Imagine this: You’re at your desk working at home, as many people are currently doing during the pandemic. Your office has been shut for months and you live in a constant state of uncertainty: You’ve seen some friends furloughed, some get seriously ill. You haven’t been able to see your family in weeks, months or even years. Then, an email appears in your inbox. It’s from your management team, saying that they “are pleased to inform you” that you will be provided with a bonus of “between 5,000 and 10,000 dollars this year”. This is thanks to all of the staff’s great work and custcotting efforts. Finally, some good news!
You click the link, excited. Maybe now you’ll be able to afford that COVID-19 test which you need to do in order to be able to board a flight to visit your family on the other side of the country. You might be able to financially help out your sibling who lost their job due to the pandemic, or ensure your parents get proper healthcare in case they contract the virus. However, before you can imagine another positive outcome, it dawns on you that you won’t be able to do any of these things. The email is a scam, sent to you not by hackers, but by your employers as part of a company-wide phishing test. You’ve failed – miserably. Instead of a $5,000 bonus, you’ll be attending a compulsory cyber security training.
Sounds unrealistic? The scenario described above took place in September 2020, when Tribune Publishing, the owner of daily newspapers such as the New York Daily News, the Chicago Tribune, and the Baltimore Sun, decided to test the cyber awareness of its staff.
Too good to be true
Simulated phishing campaigns that use an element of emotional manipulation, such as financial reward, are becoming increasingly popular among companies attempting to bolster their security. Thought to have first originated in the US, the controversial practice has since made its way across the Atlantic to countries such as Germany and the UK.
In May, West Midlands Trains came under fire for sending out a similar email to its 2,500 employees. The train operator’s managing director, Julian Edwards, told employees in the message that he wanted to thank them for their hard work during the pandemic with a one-off payment. However, those who clicked the link for the bonus received a message telling them it was all but only a "phishing simulation test".
Dr Rois Ni Thuama, ambassador of the Cyber Global Alliance and head of cyber governance at Red Sift, first analysed the events at West Midlands Trains in a blog post aptly-named Don’t Phish your Friends. However, months on, the incident still generates many questions:
“Why did nobody say ‘hang on, this seems like a bad idea’? Why didn’t the person who’s in charge of human resources say ‘don’t do this to our team’?” she asks.
Ni Thuama points out that, like many other frontline workers, West Midlands Trains employees had been forced to go into work every day since the pandemic started. They hadn’t been afforded the luxury of being able to work remotely, as trains cannot be driven from home – at least not for the time being. Unsurprisingly, this has had dangerous consequences on the train operator’s staff, with some catching COVID-19 at work and one person dying of the disease.
“So the reality of the situation is, those people lost a colleague to COVID and still had to go into work,” says Ni Thuama. “So for me, that’s just picking a bad bit of kit to do a job that it can't reasonably do, according to the experts.”
Research conducted last year by the Karlsruhe Institute for Technologies (KIT) and Ruhr-Universitat Bochum in Germany found that simulated phishing campaigns have a negative impact on the self-efficacy and productivity of staff. They also generate potential data protection issues under GDPR or national legislation, and seriously diminish the trust between the company and its employees at a time when it should be considered a priority. Most importantly, the research emphasises that the “external validity of results for simulated phishing campaigns in general, and especially for some particular forms, is a matter of debate”.
The IT Pro Podcast: The psychology of security
How hackers exploit our brains as well as our binary
One of the authors of the research paper, professor Melanie Volkamer, says that cyber security awareness should generate a “positive feeling” among employees.
“But if you start hacking or attacking your employees, it isn’t positive,” she says. “It's like: ‘hey, they want to trick me into something, and if they try to trick me here, maybe they also try to trick me in other situations’ – and this is not a trust relationship you want to have with your company.”
Instead, Volkamer and her co-authors of the Analysing Simulated Phishing Campaigns for Staff research paper recommend that companies “invest time and money in an improvement of technical measures” as well as “appropriate awareness measures” which “make staff aware of the type of phishing messages they can reach despite all technical measures and of how they can identify them”. Lastly, organisations should make it easier to report phishing emails and inquire about their threat level.
Emotional manipulation or a chance to fail safely?
As the chief evangelist and strategy officer of security awareness training provider KnowB4, Perry Carpenter is a staunch supporter of simulated phishing campaigns.
Security awareness training strategies for account takeover protection
Why you need an inside-the-perimeter strategy for internal threats
“The reason that we're doing this isn't to fool you, to trick you, or to make you feel bad,” he says of the phishing tests. “It's to decrease the risk of the organisation, to give you a chance to fail safely, to teach you how to report risks.”
However, when asked about the incidents at Tribune Publishing or West Midlands Trains, he agrees that it’s better to “stay away from anything that's that volatile”. Instead, companies can opt for somewhat tamer topics than post-pandemic bonuses. These could be emails masquerading as “a news organisation that's giving information about COVID”, or even a coupon for free pizza.
“You might click on that because it's COVID-related but you might not feel the sense of betrayal,” he tells IT Pro. “So there's something here that's gonna drive that click, and it's usually based on curiosity or urgency or fear.”
However, he notes that during “highly volatile” times, such as a pandemic, “you might want to stay away from fear”.
“And you might want to stay away from something that's going to invoke greed or hope,” he adds.
In March 2020, Carpenter was faced with the dilemma whether phishing tests have a place during the global pandemic and subsequent financial crisis. However, at the same time, cyber criminals were carrying out more phishing attacks than ever, emboldened by the security gaps caused by the sudden mass shift to remote working. In a blog post analysing the issue, Carpenter argued that “not conducting phishing training during this time amounts to negligence”. Nevertheless, these need to be adapted to the stressful times, based on mutual understanding, proper communication, and empathy. He suspects that the latter in particular might have been missing from the simulated campaigns carried out at Tribune Publishing or West Midlands Trains, causing the security teams to make these “less than stellar decisions”.
Different companies might have different opinions on the use of simulated phishing campaigns. However, when fixing potential cyber security gaps within an organisation, it might be worth ensuring that the employer-employee relationship doesn’t crumble in the process.
“Ultimately, our recommendation is if you're going to be doing phishing, you should do it with an awareness of how people actually work, and you do it with the goal of building a relationship,” says Carpenter. “Then, over time, that is going to pay off in a reduction of risk.”
