When is phishing education going too far?





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







68















I currently work on the IT security team at my workplace in a senior role. Recently, I assisted management in designing the phishing / social engineering training campaigns, by which IT security will send out phishing "test" emails to see how aware the company employees are to spotting such emails.



We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see. The content have been varied to include emails asking for sensitive content (e.g: updating a password) to fake social media posts, to targeted advertising.



We have been getting push back from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails. They have been requests to scale back the difficulty of these tests from our team.



Edit to address some comments that say spear phishing simulations are too extreme / bad design of simulations



In analyzing the past results of phishing simulations, the users who clicked tended to show certain patterns. Also, one particular successful phish that resulted in financial loss (unnecessary online purchase) was pretending to be a member of senior management.



To respond to comments on depth of targeting / GDPR, methods of customization are based on public company data (i.e: job function), rather than private user data known to that person only. The "content that users are likey to see" is based on "typical scenarios", not what content users at our workplace see specifically



Questions




  1. When is phishing education going too far?


  2. Is pushback from the end users demonstrative that their awareness is still lacking and need further training, specifically the inability to recognize legitimate from malicious emails?











share|improve this question




















  • 19





    I would re-word the title from "education" to "testing" or "simulations"

    – schroeder
    yesterday






  • 6





    This question seems to me like it lacks key details. Why are your users claiming that the phishing emails you send them are indistinguishable from legitimate ones? Is it because they truly are (at least with the tools at a normal user's disposal), or is it because they're screwing up? Receiving an email from a person you've not previously had contact with is not inherently suspicious, so it matters how you are measuring failure. Based on them actually handing over sensitive information? Or just based on them clicking a link in an email that they could not reasonably know was fake in advance?

    – Mark Amery
    16 hours ago











  • Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    10 hours ago











  • The creation of such a targeted system is completely against the reasoning of gdpr. So yes you are already far across the line of acceptable. I'm not sure why this question requires an answer, the premise is already breaking several laws in many countries. - And that should be indication enough.

    – paul23
    6 hours ago













  • Any competent phishing email is indistinguishable from normal ones. What is your education campaign trying to teach them? That old bogon that phishing emails have wacky From lines or Subject lines or misspellings or Engrish? The only way I can possibly think to spot a competent phishing email is mouseover the link and see where it points. Ever tried to mouseover on a touchscreen? It's a PitA if even possible because mobile is really feature-restricted.

    – Harper
    3 hours ago




















68















I currently work on the IT security team at my workplace in a senior role. Recently, I assisted management in designing the phishing / social engineering training campaigns, by which IT security will send out phishing "test" emails to see how aware the company employees are to spotting such emails.



We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see. The content have been varied to include emails asking for sensitive content (e.g: updating a password) to fake social media posts, to targeted advertising.



We have been getting push back from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails. They have been requests to scale back the difficulty of these tests from our team.



Edit to address some comments that say spear phishing simulations are too extreme / bad design of simulations



In analyzing the past results of phishing simulations, the users who clicked tended to show certain patterns. Also, one particular successful phish that resulted in financial loss (unnecessary online purchase) was pretending to be a member of senior management.



To respond to comments on depth of targeting / GDPR, methods of customization are based on public company data (i.e: job function), rather than private user data known to that person only. The "content that users are likey to see" is based on "typical scenarios", not what content users at our workplace see specifically



Questions




  1. When is phishing education going too far?


  2. Is pushback from the end users demonstrative that their awareness is still lacking and need further training, specifically the inability to recognize legitimate from malicious emails?











share|improve this question




















  • 19





    I would re-word the title from "education" to "testing" or "simulations"

    – schroeder
    yesterday






  • 6





    This question seems to me like it lacks key details. Why are your users claiming that the phishing emails you send them are indistinguishable from legitimate ones? Is it because they truly are (at least with the tools at a normal user's disposal), or is it because they're screwing up? Receiving an email from a person you've not previously had contact with is not inherently suspicious, so it matters how you are measuring failure. Based on them actually handing over sensitive information? Or just based on them clicking a link in an email that they could not reasonably know was fake in advance?

    – Mark Amery
    16 hours ago











  • Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    10 hours ago











  • The creation of such a targeted system is completely against the reasoning of gdpr. So yes you are already far across the line of acceptable. I'm not sure why this question requires an answer, the premise is already breaking several laws in many countries. - And that should be indication enough.

    – paul23
    6 hours ago













  • Any competent phishing email is indistinguishable from normal ones. What is your education campaign trying to teach them? That old bogon that phishing emails have wacky From lines or Subject lines or misspellings or Engrish? The only way I can possibly think to spot a competent phishing email is mouseover the link and see where it points. Ever tried to mouseover on a touchscreen? It's a PitA if even possible because mobile is really feature-restricted.

    – Harper
    3 hours ago
















68












68








68


15






I currently work on the IT security team at my workplace in a senior role. Recently, I assisted management in designing the phishing / social engineering training campaigns, by which IT security will send out phishing "test" emails to see how aware the company employees are to spotting such emails.



We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see. The content have been varied to include emails asking for sensitive content (e.g: updating a password) to fake social media posts, to targeted advertising.



We have been getting push back from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails. They have been requests to scale back the difficulty of these tests from our team.



Edit to address some comments that say spear phishing simulations are too extreme / bad design of simulations



In analyzing the past results of phishing simulations, the users who clicked tended to show certain patterns. Also, one particular successful phish that resulted in financial loss (unnecessary online purchase) was pretending to be a member of senior management.



To respond to comments on depth of targeting / GDPR, methods of customization are based on public company data (i.e: job function), rather than private user data known to that person only. The "content that users are likey to see" is based on "typical scenarios", not what content users at our workplace see specifically



Questions




  1. When is phishing education going too far?


  2. Is pushback from the end users demonstrative that their awareness is still lacking and need further training, specifically the inability to recognize legitimate from malicious emails?











share|improve this question
















I currently work on the IT security team at my workplace in a senior role. Recently, I assisted management in designing the phishing / social engineering training campaigns, by which IT security will send out phishing "test" emails to see how aware the company employees are to spotting such emails.



We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see. The content have been varied to include emails asking for sensitive content (e.g: updating a password) to fake social media posts, to targeted advertising.



We have been getting push back from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails. They have been requests to scale back the difficulty of these tests from our team.



Edit to address some comments that say spear phishing simulations are too extreme / bad design of simulations



In analyzing the past results of phishing simulations, the users who clicked tended to show certain patterns. Also, one particular successful phish that resulted in financial loss (unnecessary online purchase) was pretending to be a member of senior management.



To respond to comments on depth of targeting / GDPR, methods of customization are based on public company data (i.e: job function), rather than private user data known to that person only. The "content that users are likey to see" is based on "typical scenarios", not what content users at our workplace see specifically



Questions




  1. When is phishing education going too far?


  2. Is pushback from the end users demonstrative that their awareness is still lacking and need further training, specifically the inability to recognize legitimate from malicious emails?








phishing user-education






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 1 hour ago







Anthony

















asked yesterday









AnthonyAnthony

1,086818




1,086818








  • 19





    I would re-word the title from "education" to "testing" or "simulations"

    – schroeder
    yesterday






  • 6





    This question seems to me like it lacks key details. Why are your users claiming that the phishing emails you send them are indistinguishable from legitimate ones? Is it because they truly are (at least with the tools at a normal user's disposal), or is it because they're screwing up? Receiving an email from a person you've not previously had contact with is not inherently suspicious, so it matters how you are measuring failure. Based on them actually handing over sensitive information? Or just based on them clicking a link in an email that they could not reasonably know was fake in advance?

    – Mark Amery
    16 hours ago











  • Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    10 hours ago











  • The creation of such a targeted system is completely against the reasoning of gdpr. So yes you are already far across the line of acceptable. I'm not sure why this question requires an answer, the premise is already breaking several laws in many countries. - And that should be indication enough.

    – paul23
    6 hours ago













  • Any competent phishing email is indistinguishable from normal ones. What is your education campaign trying to teach them? That old bogon that phishing emails have wacky From lines or Subject lines or misspellings or Engrish? The only way I can possibly think to spot a competent phishing email is mouseover the link and see where it points. Ever tried to mouseover on a touchscreen? It's a PitA if even possible because mobile is really feature-restricted.

    – Harper
    3 hours ago
















  • 19





    I would re-word the title from "education" to "testing" or "simulations"

    – schroeder
    yesterday






  • 6





    This question seems to me like it lacks key details. Why are your users claiming that the phishing emails you send them are indistinguishable from legitimate ones? Is it because they truly are (at least with the tools at a normal user's disposal), or is it because they're screwing up? Receiving an email from a person you've not previously had contact with is not inherently suspicious, so it matters how you are measuring failure. Based on them actually handing over sensitive information? Or just based on them clicking a link in an email that they could not reasonably know was fake in advance?

    – Mark Amery
    16 hours ago











  • Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    10 hours ago











  • The creation of such a targeted system is completely against the reasoning of gdpr. So yes you are already far across the line of acceptable. I'm not sure why this question requires an answer, the premise is already breaking several laws in many countries. - And that should be indication enough.

    – paul23
    6 hours ago













  • Any competent phishing email is indistinguishable from normal ones. What is your education campaign trying to teach them? That old bogon that phishing emails have wacky From lines or Subject lines or misspellings or Engrish? The only way I can possibly think to spot a competent phishing email is mouseover the link and see where it points. Ever tried to mouseover on a touchscreen? It's a PitA if even possible because mobile is really feature-restricted.

    – Harper
    3 hours ago










19




19





I would re-word the title from "education" to "testing" or "simulations"

– schroeder
yesterday





I would re-word the title from "education" to "testing" or "simulations"

– schroeder
yesterday




6




6





This question seems to me like it lacks key details. Why are your users claiming that the phishing emails you send them are indistinguishable from legitimate ones? Is it because they truly are (at least with the tools at a normal user's disposal), or is it because they're screwing up? Receiving an email from a person you've not previously had contact with is not inherently suspicious, so it matters how you are measuring failure. Based on them actually handing over sensitive information? Or just based on them clicking a link in an email that they could not reasonably know was fake in advance?

– Mark Amery
16 hours ago





This question seems to me like it lacks key details. Why are your users claiming that the phishing emails you send them are indistinguishable from legitimate ones? Is it because they truly are (at least with the tools at a normal user's disposal), or is it because they're screwing up? Receiving an email from a person you've not previously had contact with is not inherently suspicious, so it matters how you are measuring failure. Based on them actually handing over sensitive information? Or just based on them clicking a link in an email that they could not reasonably know was fake in advance?

– Mark Amery
16 hours ago













Comments are not for extended discussion; this conversation has been moved to chat.

– Rory Alsop
10 hours ago





Comments are not for extended discussion; this conversation has been moved to chat.

– Rory Alsop
10 hours ago













The creation of such a targeted system is completely against the reasoning of gdpr. So yes you are already far across the line of acceptable. I'm not sure why this question requires an answer, the premise is already breaking several laws in many countries. - And that should be indication enough.

– paul23
6 hours ago







The creation of such a targeted system is completely against the reasoning of gdpr. So yes you are already far across the line of acceptable. I'm not sure why this question requires an answer, the premise is already breaking several laws in many countries. - And that should be indication enough.

– paul23
6 hours ago















Any competent phishing email is indistinguishable from normal ones. What is your education campaign trying to teach them? That old bogon that phishing emails have wacky From lines or Subject lines or misspellings or Engrish? The only way I can possibly think to spot a competent phishing email is mouseover the link and see where it points. Ever tried to mouseover on a touchscreen? It's a PitA if even possible because mobile is really feature-restricted.

