Here’s how not to do a phishing test

A test from Oregon Health & Science University shows why the goal of scam education should be education, not shaming.

Mickey McDougall


It seems to happen almost on a cycle: the Army in 2014. Tribune Publishing in 2020. GoDaddy just a few months later. Yes, we’re talking about the phishing tests that result in a high-profile backlash from angry users.

This time, Oregon Health & Science University found itself in the crossfire after it sent staff a bogus email promising up to $7,500 in assistance to those “experiencing financial hardship as a result of the coronavirus pandemic.” And this is academia we’re talking about, where armies of poorly compensated, indebted adjuncts, untenured faculty, and grad students already widely complain of exploitation, so it’s not hard to see why this struck a nerve.

One tweet from a person who appeared to be a PhD student at OHSU asked “Is this a joke???” and got nearly 160,000 likes. The American Federation of State, County, and Municipal Employees Local 328, the union representing some OHSU employees, issued a statement that read, in part, “our members are subjected to the whims of OHSU’s worst ideas and behaviors.” OHSU, which said the email was a clone of a real phishing attack and part of regularly occurring exercises, eventually apologized.

“First and foremost, we want to sincerely apologize to the OHSU community,” OHSU spokesperson Sara Hottman told IT Brew in an email, calling the way the test was carried out a “mistake.”

“The real scam was insensitive and exploitative of OHSU members—and the attempt to educate members felt the same way, causing confusion and concern,” the statement continued. “We intend to learn from this event and implement preventive measures to keep a similar incident from happening in the future.”

While training users not to click on phony offers of cold, hard cash is one of a security department’s duties, so too is building trust (and hopefully avoiding mass outrage).

It’s not about punishment

Experts who spoke with IT Brew emphasized that phishing simulations should be paired with training beforehand. The goal should always be educating users rather than leaving them feeling shamed or exposed to punishment.

“The first mistake is focusing on the undesired behaviors, so not looking at good behaviors,” Theo Zafirakos, CISO at cybersecurity training firm Terranova Security, told IT Brew. He said organizations should also measure the “good behaviors,” such as “how many people reported the message, how many people went out of their way to notify the IT desk.”

Tony Anscombe, chief security evangelist at ESET, acknowledged that mimicking bad guys might involve some dirty tricks, but believes it is necessary.

“Any phishing test needs to be as good or at or the equivalent of, or, if not slightly better, than a phishing attack that you might receive from a cybercriminal,” Anscombe told IT Brew. “Somebody shouldn’t be held to account or publicly shamed for clicking the test because it is educational.”


Don’t do it just to play gotcha

Experts told IT Brew that phishing simulation programs shouldn’t come out of nowhere, even if the actual email does. Even when they’re preceded by comprehensive training, institutions can often fail to convey the intent and purpose behind the training, or its importance to users’ safety and security on and off the job.

Daniel Pienta, an assistant professor of information systems and business analytics at Baylor University, said that sometimes organizations can go too far in trying to trick recipients, creating scenarios that would be difficult for an attacker to pull off in the first place.

“I think what a lot of companies do and a lot of security officers do is to trick people, rather than make this an exercise that really tests [whether you] can identify a phishing email,” Pienta told IT Brew. “They have such contextualized knowledge of their employee base and so much information that they can really make these tests easily manipulated in their favor.”

According to Pienta, sometimes organizations carrying out phishing simulations “bypass the technical countermeasures that would traditionally flag an email as phishing,” such as the use of an actual .edu account that is “really hard for a cybercriminal to get because it’s highly regulated.” Instead, attackers would typically mask the actual originating domain, he said, which would usually be caught by an email system with security measures in place. A phishing test using an actual .edu account would “inherently almost [be] tricking the individual that way.”

Other ways security offices might stack the deck in favor of a phishing test, Pienta said, include letting attachments that would normally be flagged pass through the filters, or sending the email from a trusted internal account, particularly when that account is protected by multi-factor authentication and its compromise would therefore represent a much larger security failure than a single click.
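The two criticisms above (Pienta's point that simulations often bypass the controls a real attacker would have to defeat, and Zafirakos's point that programs should score reporting and other good behaviors rather than only clicks) can both be turned into a pre-run and post-run review of a campaign. The following is an added example, not code from the article or from any vendor's simulation product; the organisation domain `example.edu`, the `CampaignConfig` fields, the sample message headers, and the outcome records are all constructed for illustration.

```python
"""Pre-run fairness review and post-run scoring for a phishing simulation.

Added example, not from the IT Brew article. Assumptions (all hypothetical):
  - ORG_DOMAINS lists the organisation's own mail domains.
  - CampaignConfig mirrors the knobs a simulation tool exposes for
    waiving the mail gateway's attachment filter or allowlisting a sender.
  - Outcome records are what a simulation tool would export per recipient.
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

ORG_DOMAINS = {"example.edu"}  # hypothetical organisation domain


@dataclass
class CampaignConfig:
    raw_message: str                       # the simulated lure as it will be sent
    attachment_filter_bypassed: bool = False
    sender_allowlisted_in_gateway: bool = False


def sender_domain(raw_message: str) -> str:
    """Return the lowercase domain of the From: header (empty if absent)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def fairness_findings(cfg: CampaignConfig) -> List[str]:
    """List ways the campaign would bypass controls a real attacker faces.

    An empty list means the lure has to get past the same defences an
    outside phishing email would, which is what the test should measure.
    """
    findings = []
    dom = sender_domain(cfg.raw_message)
    if dom in ORG_DOMAINS:
        findings.append(
            f"lure is sent from internal domain '{dom}'; an outsider would have "
            "to spoof it and SPF/DKIM/DMARC checks would normally flag that")
    if cfg.attachment_filter_bypassed:
        findings.append("attachment filtering waived for this campaign")
    if cfg.sender_allowlisted_in_gateway:
        findings.append("sender allowlisted in the mail gateway, skipping "
                        "reputation and authentication checks")
    return findings


@dataclass
class Outcome:
    user: str
    clicked: bool
    reported: bool
    minutes_to_report: Optional[int] = None


def score(outcomes: List[Outcome]) -> Dict[str, float]:
    """Score a campaign on good behaviour as well as failures.

    resilience_rate counts people who reported without clicking; time to
    first report tells the SOC how quickly a real lure would be noticed.
    """
    n = len(outcomes)
    clicked = sum(o.clicked for o in outcomes)
    reported = sum(o.reported for o in outcomes)
    resilient = sum(o.reported and not o.clicked for o in outcomes)
    report_times = [o.minutes_to_report for o in outcomes
                    if o.reported and o.minutes_to_report is not None]
    return {
        "recipients": n,
        "click_rate": round(clicked / n, 3),
        "report_rate": round(reported / n, 3),
        "resilience_rate": round(resilient / n, 3),
        "minutes_to_first_report": min(report_times) if report_times else None,
    }


# Constructed sample data (hypothetical, for demonstration only).
INTERNAL_LURE = """From: Benefits Office <benefits@example.edu>
To: staff@example.edu
Subject: Financial hardship assistance
Content-Type: text/plain

Click here to apply.
"""
EXTERNAL_LURE = INTERNAL_LURE.replace("benefits@example.edu",
                                      "benefits@example-edu-support.com")
STACKED_CAMPAIGN = CampaignConfig(INTERNAL_LURE, attachment_filter_bypassed=True)
FAIR_CAMPAIGN = CampaignConfig(EXTERNAL_LURE)
SAMPLE_OUTCOMES = [
    Outcome("u1", clicked=True, reported=False),
    Outcome("u2", clicked=False, reported=True, minutes_to_report=4),
    Outcome("u3", clicked=True, reported=True, minutes_to_report=30),
    Outcome("u4", clicked=False, reported=False),
    Outcome("u5", clicked=False, reported=True, minutes_to_report=12),
]

if __name__ == "__main__":
    for name, cfg in [("stacked", STACKED_CAMPAIGN), ("fair", FAIR_CAMPAIGN)]:
        print(name, fairness_findings(cfg) or ["no findings"])
    print(score(SAMPLE_OUTCOMES))
```

Run before the campaign, `fairness_findings` gives the security office a written record of which defences the lure skips, so that decision is made deliberately rather than by default; run afterwards, `score` reports the reporting and resilience rates alongside the click rate, which is the figure that usually ends up in the executive summary on its own.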

Pienta’s research found a “deep and dramatic effect” among workers who do have privileged access to data and fail a test, whose “ability and competence after the training decreases.” He said that’s probably because it undermined their confidence in their own knowledge of phishing techniques.

In some highly regulated industries, particularly finance, multiple failures have resulted in termination.

“Do you jeopardize some of your top employees’ health, job satisfaction, and well-being just to see if they get tricked by a phishing email?” Pienta asked.—TM
