Many companies conduct phishing simulations to test employees’ readiness for email-based social engineering attacks.
But sometimes the phishing campaign is met with strong resistance internally, especially if the simulation touches on sensitive topics that make employees feel unfairly deceived. And when your cybersecurity awareness training program relies on fear or shame, these campaigns are often not successful.
Phishing campaigns should be an opportunity for Security Awareness Program Owners to build a culture of education and support, not one in which users resent employers for sending emails that hit too close to home.
Here are a few questions to ask yourself before launching a campaign to see if you’re taking your phishing simulation too far:
1. Does this phishing simulation unfairly play on employees’ trust in the organization?
Generally speaking, employees trust their organization to protect their personal information, maintain their current workplace benefits, and operate according to a certain standard of ethics. So when an employer breaks that trust by sending a purposely manipulative phishing email leading employees to believe their personal safety within the workplace is at risk, it can leave a lasting impression on your team.
You may think, “Social engineers use manipulative tactics to trick people; therefore, a realistic phishing simulation should do the same,” but there is often a fine line between realistic and harmful. Phishing campaigns that capitalize on the emotional well-being of their recipients often reflect poorly on your organization and leave employees irritated and upset.
Here are a few examples of phishing messages related to employees’ work security that could unfairly toy with your team’s trust:
- Bonus payouts. “Thanks for your hard work—here’s your annual bonus!”
- Losing work benefits. “This has been the third consecutive month we did not receive your healthcare insurance payment. Effective tomorrow, we’re revoking your coverage.”
- Termination notices. “Notice of Termination: Effective Immediately.”
- Disruption of personal possessions in the workplace. “In last night’s burglary, contents on your desk were stolen.”
- Leaks of personal data held by the company. “Our company was the victim of a data breach that could have potentially exposed personal information, such as your home address, phone number, etc., to cybercriminals.”
In these situations, the phish affects more than just your workplace environment: it directly targets the employee. Notice how the typical phishing schemes about missed package delivery notices or unpaid invoice requests often deal exclusively with business operations, while threatening an employee’s psychology or financial safety is directly aimed at the individual.
“Using highly emotive bait such as bonuses and healthcare—especially in the context of COVID-19—plays games with the emotional well-being of recipients, which in turn can harm psychological safety, trust, and culture within the workplace,” says Dr. Jessica Barker, co-CEO and co-founder at Cygenta, and we have to agree.
People don’t like to be deceived and often don’t like the people who deceive them. Don’t leave a sour taste in your employees’ mouths by personally scaring or angering them in poorly positioned phishing simulations.
2. Does this phish threaten employees’ homes or personal security?
Just as personally targeted work-related messages attack an individual’s emotional well-being, dragging an employee’s home life into your phishing campaign is often a big no-no. Any phishing message that relates to an employee’s safety outside of the workplace has no place in a corporate phishing campaign.
For example, a work email phish stating an employee’s personal banking account was breached or that their home security system detected a break-in is not an ethical practice. While it’s true that highly specific, fear-based phishing emails are often the ones people fall for, your employee is likely to feel resentful of this personally invasive trick and will not appreciate you bringing their home life into the workplace setting. Stay far, far away from dragging your staff’s personal property into a professional phishing setting.
Check out our webinar, “Metrics, Training, Culture - Why Your Phishing Program Isn’t Working,” where our co-founder, Drew Rose, talks about the ethics of phish testing employees and poses the question, “When are we taking it too far?”
3. What is the potential impact of this email on employees’ mental health?
In the two questions above, you’ll notice the focus remains on your employee’s mental health. By inciting anxiety and panic in a way that threatens their psychological safety, you are causing your employees unnecessary stress and eroding their very trust in your organization.
Before hitting send on a phishing campaign, review the message again and ask yourself how its tone could be perceived by employees. Is this campaign empathetic toward their personal boundaries and respectful of their well-being? If unsure, seek advice from an occupational health advisor on how it might affect the team and your culture.
4. Am I genuinely trying to change behavior, or am I purposely trying to get them to click?
It’s important to pulse-check your motivation for sending a phishing message before launching the campaign. What’s your goal for sending the phish? Is it to positively promote learning and nurture employees on best practices for avoiding cyber threats? Or is it to earn lots of clicks so you can show management how you turned those phishing click rates around after a year or two of simulation training?
The point of a phishing campaign is not to fool employees and make it look as though you’re effecting cultural change. It’s to actually train employees so that they don’t fall for phishing attacks. It’s to educate and empower your team to recognize and report suspicious messages, with the goal of benefiting your employees and your organization’s security at large.
If you find yourself trying to fool employees to prove how great you are at crafting clever phishing emails, we urge you to reassess your motive and the impact you hope to leave long after the campaign comes to an end.
5. Am I following up on the phish?
You spend so much time developing and orchestrating your phishing campaign, but after all the results are in, how are you sharing them with your team? If you are making employees go through your phishing training, the least you can do is share how they did as a whole at the end. If scalable, you could even share individual feedback with employees who failed and provide resources for them to improve their awareness for next time. Remember, this is an opportunity for you to support and empower your users, not make them feel ashamed for their mistakes.
Consider sending out a mass email to participants and giving a few shoutouts to people who caught the phish for the ruse it was, while still being kind to those who failed and providing valuable feedback that all employees could learn from.
The Foundation for an Ethical Phish
It can be difficult to ensure a phishing simulation is ethically sound. But when your employees’ psychological well-being and your organization’s culture are at stake, it’s crucial to get it right.
Never worry about the ethics of your phishing simulation again with help from Living Security’s phishing simulation training. We provide pre-written phishing content screened and tested for its ethical integrity: content that considers all the questions in this article and more. Best of all, our team can offer guidance about your own unique campaign. Contact us to learn more today.