– Harper
3 hours ago







Any competent phishing email is indistinguishable from normal ones. What is your education campaign trying to teach them? That old bogon that phishing emails have wacky From lines or Subject lines or misspellings or Engrish? The only way I can possibly think to spot a competent phishing email is mouseover the link and see where it points. Ever tried to mouseover on a touchscreen? It's a PitA if even possible because mobile is really feature-restricted.

– Harper
3 hours ago












10 Answers
10






active

oldest

votes


















75














I think there is an underlying problem that you will need to address. Why do the users care that they are failing?



Phishing simulations should, first and foremost, be an education tool not a testing tool.



If there are negative consequences to failing, then yes, your users are going to complain if the tests are more difficult than you have prepared them for. You would complain, too.



So, your response should be:




  • educate them more (or differently) so that they can pass the tests (or rather, the comprehension tests, which is what they should be)

  • remove negative consequences to failing


This might not require any content changes to your education material, but might only require a re-framing of the phishing simulations for users, management, and your security team.



Another tactic to try is to graduate the phishing simulations so that they get harder as the users are successful in responding to phishing. I have done this with my custom programmes. It's more complex on the back end, but the payoffs are huge if you can do it.



Your focus needs to be the evolving maturity of your organisation's ability to resist phishing attacks, not getting everyone to be perfect on tests. Once you take this perspective, the culture around these tests and the complaints will change.



Do it right, and your users will ask for the phishing simulations to be harder not easier. If you aim for that end result, you will have a much more resilient organisation.






share|improve this answer





















  • 21





    "graduate the phishing simulations so that they get harder as the users are successful in responding to phishing" this is good; might even be the first step towards turning these phishing simulations into a game: "look, I've managed to not fall for phishing mails of level 5" .. "cool, how did You do it?" ...

    – Daniel Jour
    yesterday






  • 5





    Going from top to bottom... Not why do users care, but why do users NOT care?? There seems to be a fair security vulnerability here and rather than fix it, they're whining.

    – Mars
    yesterday








  • 4





    I don't think any user in the history of IT has ever asked for a harder security awareness test

    – Mars
    yesterday






  • 3





    You are missing my points. You are talking about what has happened from your perspective. I'm talking about a goal state. Why do users care about failing these tests? Not all tests and education. Bad testing deserves complaint. If there are no negative consequences then there would be complaints, inherently. Negative consequences might be subtle. In my programmes, people ask for harder tests. It's a matter of framing and context.

    – schroeder
    22 hours ago








  • 3





    @Mars I haven't asked for one, but I have had a few and they have been laughably easy to spot, for me at least. Not to say that there were not a few who did click through, but the majority in the office saw it, laughed and forwarded to security. I'd welcome a harder one from time to time. It would help make people aware that they're not just poorly crafted.

    – Baldrickk
    17 hours ago





















44















We have been getting push back from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails.




This is an indication that tests that could be rooted out as fakes by trained security professionals are being used to evaluate people who aren't. You may have the skills to pick an email apart and interpret the headers, but Dan in Accounting probably doesn't and his management's not likely to agree that a master class in RFC 822 is a good use of his time.



Crafting targeted emails to increase the hit rate has to be done based on intelligence collected about your users and your purported sender. This is not information to which a phisher will be privy and, as Michael Hampton pointed out in his comment, rises to spearphishing. That's a different ball game played on a different field.



If there are adversaries (real or potential) capable of good-enough spearphishing to damage your business, all of the phishing countermeasures and training won't help. Your job is to deploy tools that will give Dan in Accounting a way to distinguish the real ones from the fakes. That might mean security on the sending end like a cryptographic signature that users' mail clients can check and post a prominent warning when something is unsigned or the signature doesn't match. You can't depend on humans to get this stuff right 100% of the time, especially as your organization gets larger and people don't know each other so well.






share|improve this answer































    22














    There's one possible point to make that I haven't seen in other answers, but have seen in the real world.



    Users say they "have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails". What this may tell you, is that legitimate emails about password renewals, service changes and such, do not obey the rules that users are expected to follow.



    I have certainly seen organisations whose training materials tell users not to click links in emails, and definitely not to put their passwords into the sites those links point to, or to install software from them. And the service teams at those organisations then send out mass emails about service updates that require action (such as password updates, software installs, etc), with helpful links to click.



    One thing that might help would be to clarify that users should report these legitimate emails. It might not help the users directly, but it may help to remind the service team that their emails have rules to follow, which should make things clearer for users in the long run.






    share|improve this answer



















    • 7





      This. I've worked in an organisation that sends similar phishing test emails, but then regularly sends "legitimate" emails that are indistinguishable from spam/phishing, often containing links to external sites (sometimes requiring logins) which my company has previously had no connection with. The problem may very well be that the legitimate mails are too spammy, rather than your tests going to o far.

      – Mohirl
      16 hours ago








    • 1





      This is absolutely a problem. If the organization is sending out legitimate emails that the users are expected to click links in, and you are not explicitly identifying those emails as legitimate and teaching the users how to identify them, your legitimate emails are actively working against and undoing the training you are trying to provide.

      – Colin Young
      15 hours ago






    • 3





      I used to make a point of reporting emails from IT security to IT security as apparent phishing attempts. They never liked it.

      – Michael Kay
      12 hours ago











    • @MichaelKay: It really irks me that so many organizations send out real messages that are indistinguishable from phishing attempts. If Acme's VISA card moves from BankCorp to MegaBank, it should not inform customers about it by leaving phone messages asking them to visit AcmeViSAupdate.com [a domain the customers have never used before] but I had a real that did precisely that (names changed to protect the guilty), but instead inform them how to get the information using the phone number or web site printed on their card.

      – supercat
      7 hours ago











    • I've been known to receive purchase orders from a previously unknown sender saying simply "please find our purchase order attached". And of course the spam filter might well zap them before I have to make a decision.

      – Michael Kay
      6 hours ago



















    13
















    1. When is phishing education going too far?




    When the cost exceeds the benefit. Benefit is generally measured in lower click-through rates and increased rates of reporting of genuine phishing emails. Cost can be measured in:




    • the effort to implement the test

    • false positive reporting of (not) phishing emails

    • lower engagement rates on legitimate emails

    • ill will towards the Security group.


    The last is the hardest to measure, and often ignored, but if your job is to trick your own people, you shouldn't be surprised if they start viewing you with suspicion.





    1. Is pushback from the end users demonstrative that their awareness is still lacking and need further training,
      specifically the inability to recognize legitimate from
      malicious emails?




    Um, maybe?



    If their click-through rates remain high, then awareness is still lacking and they need further training.



    If click-through rates in general have dropped, but the test emails consistently fool them, then their concerns about the testing may be legitimate.



    It sounds like your content is pretty closely tailored to your users and even their job roles. This may be what is generating the negative reaction. Ideally, a phishing test should not rely upon knowledge or understanding of internal email practices, just as an attacker should not have access to those. (And note, your internal messaging should not look like your external messaging, for the same reason).



    You may want to consider outsourcing your phishing tests. The organizations that are dedicated to offering this service have a better feel for what "in the wild" looks like, and their tools for measuring and reporting on engagement rates are usually better than you can do on your own.



    Personally, I'm not fond of phish testing, because I believe it erodes trust between users and Security. But the fact of the matter is it's one of the best ways to improve your users' defences.






    share|improve this answer





















    • 1





      Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?

      – Vipul Nair
      yesterday






    • 6





      @VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.

      – gowenfawr
      yesterday






    • 3





      @gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).

      – schroeder
      yesterday











    • Where are you guys getting these stats on targets for click through? I'm not in our IS group but I'm on their steering team, we're routinely around 5 - 6% click through for a fairly non-technical workforce of around 500 employees, and what I would consider very realistic test emails. I'm surprised that your comments seem to imply we're way ahead of average (or my interpretation of how difficult our simulated emails are is totally wrong).

      – dwizum
      15 hours ago






    • 2





      @dwizum Lance Spitzner, who's a SME in this area, claims <5% is "good". However, my comments about 10-20% and starting >50% stem from personal experience with a handful of organizations. My gut says that Lance has a self-selecting population ("people who care enough about this to hire him") and that 10-20% is a realistic churn point for good organizations. You may very well be doing better than average :)

      – gowenfawr
      15 hours ago



















    7














    There's one way in which this may have gone too far:



    We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see.



    You need to ask yourself whether employees at your company will actually be subject to this level of spearphishing. If the answer is no, then you've gone too far. Of course, this is all dependent on what the group does. If its the DNC, then the answer is yes.






    share|improve this answer































      1














      The question of "going too far" requires context; what part is going too far?



      The thing that phishing tests are trying to do is to make people suspicious of their email, because when they aren't then they are at risk of literally inviting unauthorized users onto the network.



      So there shouldn't be an overwhelming amount of emails to the point that they are sifting through known bad emails to get to the ones they need to do their job, but there should be enough that it is commonly known that someone in the organization is portraying an attacker and trying to get them to click the wrong link because there are already people outside the organization trying to get them to do that.



      The question then becomes when someone does go for the ploy, are you glad that you caught them instead of a malicious actor? As other people have mentioned here (and @BoredToolBox should not have been downvoted in my opinion) this is about education.



      If you put that into the wording of the question then, I'm sure that it's not meant as "How much education is going too far?" right?



      What is probably going too far in most organizations is the reaction to people who are clicking thorough, and especially if there is a punitive aspect to it. You should be glad when you are the one that caught the action, because it is a chance for you to help the user understand what could possibly have happened and why you are performing this exercise. People should not be punished or shamed.



      Imagine that this was an exercise on how to prevent an illness from spreading worker to worker. A deadly virus that will lay dormant until it has found an appropriate host and will then possibly kill everyone, but they don't know that it is spread by people that are randomly coming in the front door handing them packages.



      We have enough common sense to know not to just accept packages from people that walk into the building, but what people don't see is that this is exactly what is happening with their emails. So this is about a change in culture and perspective, and I don't really see what part of the knowledge of this is going too far when you are talking about education.






      share|improve this answer










      New contributor




      Roostercrab is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.
















      • 5





        The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behavours taught in a safe simulation of an attack.

        – schroeder
        yesterday






      • 1





        Right...but if they leave that simulation without being suspicious of emails then what was the point? They should be suspicious of anything that looks different, and the point of training is to make them so, right?

        – Roostercrab
        yesterday






      • 3





        No. That's my entire point. The goal is not suspicion. I'm afraid to explain further will be to simply repeat my first comment.

        – schroeder
        yesterday











      • I guess the question then is what do you want them to think when they look through their email inbox if not suspicion...I know that I am suspicious of emails and having users share my suspicion is the prime objective.

        – Roostercrab
        yesterday



















      0














      Faced something similar and currently part of a team that runs something similar. Here are my two cents:



      Education is a very tricky concept as the way people learn are
      different for different individuals. But what I have seen is that if
      you try to concise the information you want to convey in 2-4 points,
      in as few words as possible that always help. We do something like
      this when it comes to educating people:



      Whenever you get an email from someone outside the org ask these questions:




      • Do you personally know this email id?

      • Does the email id and the domain name look fishy to you?

      • Do you really want to click that link or want to give this guy your personal info?


      And lastly we always mention that:





      • if you are not sure please forward this email to {email id that verifies this}@{yourorg}.com




        1. Definitely. Since all they need to do (I guess) is to ignore that email or maybe forward it to your internal security team for review.




      I guess what needs to be done here is more on education. Because the employees need to know how a successful phish can not only hurt the company but also the employee as well.






      share|improve this answer





















      • 5





        The question is when does phishing campaign's,to educate employees crosses the line.You are answering on "how to better educate them"

        – Vipul Nair
        yesterday













      • Downvoted for the reason @VipulNair stated

        – Kevin Voorn
        yesterday











      • @VipulNair Isn't "not being able to educate" is education gone too far?

