said in an interview with SC Media. “Since money is the universal motivator, it is a very common social engineering technique used by cybercriminals, and thus should also be used in simulations that are intended to test and help staff be more cautious.”
Gardiner noted that cybercriminals often perform reconnaissance on the organizations they target and know how best to entice a reaction from those organizations’ employees. Thus, “To unilaterally disarm your security awareness training program” by disallowing targeted tests “is only to give a further advantage to the cybercriminals.”
This is why companies like Mimecast and KnowBe4 routinely craft phishing simulations from genuine campaigns they have encountered. “The closer simulations are to reality the better. This way, security professionals don’t even need to guess the approach that cybercriminals would take when targeting their organization,” said Gardiner.
In a company blog post addressing the issue, KnowBe4 founder and CEO Stu Sjouwerman acknowledged that some users on Twitter found the test “disrespectful, a slap in the face and tone-deaf,” adding that the reaction “is understandable.”