When is phishing education going too far?
I currently work on the IT security team at my workplace in a senior role. Recently, I assisted management in designing the phishing / social engineering training campaigns, by which IT security will send out phishing "test" emails to see how good the company employees are at spotting such emails.
We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see. The content has been varied, ranging from emails asking for sensitive content (e.g. updating a password), to fake social media posts, to targeted advertising.
We have been getting pushback from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails. There have been requests for our team to scale back the difficulty of these tests.
Edit, to address some comments saying that spear phishing simulations are too extreme or that the simulations are badly designed:
In analyzing the past results of phishing simulations, the users who clicked tended to show certain patterns. Also, one particular successful phish that resulted in financial loss (an unnecessary online purchase) was pretending to be a member of senior management.
To respond to comments on the depth of targeting / GDPR: the methods of customization are based on public company data (i.e. job function), rather than private user data known only to that person. The "content that users are likely to see" is based on "typical scenarios", not on what content users at our workplace see specifically.
Questions
When is phishing education going too far?
Is pushback from the end users demonstrative that their awareness is still lacking and that they need further training, specifically regarding the inability to distinguish legitimate from malicious emails?
phishing user-education
19
I would re-word the title from "education" to "testing" or "simulations"
– schroeder♦
yesterday
6
This question seems to me like it lacks key details. Why are your users claiming that the phishing emails you send them are indistinguishable from legitimate ones? Is it because they truly are (at least with the tools at a normal user's disposal), or is it because they're screwing up? Receiving an email from a person you've not previously had contact with is not inherently suspicious, so it matters how you are measuring failure. Based on them actually handing over sensitive information? Or just based on them clicking a link in an email that they could not reasonably know was fake in advance?
– Mark Amery
16 hours ago
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
10 hours ago
The creation of such a targeted system is completely against the reasoning of GDPR. So yes, you are already far across the line of acceptable. I'm not sure why this question requires an answer; the premise is already breaking several laws in many countries. And that should be indication enough.
– paul23
6 hours ago
Any competent phishing email is indistinguishable from normal ones. What is your education campaign trying to teach them? That old bogon that phishing emails have wacky From lines or Subject lines or misspellings or Engrish? The only way I can possibly think to spot a competent phishing email is mouseover the link and see where it points. Ever tried to mouseover on a touchscreen? It's a PitA if even possible because mobile is really feature-restricted.
– Harper
3 hours ago
asked yesterday by Anthony, edited 1 hour ago
10 Answers
I think there is an underlying problem that you will need to address. Why do the users care that they are failing?
Phishing simulations should, first and foremost, be an education tool not a testing tool.
If there are negative consequences to failing, then yes, your users are going to complain if the tests are more difficult than you have prepared them for. You would complain, too.
So, your response should be:
- educate them more (or differently) so that they can pass the tests (or rather, the comprehension tests, which is what they should be)
- remove negative consequences to failing
This might not require any content changes to your education material, but might only require a re-framing of the phishing simulations for users, management, and your security team.
Another tactic to try is to graduate the phishing simulations so that they get harder as the users are successful in responding to phishing. I have done this with my custom programmes. It's more complex on the back end, but the payoffs are huge if you can do it.
Your focus needs to be the evolving maturity of your organisation's ability to resist phishing attacks, not getting everyone to be perfect on tests. Once you take this perspective, the culture around these tests and the complaints will change.
Do it right, and your users will ask for the phishing simulations to be harder not easier. If you aim for that end result, you will have a much more resilient organisation.
21
"graduate the phishing simulations so that they get harder as the users are successful in responding to phishing" this is good; might even be the first step towards turning these phishing simulations into a game: "look, I've managed to not fall for phishing mails of level 5" .. "cool, how did You do it?" ...
– Daniel Jour
yesterday
5
Going from top to bottom... Not why do users care, but why do users NOT care?? There seems to be a fair security vulnerability here and rather than fix it, they're whining.
– Mars
yesterday
4
I don't think any user in the history of IT has ever asked for a harder security awareness test
– Mars
yesterday
3
You are missing my points. You are talking about what has happened from your perspective. I'm talking about a goal state. Why do users care about failing these tests? Not all tests and education. Bad testing deserves complaint. If there are no negative consequences then there would be complaints, inherently. Negative consequences might be subtle. In my programmes, people ask for harder tests. It's a matter of framing and context.
– schroeder♦
22 hours ago
3
@Mars I haven't asked for one, but I have had a few and they have been laughably easy to spot, for me at least. Not to say that there were not a few who did click through, but the majority in the office saw it, laughed and forwarded to security. I'd welcome a harder one from time to time. It would help make people aware that they're not just poorly crafted.
– Baldrickk
17 hours ago
We have been getting push back from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails.
This is an indication that tests that could be rooted out as fakes by trained security professionals are being used to evaluate people who aren't. You may have the skills to pick an email apart and interpret the headers, but Dan in Accounting probably doesn't and his management's not likely to agree that a master class in RFC 822 is a good use of his time.
Crafting targeted emails to increase the hit rate has to be done based on intelligence collected about your users and your purported sender. This is not information to which a phisher will be privy and, as Michael Hampton pointed out in his comment, rises to spearphishing. That's a different ball game played on a different field.
If there are adversaries (real or potential) capable of good-enough spearphishing to damage your business, all of the phishing countermeasures and training won't help. Your job is to deploy tools that will give Dan in Accounting a way to distinguish the real ones from the fakes. That might mean security on the sending end like a cryptographic signature that users' mail clients can check and post a prominent warning when something is unsigned or the signature doesn't match. You can't depend on humans to get this stuff right 100% of the time, especially as your organization gets larger and people don't know each other so well.
There's one possible point to make that I haven't seen in other answers, but have seen in the real world.
Users say they "have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails". What this may tell you, is that legitimate emails about password renewals, service changes and such, do not obey the rules that users are expected to follow.
I have certainly seen organisations whose training materials tell users not to click links in emails, and definitely not to put their passwords into the sites those links point to, or to install software from them. And the service teams at those organisations then send out mass emails about service updates that require action (such as password updates, software installs, etc), with helpful links to click.
One thing that might help would be to clarify that users should report these legitimate emails. It might not help the users directly, but it may help to remind the service team that their emails have rules to follow, which should make things clearer for users in the long run.
7
This. I've worked in an organisation that sends similar phishing test emails, but then regularly sends "legitimate" emails that are indistinguishable from spam/phishing, often containing links to external sites (sometimes requiring logins) which my company has previously had no connection with. The problem may very well be that the legitimate mails are too spammy, rather than your tests going too far.
– Mohirl
16 hours ago
1
This is absolutely a problem. If the organization is sending out legitimate emails that the users are expected to click links in, and you are not explicitly identifying those emails as legitimate and teaching the users how to identify them, your legitimate emails are actively working against and undoing the training you are trying to provide.
– Colin Young
15 hours ago
3
I used to make a point of reporting emails from IT security to IT security as apparent phishing attempts. They never liked it.
– Michael Kay
12 hours ago
@MichaelKay: It really irks me that so many organizations send out real messages that are indistinguishable from phishing attempts. If Acme's VISA card moves from BankCorp to MegaBank, it should not inform customers about it by leaving phone messages asking them to visit AcmeVISAupdate.com [a domain the customers have never used before] (but I had a real one that did precisely that; names changed to protect the guilty), but instead inform them how to get the information using the phone number or web site printed on their card.
– supercat
7 hours ago
I've been known to receive purchase orders from a previously unknown sender saying simply "please find our purchase order attached". And of course the spam filter might well zap them before I have to make a decision.
– Michael Kay
6 hours ago
- When is phishing education going too far?
When the cost exceeds the benefit. Benefit is generally measured in lower click-through rates and increased rates of reporting of genuine phishing emails. Cost can be measured in:
- the effort to implement the test
- false positive reporting of (not) phishing emails
- lower engagement rates on legitimate emails
- ill will towards the Security group.
The last is the hardest to measure, and often ignored, but if your job is to trick your own people, you shouldn't be surprised if they start viewing you with suspicion.
- Is pushback from the end users demonstrative that their awareness is still lacking and need further training, specifically the inability to recognize legitimate from malicious emails?
Um, maybe?
If their click-through rates remain high, then awareness is still lacking and they need further training.
If click-through rates in general have dropped, but the test emails consistently fool them, then their concerns about the testing may be legitimate.
It sounds like your content is pretty closely tailored to your users and even their job roles. This may be what is generating the negative reaction. Ideally, a phishing test should not rely upon knowledge or understanding of internal email practices, just as an attacker should not have access to those. (And note, your internal messaging should not look like your external messaging, for the same reason).
You may want to consider outsourcing your phishing tests. The organizations that are dedicated to offering this service have a better feel for what "in the wild" looks like, and their tools for measuring and reporting on engagement rates are usually better than you can do on your own.
Personally, I'm not fond of phish testing, because I believe it erodes trust between users and Security. But the fact of the matter is it's one of the best ways to improve your users' defences.
1
Forgive me if I am wrong. But if a few people click, wouldn't that be a failure?
– Vipul Nair
yesterday
6
@VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.
– gowenfawr
yesterday
3
@gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).
– schroeder♦
yesterday
Where are you guys getting these stats on targets for click through? I'm not in our IS group but I'm on their steering team, we're routinely around 5 - 6% click through for a fairly non-technical workforce of around 500 employees, and what I would consider very realistic test emails. I'm surprised that your comments seem to imply we're way ahead of average (or my interpretation of how difficult our simulated emails are is totally wrong).
– dwizum
15 hours ago
2
@dwizum Lance Spitzner, who's a SME in this area, claims <5% is "good". However, my comments about 10-20% and starting >50% stem from personal experience with a handful of organizations. My gut says that Lance has a self-selecting population ("people who care enough about this to hire him") and that 10-20% is a realistic churn point for good organizations. You may very well be doing better than average :)
– gowenfawr
15 hours ago
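As an added example (not code from the question or from any answer on this page), the following Python scores a small constructed campaign log along the lines of schroeder's graduated programme (harder simulations for users who keep passing) and gowenfawr's measures of benefit (click-through rate and reporting rate); the log format, user ids, level numbers and the no-demotion rule are assumptions, and the benchmark bands are the rough figures quoted in the comments above.

```python
"""Score a graduated phishing-simulation programme.

Added example; not code from the question or any answer on this page.
Assumes a constructed event log with one row per simulated email
(campaign, user, level, outcome). Names, levels and thresholds are
made up or taken from the comments above, not from any product.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample log.  outcome is one of:
#   "ignored"   - did nothing with the mail
#   "reported"  - forwarded it to the security mailbox
#   "clicked"   - followed the link
#   "submitted" - entered credentials on the landing page
SAMPLE_LOG = """\
campaign,user,level,outcome
2019-Q1,alice,1,reported
2019-Q1,bob,1,clicked
2019-Q1,carol,1,ignored
2019-Q1,dan,1,submitted
2019-Q2,alice,2,reported
2019-Q2,bob,1,reported
2019-Q2,carol,2,ignored
2019-Q2,dan,1,clicked
"""

FAIL_OUTCOMES = {"clicked", "submitted"}
PASS_OUTCOMES = {"ignored", "reported"}
MAX_LEVEL = 5  # assumed ceiling for the graduated difficulty scale


@dataclass
class CampaignStats:
    delivered: int = 0
    clicked: int = 0   # clicked the link or submitted credentials
    reported: int = 0  # forwarded to the security mailbox

    @property
    def click_through_rate(self) -> float:
        return self.clicked / self.delivered if self.delivered else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.delivered if self.delivered else 0.0


def parse_log(text: str) -> list[dict]:
    """Parse the CSV log and reject outcomes the programme does not define."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["outcome"] not in FAIL_OUTCOMES | PASS_OUTCOMES:
            raise ValueError(f"unknown outcome {row['outcome']!r}")
        row["level"] = int(row["level"])
        rows.append(row)
    return rows


def campaign_stats(rows: list[dict]) -> dict[str, CampaignStats]:
    """Per-campaign click-through and report counts (the 'benefit' measures)."""
    stats: dict[str, CampaignStats] = {}
    for row in rows:
        s = stats.setdefault(row["campaign"], CampaignStats())
        s.delivered += 1
        if row["outcome"] in FAIL_OUTCOMES:
            s.clicked += 1
        elif row["outcome"] == "reported":
            s.reported += 1
    return stats


def assess(ctr: float) -> str:
    """Rough benchmark bands quoted in the comments above (assumed cut-offs)."""
    if ctr < 0.05:
        return "good (<5%)"
    if ctr <= 0.20:
        return "realistic for a good organisation (10-20%)"
    if ctr >= 0.50:
        return "typical starting point (>=50%)"
    return "improving"


def next_levels(rows: list[dict], max_level: int = MAX_LEVEL) -> dict[str, int]:
    """Graduated difficulty: a user who passed their most recent simulation
    moves up one level; a user who failed stays at the same level
    (assumption: no demotion and no penalty, only the education step)."""
    latest: dict[str, dict] = {}
    for row in rows:          # log order is chronological
        latest[row["user"]] = row
    out: dict[str, int] = {}
    for user, row in latest.items():
        lvl = row["level"]
        passed = row["outcome"] in PASS_OUTCOMES
        out[user] = min(lvl + 1, max_level) if passed else lvl
    return out


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for name, s in campaign_stats(rows).items():
        print(f"{name}: click-through {s.click_through_rate:.0%}, "
              f"reported {s.report_rate:.0%} -> {assess(s.click_through_rate)}")
    print("next levels:", next_levels(rows))
```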
There's one way in which this may have gone too far:
We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see.
You need to ask yourself whether employees at your company will actually be subject to this level of spearphishing. If the answer is no, then you've gone too far. Of course, this is all dependent on what the group does. If it's the DNC, then the answer is yes.
The question of "going too far" requires context; what part is going too far?
The thing that phishing tests are trying to do is to make people suspicious of their email, because when they aren't then they are at risk of literally inviting unauthorized users onto the network.
So there shouldn't be an overwhelming amount of emails to the point that they are sifting through known bad emails to get to the ones they need to do their job, but there should be enough that it is commonly known that someone in the organization is portraying an attacker and trying to get them to click the wrong link because there are already people outside the organization trying to get them to do that.
The question then becomes when someone does go for the ploy, are you glad that you caught them instead of a malicious actor? As other people have mentioned here (and @BoredToolBox should not have been downvoted in my opinion) this is about education.
If you put that into the wording of the question then, I'm sure that it's not meant as "How much education is going too far?" right?
What is probably going too far in most organizations is the reaction to people who are clicking through, and especially if there is a punitive aspect to it. You should be glad when you are the one that caught the action, because it is a chance for you to help the user understand what could possibly have happened and why you are performing this exercise. People should not be punished or shamed.
Imagine that this was an exercise on how to prevent an illness from spreading worker to worker. A deadly virus that will lay dormant until it has found an appropriate host and will then possibly kill everyone, but they don't know that it is spread by people that are randomly coming in the front door handing them packages.
We have enough common sense to know not to just accept packages from people that walk into the building, but what people don't see is that this is exactly what is happening with their emails. So this is about a change in culture and perspective, and I don't really see what part of the knowledge of this is going too far when you are talking about education.
5
The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behaviours taught in a safe simulation of an attack.
– schroeder♦
yesterday
1
Right...but if they leave that simulation without being suspicious of emails then what was the point? They should be suspicious of anything that looks different, and the point of training is to make them so, right?
– Roostercrab
yesterday
3
No. That's my entire point. The goal is not suspicion. I'm afraid to explain further will be to simply repeat my first comment.
– schroeder♦
yesterday
I guess the question then is what do you want them to think when they look through their email inbox if not suspicion...I know that I am suspicious of emails and having users share my suspicion is the prime objective.
– Roostercrab
yesterday
Faced something similar and currently part of a team that runs something similar. Here are my two cents:
Education is a very tricky concept, as the way people learn is different for different individuals. But what I have seen is that if you try to condense the information you want to convey into 2-4 points, in as few words as possible, that always helps. We do something like this when it comes to educating people:
Whenever you get an email from someone outside the org ask these questions:
- Do you personally know this email id?
- Does the email id and the domain name look fishy to you?
- Do you really want to click that link or want to give this guy your personal info?
And lastly we always mention that:
if you are not sure please forward this email to {email id that verifies this}@{yourorg}.com
- Definitely. Since all they need to do (I guess) is to ignore that email or maybe forward it to your internal security team for review.
I guess what needs to be done here is more on education. Because the employees need to know how a successful phish can not only hurt the company but also the employee as well.
5
The question is when do phishing campaigns to educate employees cross the line. You are answering "how to better educate them".
– Vipul Nair
yesterday
Downvoted for the reason @VipulNair stated
– Kevin Voorn
yesterday
@VipulNair Isn't "not being able to educate" education gone too far?
– BoredToolBox
yesterday
And the top voted one, says the exact same thing.
– BoredToolBox
yesterday
I don't know whether this applies to your case or not, but one potential problem may be if your expectations about user awareness are higher than the security norms put into use. For example:
- You may educate users to always check the https certificates, but at the same time some internal web sites may use self-signed or expired certificates, or even require submitting usernames and passwords through plain unencrypted http.
- Or you may educate users that all official internal tools reside on your company domain, but in reality you use popular third-party services like Gmail or Slack connected with OAuth.
While the first example is an actual issue with the infrastructure, the second one is a safe practice paired with out-of-date recommendations. I have seen both happening in the wild and in these cases the principles that you are trying to teach can not be applied in day-to-day practice and may ultimately lead to confusion and failure to comply.
I'm not sure the size of your organization, but the most practical advice I can offer is that you can go too far when you overthink it.
- Make some spoofy emails, send them to users, see what users do.
We use a tool (KnowBe4): run a few trials against the users, and use that to educate them/get them aware. We capture who passed, who failed, and use the overall process to educate and demonstrate that we educate.
Don't overthink the audience with custom targeting; don't do complicated data analysis... If you are, you are probably wasting time you could spend on the next challenge.
If you see there's spear phishing at your execs or certain folks, engage them personally and often, and maybe do something operational to make sure that if they are fooled, you catch it. By operational change, for example, if someone's trying to get your CFO to release wire payments, then the CFO better have an additional maker/checker process, or get secondary non-email (voice?) confirmation that a wire should go out.
I suspect that your simulation is using knowledge about your intended targets that no genuine phisher would ever know. That is why they complain about your fakes being too hard to distinguish from the real thing. In a word, you are cheating.
2
Not necessarily, there can be malicious actors within an organisation.
– meowcat
3 hours ago
Please review Shannon's Maxim: The enemy knows the system.
– forest
2 hours ago
10 Answers
I think there is an underlying problem that you will need to address. Why do the users care that they are failing?
Phishing simulations should, first and foremost, be an education tool not a testing tool.
If there are negative consequences to failing, then yes, your users are going to complain if the tests are more difficult than you have prepared them for. You would complain, too.
So, your response should be:
- educate them more (or differently) so that they can pass the tests (or rather, the comprehension tests, which is what they should be)
- remove negative consequences to failing
This might not require any content changes to your education material, but might only require a re-framing of the phishing simulations for users, management, and your security team.
Another tactic to try is to graduate the phishing simulations so that they get harder as the users are successful in responding to phishing. I have done this with my custom programmes. It's more complex on the back end, but the payoffs are huge if you can do it.
Your focus needs to be the evolving maturity of your organisation's ability to resist phishing attacks, not getting everyone to be perfect on tests. Once you take this perspective, the culture around these tests and the complaints will change.
Do it right, and your users will ask for the phishing simulations to be harder not easier. If you aim for that end result, you will have a much more resilient organisation.
21
"graduate the phishing simulations so that they get harder as the users are successful in responding to phishing" this is good; might even be the first step towards turning these phishing simulations into a game: "look, I've managed to not fall for phishing mails of level 5" .. "cool, how did you do it?" ...
– Daniel Jour
yesterday
5
Going from top to bottom... Not why do users care, but why do users NOT care?? There seems to be a fair security vulnerability here and rather than fix it, they're whining.
– Mars
yesterday
4
I don't think any user in the history of IT has ever asked for a harder security awareness test
– Mars
yesterday
3
You are missing my points. You are talking about what has happened from your perspective. I'm talking about a goal state. Why do users care about failing these tests? Not all tests and education. Bad testing deserves complaint. If there are no negative consequences then there would be complaints, inherently. Negative consequences might be subtle. In my programmes, people ask for harder tests. It's a matter of framing and context.
– schroeder♦
22 hours ago
3
@Mars I haven't asked for one, but I have had a few and they have been laughably easy to spot, for me at least. Not to say that there were not a few who did click through, but the majority in the office saw it, laughed and forwarded to security. I'd welcome a harder one from time to time. It would help make people aware that they're not just poorly crafted.
– Baldrickk
17 hours ago
edited yesterday
answered yesterday
schroeder♦
We have been getting push back from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails.
This is an indication that tests that could be rooted out as fakes by trained security professionals are being used to evaluate people who aren't. You may have the skills to pick an email apart and interpret the headers, but Dan in Accounting probably doesn't and his management's not likely to agree that a master class in RFC 822 is a good use of his time.
Crafting targeted emails to increase the hit rate has to be done based on intelligence collected about your users and your purported sender. This is not information to which a phisher will be privy and, as Michael Hampton pointed out in his comment, rises to spearphishing. That's a different ball game played on a different field.
If there are adversaries (real or potential) capable of good-enough spearphishing to damage your business, all of the phishing countermeasures and training won't help. Your job is to deploy tools that will give Dan in Accounting a way to distinguish the real ones from the fakes. That might mean security on the sending end like a cryptographic signature that users' mail clients can check and post a prominent warning when something is unsigned or the signature doesn't match. You can't depend on humans to get this stuff right 100% of the time, especially as your organization gets larger and people don't know each other so well.
answered yesterday
Blrfl
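The client-side check this answer calls for (a prominent warning when a message is unsigned or its signature does not match the claimed sender), as an added example that is not Blrfl's code: it assumes the signature is DKIM, already verified by the receiving server and summarised in an Authentication-Results header (RFC 8601), and uses a constructed internal-domain list and constructed sample messages.

```python
"""Banner decision for a mail client: warn prominently when a message is
unsigned or its signature does not match the visible sender.

Assumption (the answer names no mechanism): the signature is DKIM, and the
receiving server has recorded its verdict in an Authentication-Results header
(RFC 8601). INTERNAL_DOMAINS and every sample message below are constructed
for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains the organisation's own systems legitimately send from.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Pull "dkim=<result>" and, when present in the same clause, "header.d=<domain>".
_DKIM_RE = re.compile(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", re.I)


def from_domain(msg):
    """Lower-cased domain of the visible From: address, or None if unparsable."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def dkim_results(msg):
    """Yield (result, signing_domain) for every DKIM clause the server recorded."""
    for hdr in msg.get_all("Authentication-Results", []):
        for result, signer in _DKIM_RE.findall(hdr):
            yield result.lower(), (signer.lower() or None)


def banner_decision(raw_message):
    """Classify a raw RFC 5322 message into the banner the client should show.

    'verified-internal'  DKIM passed, signer aligns with From, and the domain is ours
    'external'           DKIM passed and aligned, but the domain is not ours
    'warn-unsigned'      no DKIM verdict recorded, dkim=none, or no usable From
    'warn-mismatch'      DKIM failed, or the signature belongs to another domain
    """
    msg = message_from_string(raw_message)
    sender = from_domain(msg)
    verdicts = list(dkim_results(msg))
    if sender is None or not verdicts or all(r == "none" for r, _ in verdicts):
        return "warn-unsigned"
    for result, signer in verdicts:
        # Relaxed alignment as DMARC defines it: the signer may be the From
        # domain itself or a parent domain of it.
        aligned = signer is not None and (
            sender == signer or sender.endswith("." + signer)
        )
        if result == "pass" and aligned:
            return "verified-internal" if sender in INTERNAL_DOMAINS else "external"
    return "warn-mismatch"


# Constructed sample messages (not real mail).
SIGNED_INTERNAL = """\
Authentication-Results: mx.example.com; dkim=pass header.d=example.com header.s=s1
From: IT Security <security@example.com>
Subject: Quarterly awareness reminder

See the intranet page for details.
"""

UNSIGNED = """\
From: IT Security <security@example.com>
Subject: Urgent: confirm your password

Click here to keep your account active.
"""

# Visible From is internal, but the only signature comes from another domain.
MISMATCH = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.invalid; dkim=pass header.d=mailer.invalid
From: CEO <ceo@example.com>
Subject: Purchase approval needed today

Please approve the attached purchase order.
"""

EXTERNAL = """\
Authentication-Results: mx.example.com; dkim=pass header.d=supplier.test
From: Accounts <invoices@supplier.test>
Subject: Invoice 0042

Please find our invoice attached.
"""

if __name__ == "__main__":
    for name, raw in [("signed internal", SIGNED_INTERNAL), ("unsigned", UNSIGNED),
                      ("mismatch", MISMATCH), ("external", EXTERNAL)]:
        print(f"{name:16s} -> {banner_decision(raw)}")
```

Only the two "warn-" outcomes need a banner; the "external" outcome is the normal case for legitimate third-party mail and should not be alarming, which is the point the answer makes about not expecting users to read headers.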
There's one possible point to make that I haven't seen in other answers, but have seen in the real world.
Users say they "have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails". What this may tell you, is that legitimate emails about password renewals, service changes and such, do not obey the rules that users are expected to follow.
I have certainly seen organisations whose training materials tell users not to click links in emails, and definitely not to put their passwords into the sites those links point to, or to install software from them. And the service teams at those organisations then send out mass emails about service updates that require action (such as password updates, software installs, etc), with helpful links to click.
One thing that might help would be to clarify that users should report these legitimate emails. It might not help the users directly, but it may help to remind the service team that their emails have rules to follow, which should make things clearer for users in the long run.
7
This. I've worked in an organisation that sends similar phishing test emails, but then regularly sends "legitimate" emails that are indistinguishable from spam/phishing, often containing links to external sites (sometimes requiring logins) which my company has previously had no connection with. The problem may very well be that the legitimate mails are too spammy, rather than your tests going too far.
– Mohirl
16 hours ago
1
This is absolutely a problem. If the organization is sending out legitimate emails that the users are expected to click links in, and you are not explicitly identifying those emails as legitimate and teaching the users how to identify them, your legitimate emails are actively working against and undoing the training you are trying to provide.
– Colin Young
15 hours ago
3
I used to make a point of reporting emails from IT security to IT security as apparent phishing attempts. They never liked it.
– Michael Kay
12 hours ago
@MichaelKay: It really irks me that so many organizations send out real messages that are indistinguishable from phishing attempts. If Acme's VISA card moves from BankCorp to MegaBank, it should not inform customers about it by leaving phone messages asking them to visit AcmeViSAupdate.com [a domain the customers have never used before] (but I had a real one that did precisely that; names changed to protect the guilty), but instead inform them how to get the information using the phone number or web site printed on their card.
– supercat
7 hours ago
I've been known to receive purchase orders from a previously unknown sender saying simply "please find our purchase order attached". And of course the spam filter might well zap them before I have to make a decision.
– Michael Kay
6 hours ago
answered 18 hours ago
James_pic
1,6071317
7
This. I've worked in an organisation that sends similar phishing test emails, but then regularly sends "legitimate" emails that are indistinguishable from spam/phishing, often containing links to external sites (sometimes requiring logins) which my company has previously had no connection with. The problem may very well be that the legitimate mails are too spammy, rather than your tests going too far.
– Mohirl
16 hours ago
1
This is absolutely a problem. If the organization is sending out legitimate emails that the users are expected to click links in, and you are not explicitly identifying those emails as legitimate and teaching the users how to identify them, your legitimate emails are actively working against and undoing the training you are trying to provide.
– Colin Young
15 hours ago
3
I used to make a point of reporting emails from IT security to IT security as apparent phishing attempts. They never liked it.
– Michael Kay
12 hours ago
@MichaelKay: It really irks me that so many organizations send out real messages that are indistinguishable from phishing attempts. If Acme's VISA card moves from BankCorp to MegaBank, it should not inform customers about it by leaving phone messages asking them to visit AcmeViSAupdate.com [a domain the customers have never used before] (I had a real one that did precisely that; names changed to protect the guilty), but instead inform them how to get the information using the phone number or web site printed on their card.
– supercat
7 hours ago
I've been known to receive purchase orders from a previously unknown sender saying simply "please find our purchase order attached". And of course the spam filter might well zap them before I have to make a decision.
– Michael Kay
6 hours ago
- When is phishing education going too far?
When the cost exceeds the benefit. Benefit is generally measured in lower click-through rates and increased rates of reporting of genuine phishing emails. Cost can be measured in:
- the effort to implement the test
- false positive reporting of (not) phishing emails
- lower engagement rates on legitimate emails
- ill will towards the Security group.
The last is the hardest to measure, and often ignored, but if your job is to trick your own people, you shouldn't be surprised if they start viewing you with suspicion.
- Is pushback from the end users demonstrative that their awareness is still lacking and need further training, specifically the inability to recognize legitimate from malicious emails?
Um, maybe?
If their click-through rates remain high, then awareness is still lacking and they need further training.
If click-through rates in general have dropped, but the test emails consistently fool them, then their concerns about the testing may be legitimate.
It sounds like your content is pretty closely tailored to your users and even their job roles. This may be what is generating the negative reaction. Ideally, a phishing test should not rely upon knowledge or understanding of internal email practices, just as an attacker should not have access to those. (And note, your internal messaging should not look like your external messaging, for the same reason).
You may want to consider outsourcing your phishing tests. The organizations that are dedicated to offering this service have a better feel for what "in the wild" looks like, and their tools for measuring and reporting on engagement rates are usually better than you can do on your own.
Personally, I'm not fond of phish testing, because I believe it erodes trust between users and Security. But the fact of the matter is it's one of the best ways to improve your users' defences.
edited yesterday
schroeder♦
79.2k30176213
answered yesterday
gowenfawr
54.8k11115162
1
Forgive me if I am wrong. But if a few people click, wouldn't that be a failure?
– Vipul Nair
yesterday
6
@VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.
– gowenfawr
yesterday
3
@gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).
– schroeder♦
yesterday
Where are you guys getting these stats on targets for click through? I'm not in our IS group but I'm on their steering team, we're routinely around 5 - 6% click through for a fairly non-technical workforce of around 500 employees, and what I would consider very realistic test emails. I'm surprised that your comments seem to imply we're way ahead of average (or my interpretation of how difficult our simulated emails are is totally wrong).
– dwizum
15 hours ago
2
@dwizum Lance Spitzner, who's a SME in this area, claims <5% is "good". However, my comments about 10-20% and starting >50% stem from personal experience with a handful of organizations. My gut says that Lance has a self-selecting population ("people who care enough about this to hire him") and that 10-20% is a realistic churn point for good organizations. You may very well be doing better than average :)
– gowenfawr
15 hours ago
There's one way in which this may have gone too far:
We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see.
You need to ask yourself whether employees at your company will actually be subject to this level of spearphishing. If the answer is no, then you've gone too far. Of course, this is all dependent on what the group does. If it's the DNC, then the answer is yes.
answered yesterday
Cliff AB
2114
The question of "going too far" requires context; what part is going too far?
The thing that phishing tests are trying to do is to make people suspicious of their email, because when they aren't then they are at risk of literally inviting unauthorized users onto the network.
So there shouldn't be an overwhelming amount of emails to the point that they are sifting through known bad emails to get to the ones they need to do their job, but there should be enough that it is commonly known that someone in the organization is portraying an attacker and trying to get them to click the wrong link because there are already people outside the organization trying to get them to do that.
The question then becomes when someone does go for the ploy, are you glad that you caught them instead of a malicious actor? As other people have mentioned here (and @BoredToolBox should not have been downvoted in my opinion) this is about education.
If you put that into the wording of the question then, I'm sure that it's not meant as "How much education is going too far?" right?
What is probably going too far in most organizations is the reaction to people who are clicking through, and especially if there is a punitive aspect to it. You should be glad when you are the one that caught the action, because it is a chance for you to help the user understand what could possibly have happened and why you are performing this exercise. People should not be punished or shamed.
Imagine that this was an exercise on how to prevent an illness from spreading worker to worker. A deadly virus that will lay dormant until it has found an appropriate host and will then possibly kill everyone, but they don't know that it is spread by people that are randomly coming in the front door handing them packages.
We have enough common sense to know not to just accept packages from people that walk into the building, but what people don't see is that this is exactly what is happening with their emails. So this is about a change in culture and perspective, and I don't really see what part of the knowledge of this is going too far when you are talking about education.
New contributor
5
The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behaviours taught in a safe simulation of an attack.
– schroeder♦
yesterday
1
Right...but if they leave that simulation without being suspicious of emails then what was the point? They should be suspicious of anything that looks different, and the point of training is to make them so, right?
– Roostercrab
yesterday
3
No. That's my entire point. The goal is not suspicion. I'm afraid that explaining further would simply be repeating my first comment.
– schroeder♦
yesterday
I guess the question then is what do you want them to think when they look through their email inbox if not suspicion...I know that I am suspicious of emails and having users share my suspicion is the prime objective.
– Roostercrab
yesterday
add a comment |
The question of "going too far" requires context; what part is going too far?
The thing that phishing tests are trying to do is to make people suspicious of their email, because when they aren't then they are at risk of literally inviting unauthorized users onto the network.
So there shouldn't be an overwhelming amount of emails to the point that they are sifting through known bad emails to get to the ones they need to do their job, but there should be enough that it is commonly known that someone in the organization is portraying an attacker and trying to get them to click the wrong link because there are already people outside the organization trying to get them to do that.
The question then becomes when someone does go for the ploy, are you glad that you caught them instead of a malicious actor? As other people have mentioned here (and @BoredToolBox should not have been downvoted in my opinion) this is about education.
If you put that into the wording of the question then, I'm sure that it's not meant as "How much education is going too far?" right?
What is probably going too far in most organizations is the reaction to people who are clicking thorough, and especially if there is a punitive aspect to it. You should be glad when you are the one that caught the action, because it is a chance for you to help the user understand what could possibly have happened and why you are performing this exercise. People should not be punished or shamed.
Imagine that this was an exercise on how to prevent an illness from spreading worker to worker. A deadly virus that will lay dormant until it has found an appropriate host and will then possibly kill everyone, but they don't know that it is spread by people that are randomly coming in the front door handing them packages.
We have enough common sense to know not to just accept packages from people that walk into the building, but what people don't see is that this is exactly what is happening with their emails. So this is about a change in culture and perspective, and I don't really see what part of the knowledge of this is going too far when you are talking about education.
New contributor
5
The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behavours taught in a safe simulation of an attack.
– schroeder♦
yesterday
1
Right...but if they leave that simulation without being suspicious of emails then what was the point? They should be suspicious of anything that looks different, and the point of training is to make them so, right?
– Roostercrab
yesterday
3
No. That's my entire point. The goal is not suspicion. I'm afraid to explain further will be to simply repeat my first comment.
– schroeder♦
yesterday
I guess the question then is what do you want them to think when they look through their email inbox if not suspicion...I know that I am suspicious of emails and having users share my suspicion is the prime objective.
– Roostercrab
yesterday
add a comment |
The question of "going too far" requires context; what part is going too far?
The thing that phishing tests are trying to do is to make people suspicious of their email, because when they aren't then they are at risk of literally inviting unauthorized users onto the network.
So there shouldn't be an overwhelming amount of emails to the point that they are sifting through known bad emails to get to the ones they need to do their job, but there should be enough that it is commonly known that someone in the organization is portraying an attacker and trying to get them to click the wrong link because there are already people outside the organization trying to get them to do that.
The question then becomes when someone does go for the ploy, are you glad that you caught them instead of a malicious actor? As other people have mentioned here (and @BoredToolBox should not have been downvoted in my opinion) this is about education.
If you put that into the wording of the question then, I'm sure that it's not meant as "How much education is going too far?" right?
What is probably going too far in most organizations is the reaction to people who are clicking through, and especially if there is a punitive aspect to it. You should be glad when you are the one that caught the action, because it is a chance for you to help the user understand what could possibly have happened and why you are performing this exercise. People should not be punished or shamed.
Imagine that this was an exercise on how to prevent an illness from spreading worker to worker. A deadly virus that will lay dormant until it has found an appropriate host and will then possibly kill everyone, but they don't know that it is spread by people that are randomly coming in the front door handing them packages.
We have enough common sense to know not to just accept packages from people that walk into the building, but what people don't see is that this is exactly what is happening with their emails. So this is about a change in culture and perspective, and I don't really see what part of the knowledge of this is going too far when you are talking about education.
answered yesterday by Roostercrab
edited yesterday by schroeder♦
The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behaviours taught in a safe simulation of an attack.
– schroeder♦
yesterday
Right...but if they leave that simulation without being suspicious of emails then what was the point? They should be suspicious of anything that looks different, and the point of training is to make them so, right?
– Roostercrab
yesterday
No. That's my entire point. The goal is not suspicion. I'm afraid to explain further will be to simply repeat my first comment.
– schroeder♦
yesterday
I guess the question then is what do you want them to think when they look through their email inbox if not suspicion...I know that I am suspicious of emails and having users share my suspicion is the prime objective.
– Roostercrab
yesterday
Faced something similar and currently part of a team that runs something similar. Here are my two cents:
Education is a very tricky concept as the way people learn is different for different individuals. But what I have seen is that if you try to condense the information you want to convey into 2-4 points, in as few words as possible, that always helps. We do something like this when it comes to educating people:
Whenever you get an email from someone outside the org ask these questions:
- Do you personally know this email id?
- Does the email id and the domain name look fishy to you?
- Do you really want to click that link or want to give this guy your personal info?
And lastly we always mention that:
if you are not sure please forward this email to {email id that verifies this}@{yourorg}.com
- Definitely. Since all they need to do (I guess) is to ignore that email or maybe forward it to your internal security team for review.
I guess what needs to be done here is more on education. Because the employees need to know how a successful phish can not only hurt the company but also the employee as well.
answered yesterday by BoredToolBox
edited yesterday by schroeder♦
The question is when do phishing campaigns to educate employees cross the line. You are answering "how to better educate them".
– Vipul Nair
yesterday
Downvoted for the reason @VipulNair stated
– Kevin Voorn
yesterday
@VipulNair Isn't "not being able to educate" education gone too far?
– BoredToolBox
yesterday
And the top voted one says the exact same thing.
– BoredToolBox
yesterday
I don't know whether this applies to your case or not, but one potential problem may be if your expectations about user awareness are higher than the security norms put into use. For example:
- You may educate users to always check the https certificates, but at the same time some internal web sites may use self-signed or expired certificates, or even require submitting usernames and passwords through plain unencrypted http.
- Or you may educate users that all official internal tools reside on your company domain, but in reality you use popular third-party services like Gmail or Slack connected with OAuth.
While the first example is an actual issue with the infrastructure, the second one is a safe practice paired with out-of-date recommendations. I have seen both happening in the wild, and in these cases the principles that you are trying to teach cannot be applied in day-to-day practice and may ultimately lead to confusion and failure to comply.
answered 17 hours ago by Zoltan
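One way to find the mismatch Zoltan describes before it undermines the training is to audit the login pages users actually visit against the two rules being taught. The script below is an added example for this thread, not code from Zoltan's answer or from any tool mentioned on the page; the company domain, the sanctioned third-party list and the sample inventory are constructed placeholders. It classifies each URL as on the company domain, on a sanctioned third party (Zoltan's second case, where the training text should change), or unknown, and it flags what would contradict "always check the certificate" (plain http, self-signed, expired, or a verification failure; Zoltan's first case, where the infrastructure should change). `fetch_cert` is the one network call and uses Python's default verifying TLS context; the offline sample inventory is in the same shape it returns.

```python
import socket
import ssl
import time
from urllib.parse import urlparse

# Constructed placeholders, not values from the thread: substitute your own
# company domain and the third-party services you actually sanction.
COMPANY_DOMAIN = "example.com"
SANCTIONED_THIRD_PARTIES = {"slack.com", "google.com"}


def _host_in_domain(host, domain):
    """True if host is domain itself or a subdomain of it; a look-alike such as
    notexample.com does not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_login_url(url, company_domain=COMPANY_DOMAIN,
                       sanctioned=SANCTIONED_THIRD_PARTIES):
    """Return 'internal', 'sanctioned-third-party' or 'unknown' for a login URL."""
    host = urlparse(url).hostname or ""
    if _host_in_domain(host, company_domain):
        return "internal"
    if any(_host_in_domain(host, d) for d in sanctioned):
        return "sanctioned-third-party"
    return "unknown"


def fetch_cert(host, port=443, timeout=5):
    """Connect with the default verifying context: (cert_dict, None) when the
    chain verifies, (None, verify_message) when it does not (self-signed,
    expired, wrong name). Only network call in this script."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as err:
        return None, err.verify_message


def _rdn_to_dict(rdns):
    """Flatten the ((('commonName', 'x'),), ...) tuples from getpeercert()."""
    return {key: value for rdn in rdns for key, value in rdn}


def cert_findings(url, cert, verify_error=None, now_seconds=None):
    """List what about one site contradicts 'always check the certificate'."""
    now_seconds = time.time() if now_seconds is None else now_seconds
    if urlparse(url).scheme.lower() != "https":
        return ["plain-http"]          # credentials would travel unencrypted
    if verify_error:
        return ["verify-failed: " + verify_error]
    if cert is None:
        return ["not-checked"]
    findings = []
    if _rdn_to_dict(cert.get("subject", ())) == _rdn_to_dict(cert.get("issuer", ())):
        findings.append("self-signed")
    not_after = cert.get("notAfter")   # OpenSSL text form, e.g. 'Jan  1 00:00:00 2020 GMT'
    if not_after and ssl.cert_time_to_seconds(not_after) < now_seconds:
        findings.append("expired")
    return findings


def audit_inventory(records, now_seconds=None, company_domain=COMPANY_DOMAIN,
                    sanctioned=SANCTIONED_THIRD_PARTIES):
    """records: iterable of (url, cert_dict_or_None, verify_error_or_None).
    Each result says which side must change: the training or the infrastructure."""
    results = []
    for url, cert, verify_error in records:
        category = classify_login_url(url, company_domain, sanctioned)
        findings = cert_findings(url, cert, verify_error, now_seconds)
        results.append({
            "url": url,
            "category": category,
            "findings": findings,
            "fix_training": category == "sanctioned-third-party",
            "fix_infrastructure": bool(findings),
        })
    return results


# Constructed sample inventory in the shape fetch_cert() would return.
SAMPLE_INVENTORY = [
    ("https://hr.example.com/login",
     {"subject": ((("commonName", "hr.example.com"),),),
      "issuer": ((("commonName", "Example Corp Issuing CA"),),),
      "notAfter": "Jun  1 00:00:00 2030 GMT"}, None),
    ("https://intranet.example.com/",
     {"subject": ((("commonName", "intranet.example.com"),),),
      "issuer": ((("commonName", "intranet.example.com"),),),
      "notAfter": "Jan  1 00:00:00 2020 GMT"}, None),
    ("http://timesheets.example.com/login", None, None),
    ("https://example.slack.com/",
     {"subject": ((("commonName", "*.slack.com"),),),
      "issuer": ((("commonName", "Public CA"),),),
      "notAfter": "Jun  1 00:00:00 2030 GMT"}, None),
    ("https://vendor-portal.test/", None, "certificate has expired"),
]

if __name__ == "__main__":
    for row in audit_inventory(SAMPLE_INVENTORY):
        print(row)
```

Run it against the sample and three rows come back with `fix_infrastructure` set (the self-signed and expired intranet host, the plain-http timesheet login, the vendor portal that fails verification) and one with `fix_training` set (Slack, which is sanctioned but not on the company domain). The domain check is deliberately a suffix match on a dot boundary, so a look-alike registered name is reported as unknown rather than internal.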
I'm not sure the size of your organization, but the most practical advice I can offer is that you can go too far when you overthink it.
- Make some spoofy emails, send them to users, see what users do.
We use a tool (KnowBe4): run a few trials against the users, and use that to educate them/get them aware. We capture who passed, who failed, and use the overall process to educate and demonstrate that we educate.
Don't overthink the audience with custom targeting; don't do complicated data analysis... If you are, you are probably wasting time you could spend on the next challenge.
If you see there's spear phishing at your execs or certain folks, engage them personally and often, and maybe do something operational to make sure that if they are fooled, you catch it. By operational change, for example, if someone's trying to get your CFO to release wire payments, then the CFO better have an additional maker/checker process, or get secondary non-email (voice?) confirmation that a wire should go out.
answered 8 hours ago by subs
I suspect that your simulation is using knowledge about your intended targets that no genuine phisher would ever know. That is why they complain about your fakes being too hard to distinguish from the real thing. In a word, you are cheating.
answered 7 hours ago by BoarGules
Not necessarily, there can be malicious actors within an organisation.
– meowcat
3 hours ago
Please review Shannon's Maxim: The enemy knows the system.
– forest
2 hours ago
I would re-word the title from "education" to "testing" or "simulations"
– schroeder♦
yesterday
This question seems to me like it lacks key details. Why are your users claiming that the phishing emails you send them are indistinguishable from legitimate ones? Is it because they truly are (at least with the tools at a normal user's disposal), or is it because they're screwing up? Receiving an email from a person you've not previously had contact with is not inherently suspicious, so it matters how you are measuring failure. Based on them actually handing over sensitive information? Or just based on them clicking a link in an email that they could not reasonably know was fake in advance?
– Mark Amery
16 hours ago
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
10 hours ago
The creation of such a targeted system is completely against the reasoning of GDPR. So yes, you are already far across the line of acceptable. I'm not sure why this question requires an answer; the premise is already breaking several laws in many countries. And that should be indication enough.
– paul23
6 hours ago
Any competent phishing email is indistinguishable from normal ones. What is your education campaign trying to teach them? That old bogon that phishing emails have wacky From lines or Subject lines or misspellings or Engrish? The only way I can possibly think to spot a competent phishing email is to mouse over the link and see where it points. Ever tried to mouse over on a touchscreen? It's a PitA if even possible, because mobile is really feature-restricted.
– Harper
3 hours ago