        – BoredToolBox
        yesterday











      • And the top voted one, says the exact same thing.

        – BoredToolBox
        yesterday



















      0














      I don't know whether this applies to your case or not, but one potential problem may be if your expectations about user awareness are higher than the security norms put into use. For example:




      • You may educate users to always check the https certificates, but at the same time some internal web sites may use self-signed or expired certificates, or even require submitting usernames and passwords through plain unencrypted http.

      • Or you may educate users that all official internal tools reside on your company domain, but in reality you use popular third-party services like Gmail or Slack connected with OAuth.


      While the first example is an actual issue with the infrastructure, the second one is a safe practice paired with out-of-date recommendations. I have seen both happening in the wild and in these cases the principles that you are trying to teach can not be applied in day-to-day practice and may ultimately lead to confusion and failure to comply.






      share|improve this answer































        0














        I'm not sure the size of your organization, but the most practical advice I can offer is that you can go too far when you overthink it.
        - Make some spoofy emails, send them to users, see what users do.



        We use a tool (KnowBe4)- run a few trials against the users, and use that to educate them/get them aware. We capture who passed, who failed, and use the overall process to educate and demonstrate that we educate.



        Don't overthink the audience with custom targeting; don't do complicated data analysis... If you are, you are probably wasting time you could spend on the next challenge.



        If you see there's spear phishing at your execs or certain folks, engage them personally and often, and maybe do something operational to make sure that if they are fooled, you catch it. By operational change, for example, if someone's trying to get your CFO to release wire payments- then the CFO better have an additional maker/checker process, or get secondary non-email (Voice?) confirmation that a wire should go out.






        share|improve this answer








        New contributor




        subs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.




























          -2














          I suspect that your simulation is using knowledge about your intended targets that no genuine phisher would ever know. That is why they complain about your fakes being too hard to distinguish from the real thing. In a word, you are cheating.






          share|improve this answer








          New contributor




          BoarGules is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.
















          • 2





            Not neccissarily, there can be malicious actors within an orginisation.

            – meowcat
            3 hours ago











          • Please review Shannon's Maxim: The enemy knows the system.

            – forest
            2 hours ago












          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "162"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207389%2fwhen-is-phishing-education-going-too-far%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          10 Answers
          10






          active

          oldest

          votes








          10 Answers
          10






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          75














          I think there is an underlying problem that you will need to address. Why do the users care that they are failing?



          Phishing simulations should, first and foremost, be an education tool not a testing tool.



          If there are negative consequences to failing, then yes, your users are going to complain if the tests are more difficult than you have prepared them for. You would complain, too.



          So, your response should be:




          • educate them more (or differently) so that they can pass the tests (or rather, the comprehension tests, which is what they should be)

          • remove negative consequences to failing


          This might not require any content changes to your education material, but might only require a re-framing of the phishing simulations for users, management, and your security team.



          Another tactic to try is to graduate the phishing simulations so that they get harder as the users are successful in responding to phishing. I have done this with my custom programmes. It's more complex on the back end, but the payoffs are huge if you can do it.



          Your focus needs to be the evolving maturity of your organisation's ability to resist phishing attacks, not getting everyone to be perfect on tests. Once you take this perspective, the culture around these tests and the complaints will change.



          Do it right, and your users will ask for the phishing simulations to be harder not easier. If you aim for that end result, you will have a much more resilient organisation.






          share|improve this answer





















          • 21





            "graduate the phishing simulations so that they get harder as the users are successful in responding to phishing" this is good; might even be the first step towards turning these phishing simulations into a game: "look, I've managed to not fall for phishing mails of level 5" .. "cool, how did You do it?" ...

            – Daniel Jour
            yesterday






          • 5





            Going from top to bottom... Not why do users care, but why do users NOT care?? There seems to be a fair security vulnerability here and rather than fix it, they're whining.

            – Mars
            yesterday








          • 4





            I don't think any user in the history of IT has ever asked for a harder security awareness test

            – Mars
            yesterday






          • 3





            You are missing my points. You are talking about what has happened from your perspective. I'm talking about a goal state. Why do users care about failing these tests? Not all tests and education. Bad testing deserves complaint. If there are no negative consequences then there would be complaints, inherently. Negative consequences might be subtle. In my programmes, people ask for harder tests. It's a matter of framing and context.

            – schroeder
            22 hours ago








          • 3





            @Mars I haven't asked for one, but I have had a few and they have been laughably easy to spot, for me at least. Not to say that there were not a few who did click through, but the majority in the office saw it, laughed and forwarded to security. I'd welcome a harder one from time to time. It would help make people aware that they're not just poorly crafted.

            – Baldrickk
            17 hours ago


















          75














          I think there is an underlying problem that you will need to address. Why do the users care that they are failing?



          Phishing simulations should, first and foremost, be an education tool not a testing tool.



          If there are negative consequences to failing, then yes, your users are going to complain if the tests are more difficult than you have prepared them for. You would complain, too.



          So, your response should be:




          • educate them more (or differently) so that they can pass the tests (or rather, the comprehension tests, which is what they should be)

          • remove negative consequences to failing


          This might not require any content changes to your education material, but might only require a re-framing of the phishing simulations for users, management, and your security team.



          Another tactic to try is to graduate the phishing simulations so that they get harder as the users are successful in responding to phishing. I have done this with my custom programmes. It's more complex on the back end, but the payoffs are huge if you can do it.



          Your focus needs to be the evolving maturity of your organisation's ability to resist phishing attacks, not getting everyone to be perfect on tests. Once you take this perspective, the culture around these tests and the complaints will change.



          Do it right, and your users will ask for the phishing simulations to be harder not easier. If you aim for that end result, you will have a much more resilient organisation.






          share|improve this answer





















          • 21





            "graduate the phishing simulations so that they get harder as the users are successful in responding to phishing" this is good; might even be the first step towards turning these phishing simulations into a game: "look, I've managed to not fall for phishing mails of level 5" .. "cool, how did You do it?" ...

            – Daniel Jour
            yesterday






          • 5





            Going from top to bottom... Not why do users care, but why do users NOT care?? There seems to be a fair security vulnerability here and rather than fix it, they're whining.

            – Mars
            yesterday








          • 4





            I don't think any user in the history of IT has ever asked for a harder security awareness test

            – Mars
            yesterday






          • 3





            You are missing my points. You are talking about what has happened from your perspective. I'm talking about a goal state. Why do users care about failing these tests? Not all tests and education. Bad testing deserves complaint. If there are no negative consequences then there would be complaints, inherently. Negative consequences might be subtle. In my programmes, people ask for harder tests. It's a matter of framing and context.

            – schroeder
            22 hours ago








          • 3





            @Mars I haven't asked for one, but I have had a few and they have been laughably easy to spot, for me at least. Not to say that there were not a few who did click through, but the majority in the office saw it, laughed and forwarded to security. I'd welcome a harder one from time to time. It would help make people aware that they're not just poorly crafted.

            – Baldrickk
            17 hours ago
















          75












          75








          75







          I think there is an underlying problem that you will need to address. Why do the users care that they are failing?



          Phishing simulations should, first and foremost, be an education tool not a testing tool.



          If there are negative consequences to failing, then yes, your users are going to complain if the tests are more difficult than you have prepared them for. You would complain, too.



          So, your response should be:




          • educate them more (or differently) so that they can pass the tests (or rather, the comprehension tests, which is what they should be)

          • remove negative consequences to failing


          This might not require any content changes to your education material, but might only require a re-framing of the phishing simulations for users, management, and your security team.



          Another tactic to try is to graduate the phishing simulations so that they get harder as the users are successful in responding to phishing. I have done this with my custom programmes. It's more complex on the back end, but the payoffs are huge if you can do it.



          Your focus needs to be the evolving maturity of your organisation's ability to resist phishing attacks, not getting everyone to be perfect on tests. Once you take this perspective, the culture around these tests and the complaints will change.



          Do it right, and your users will ask for the phishing simulations to be harder not easier. If you aim for that end result, you will have a much more resilient organisation.






          share|improve this answer















          I think there is an underlying problem that you will need to address. Why do the users care that they are failing?



          Phishing simulations should, first and foremost, be an education tool not a testing tool.



          If there are negative consequences to failing, then yes, your users are going to complain if the tests are more difficult than you have prepared them for. You would complain, too.



          So, your response should be:




          • educate them more (or differently) so that they can pass the tests (or rather, the comprehension tests, which is what they should be)

          • remove negative consequences to failing


          This might not require any content changes to your education material, but might only require a re-framing of the phishing simulations for users, management, and your security team.



          Another tactic to try is to graduate the phishing simulations so that they get harder as the users are successful in responding to phishing. I have done this with my custom programmes. It's more complex on the back end, but the payoffs are huge if you can do it.



          Your focus needs to be the evolving maturity of your organisation's ability to resist phishing attacks, not getting everyone to be perfect on tests. Once you take this perspective, the culture around these tests and the complaints will change.



          Do it right, and your users will ask for the phishing simulations to be harder not easier. If you aim for that end result, you will have a much more resilient organisation.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited yesterday

























          answered yesterday









          schroederschroeder

          79.2k30176213




          79.2k30176213








          • 21





            "graduate the phishing simulations so that they get harder as the users are successful in responding to phishing" this is good; might even be the first step towards turning these phishing simulations into a game: "look, I've managed to not fall for phishing mails of level 5" .. "cool, how did You do it?" ...

            – Daniel Jour
            yesterday






          • 5





            Going from top to bottom... Not why do users care, but why do users NOT care?? There seems to be a fair security vulnerability here and rather than fix it, they're whining.

            – Mars
            yesterday








          • 4





            I don't think any user in the history of IT has ever asked for a harder security awareness test

            – Mars
            yesterday






          • 3





            You are missing my points. You are talking about what has happened from your perspective. I'm talking about a goal state. Why do users care about failing these tests? Not all tests and education. Bad testing deserves complaint. If there are no negative consequences then there would be complaints, inherently. Negative consequences might be subtle. In my programmes, people ask for harder tests. It's a matter of framing and context.

            – schroeder
            22 hours ago








          • 3





            @Mars I haven't asked for one, but I have had a few and they have been laughably easy to spot, for me at least. Not to say that there were not a few who did click through, but the majority in the office saw it, laughed and forwarded to security. I'd welcome a harder one from time to time. It would help make people aware that they're not just poorly crafted.

            – Baldrickk
            17 hours ago
















          • 21





            "graduate the phishing simulations so that they get harder as the users are successful in responding to phishing" this is good; might even be the first step towards turning these phishing simulations into a game: "look, I've managed to not fall for phishing mails of level 5" .. "cool, how did You do it?" ...

            – Daniel Jour
            yesterday






          • 5





            Going from top to bottom... Not why do users care, but why do users NOT care?? There seems to be a fair security vulnerability here and rather than fix it, they're whining.

            – Mars
            yesterday








          • 4





            I don't think any user in the history of IT has ever asked for a harder security awareness test

            – Mars
            yesterday






          • 3





            You are missing my points. You are talking about what has happened from your perspective. I'm talking about a goal state. Why do users care about failing these tests? Not all tests and education. Bad testing deserves complaint. If there are no negative consequences then there would be complaints, inherently. Negative consequences might be subtle. In my programmes, people ask for harder tests. It's a matter of framing and context.

            – schroeder
            22 hours ago








          • 3





            @Mars I haven't asked for one, but I have had a few and they have been laughably easy to spot, for me at least. Not to say that there were not a few who did click through, but the majority in the office saw it, laughed and forwarded to security. I'd welcome a harder one from time to time. It would help make people aware that they're not just poorly crafted.

            – Baldrickk
            17 hours ago










          21




          21





          "graduate the phishing simulations so that they get harder as the users are successful in responding to phishing" this is good; might even be the first step towards turning these phishing simulations into a game: "look, I've managed to not fall for phishing mails of level 5" .. "cool, how did You do it?" ...

