It Might Be Time to Rethink Phishing Awareness

In the wake of the MGM news, I thought it a good time to discuss phishing awareness. It’s rumored that the attacker(s) were able to impersonate an internal MGM employee and social engineer the help desk into resetting their password. This story, while believable, may or may not be true. However, it got everyone talking about phishing and how such attacks fit into our threat models.

Phishing attacks, be they by SMS, phone call, email, or even in person, usually have one thing in common: they target employees who are unlikely to have any cybersecurity experience and are therefore poorly placed to identify social engineering. A logical, but often misguided, response is phishing training, with many organizations attempting to convert their regular employees into amateur threat analysts.

Now, don’t get me wrong, I’m not saying all phishing awareness is bad, but results will differ wildly based on approach. Phishing awareness could boost your security posture, or it could completely undermine it.

The pitfalls of misguided phishing awareness & testing

Phishing tests, specifically, are somewhat of a double-edged sword. If simulated attacks aren’t realistic enough, they may train employees to detect and avoid only those specific examples, or worse, to recognize the tell-tale signs of the test platform rather than real phishing. On the flip side, if the attacks are too realistic, they can erode employee trust and create friction within the organization.

Attackers are freely willing to exploit people’s emotions, but security testers should not. I’ve seen phishing simulations pretending to be sick relatives, announcing fake bonuses to employees during times of financial hardship, and even publicly shaming staff who fail the tests. Whilst the phishing lures themselves may be highly effective, the end result is likely to be anything but.

Imagine you’ve had a long difficult year at work. You’re struggling with bills, maybe your car needs a big repair. But don’t worry, you’re getting a Christmas bonus! Or, so you thought. Upon clicking the link you’re met with the harsh reality that not only are you not getting that bonus, you’re going to have to add sitting through phishing training to your busy work schedule. Now, I don’t know about you, but I’d be leaning less towards extra security vigilance and more toward ransoming the network myself.

Jokes aside, playing on employees’ emotions or punishing them for failing at something that isn’t even their job is likely to be extremely counter-productive. Employees who fall victim to genuine phishing attempts become far less likely to notify the security team, out of fear, shame, or resentment. Workers may also attempt to avoid failing phishing tests by undermining other security controls, such as handling mail on personal devices that don’t run EDR or pass through the corporate gateway, which takes the traffic out of view of the very tooling meant to catch a real compromise.

I’ve often joked that the world’s best hackers aren’t the people who work for ransomware groups, nor the NSA, they’re your employees when your security controls get in the way of their work.

The goal of phishing awareness should not be to entirely prevent phishing. Even the best cybersecurity professionals can fall victim to a well-orchestrated phishing attack. Whilst it is entirely possible to lower the success rate, it is absolutely never going to hit zero. The last line of security defence cannot be the collective infallibility of your entire workforce.

Considerations for effective phishing awareness

Phishing awareness is an efficient way to crowdsource threat intelligence. Organizations should be pushing to constructively incentivize employees to report suspicious activity, giving positive feedback whenever possible.

Many phishing lures create a false sense of urgency, resulting in targets only realizing they’ve fallen victim after the fact. With the potential for a successful phishing attempt to escalate to full breach in a matter of hours, an employee self-report could easily be the difference between re-issuing an access token and responding to a ransomware event.

Even reports of unsuccessful phishing attempts often provide valuable insight into attacker tactics, techniques, and procedures, which can be used to shore up other defences. Known phishing URLs and payloads can also be monitored or blocked to prevent other employees from falling victim, and a single report can reveal colleagues who already clicked but never noticed.
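To make the "crowdsourced threat intelligence" point concrete, here is an added example (not code from the original post): it takes an employee-reported phishing email, extracts the URL hosts and sender domain as indicators, undoes common defanging (hxxp, [.]), and sweeps proxy log lines for other users who reached the same host. The email, the log lines and their field layout, and every domain name are constructed for illustration and correspond to no real incident or product.

```python
"""Turn one reported phishing email into indicators and sweep proxy logs for other victims."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: a phishing email as forwarded by an employee (not a real message).
REPORTED_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-it-support.test>
To: alice@corp.example
Subject: Action required: password expires today

Your password expires in 2 hours. Reset it now:
https://Corp-Example-Login.test/reset?user=alice&tok=abc123
Or copy this link: hxxps://corp-example-login[.]test/reset
"""

# Constructed proxy log lines; assumed layout: client_ip user method url status.
PROXY_LOG = """\
10.0.1.15 alice GET https://corp-example-login.test/reset?user=alice&tok=abc123 200
10.0.1.22 bob GET https://corp-example-login.test/reset?user=bob&tok=zz9 200
10.0.1.30 carol GET https://intranet.corp.example/home 200
10.0.1.41 dave GET https://corp-example-login.test/static/logo.png 200
"""

# Matches both live URLs and the defanged forms people paste into reports.
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"']+", re.IGNORECASE)


def refang(url):
    """Undo common defanging so the indicator can be compared with real traffic."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def host_of(url):
    """Lowercase host of a URL, or None if it has none; the host is the indicator worth blocking."""
    host = urlsplit(refang(url)).hostname
    return host.lower() if host else None


def extract_indicators(raw_email):
    """Pull URL hosts from the body and the sender domain from the From header."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    hosts = {h for h in (host_of(u) for u in URL_RE.findall(body)) if h}
    _, sender = parseaddr(msg.get("From", ""))
    sender_domains = {sender.rsplit("@", 1)[1].lower()} if "@" in sender else set()
    return {"hosts": hosts, "sender_domains": sender_domains}


def sweep_proxy_log(log_text, bad_hosts):
    """Return (user, url) for every request whose host is a known phishing host.

    Every hit, including the reporter's own, is a candidate for credential reset.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess at them
        _ip, user, _method, url, _status = fields
        if host_of(url) in bad_hosts:
            hits.append((user, url))
    return hits


if __name__ == "__main__":
    indicators = extract_indicators(REPORTED_EMAIL)
    print("block list:", sorted(indicators["hosts"] | indicators["sender_domains"]))
    for user, url in sweep_proxy_log(PROXY_LOG, indicators["hosts"]):
        print(f"reset credentials for {user}: visited {url}")
```

Matching on the host rather than the full URL is deliberate: the lure URL carries a per-target token, so an exact-URL match would only ever find the person who reported it, while the host match surfaces bob and dave, who clicked and said nothing. The same host set can be pushed to the gateway block list.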

When it comes to phishing tests, I’m still undecided on whether they are even worthwhile. I don’t see any reason why employees can’t simply be familiarized with common phishing lures without also being the intended target. Phishing simulations run a very high risk of creating distrust and friction between your employees and security team.

Considerations for phishing tests

If phishing tests are to be conducted, I think it’s important to tread carefully. Organizations should entirely avoid emotionally-manipulative lures such as those involving pay rises, vacations, or sick relatives.

I also think it ill-advised to punish employees for failing phishing tests. And yes, I’m counting mandatory phishing awareness training in that. Having to put aside a busy workload to focus on a menial task is exhausting. On top of that, being singled out, or worse, being the reason the whole team got enrolled, is completely humiliating. The last thing you want from a phishing test is to disincentivize employees from reporting real threats.

Personally, I’d lean toward silent phishing tests if testing is a must: ones where employees are given no indication that it is a test, was a test, or that they failed. Data gathered can instead be used behind the scenes to inform future security decisions, without undermining employee trust. Even then, I’d still avoid emotionally-manipulative lures at all costs.

Overall, I think phishing awareness can be highly effective, but far too many organizations are treating it as a carrot and stick exercise. Negative incentives seldom work in any aspect of life, and organizational security is no different.