Phishing simulations—or phishing tests—have become a popular feature of cybersecurity training programs in organizations of all sizes. One can see the appeal: phishing tests allow security staff to craft and send emails to employees en masse that are designed to appear as authentic and enticing as the genuine malicious phishing emails that bombard businesses on a regular basis. These typically include lures such as missed delivery notices, invoice payment requests, and celebrity gossip.
Under the control of the security team, responses to these emails can be quantified and used to ascertain (at least to a degree) the general security awareness of workers within an organization. How many attachments were opened or links followed? How many emails were flagged as suspicious or ignored altogether? Which subject lures proved most impactful compared to others? Are certain departments or users more likely to fall victim? This data can help security departments better tailor cybersecurity awareness training and education and identify potential weaknesses that need addressing.
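As an added illustration of the quantification described above (example code, not from the original article or any vendor's product), the script below tallies constructed campaign events per department and per lure, counting each recipient once and also measuring how many of those who clicked or opened an attachment went on to report the email:

```python
from collections import defaultdict

# Constructed event records from a hypothetical simulation (not real data).
# A user can produce several events; "reported" after "clicked" matters.
EVENTS = [
    {"user": "ann", "dept": "finance", "lure": "invoice", "action": "delivered"},
    {"user": "ann", "dept": "finance", "lure": "invoice", "action": "clicked"},
    {"user": "bob", "dept": "finance", "lure": "invoice", "action": "delivered"},
    {"user": "bob", "dept": "finance", "lure": "invoice", "action": "reported"},
    {"user": "cy", "dept": "ops", "lure": "delivery", "action": "delivered"},
    {"user": "cy", "dept": "ops", "lure": "delivery", "action": "clicked"},
    {"user": "cy", "dept": "ops", "lure": "delivery", "action": "reported"},
    {"user": "dee", "dept": "ops", "lure": "delivery", "action": "delivered"},
    {"user": "eve", "dept": "ops", "lure": "invoice", "action": "delivered"},
    {"user": "eve", "dept": "ops", "lure": "invoice", "action": "attachment_opened"},
]

FAIL_ACTIONS = {"clicked", "attachment_opened"}  # outcomes counted as "fell for it"

def summarize(events, key):
    """Per-group rates over unique recipients; key is 'dept' or 'lure'.
    Returns {group: {recipients, fail_rate, report_rate, report_after_fail}}."""
    per_user = defaultdict(set)  # (group, user) -> set of actions seen
    for e in events:
        per_user[(e[key], e["user"])].add(e["action"])
    tally = defaultdict(lambda: {"n": 0, "failed": 0, "reported": 0, "both": 0})
    for (group, _), actions in per_user.items():
        failed = bool(actions & FAIL_ACTIONS)
        reported = "reported" in actions
        t = tally[group]
        t["n"] += 1
        t["failed"] += failed
        t["reported"] += reported
        t["both"] += failed and reported
    return {
        group: {
            "recipients": t["n"],
            "fail_rate": t["failed"] / t["n"],
            "report_rate": t["reported"] / t["n"],
            # share of those who fell for it who then reported it (None if nobody failed)
            "report_after_fail": t["both"] / t["failed"] if t["failed"] else None,
        }
        for group, t in tally.items()
    }

def weakest_group(summary):
    """Group with the highest fail rate; ties broken by the lowest report rate."""
    return max(summary, key=lambda g: (summary[g]["fail_rate"], -summary[g]["report_rate"]))
```

Running `summarize(EVENTS, "dept")` and `summarize(EVENTS, "lure")` gives the per-department and per-lure breakdowns the paragraph describes; counting recipients rather than raw events keeps a single user who clicks twice from inflating the rate.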
Ethical questions raised over phishing tests
However, some high-profile incidents have raised important ethical questions around key elements of phishing testing practices. A railway company in the West Midlands of England recently caused notable controversy due to the subject matter used in a phishing readiness test it carried out on its employees.
In an email designed to appear to be sent from the finance and payroll department of West Midlands Trains (WMT), staff were informed that they were to receive a bonus payment as a sign of thanks for their efforts during the COVID-19 pandemic. Recipients were encouraged to click on a Microsoft Office 365 link that would lead to a ‘personal message from WMT managing director’ Julian Edwards. In actuality, the link led to a SharePoint website containing a simulated phishing exercise set up by Microsoft, with those who clicked receiving an email from the company’s human resources team advising them to be aware of communications that asked staff for login credentials. Needless to say, there was no bonus payment to be had.