          – Daniel Jour
          yesterday





          "graduate the phishing simulations so that they get harder as the users are successful in responding to phishing" this is good; might even be the first step towards turning these phishing simulations into a game: "look, I've managed to not fall for phishing mails of level 5" .. "cool, how did You do it?" ...

          – Daniel Jour
          yesterday




          5




          5





          Going from top to bottom... Not why do users care, but why do users NOT care?? There seems to be a fair security vulnerability here and rather than fix it, they're whining.

          – Mars
          yesterday







          Going from top to bottom... Not why do users care, but why do users NOT care?? There seems to be a fair security vulnerability here and rather than fix it, they're whining.

          – Mars
          yesterday






          4




          4





          I don't think any user in the history of IT has ever asked for a harder security awareness test

          – Mars
          yesterday





          I don't think any user in the history of IT has ever asked for a harder security awareness test

          – Mars
          yesterday




          3




          3





          You are missing my points. You are talking about what has happened from your perspective. I'm talking about a goal state. Why do users care about failing these tests? Not all tests and education. Bad testing deserves complaint. If there are no negative consequences then there would be complaints, inherently. Negative consequences might be subtle. In my programmes, people ask for harder tests. It's a matter of framing and context.

          – schroeder
          22 hours ago







          You are missing my points. You are talking about what has happened from your perspective. I'm talking about a goal state. Why do users care about failing these tests? Not all tests and education. Bad testing deserves complaint. If there are no negative consequences then there would be complaints, inherently. Negative consequences might be subtle. In my programmes, people ask for harder tests. It's a matter of framing and context.

          – schroeder
          22 hours ago






          3




          3





          @Mars I haven't asked for one, but I have had a few and they have been laughably easy to spot, for me at least. Not to say that there were not a few who did click through, but the majority in the office saw it, laughed and forwarded to security. I'd welcome a harder one from time to time. It would help make people aware that they're not just poorly crafted.

          – Baldrickk
          17 hours ago







          @Mars I haven't asked for one, but I have had a few and they have been laughably easy to spot, for me at least. Not to say that there were not a few who did click through, but the majority in the office saw it, laughed and forwarded to security. I'd welcome a harder one from time to time. It would help make people aware that they're not just poorly crafted.

          – Baldrickk
          17 hours ago















          44















          We have been getting push back from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails.




          This is an indication that tests that could be rooted out as fakes by trained security professionals are being used to evaluate people who aren't. You may have the skills to pick an email apart and interpret the headers, but Dan in Accounting probably doesn't and his management's not likely to agree that a master class in RFC 822 is a good use of his time.



          Crafting targeted emails to increase the hit rate has to be done based on intelligence collected about your users and your purported sender. This is not information to which a phisher will be privy and, as Michael Hampton pointed out in his comment, rises to spearphishing. That's a different ball game played on a different field.



          If there are adversaries (real or potential) capable of good-enough spearphishing to damage your business, all of the phishing countermeasures and training won't help. Your job is to deploy tools that will give Dan in Accounting a way to distinguish the real ones from the fakes. That might mean security on the sending end like a cryptographic signature that users' mail clients can check and post a prominent warning when something is unsigned or the signature doesn't match. You can't depend on humans to get this stuff right 100% of the time, especially as your organization gets larger and people don't know each other so well.






          share|improve this answer




























            44















            We have been getting push back from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails.




            This is an indication that tests that could be rooted out as fakes by trained security professionals are being used to evaluate people who aren't. You may have the skills to pick an email apart and interpret the headers, but Dan in Accounting probably doesn't and his management's not likely to agree that a master class in RFC 822 is a good use of his time.



            Crafting targeted emails to increase the hit rate has to be done based on intelligence collected about your users and your purported sender. This is not information to which a phisher will be privy and, as Michael Hampton pointed out in his comment, rises to spearphishing. That's a different ball game played on a different field.



            If there are adversaries (real or potential) capable of good-enough spearphishing to damage your business, all of the phishing countermeasures and training won't help. Your job is to deploy tools that will give Dan in Accounting a way to distinguish the real ones from the fakes. That might mean security on the sending end like a cryptographic signature that users' mail clients can check and post a prominent warning when something is unsigned or the signature doesn't match. You can't depend on humans to get this stuff right 100% of the time, especially as your organization gets larger and people don't know each other so well.






            share|improve this answer


























              44












              44








              44








              We have been getting push back from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails.




              This is an indication that tests that could be rooted out as fakes by trained security professionals are being used to evaluate people who aren't. You may have the skills to pick an email apart and interpret the headers, but Dan in Accounting probably doesn't and his management's not likely to agree that a master class in RFC 822 is a good use of his time.



              Crafting targeted emails to increase the hit rate has to be done based on intelligence collected about your users and your purported sender. This is not information to which a phisher will be privy and, as Michael Hampton pointed out in his comment, rises to spearphishing. That's a different ball game played on a different field.



              If there are adversaries (real or potential) capable of good-enough spearphishing to damage your business, all of the phishing countermeasures and training won't help. Your job is to deploy tools that will give Dan in Accounting a way to distinguish the real ones from the fakes. That might mean security on the sending end like a cryptographic signature that users' mail clients can check and post a prominent warning when something is unsigned or the signature doesn't match. You can't depend on humans to get this stuff right 100% of the time, especially as your organization gets larger and people don't know each other so well.






              share|improve this answer














              We have been getting push back from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails.




              This is an indication that tests that could be rooted out as fakes by trained security professionals are being used to evaluate people who aren't. You may have the skills to pick an email apart and interpret the headers, but Dan in Accounting probably doesn't and his management's not likely to agree that a master class in RFC 822 is a good use of his time.



              Crafting targeted emails to increase the hit rate has to be done based on intelligence collected about your users and your purported sender. This is not information to which a phisher will be privy and, as Michael Hampton pointed out in his comment, rises to spearphishing. That's a different ball game played on a different field.



              If there are adversaries (real or potential) capable of good-enough spearphishing to damage your business, all of the phishing countermeasures and training won't help. Your job is to deploy tools that will give Dan in Accounting a way to distinguish the real ones from the fakes. That might mean security on the sending end like a cryptographic signature that users' mail clients can check and post a prominent warning when something is unsigned or the signature doesn't match. You can't depend on humans to get this stuff right 100% of the time, especially as your organization gets larger and people don't know each other so well.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered yesterday









              BlrflBlrfl

              1,438107




              1,438107























                  22














                  There's one possible point to make that I haven't seen in other answers, but have seen in the real world.



                  Users say they "have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails". What this may tell you, is that legitimate emails about password renewals, service changes and such, do not obey the rules that users are expected to follow.



                  I have certainly seen organisations whose training materials tell users not to click links in emails, and definitely not to put their passwords into the sites those links point to, or to install software from them. And the service teams at those organisations then send out mass emails about service updates that require action (such as password updates, software installs, etc), with helpful links to click.



                  One thing that might help would be to clarify that users should report these legitimate emails. It might not help the users directly, but it may help to remind the service team that their emails have rules to follow, which should make things clearer for users in the long run.






                  share|improve this answer



















                  • 7





                    This. I've worked in an organisation that sends similar phishing test emails, but then regularly sends "legitimate" emails that are indistinguishable from spam/phishing, often containing links to external sites (sometimes requiring logins) which my company has previously had no connection with. The problem may very well be that the legitimate mails are too spammy, rather than your tests going to o far.

                    – Mohirl
                    16 hours ago








                  • 1





                    This is absolutely a problem. If the organization is sending out legitimate emails that the users are expected to click links in, and you are not explicitly identifying those emails as legitimate and teaching the users how to identify them, your legitimate emails are actively working against and undoing the training you are trying to provide.

                    – Colin Young
                    15 hours ago






                  • 3





                    I used to make a point of reporting emails from IT security to IT security as apparent phishing attempts. They never liked it.

                    – Michael Kay
                    12 hours ago











                  • @MichaelKay: It really irks me that so many organizations send out real messages that are indistinguishable from phishing attempts. If Acme's VISA card moves from BankCorp to MegaBank, it should not inform customers about it by leaving phone messages asking them to visit AcmeViSAupdate.com [a domain the customers have never used before] but I had a real that did precisely that (names changed to protect the guilty), but instead inform them how to get the information using the phone number or web site printed on their card.

                    – supercat
                    7 hours ago











                  • I've been known to receive purchase orders from a previously unknown sender saying simply "please find our purchase order attached". And of course the spam filter might well zap them before I have to make a decision.

                    – Michael Kay
                    6 hours ago
















                  22














                  There's one possible point to make that I haven't seen in other answers, but have seen in the real world.



                  Users say they "have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails". What this may tell you, is that legitimate emails about password renewals, service changes and such, do not obey the rules that users are expected to follow.



                  I have certainly seen organisations whose training materials tell users not to click links in emails, and definitely not to put their passwords into the sites those links point to, or to install software from them. And the service teams at those organisations then send out mass emails about service updates that require action (such as password updates, software installs, etc), with helpful links to click.



                  One thing that might help would be to clarify that users should report these legitimate emails. It might not help the users directly, but it may help to remind the service team that their emails have rules to follow, which should make things clearer for users in the long run.






                  share|improve this answer



















                  • 7





                    This. I've worked in an organisation that sends similar phishing test emails, but then regularly sends "legitimate" emails that are indistinguishable from spam/phishing, often containing links to external sites (sometimes requiring logins) which my company has previously had no connection with. The problem may very well be that the legitimate mails are too spammy, rather than your tests going to o far.

                    – Mohirl
                    16 hours ago








                  • 1





                    This is absolutely a problem. If the organization is sending out legitimate emails that the users are expected to click links in, and you are not explicitly identifying those emails as legitimate and teaching the users how to identify them, your legitimate emails are actively working against and undoing the training you are trying to provide.

                    – Colin Young
                    15 hours ago






                  • 3





                    I used to make a point of reporting emails from IT security to IT security as apparent phishing attempts. They never liked it.

                    – Michael Kay
                    12 hours ago











                  • @MichaelKay: It really irks me that so many organizations send out real messages that are indistinguishable from phishing attempts. If Acme's VISA card moves from BankCorp to MegaBank, it should not inform customers about it by leaving phone messages asking them to visit AcmeViSAupdate.com [a domain the customers have never used before] but I had a real that did precisely that (names changed to protect the guilty), but instead inform them how to get the information using the phone number or web site printed on their card.

                    – supercat
                    7 hours ago











                  • I've been known to receive purchase orders from a previously unknown sender saying simply "please find our purchase order attached". And of course the spam filter might well zap them before I have to make a decision.

                    – Michael Kay
                    6 hours ago














                  22












                  22








                  22







                  There's one possible point to make that I haven't seen in other answers, but have seen in the real world.



                  Users say they "have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails". What this may tell you, is that legitimate emails about password renewals, service changes and such, do not obey the rules that users are expected to follow.



                  I have certainly seen organisations whose training materials tell users not to click links in emails, and definitely not to put their passwords into the sites those links point to, or to install software from them. And the service teams at those organisations then send out mass emails about service updates that require action (such as password updates, software installs, etc), with helpful links to click.



                  One thing that might help would be to clarify that users should report these legitimate emails. It might not help the users directly, but it may help to remind the service team that their emails have rules to follow, which should make things clearer for users in the long run.






                  share|improve this answer













                  There's one possible point to make that I haven't seen in other answers, but have seen in the real world.



                  Users say they "have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails". What this may tell you, is that legitimate emails about password renewals, service changes and such, do not obey the rules that users are expected to follow.



