
January 11, 2021 Experts Corner

How to do simulated phishing exercises ethically

When I read last year that employees at layoff- and buyout-battered Tribune Publishing newspapers (including the Hartford Courant) received mock phishing emails promising bonuses of $5,000 to $10,000, my heart sank.

I can only imagine how the journalists themselves felt.

Simulated phishing exercises, in which employees are sent emails crafted to resemble real attackers' lures in order to gauge and build cybersecurity awareness, are becoming increasingly common at companies of all sorts around the globe. Depending on how leadership handles them, these exercises can either build trust with employees or degrade it.

Believable, not hurtful


If you’re wondering, “How could Tribune have thought dangling bonuses in a fake phishing email would be a good idea?” here’s what they were thinking: “What’s an email concept so enticing it will really put our employees’ cybersecurity training to the test?” It’s a good question to be asking, but only half the equation.

Phishing emails from hackers often look quite real, as if they came from a boss or a coworker, and the content is designed to make recipients click without thinking. There are often tells in these emails, such as misspelled words, odd phrasing, or a sender address that does not quite match the supposed sender, and the attacker's goal is to cause an emotional spike so that these go unnoticed. They commonly do this through urgency (claiming that immediate action is needed to avoid disaster) or curiosity (a link to what appears to be the whole company's salary list, sent by mistake).

In order to be a real test of cybersecurity awareness, simulated phishing emails need to use these same tactics. However, leaders must also ask, “Could the content of this email be hurtful to anyone on the team?”

It’s important to pause and imagine how employees will feel once the ruse is revealed. Will they feel like this was a constructive step in building their cybersecurity awareness? Or will they feel duped?

Hackers tailor phishing emails to the organizations they target, and a very savvy hacker might realize that pretending to offer bonuses to underpaid journalists could be effective. In that regard, Tribune Publishing’s fake phishing emails were realistic. However, there are certainly other narratives that would have been just as effective without looking so much like callous mocking in the end.

Assess results as a team

Once the results of the phishing exercise are in, those who took the simulated phishing bait should not be publicly identified as individuals. Instead, share the overall percentage of employees who would have fallen for the attack had it been real. The team can then track its progress as a whole without anyone being singled out or shamed.

When the results of a phishing exercise are treated with discretion, certain brave employees are likely to come forward voluntarily to share their story of how the exercise fooled them. Without any judgment, encourage them to share their experience. If they can describe what was passing through their mind when they saw the email, it can help others recognize when their cybersecurity awareness may be dulled.

Leaders: Be vulnerable

If company leaders are among those who clicked the simulated phishing link, it can be particularly powerful if they are willing to open up about this. I’ve done it myself.

In addition to conducting simulated phishing exercises for our clients, Kelser Corp. also regularly tests our own team with simulated phishing. In one case, I fell for the ruse. By coming forward to admit that I clicked the link, I made everyone else who did so as well feel better about it.

I was able to show that we don't do simulated phishing to make anyone feel bad. We do it to sharpen our senses so we can work together to beat cybercrime. We do it because anyone can be phished — even the CEO of an IT company who has been in this industry for almost 40 years — so we all have to sharpen our skills.

Barry Kelly is CEO of Kelser Corp., an IT consulting firm in Glastonbury.
