Educating employees through ethical phishing – Kiwibank

Peter Plowman, Senior Manager, Fraud and Security, and Nick Tucker, IT Risk and Security

“No, you can’t trick staff, I can’t approve this!”

This might be the response expected from a manager when first asked whether a simulated phishing email could be sent to employees. However, while not without risk, an internal email phishing exercise can do more good than harm: it is an effective way to train and educate vulnerable staff safely.

The concept is simple: engage employees by sending an email claiming to be one thing, but linking to an educational message about identifying scams. Rickrolling with a purpose…or ‘ethical phishing’ in more technical parlance.

For companies looking for a non-technical action to protect their business from the recent ransomware attacks, this approach is something to consider. Like learning to drive, people can read about hazard identification and give-way rules in theory, but the best way to learn is through practical, safe and (sometimes unpredictable) real-world training. Businesses put staff in charge of machines with direct access to their business life-blood every day. Why wouldn’t you educate and train them in a safe, no-consequence environment?

Isn’t it actually unethical not to?

If organisations do it right (and find an expert in conducting exercises like this), staff will be better prepared to face real world phishing attacks.  Some of the best practice guidelines include:

  • Communicate to staff that you’ll be conducting a cyber security exercise. It often doesn’t make a difference to results, but it gives you another opportunity to educate.
  • Expect some people to be offended. Explain the purpose and effectiveness. Engage your stakeholders early and openly; they often come around.
  • The linked message shouldn’t frighten. No red banners and ‘WARNING’ messages. People panic, close them and don’t get the education.
  • Keep it light and focused on education. Some research suggests using a comic and mild humour. Emphasise that there’s no consequence; it helps to encourage open discussion.
  • This is education, not entrapment. No consequences, no individuals shamed. You’ll get asked ‘who clicked?’ Make sure it’s not tracked and everyone understands why. When it’s used as a stick, this exercise can cross the line into unethical territory and be ineffective. Anyone can be fooled.
  • Don’t make your ‘phish’ perfect. Give them a chance to spot red flags through spelling mistakes, incorrect links, generic greetings, etc.
  • Anyone can be fooled; a percentage will always get caught. The point is to target and educate those who are vulnerable and unaware of what they should look for, while letting others who identify it either report or delete it. Try not to focus on ‘getting the number down’. Think of it as ‘x employees better educated’.
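The red flags the list tells staff to look for can also be checked mechanically, which is a useful way to show trainees exactly which cues gave a message away. The following is an added example, not code from the Kiwibank article: a small Python checker that parses a raw email and reports the same cues a well-trained employee would spot (a sender domain the organisation does not use, a generic greeting, link text that names one address while the href goes elsewhere, misspellings, and pressure language). The trusted domain, the misspelling list and both sample messages are constructed for the demonstration.

```python
"""Red-flag checker for a suspected phishing email (added example, not the
article's code). It encodes the cues the article tells staff to look for as
checks over a raw message. All domains, lists and samples are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.test"}  # constructed: the organisation's own sending domain
COMMON_MISSPELLINGS = {"recieve", "acount", "verfy", "securty", "imediately"}  # constructed
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear account holder")
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "urgent")

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _host(value):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def _body_text(msg):
    """Decoded text of every text part; walk() yields the message itself when single-part."""
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/html", "text/plain")]
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace") for p in parts)

def red_flags(raw_message):
    """Return the human-readable red flags found in a raw email message."""
    msg = message_from_string(raw_message)
    body = _body_text(msg)
    low = body.lower()
    flags = []
    # 1. Sender address domain is not one the organisation actually sends from.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain not in TRUSTED_DOMAINS:
        flags.append(f"sender domain '{sender_domain}' is not a trusted domain")
    # 2. Generic greeting instead of the recipient's name.
    if any(g in low for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    # 3. Link text that shows one address while the href goes elsewhere, or any
    #    link to a host outside the trusted set.
    collector = _LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        target = _host(href)
        shown = _host(text) if re.search(r"\w\.\w", text) else ""
        if shown and shown != target:
            flags.append(f"link text '{text}' actually goes to '{target}'")
        elif target and target not in TRUSTED_DOMAINS:
            flags.append(f"link to untrusted host '{target}'")
    # 4. Clumsy spelling and 5. pressure language ("act now or else").
    words = set(re.findall(r"[a-z']+", low))
    for w in sorted(words & COMMON_MISSPELLINGS):
        flags.append(f"misspelling '{w}'")
    if any(u in low for u in URGENCY_PHRASES):
        flags.append("urgency or threat language")
    return flags

# Constructed sample of a clumsy phish: wrong sender domain, generic greeting,
# link text naming the bank while the href goes elsewhere, misspellings, threats.
PHISH_SAMPLE = """\
From: "Example Bank Security" <alerts@example-bank-secure.test>
Subject: Action required on your acount
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>We detected unusual activity. Please verfy your details immediately at
<a href="http://example-bank.test.login-check.test/verify">www.example-bank.test/verify</a>
or your acount will be suspended.</p></body></html>
"""

# Constructed sample of a legitimate internal notice, for comparison.
CLEAN_SAMPLE = """\
From: "IT Service Desk" <servicedesk@example-bank.test>
Subject: Printer maintenance on Friday
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Priya,</p>
<p>The level 3 printers will be offline on Friday morning; details are on the
<a href="https://example-bank.test/it/notices">service desk page</a>.</p></body></html>
"""

if __name__ == "__main__":
    print("phish:", red_flags(PHISH_SAMPLE), "\nclean:", red_flags(CLEAN_SAMPLE))
```

The checker reports only the cues present in a message; it records nothing about who received or opened it, which matches the point above that the exercise is about education rather than tracking individuals. The same function can be run over the educational landing page's own example message so trainees see the list of cues they were expected to notice.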

Phishing emails are sent almost every day, and everyone with an email address is at risk. By conducting an education exercise, you can decrease the chance of people in your organisation being impacted by a real threat.