                  I have certainly seen organisations whose training materials tell users not to click links in emails, and definitely not to put their passwords into the sites those links point to, or to install software from them. And the service teams at those organisations then send out mass emails about service updates that require action (such as password updates, software installs, etc), with helpful links to click.



                  One thing that might help would be to clarify that users should report these legitimate emails. It might not help the users directly, but it may help to remind the service team that their emails have rules to follow, which should make things clearer for users in the long run.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 18 hours ago









                  James_picJames_pic

                  1,6071317




                  1,6071317








                  • 7





                    This. I've worked in an organisation that sends similar phishing test emails, but then regularly sends "legitimate" emails that are indistinguishable from spam/phishing, often containing links to external sites (sometimes requiring logins) which my company has previously had no connection with. The problem may very well be that the legitimate mails are too spammy, rather than your tests going to o far.

                    – Mohirl
                    16 hours ago








                  • 1





                    This is absolutely a problem. If the organization is sending out legitimate emails that the users are expected to click links in, and you are not explicitly identifying those emails as legitimate and teaching the users how to identify them, your legitimate emails are actively working against and undoing the training you are trying to provide.

                    – Colin Young
                    15 hours ago






                  • 3





                    I used to make a point of reporting emails from IT security to IT security as apparent phishing attempts. They never liked it.

                    – Michael Kay
                    12 hours ago











                  • @MichaelKay: It really irks me that so many organizations send out real messages that are indistinguishable from phishing attempts. If Acme's VISA card moves from BankCorp to MegaBank, it should not inform customers about it by leaving phone messages asking them to visit AcmeViSAupdate.com [a domain the customers have never used before] but I had a real that did precisely that (names changed to protect the guilty), but instead inform them how to get the information using the phone number or web site printed on their card.

                    – supercat
                    7 hours ago











                  • I've been known to receive purchase orders from a previously unknown sender saying simply "please find our purchase order attached". And of course the spam filter might well zap them before I have to make a decision.

                    – Michael Kay
                    6 hours ago














                  • 7





                    This. I've worked in an organisation that sends similar phishing test emails, but then regularly sends "legitimate" emails that are indistinguishable from spam/phishing, often containing links to external sites (sometimes requiring logins) which my company has previously had no connection with. The problem may very well be that the legitimate mails are too spammy, rather than your tests going to o far.

                    – Mohirl
                    16 hours ago








                  • 1





                    This is absolutely a problem. If the organization is sending out legitimate emails that the users are expected to click links in, and you are not explicitly identifying those emails as legitimate and teaching the users how to identify them, your legitimate emails are actively working against and undoing the training you are trying to provide.

                    – Colin Young
                    15 hours ago






                  • 3





                    I used to make a point of reporting emails from IT security to IT security as apparent phishing attempts. They never liked it.

                    – Michael Kay
                    12 hours ago











                  • @MichaelKay: It really irks me that so many organizations send out real messages that are indistinguishable from phishing attempts. If Acme's VISA card moves from BankCorp to MegaBank, it should not inform customers about it by leaving phone messages asking them to visit AcmeViSAupdate.com [a domain the customers have never used before] but I had a real that did precisely that (names changed to protect the guilty), but instead inform them how to get the information using the phone number or web site printed on their card.

                    – supercat
                    7 hours ago











                  • I've been known to receive purchase orders from a previously unknown sender saying simply "please find our purchase order attached". And of course the spam filter might well zap them before I have to make a decision.

                    – Michael Kay
                    6 hours ago








                  7




                  7





                  This. I've worked in an organisation that sends similar phishing test emails, but then regularly sends "legitimate" emails that are indistinguishable from spam/phishing, often containing links to external sites (sometimes requiring logins) which my company has previously had no connection with. The problem may very well be that the legitimate mails are too spammy, rather than your tests going to o far.

                  – Mohirl
                  16 hours ago







                  This. I've worked in an organisation that sends similar phishing test emails, but then regularly sends "legitimate" emails that are indistinguishable from spam/phishing, often containing links to external sites (sometimes requiring logins) which my company has previously had no connection with. The problem may very well be that the legitimate mails are too spammy, rather than your tests going to o far.

                  – Mohirl
                  16 hours ago






                  1




                  1





                  This is absolutely a problem. If the organization is sending out legitimate emails that the users are expected to click links in, and you are not explicitly identifying those emails as legitimate and teaching the users how to identify them, your legitimate emails are actively working against and undoing the training you are trying to provide.

                  – Colin Young
                  15 hours ago





                  This is absolutely a problem. If the organization is sending out legitimate emails that the users are expected to click links in, and you are not explicitly identifying those emails as legitimate and teaching the users how to identify them, your legitimate emails are actively working against and undoing the training you are trying to provide.

                  – Colin Young
                  15 hours ago




                  3




                  3





                  I used to make a point of reporting emails from IT security to IT security as apparent phishing attempts. They never liked it.

                  – Michael Kay
                  12 hours ago





                  I used to make a point of reporting emails from IT security to IT security as apparent phishing attempts. They never liked it.

                  – Michael Kay
                  12 hours ago













                  @MichaelKay: It really irks me that so many organizations send out real messages that are indistinguishable from phishing attempts. If Acme's VISA card moves from BankCorp to MegaBank, it should not inform customers about it by leaving phone messages asking them to visit AcmeViSAupdate.com [a domain the customers have never used before] but I had a real that did precisely that (names changed to protect the guilty), but instead inform them how to get the information using the phone number or web site printed on their card.

                  – supercat
                  7 hours ago





                  @MichaelKay: It really irks me that so many organizations send out real messages that are indistinguishable from phishing attempts. If Acme's VISA card moves from BankCorp to MegaBank, it should not inform customers about it by leaving phone messages asking them to visit AcmeViSAupdate.com [a domain the customers have never used before] but I had a real that did precisely that (names changed to protect the guilty), but instead inform them how to get the information using the phone number or web site printed on their card.

                  – supercat
                  7 hours ago













                  I've been known to receive purchase orders from a previously unknown sender saying simply "please find our purchase order attached". And of course the spam filter might well zap them before I have to make a decision.

                  – Michael Kay
                  6 hours ago





                  I've been known to receive purchase orders from a previously unknown sender saying simply "please find our purchase order attached". And of course the spam filter might well zap them before I have to make a decision.

                  – Michael Kay
                  6 hours ago











                  13
















                  1. When is phishing education going too far?




                  When the cost exceeds the benefit. Benefit is generally measured in lower click-through rates and increased rates of reporting of genuine phishing emails. Cost can be measured in:




                  • the effort to implement the test

                  • false positive reporting of (not) phishing emails

                  • lower engagement rates on legitimate emails

                  • ill will towards the Security group.


                  The last is the hardest to measure, and often ignored, but if your job is to trick your own people, you shouldn't be surprised if they start viewing you with suspicion.





                  1. Is pushback from the end users demonstrative that their awareness is still lacking and need further training,
                    specifically the inability to recognize legitimate from
                    malicious emails?




                  Um, maybe?



                  If their click-through rates remain high, then awareness is still lacking and they need further training.



                  If click-through rates in general have dropped, but the test emails consistently fool them, then their concerns about the testing may be legitimate.



                  It sounds like your content is pretty closely tailored to your users and even their job roles. This may be what is generating the negative reaction. Ideally, a phishing test should not rely upon knowledge or understanding of internal email practices, just as an attacker should not have access to those. (And note, your internal messaging should not look like your external messaging, for the same reason).



                  You may want to consider outsourcing your phishing tests. The organizations that are dedicated to offering this service have a better feel for what "in the wild" looks like, and their tools for measuring and reporting on engagement rates are usually better than you can do on your own.



                  Personally, I'm not fond of phish testing, because I believe it erodes trust between users and Security. But the fact of the matter is it's one of the best ways to improve your users' defences.






                  share|improve this answer





















                  • 1





                    Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?

                    – Vipul Nair
                    yesterday






                  • 6





                    @VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.

                    – gowenfawr
                    yesterday






                  • 3





                    @gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).

                    – schroeder
                    yesterday











                  • Where are you guys getting these stats on targets for click through? I'm not in our IS group but I'm on their steering team, we're routinely around 5 - 6% click through for a fairly non-technical workforce of around 500 employees, and what I would consider very realistic test emails. I'm surprised that your comments seem to imply we're way ahead of average (or my interpretation of how difficult our simulated emails are is totally wrong).

                    – dwizum
                    15 hours ago






                  • 2





                    @dwizum Lance Spitzner, who's a SME in this area, claims <5% is "good". However, my comments about 10-20% and starting >50% stem from personal experience with a handful of organizations. My gut says that Lance has a self-selecting population ("people who care enough about this to hire him") and that 10-20% is a realistic churn point for good organizations. You may very well be doing better than average :)

                    – gowenfawr
                    15 hours ago
















                  13
















                  1. When is phishing education going too far?




                  When the cost exceeds the benefit. Benefit is generally measured in lower click-through rates and increased rates of reporting of genuine phishing emails. Cost can be measured in:




                  • the effort to implement the test

                  • false positive reporting of (not) phishing emails

                  • lower engagement rates on legitimate emails

                  • ill will towards the Security group.


                  The last is the hardest to measure, and often ignored, but if your job is to trick your own people, you shouldn't be surprised if they start viewing you with suspicion.





                  1. Is pushback from the end users demonstrative that their awareness is still lacking and need further training,
                    specifically the inability to recognize legitimate from
                    malicious emails?




                  Um, maybe?



                  If their click-through rates remain high, then awareness is still lacking and they need further training.



                  If click-through rates in general have dropped, but the test emails consistently fool them, then their concerns about the testing may be legitimate.



                  It sounds like your content is pretty closely tailored to your users and even their job roles. This may be what is generating the negative reaction. Ideally, a phishing test should not rely upon knowledge or understanding of internal email practices, just as an attacker should not have access to those. (And note, your internal messaging should not look like your external messaging, for the same reason).



                  You may want to consider outsourcing your phishing tests. The organizations that are dedicated to offering this service have a better feel for what "in the wild" looks like, and their tools for measuring and reporting on engagement rates are usually better than you can do on your own.



                  Personally, I'm not fond of phish testing, because I believe it erodes trust between users and Security. But the fact of the matter is it's one of the best ways to improve your users' defences.






                  share|improve this answer





















                  • 1





                    Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?

                    – Vipul Nair
                    yesterday






                  • 6





                    @VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.

                    – gowenfawr
                    yesterday






                  • 3





                    @gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).

                    – schroeder
                    yesterday











                  • Where are you guys getting these stats on targets for click through? I'm not in our IS group but I'm on their steering team, we're routinely around 5 - 6% click through for a fairly non-technical workforce of around 500 employees, and what I would consider very realistic test emails. I'm surprised that your comments seem to imply we're way ahead of average (or my interpretation of how difficult our simulated emails are is totally wrong).

                    – dwizum
                    15 hours ago






                  • 2





                    @dwizum Lance Spitzner, who's a SME in this area, claims <5% is "good". However, my comments about 10-20% and starting >50% stem from personal experience with a handful of organizations. My gut says that Lance has a self-selecting population ("people who care enough about this to hire him") and that 10-20% is a realistic churn point for good organizations. You may very well be doing better than average :)

                    – gowenfawr
                    15 hours ago














                  13












                  13








                  13









                  1. When is phishing education going too far?




                  When the cost exceeds the benefit. Benefit is generally measured in lower click-through rates and increased rates of reporting of genuine phishing emails. Cost can be measured in:




                  • the effort to implement the test

                  • false positive reporting of (not) phishing emails

                  • lower engagement rates on legitimate emails

                  • ill will towards the Security group.


                  The last is the hardest to measure, and often ignored, but if your job is to trick your own people, you shouldn't be surprised if they start viewing you with suspicion.





                  1. Is pushback from the end users demonstrative that their awareness is still lacking and need further training,
                    specifically the inability to recognize legitimate from
                    malicious emails?




