This blog was written by an independent guest blogger.
Phishing exercises are an important tool for promoting security awareness in an organization. Phishing is effective, simply because it works. Any social engineer can devise a marvelously deceptive message with an irresistible link that only the most tech-savvy person would spot as a phishing test. Sometimes the phish is sent at a time of day that catches the recipient off guard, which leads the person to click the malicious link. These techniques are so effective that even the most experienced people have been fooled, not only by phishing tests, but also by real scams.
As social engineers, it is easy to play on people’s vulnerabilities: their fears, hopes, and dreams. Fears, such as those exploited in scams against the elderly; hopes, such as those used against the optimistically trusting; and dreams, such as those used against the wistfully romantic. However, as with any security practice, we have to temper our thrill of victory, that is, the adrenaline rush of the “gotcha” moment when a person falls for our brilliantly crafted phishing test, with the reality of our true purpose, which is to educate and build trust. With that in mind, we must ask ourselves: when have we gone too far?
For example, according to a report published at the height of the pandemic, Covid-related scams rose to an all-time high. Cybercriminals have been hard at work trying to capitalize on our fears, on our desire to seek information, and more recently, on our desire to become vaccinated.
Has your organization used the pandemic in any recent phishing exercises? How effective were they? Was the “hit” rate high? More importantly, did the people who failed the test thank you for showing them the error of their ways? I doubt it.
I am not stating this merely to make enemies in the security community. As a 20+ year veteran of the industry, I too understand the struggles and frustrations of building a security culture in an organization. However, let’s look to the legal profession for a moment to understand why Covid-based phishing exercises are simply wrong.
The problem at hand is one of our freedom to act recklessly. If we look to the landmark U.S. Supreme Court case of Schenck v. United States, we are met with the famous quote about how freedom of speech does not give one the right to “yell ‘Fire!’ in a crowded theater.”
In a later case, Rochin v. California, the phrase “shocks the conscience” became part of legal doctrine. An action is understood to “shock the conscience” if it is “grossly unjust to the observer.”
Rather than helping an already stressed staff, does a Covid-based phishing exercise achieve anything beyond offending people’s sensibilities and bordering on a cavalier abuse of our “expertise”? There are so many ways to educate our colleagues that such indecorous tactics will probably be counterproductive.
A talented social engineer has enough tools in the arsenal to avoid the need for cheap shots when launching a phishing campaign. Cheap shots do nothing to educate, nor do they make the security team look like a trusted advisor in the quest to improve the protection of the organization. At this point, most people know that criminals will stop at nothing to get what they are after, no matter how distasteful or “unfair” the approach. If our true aim is to educate and build alliances so that security becomes part of the corporate culture, there are better ways to do so than imitating the criminal’s behavior. Before you craft that next great phishing message, consider whether it crosses the line from helpful to harmful to the greater cause.