A simulated phishing email that used the false promise of company bonuses as a lure to trick employees has ignited a debate over the ethics of security awareness tests that can engender distrust and hard feelings.
On the one hand, simulations should mimic real-life phishing campaigns as closely as possible, security awareness experts argue. On the other hand, an insensitive training exercise can place your company in bad standing with employees.
The email in question, which was sent last week to employees of Chicago-based Tribune Publishing, told recipients that they would receive $5,000 to $10,000 in bonus payments, "as a direct result of the success created by the ongoing efforts to cut our costs."
The email encouraged individuals to click on a link to find out their reward, but doing so revealed a message that the email was actually a phishing simulation test from security awareness training company KnowBe4.
Justin Fenton, a reporter at Tribune-owned Baltimore Sun, explained in a tweet why the fake phish was problematic: “After slashing our staff, closing newsrooms, furloughing reporters and cutting pay during a pandemic, @tribpub thought a neat lil way to test our susceptibility to phishing was to send a spoof email announcing large bonuses,” he wrote, adding: “Fire everyone involved.”
It's a fine line
SC Media reached out to multiple security awareness and email security experts, who had mixed reactions about the Tribune’s phishing exercise.
Matthew Gardiner, cybersecurity strategist at Mimecast, contends that the phishing test was within bounds: "Cybercriminals have no moral or 'nice' filter as they are attempting to motivate clicks and engagement. Thus, it is perfectly reasonable for a simulation to take the same tact,” he said in an interview with SC Media. “Since money is the universal motivator, it is a very common social engineering technique used by cybercriminals, and thus should also be used in simulations that are intended to test and help staff be more cautious.”
Gardiner noted that cybercriminals often perform reconnaissance on their targets and know how best to entice a reaction from their employees. Thus, “To unilaterally disarm your security awareness training program" by disallowing targeted tests "is only to give a further advantage to the cybercriminals.”
This is why companies like Mimecast and KnowBe4 routinely craft phishing simulations from genuine campaigns they have encountered. "The closer simulations are to reality the better. This way, security professionals don’t even need to guess the approach that cybercriminals would take when targeting their organization," said Gardiner.
In a company blog post addressing the issue, KnowBe4 founder and CEO Stu Sjouwerman acknowledged that some users on Twitter found the test "disrespectful, a slap in the face and tone-deaf," adding that the reaction "is understandable."
While the CEO said that phishing tests should be "sensitive to the existing corporate culture and circumstances," he also said it's a "fine line to walk, because the bad guys don't care about those values at all, and will use any distasteful social engineering tactic to get an employee to click so that they can take over the workstation and shut the whole company down with ransomware."
Sjouwerman said KnowBe4 possesses 5,000 of its own phishing templates that are "known to work" and are rated by difficulty and sorted into categories, including "controversial." Other templates are community-submitted or created from scratch by the user.
Sjouwerman also told SC Media in a separate statement that KnowBe4 did not initiate Tribune Publishing's campaign or suggest the template that was used. "In this instance, they [Tribune Publishing] took a community-submitted template and significantly modified it."
Some experts said the harm of the Tribune test outweighed the value.
“I replied to the Tweet already, expressing my distaste for it,” said Kevin O’Brien, founder and CEO of GreatHorn. “It’s not only ethically questionable, it does nothing to help to train anyone. On the contrary, it will drive staff to distrust security and feel shame and embarrassment, rather than arming them with the information they need to do their jobs more effectively.”
“Security can either be a business partner, empowering employees through process and technology to help make better decisions, or it can be an adversarial ‘gotcha’ group that everyone cringes away from,” O'Brien continued. “What we’re seeing in an exercise like this is the misapplication of training technology. Preying on your users and then snickering at them from the bowels of corporate IT is not how progressive information security organizations operate.”
Lance Spitzner, director of research and community at SANS Institute, also expressed concern.
“You want to replicate what the bad guys are doing, but you've got to be careful and not go too far,” said Spitzner. Otherwise, "you start destroying the trust of your workforce and you start creating a toxic security culture. And that's just what happened here.”
However, at another organization, this type of test may have been completely expected and accepted.
For example, if that exact same phishing email were sent to employees at Lockheed Martin or any defense organization, Spitzner expects people would not bat an eye, because they've been phished for years.
In that case, employees "know the company's not trying to 'trick' them, they know they're targeted by the Chinese and Russians. So, they have a culture where this is acceptable."
But they've also been trained properly. If the Tribune did not do regular phishing simulations previously, starting with this one probably "kicked off all sorts of emotional triggers," said Spitzner. "Unfortunately it's not black or white. It's not binary. It's really about what is acceptable in your organization's culture."
COVID-19 complicates the debate
Similar ethical discussions have cropped up around whether simulated phishing campaigns that leverage crises such as the COVID-19 pandemic are ill-conceived.
By the same reasoning, Gardiner said COVID emails are fair game too – although if the phishing simulation is a good one, it shouldn't be designed to cause panic. According to Gardiner, "cybercriminals don’t want their targets to get their hackles up, but [rather] engage and then forget that they did so. To be maximally effective, simulations need to mimic reality as closely as possible" and not raise too many alarm bells.
"They don’t want to be noticed, they want to steal login credentials, sensitive information, and plant malware," Gardiner continued. "And the longer the organization doesn’t notice, the better for the attacker. The reality of this tends to mollify attackers’ social engineering and thus similarly should guide simulations as well."
Spitzner said it's all in the wording.
"If you send out a COVID-19 email saying, 'Oh my God, half the people in the company are infected with Covid. Click here to find out who got infected,' that's probably going to go badly," said Spitzner. "But if you do a more basic COVID-type theme, something like, 'Are you concerned about COVID? Well, here you can buy masks that are 10 percent cheaper,' that's not nearly pushing the same emotional triggers, but you're still using the same method."
But there are some phishing test lures that companies should avoid entirely, said Spitzner, including Viagra and mail-order bribes. Phishing simulations like these could cause great pain and embarrassment to an employee who gets caught clicking.
To help companies craft more effective phishing simulation tests, the SANS Institute has published a comprehensive strategic guide on the topic. One of its key lessons is to be mindful of employees' feelings and not to use lures that are too emotional or sensational.
"Sometimes the people in charge of phishing programs are very good, but highly technical security people, and they're only thinking of it from the perspective of the threat," said Spitzner. "You need to think about the human factor also."
Tribune Publishing has issued a statement apologizing for the incident, saying: "Last week the company conducted a regular, internal test to assess and reduce its current phishing and malware risk level. Based on input provided by the company’s cybersecurity team and advisors, the content of that test included language regarding employee bonuses. Having fallen victim to attacks of this nature before, the company recognized that bad actors use this type of language regularly and decided to use the language to simulate common phishing scams."
"The company had no intention of offending any of its employees. In retrospect, the topic of the email was misleading and insensitive, and the company apologizes for its use."