                  Um, maybe?



                  If their click-through rates remain high, then awareness is still lacking and they need further training.



                  If click-through rates in general have dropped, but the test emails consistently fool them, then their concerns about the testing may be legitimate.



                  It sounds like your content is pretty closely tailored to your users and even their job roles. This may be what is generating the negative reaction. Ideally, a phishing test should not rely upon knowledge or understanding of internal email practices, just as an attacker should not have access to those. (And note, your internal messaging should not look like your external messaging, for the same reason).



                  You may want to consider outsourcing your phishing tests. The organizations that are dedicated to offering this service have a better feel for what "in the wild" looks like, and their tools for measuring and reporting on engagement rates are usually better than you can do on your own.



                  Personally, I'm not fond of phish testing, because I believe it erodes trust between users and Security. But the fact of the matter is it's one of the best ways to improve your users' defences.






                  share|improve this answer

















                  1. When is phishing education going too far?




                  When the cost exceeds the benefit. Benefit is generally measured in lower click-through rates and increased rates of reporting of genuine phishing emails. Cost can be measured in:




                  • the effort to implement the test

                  • false positive reporting of (not) phishing emails

                  • lower engagement rates on legitimate emails

                  • ill will towards the Security group.


                  The last is the hardest to measure, and often ignored, but if your job is to trick your own people, you shouldn't be surprised if they start viewing you with suspicion.





                  1. Is pushback from the end users demonstrative that their awareness is still lacking and need further training,
                    specifically the inability to recognize legitimate from
                    malicious emails?




                  Um, maybe?



                  If their click-through rates remain high, then awareness is still lacking and they need further training.



                  If click-through rates in general have dropped, but the test emails consistently fool them, then their concerns about the testing may be legitimate.



                  It sounds like your content is pretty closely tailored to your users and even their job roles. This may be what is generating the negative reaction. Ideally, a phishing test should not rely upon knowledge or understanding of internal email practices, just as an attacker should not have access to those. (And note, your internal messaging should not look like your external messaging, for the same reason).



                  You may want to consider outsourcing your phishing tests. The organizations that are dedicated to offering this service have a better feel for what "in the wild" looks like, and their tools for measuring and reporting on engagement rates are usually better than you can do on your own.



                  Personally, I'm not fond of phish testing, because I believe it erodes trust between users and Security. But the fact of the matter is it's one of the best ways to improve your users' defences.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited yesterday









                  schroeder

                  79.2k30176213




                  79.2k30176213










                  answered yesterday









                  gowenfawrgowenfawr

                  54.8k11115162




                  54.8k11115162








                  • 1





                    Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?

                    – Vipul Nair
                    yesterday






                  • 6





                    @VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.

                    – gowenfawr
                    yesterday






                  • 3





                    @gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).

                    – schroeder
                    yesterday











                  • Where are you guys getting these stats on targets for click through? I'm not in our IS group but I'm on their steering team, we're routinely around 5 - 6% click through for a fairly non-technical workforce of around 500 employees, and what I would consider very realistic test emails. I'm surprised that your comments seem to imply we're way ahead of average (or my interpretation of how difficult our simulated emails are is totally wrong).

                    – dwizum
                    15 hours ago






                  • 2





                    @dwizum Lance Spitzner, who's a SME in this area, claims <5% is "good". However, my comments about 10-20% and starting >50% stem from personal experience with a handful of organizations. My gut says that Lance has a self-selecting population ("people who care enough about this to hire him") and that 10-20% is a realistic churn point for good organizations. You may very well be doing better than average :)

                    – gowenfawr
                    15 hours ago














                  • 1





                    Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?

                    – Vipul Nair
                    yesterday






                  • 6





                    @VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.

                    – gowenfawr
                    yesterday






                  • 3





                    @gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).

                    – schroeder
                    yesterday











                  • Where are you guys getting these stats on targets for click through? I'm not in our IS group but I'm on their steering team, we're routinely around 5 - 6% click through for a fairly non-technical workforce of around 500 employees, and what I would consider very realistic test emails. I'm surprised that your comments seem to imply we're way ahead of average (or my interpretation of how difficult our simulated emails are is totally wrong).

                    – dwizum
                    15 hours ago






                  • 2





                    @dwizum Lance Spitzner, who's a SME in this area, claims <5% is "good". However, my comments about 10-20% and starting >50% stem from personal experience with a handful of organizations. My gut says that Lance has a self-selecting population ("people who care enough about this to hire him") and that 10-20% is a realistic churn point for good organizations. You may very well be doing better than average :)

                    – gowenfawr
                    15 hours ago








                  1




                  1





                  Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?

                  – Vipul Nair
                  yesterday





                  Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?

                  – Vipul Nair
                  yesterday




                  6




                  6





                  @VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.

                  – gowenfawr
                  yesterday





                  @VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.

                  – gowenfawr
                  yesterday




                  3




                  3





                  @gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).

                  – schroeder
                  yesterday





                  @gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).

                  – schroeder
                  yesterday













                  Where are you guys getting these stats on targets for click through? I'm not in our IS group but I'm on their steering team, we're routinely around 5 - 6% click through for a fairly non-technical workforce of around 500 employees, and what I would consider very realistic test emails. I'm surprised that your comments seem to imply we're way ahead of average (or my interpretation of how difficult our simulated emails are is totally wrong).

                  – dwizum
                  15 hours ago





                  Where are you guys getting these stats on targets for click through? I'm not in our IS group but I'm on their steering team, we're routinely around 5 - 6% click through for a fairly non-technical workforce of around 500 employees, and what I would consider very realistic test emails. I'm surprised that your comments seem to imply we're way ahead of average (or my interpretation of how difficult our simulated emails are is totally wrong).

                  – dwizum
                  15 hours ago




                  2




                  2





                  @dwizum Lance Spitzner, who's a SME in this area, claims <5% is "good". However, my comments about 10-20% and starting >50% stem from personal experience with a handful of organizations. My gut says that Lance has a self-selecting population ("people who care enough about this to hire him") and that 10-20% is a realistic churn point for good organizations. You may very well be doing better than average :)

                  – gowenfawr
                  15 hours ago





                  @dwizum Lance Spitzner, who's a SME in this area, claims <5% is "good". However, my comments about 10-20% and starting >50% stem from personal experience with a handful of organizations. My gut says that Lance has a self-selecting population ("people who care enough about this to hire him") and that 10-20% is a realistic churn point for good organizations. You may very well be doing better than average :)

                  – gowenfawr
                  15 hours ago











                  7














                  There's one way in which this may have gone too far:



                  We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see.



                  You need to ask yourself whether employees at your company will actually be subject to this level of spearphishing. If the answer is no, then you've gone too far. Of course, this is all dependent on what the group does. If its the DNC, then the answer is yes.






                  share|improve this answer




























                    7














                    There's one way in which this may have gone too far:



                    We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see.



                    You need to ask yourself whether employees at your company will actually be subject to this level of spearphishing. If the answer is no, then you've gone too far. Of course, this is all dependent on what the group does. If its the DNC, then the answer is yes.






                    share|improve this answer


























                      7












                      7








                      7







                      There's one way in which this may have gone too far:



                      We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see.



                      You need to ask yourself whether employees at your company will actually be subject to this level of spearphishing. If the answer is no, then you've gone too far. Of course, this is all dependent on what the group does. If its the DNC, then the answer is yes.






                      share|improve this answer













                      There's one way in which this may have gone too far:



                      We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see.



                      You need to ask yourself whether employees at your company will actually be subject to this level of spearphishing. If the answer is no, then you've gone too far. Of course, this is all dependent on what the group does. If its the DNC, then the answer is yes.







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered yesterday









                      Cliff ABCliff AB

                      2114




                      2114























                          1














                          The question of "going too far" requires context; what part is going too far?



                          The thing that phishing tests are trying to do is to make people suspicious of their email, because when they aren't then they are at risk of literally inviting unauthorized users onto the network.



                          So there shouldn't be an overwhelming amount of emails to the point that they are sifting through known bad emails to get to the ones they need to do their job, but there should be enough that it is commonly known that someone in the organization is portraying an attacker and trying to get them to click the wrong link because there are already people outside the organization trying to get them to do that.



                          The question then becomes when someone does go for the ploy, are you glad that you caught them instead of a malicious actor? As other people have mentioned here (and @BoredToolBox should not have been downvoted in my opinion) this is about education.



                          If you put that into the wording of the question then, I'm sure that it's not meant as "How much education is going too far?" right?



                          What is probably going too far in most organizations is the reaction to people who are clicking thorough, and especially if there is a punitive aspect to it. You should be glad when you are the one that caught the action, because it is a chance for you to help the user understand what could possibly have happened and why you are performing this exercise. People should not be punished or shamed.



                          Imagine that this was an exercise on how to prevent an illness from spreading worker to worker. A deadly virus that will lay dormant until it has found an appropriate host and will then possibly kill everyone, but they don't know that it is spread by people that are randomly coming in the front door handing them packages.



                          We have enough common sense to know not to just accept packages from people that walk into the building, but what people don't see is that this is exactly what is happening with their emails. So this is about a change in culture and perspective, and I don't really see what part of the knowledge of this is going too far when you are talking about education.






                          share|improve this answer










                          New contributor




                          Roostercrab is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.
















                          • 5





                            The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behavours taught in a safe simulation of an attack.

                            – schroeder
                            yesterday






                          • 1





                            Right...but if they leave that simulation without being suspicious of emails then what was the point? They should be suspicious of anything that looks different, and the point of training is to make them so, right?

                            – Roostercrab
                            yesterday






                          • 3





                            No. That's my entire point. The goal is not suspicion. I'm afraid to explain further will be to simply repeat my first comment.

                            – schroeder
                            yesterday











                          • I guess the question then is what do you want them to think when they look through their email inbox if not suspicion...I know that I am suspicious of emails and having users share my suspicion is the prime objective.

                            – Roostercrab
                            yesterday
















                          1














                          The question of "going too far" requires context; what part is going too far?



                          The thing that phishing tests are trying to do is to make people suspicious of their email, because when they aren't then they are at risk of literally inviting unauthorized users onto the network.



                          So there shouldn't be an overwhelming amount of emails to the point that they are sifting through known bad emails to get to the ones they need to do their job, but there should be enough that it is commonly known that someone in the organization is portraying an attacker and trying to get them to click the wrong link because there are already people outside the organization trying to get them to do that.



                          The question then becomes when someone does go for the ploy, are you glad that you caught them instead of a malicious actor? As other people have mentioned here (and @BoredToolBox should not have been downvoted in my opinion) this is about education.



                          If you put that into the wording of the question then, I'm sure that it's not meant as "How much education is going too far?" right?



                          What is probably going too far in most organizations is the reaction to people who are clicking thorough, and especially if there is a punitive aspect to it. You should be glad when you are the one that caught the action, because it is a chance for you to help the user understand what could possibly have happened and why you are performing this exercise. People should not be punished or shamed.



                          Imagine that this was an exercise on how to prevent an illness from spreading worker to worker. A deadly virus that will lay dormant until it has found an appropriate host and will then possibly kill everyone, but they don't know that it is spread by people that are randomly coming in the front door handing them packages.



                          We have enough common sense to know not to just accept packages from people that walk into the building, but what people don't see is that this is exactly what is happening with their emails. So this is about a change in culture and perspective, and I don't really see what part of the knowledge of this is going too far when you are talking about education.






                          share|improve this answer










                          New contributor




                          Roostercrab is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.
















                          • 5





                            The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behavours taught in a safe simulation of an attack.

                            – schroeder
                            yesterday






                          • 1





                            Right...but if they leave that simulation without being suspicious of emails then what was the point? They should be suspicious of anything that looks different, and the point of training is to make them so, right?

