Conducting Employee Phishing Testing

Answered by:

Question:

With phishing and BEC scams becoming prevalent, we want to conduct phishing tests on our employees as part of our IT training by sending scam emails and seeing whether our employees will “click.” What are some suggestions for launching a program? Do we send out reminders to all employees reminding them to make sure they know where an email is coming from before opening or clicking on any linking, without disclosing the name of the employee who failed our test?

Answer:

Fascinating question! Phishing experiments that simulate real-world conditions can provide cybersecurity experts and organizations with valuable knowledge they can use to develop countermeasures to prevent employees from being victimized by phishing attacks. However, these experiments may infringe on consent requirements and involve deception. Therefore, it is vitally important that ethical and legal matters are carefully considered.

David B. Resnik, JD, Ph.D., in an article titled Ethics and Phishing Experiments, contends that phishing testing can be conducted under the appropriate conditions. He outlines three different approaches:

Surveys or interviews with individuals concerning their experiences with such attacks. Investigators, in this approach, can analyze responses to try and understand what types of phishing emails have been received and how recipients responded. This process has limitations because it relies on the subject’s memory and does not involve any experimental behavior manipulation.
Testing participants’ ability to distinguish between phishing emails and legitimate inquiries under controlled environments. These studies can provide valuable information about participants’ "phishing IQ," however, the lack of experimentally - manipulative behavior restricts the investigator’s efforts.
Conducting experiments that mimic actual phishing attacks. Investigators are provided with employee email addresses for the research. Recipients would not easily ascertain whether they were receiving actual phishing emails or messages concocted by investigators. Recipients would be instructed to submit personal or financial information to a website linked to the message. The test website would be secure and private, data beyond the sender’s email would not be stored to protect privacy and confidentiality.

The first two methodologies, according to Resnik, do not raise any significant ethical issues. Resnik asserts that the third approach poses substantial ethical challenges due to questions surrounding consent and the practice of deception.

Resnick concludes that phishing susceptibility testing is valuable. He reminds us that conducting experiments mimicking actual phishing attacks can be performed ethically when:

Risks are minimized, and confidentiality is protected.
Potential participants are permitted to opt-out.
Everyone is appropriately debriefed after their involvement ends.
Researchers, sponsors, organizations, and oversight committees are engaged and ensure that ethical standards are met

We recommend that you consult with your senior leadership teams, legal counsel, and human resources professionals before launching simulated phishing testing.

This Q&A originally appeared in Bankers' Hotline. For more information, sample issues, and to subscribe, click here or email bh@bankersonline.com