                            – Roostercrab
                            yesterday






                          • 3





                            No. That's my entire point. The goal is not suspicion. I'm afraid to explain further will be to simply repeat my first comment.

                            – schroeder
                            yesterday











                          • I guess the question then is what do you want them to think when they look through their email inbox if not suspicion...I know that I am suspicious of emails and having users share my suspicion is the prime objective.

                            – Roostercrab
                            yesterday














                          1












                          1








                          1







                          The question of "going too far" requires context; what part is going too far?



                          The thing that phishing tests are trying to do is to make people suspicious of their email, because when they aren't then they are at risk of literally inviting unauthorized users onto the network.



                          So there shouldn't be an overwhelming amount of emails to the point that they are sifting through known bad emails to get to the ones they need to do their job, but there should be enough that it is commonly known that someone in the organization is portraying an attacker and trying to get them to click the wrong link because there are already people outside the organization trying to get them to do that.



                          The question then becomes when someone does go for the ploy, are you glad that you caught them instead of a malicious actor? As other people have mentioned here (and @BoredToolBox should not have been downvoted in my opinion) this is about education.



                          If you put that into the wording of the question then, I'm sure that it's not meant as "How much education is going too far?" right?



                          What is probably going too far in most organizations is the reaction to people who are clicking thorough, and especially if there is a punitive aspect to it. You should be glad when you are the one that caught the action, because it is a chance for you to help the user understand what could possibly have happened and why you are performing this exercise. People should not be punished or shamed.



                          Imagine that this was an exercise on how to prevent an illness from spreading worker to worker. A deadly virus that will lay dormant until it has found an appropriate host and will then possibly kill everyone, but they don't know that it is spread by people that are randomly coming in the front door handing them packages.



                          We have enough common sense to know not to just accept packages from people that walk into the building, but what people don't see is that this is exactly what is happening with their emails. So this is about a change in culture and perspective, and I don't really see what part of the knowledge of this is going too far when you are talking about education.






                          share|improve this answer










                          New contributor




                          Roostercrab is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.










                          The question of "going too far" requires context; what part is going too far?



                          The thing that phishing tests are trying to do is to make people suspicious of their email, because when they aren't then they are at risk of literally inviting unauthorized users onto the network.



                          So there shouldn't be an overwhelming amount of emails to the point that they are sifting through known bad emails to get to the ones they need to do their job, but there should be enough that it is commonly known that someone in the organization is portraying an attacker and trying to get them to click the wrong link because there are already people outside the organization trying to get them to do that.



                          The question then becomes when someone does go for the ploy, are you glad that you caught them instead of a malicious actor? As other people have mentioned here (and @BoredToolBox should not have been downvoted in my opinion) this is about education.



                          If you put that into the wording of the question then, I'm sure that it's not meant as "How much education is going too far?" right?



                          What is probably going too far in most organizations is the reaction to people who are clicking thorough, and especially if there is a punitive aspect to it. You should be glad when you are the one that caught the action, because it is a chance for you to help the user understand what could possibly have happened and why you are performing this exercise. People should not be punished or shamed.



                          Imagine that this was an exercise on how to prevent an illness from spreading worker to worker. A deadly virus that will lay dormant until it has found an appropriate host and will then possibly kill everyone, but they don't know that it is spread by people that are randomly coming in the front door handing them packages.



                          We have enough common sense to know not to just accept packages from people that walk into the building, but what people don't see is that this is exactly what is happening with their emails. So this is about a change in culture and perspective, and I don't really see what part of the knowledge of this is going too far when you are talking about education.







                          share|improve this answer










                          New contributor




                          Roostercrab is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.









                          share|improve this answer



                          share|improve this answer








                          edited yesterday









                          schroeder

                          79.2k30176213




                          79.2k30176213






                          New contributor




                          Roostercrab is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.









                          answered yesterday









                          RoostercrabRoostercrab

                          111




                          111




                          New contributor




                          Roostercrab is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.





                          New contributor





                          Roostercrab is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.






                          Roostercrab is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.








                          • 5





                            The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behavours taught in a safe simulation of an attack.

                            – schroeder
                            yesterday






                          • 1





                            Right...but if they leave that simulation without being suspicious of emails then what was the point? They should be suspicious of anything that looks different, and the point of training is to make them so, right?

                            – Roostercrab
                            yesterday






                          • 3





                            No. That's my entire point. The goal is not suspicion. I'm afraid to explain further will be to simply repeat my first comment.

                            – schroeder
                            yesterday











                          • I guess the question then is what do you want them to think when they look through their email inbox if not suspicion...I know that I am suspicious of emails and having users share my suspicion is the prime objective.

                            – Roostercrab
                            yesterday














                          • 5





                            The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behavours taught in a safe simulation of an attack.

                            – schroeder
                            yesterday






                          • 1





                            Right...but if they leave that simulation without being suspicious of emails then what was the point? They should be suspicious of anything that looks different, and the point of training is to make them so, right?

                            – Roostercrab
                            yesterday






                          • 3





                            No. That's my entire point. The goal is not suspicion. I'm afraid to explain further will be to simply repeat my first comment.

                            – schroeder
                            yesterday











                          • I guess the question then is what do you want them to think when they look through their email inbox if not suspicion...I know that I am suspicious of emails and having users share my suspicion is the prime objective.

                            – Roostercrab
                            yesterday








                          5




                          5





                          The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behavours taught in a safe simulation of an attack.

                          – schroeder
                          yesterday





                          The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behavours taught in a safe simulation of an attack.

                          – schroeder
                          yesterday




                          1




                          1





                          Right...but if they leave that simulation without being suspicious of emails then what was the point? They should be suspicious of anything that looks different, and the point of training is to make them so, right?

                          – Roostercrab
                          yesterday





                          Right...but if they leave that simulation without being suspicious of emails then what was the point? They should be suspicious of anything that looks different, and the point of training is to make them so, right?

                          – Roostercrab
                          yesterday




                          3




                          3





                          No. That's my entire point. The goal is not suspicion. I'm afraid to explain further will be to simply repeat my first comment.

                          – schroeder
                          yesterday





                          No. That's my entire point. The goal is not suspicion. I'm afraid to explain further will be to simply repeat my first comment.

                          – schroeder
                          yesterday













                          I guess the question then is what do you want them to think when they look through their email inbox if not suspicion...I know that I am suspicious of emails and having users share my suspicion is the prime objective.

                          – Roostercrab
                          yesterday





                          I guess the question then is what do you want them to think when they look through their email inbox if not suspicion...I know that I am suspicious of emails and having users share my suspicion is the prime objective.

                          – Roostercrab
                          yesterday











                          0














                          Faced something similar and currently part of a team that runs something similar. Here are my two cents:



                          Education is a very tricky concept as the way people learn are
                          different for different individuals. But what I have seen is that if
                          you try to concise the information you want to convey in 2-4 points,
                          in as few words as possible that always help. We do something like
                          this when it comes to educating people:



                          Whenever you get an email from someone outside the org ask these questions:




                          • Do you personally know this email id?

                          • Does the email id and the domain name look fishy to you?

                          • Do you really want to click that link or want to give this guy your personal info?


                          And lastly we always mention that:





                          • if you are not sure please forward this email to {email id that verifies this}@{yourorg}.com




                            1. Definitely. Since all they need to do (I guess) is to ignore that email or maybe forward it to your internal security team for review.




                          I guess what needs to be done here is more on education. Because the employees need to know how a successful phish can not only hurt the company but also the employee as well.






                          share|improve this answer





















                          • 5





                            The question is when does phishing campaign's,to educate employees crosses the line.You are answering on "how to better educate them"

                            – Vipul Nair
                            yesterday













                          • Downvoted for the reason @VipulNair stated

                            – Kevin Voorn
                            yesterday











                          • @VipulNair Isn't "not being able to educate" is education gone too far?

                            – BoredToolBox
                            yesterday











                          • And the top voted one, says the exact same thing.

                            – BoredToolBox
                            yesterday
















                          0














                          Faced something similar and currently part of a team that runs something similar. Here are my two cents:



                          Education is a very tricky concept as the way people learn are
                          different for different individuals. But what I have seen is that if
                          you try to concise the information you want to convey in 2-4 points,
                          in as few words as possible that always help. We do something like
                          this when it comes to educating people:



                          Whenever you get an email from someone outside the org ask these questions:




                          • Do you personally know this email id?

                          • Does the email id and the domain name look fishy to you?

                          • Do you really want to click that link or want to give this guy your personal info?


                          And lastly we always mention that:





                          • if you are not sure please forward this email to {email id that verifies this}@{yourorg}.com




                            1. Definitely. Since all they need to do (I guess) is to ignore that email or maybe forward it to your internal security team for review.




                          I guess what needs to be done here is more on education. Because the employees need to know how a successful phish can not only hurt the company but also the employee as well.






                          share|improve this answer





















                          • 5





                            The question is when does phishing campaign's,to educate employees crosses the line.You are answering on "how to better educate them"

                            – Vipul Nair
                            yesterday













                          • Downvoted for the reason @VipulNair stated

                            – Kevin Voorn
                            yesterday











                          • @VipulNair Isn't "not being able to educate" is education gone too far?

                            – BoredToolBox
                            yesterday











                          • And the top voted one, says the exact same thing.

                            – BoredToolBox
                            yesterday














                          0












                          0








                          0







                          Faced something similar and currently part of a team that runs something similar. Here are my two cents:



                          Education is a very tricky concept as the way people learn are
                          different for different individuals. But what I have seen is that if
                          you try to concise the information you want to convey in 2-4 points,
                          in as few words as possible that always help. We do something like
                          this when it comes to educating people:



                          Whenever you get an email from someone outside the org ask these questions:




                          • Do you personally know this email id?

                          • Does the email id and the domain name look fishy to you?

                          • Do you really want to click that link or want to give this guy your personal info?


                          And lastly we always mention that:





                          • if you are not sure please forward this email to {email id that verifies this}@{yourorg}.com




                            1. Definitely. Since all they need to do (I guess) is to ignore that email or maybe forward it to your internal security team for review.




                          I guess what needs to be done here is more on education. Because the employees need to know how a successful phish can not only hurt the company but also the employee as well.






                          share|improve this answer















                          Faced something similar and currently part of a team that runs something similar. Here are my two cents:



                          Education is a very tricky concept as the way people learn are
                          different for different individuals. But what I have seen is that if
                          you try to concise the information you want to convey in 2-4 points,
                          in as few words as possible that always help. We do something like
                          this when it comes to educating people:



                          Whenever you get an email from someone outside the org ask these questions:




                          • Do you personally know this email id?

                          • Does the email id and the domain name look fishy to you?

                          • Do you really want to click that link or want to give this guy your personal info?


                          And lastly we always mention that:





                          • if you are not sure please forward this email to {email id that verifies this}@{yourorg}.com




                            1. Definitely. Since all they need to do (I guess) is to ignore that email or maybe forward it to your internal security team for review.




                          I guess what needs to be done here is more on education. Because the employees need to know how a successful phish can not only hurt the company but also the employee as well.







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited yesterday









                          schroeder

                          79.2k30176213




                          79.2k30176213










                          answered yesterday









                          BoredToolBoxBoredToolBox

                          325




                          325








                          • 5





                            The question is when does phishing campaign's,to educate employees crosses the line.You are answering on "how to better educate them"

                            – Vipul Nair
                            yesterday













                          • Downvoted for the reason @VipulNair stated

                            – Kevin Voorn
                            yesterday











                          • @VipulNair Isn't "not being able to educate" is education gone too far?

                            – BoredToolBox
                            yesterday











                          • And the top voted one, says the exact same thing.

                            – BoredToolBox
                            yesterday














                          • 5





                            The question is when does phishing campaign's,to educate employees crosses the line.You are answering on "how to better educate them"

                            – Vipul Nair
                            yesterday













                          • Downvoted for the reason @VipulNair stated

                            – Kevin Voorn
                            yesterday











                          • @VipulNair Isn't "not being able to educate" is education gone too far?

                            – BoredToolBox
                            yesterday











                          • And the top voted one, says the exact same thing.

                            – BoredToolBox
                            yesterday








                          5




                          5





                          The question is when does phishing campaign's,to educate employees crosses the line.You are answering on "how to better educate them"

                          – Vipul Nair
                          yesterday







                          The question is when does phishing campaign's,to educate employees crosses the line.You are answering on "how to better educate them"

                          – Vipul Nair
                          yesterday















                          Downvoted for the reason @VipulNair stated

                          – Kevin Voorn
                          yesterday





                          Downvoted for the reason @VipulNair stated

                          – Kevin Voorn
                          yesterday













                          @VipulNair Isn't "not being able to educate" is education gone too far?

                          – BoredToolBox
                          yesterday





                          @VipulNair Isn't "not being able to educate" is education gone too far?

                          – BoredToolBox
                          yesterday













                          And the top voted one, says the exact same thing.

                          – BoredToolBox
                          yesterday





                          And the top voted one, says the exact same thing.

                          – BoredToolBox
                          yesterday











                          0














                          I don't know whether this applies to your case or not, but one potential problem may be if your expectations about user awareness are higher than the security norms put into use. For example:




                          • You may educate users to always check the https certificates, but at the same time some internal web sites may use self-signed or expired certificates, or even require submitting usernames and passwords through plain unencrypted http.

                          • Or you may educate users that all official internal tools reside on your company domain, but in reality you use popular third-party services like Gmail or Slack connected with OAuth.


                          While the first example is an actual issue with the infrastructure, the second one is a safe practice paired with out-of-date recommendations. I have seen both happening in the wild and in these cases the principles that you are trying to teach can not be applied in day-to-day practice and may ultimately lead to confusion and failure to comply.






                          share|improve this answer




























                            0














                            I don't know whether this applies to your case or not, but one potential problem may be if your expectations about user awareness are higher than the security norms put into use. For example:




                            • You may educate users to always check the https certificates, but at the same time some internal web sites may use self-signed or expired certificates, or even require submitting usernames and passwords through plain unencrypted http.

                            • Or you may educate users that all official internal tools reside on your company domain, but in reality you use popular third-party services like Gmail or Slack connected with OAuth.


                            While the first example is an actual issue with the infrastructure, the second one is a safe practice paired with out-of-date recommendations. I have seen both happening in the wild and in these cases the principles that you are trying to teach can not be applied in day-to-day practice and may ultimately lead to confusion and failure to comply.






                            share|improve this answer


























                              0












                              0








                              0







                              I don't know whether this applies to your case or not, but one potential problem may be if your expectations about user awareness are higher than the security norms put into use. For example:




                              • You may educate users to always check the https certificates, but at the same time some internal web sites may use self-signed or expired certificates, or even require submitting usernames and passwords through plain unencrypted http.

                              • Or you may educate users that all official internal tools reside on your company domain, but in reality you use popular third-party services like Gmail or Slack connected with OAuth.


                              While the first example is an actual issue with the infrastructure, the second one is a safe practice paired with out-of-date recommendations. I have seen both happening in the wild and in these cases the principles that you are trying to teach can not be applied in day-to-day practice and may ultimately lead to confusion and failure to comply.






                              share|improve this answer













                              I don't know whether this applies to your case or not, but one potential problem may be if your expectations about user awareness are higher than the security norms put into use. For example:




                              • You may educate users to always check the https certificates, but at the same time some internal web sites may use self-signed or expired certificates, or even require submitting usernames and passwords through plain unencrypted http.

                              • Or you may educate users that all official internal tools reside on your company domain, but in reality you use popular third-party services like Gmail or Slack connected with OAuth.


                              While the first example is an actual issue with the infrastructure, the second one is a safe practice paired with out-of-date recommendations. I have seen both happening in the wild and in these cases the principles that you are trying to teach can not be applied in day-to-day practice and may ultimately lead to confusion and failure to comply.







                              share|improve this answer












                              share|improve this answer



                              share|improve this answer










                              answered 17 hours ago









                              ZoltanZoltan

                              1857




                              1857























                                  0














                                  I'm not sure the size of your organization, but the most practical advice I can offer is that you can go too far when you overthink it.
                                  - Make some spoofy emails, send them to users, see what users do.



                                  We use a tool (KnowBe4)- run a few trials against the users, and use that to educate them/get them aware. We capture who passed, who failed, and use the overall process to educate and demonstrate that we educate.



                                  Don't overthink the audience with custom targeting; don't do complicated data analysis... If you are, you are probably wasting time you could spend on the next challenge.



                                  If you see there's spear phishing at your execs or certain folks, engage them personally and often, and maybe do something operational to make sure that if they are fooled, you catch it. By operational change, for example, if someone's trying to get your CFO to release wire payments- then the CFO better have an additional maker/checker process, or get secondary non-email (Voice?) confirmation that a wire should go out.






                                  share|improve this answer








                                  New contributor




                                  subs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                  Check out our Code of Conduct.

























                                    0














                                    I'm not sure the size of your organization, but the most practical advice I can offer is that you can go too far when you overthink it.
                                    - Make some spoofy emails, send them to users, see what users do.



                                    We use a tool (KnowBe4)- run a few trials against the users, and use that to educate them/get them aware. We capture who passed, who failed, and use the overall process to educate and demonstrate that we educate.



                                    Don't overthink the audience with custom targeting; don't do complicated data analysis... If you are, you are probably wasting time you could spend on the next challenge.



                                    If you see there's spear phishing at your execs or certain folks, engage them personally and often, and maybe do something operational to make sure that if they are fooled, you catch it. By operational change, for example, if someone's trying to get your CFO to release wire payments- then the CFO better have an additional maker/checker process, or get secondary non-email (Voice?) confirmation that a wire should go out.






                                    share|improve this answer








                                    New contributor




                                    subs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                    Check out our Code of Conduct.























                                      0












                                      0








                                      0







                                      I'm not sure the size of your organization, but the most practical advice I can offer is that you can go too far when you overthink it.
                                      - Make some spoofy emails, send them to users, see what users do.



                                      We use a tool (KnowBe4)- run a few trials against the users, and use that to educate them/get them aware. We capture who passed, who failed, and use the overall process to educate and demonstrate that we educate.



                                      Don't overthink the audience with custom targeting; don't do complicated data analysis... If you are, you are probably wasting time you could spend on the next challenge.



                                      If you see there's spear phishing at your execs or certain folks, engage them personally and often, and maybe do something operational to make sure that if they are fooled, you catch it. By operational change, for example, if someone's trying to get your CFO to release wire payments- then the CFO better have an additional maker/checker process, or get secondary non-email (Voice?) confirmation that a wire should go out.






                                      share|improve this answer








                                      New contributor




                                      subs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.










                                      I'm not sure the size of your organization, but the most practical advice I can offer is that you can go too far when you overthink it.
                                      - Make some spoofy emails, send them to users, see what users do.



                                      We use a tool (KnowBe4)- run a few trials against the users, and use that to educate them/get them aware. We capture who passed, who failed, and use the overall process to educate and demonstrate that we educate.



                                      Don't overthink the audience with custom targeting; don't do complicated data analysis... If you are, you are probably wasting time you could spend on the next challenge.



                                      If you see there's spear phishing at your execs or certain folks, engage them personally and often, and maybe do something operational to make sure that if they are fooled, you catch it. By operational change, for example, if someone's trying to get your CFO to release wire payments- then the CFO better have an additional maker/checker process, or get secondary non-email (Voice?) confirmation that a wire should go out.







                                      share|improve this answer








                                      New contributor




                                      subs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.









                                      share|improve this answer



                                      share|improve this answer






                                      New contributor




                                      subs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.









                                      answered 8 hours ago









                                      subssubs

                                      1




                                      1




                                      New contributor




                                      subs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.





                                      New contributor





                                      subs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.






                                      subs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.























                                          -2














                                          I suspect that your simulation is using knowledge about your intended targets that no genuine phisher would ever know. That is why they complain about your fakes being too hard to distinguish from the real thing. In a word, you are cheating.






                                          share|improve this answer








                                          New contributor




                                          BoarGules is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.
















                                          • 2





                                            Not neccissarily, there can be malicious actors within an orginisation.

                                            – meowcat
                                            3 hours ago











                                          • Please review Shannon's Maxim: The enemy knows the system.

                                            – forest
                                            2 hours ago
















                                          -2














                                          I suspect that your simulation is using knowledge about your intended targets that no genuine phisher would ever know. That is why they complain about your fakes being too hard to distinguish from the real thing. In a word, you are cheating.






                                          share|improve this answer








                                          New contributor




                                          BoarGules is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.
















                                          • 2





                                            Not neccissarily, there can be malicious actors within an orginisation.

                                            – meowcat
                                            3 hours ago











                                          • Please review Shannon's Maxim: The enemy knows the system.

                                            – forest
                                            2 hours ago














                                          -2












                                          -2








                                          -2







                                          I suspect that your simulation is using knowledge about your intended targets that no genuine phisher would ever know. That is why they complain about your fakes being too hard to distinguish from the real thing. In a word, you are cheating.






                                          share|improve this answer








                                          New contributor




                                          BoarGules is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.










                                          I suspect that your simulation is using knowledge about your intended targets that no genuine phisher would ever know. That is why they complain about your fakes being too hard to distinguish from the real thing. In a word, you are cheating.







                                          share|improve this answer








                                          New contributor




                                          BoarGules is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.









                                          share|improve this answer



                                          share|improve this answer






                                          New contributor




                                          BoarGules is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.









                                          answered 7 hours ago









                                          BoarGulesBoarGules

                                          971




                                          971




                                          New contributor




                                          BoarGules is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.





                                          New contributor





                                          BoarGules is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.






                                          BoarGules is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.








                                          • 2





                                            Not neccissarily, there can be malicious actors within an orginisation.

                                            – meowcat
                                            3 hours ago











                                          • Please review Shannon's Maxim: The enemy knows the system.

                                            – forest
                                            2 hours ago














                                          • 2





                                            Not neccissarily, there can be malicious actors within an orginisation.

                                            – meowcat
                                            3 hours ago











                                          • Please review Shannon's Maxim: The enemy knows the system.

                                            – forest
                                            2 hours ago








                                          2




                                          2





                                          Not neccissarily, there can be malicious actors within an orginisation.

                                          – meowcat
                                          3 hours ago





                                          Not neccissarily, there can be malicious actors within an orginisation.

                                          – meowcat
                                          3 hours ago













                                          Please review Shannon's Maxim: The enemy knows the system.

                                          – forest
                                          2 hours ago





                                          Please review Shannon's Maxim: The enemy knows the system.

                                          – forest
                                          2 hours ago


















                                          draft saved

                                          draft discarded




















































                                          Thanks for contributing an answer to Information Security Stack Exchange!


                                          • Please be sure to answer the question. Provide details and share your research!

                                          But avoid



                                          • Asking for help, clarification, or responding to other answers.

                                          • Making statements based on opinion; back them up with references or personal experience.


                                          To learn more, see our tips on writing great answers.




                                          draft saved


                                          draft discarded














                                          StackExchange.ready(
                                          function () {
                                          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207389%2fwhen-is-phishing-education-going-too-far%23new-answer', 'question_page');
                                          }
                                          );

                                          Post as a guest















                                          Required, but never shown





















































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown

































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown







                                          Popular posts from this blog

                                          數位音樂下載

                                          When can things happen in Etherscan, such as the picture below?

                                          格利澤436b