Phishing is Failing: 5 Things to Know

By Rick Deacon on March 7, 2016

Phishing and social engineering are the origin of most data breaches. It’s no wonder that security practitioners turn to simulated phishing of their employees to understand their risk. It’s simple, it’s quick, and it seems effective. An automated email is launched from a phishing service, 10,000 people click the simulated phishing link, and the practitioners feel good knowing that they “got em”. The data feels satisfying and there’s the hope that it backs up the $100,000 investment.

There’s a problem, though. What data was retrieved? How? At what cost? How did it affect your workforce? Will the phishing data stand up for itself?

Here are a few things to know before you phish your folks.

1. The Data is Skewed

When a person clicks a phishing link, real or simulated, they’re not necessarily insecure. Their environment - the situation, what’s going on, and when - all play a factor in why someone might click a phishing link. Were they not paying attention because their boss was talking to them? Did they accidentally click while trying to navigate elsewhere? Stuff happens. Relying on an open rate with no context may give you false clues.

2. Employees Won’t Like It

No matter what the vendor tells you, your employees won’t feel empowered. They’ll feel tricked, cheated, and ashamed. Their biggest concern? Their reputation and their job. Tricking employees into clicking a link they shouldn’t have doesn’t drive security to the forefront of their mind.

3. Diminishing Returns

Over time, you’ll see less improvement. Those who learned from their mistakes will continue to not click suspicious links (at least the ones you send) while those who didn't learn will still be clicking.

4. Reduced Productivity

It may not be obvious, but a common outcome of phishing campaigns is reduced productivity. When a person is tricked into clicking a phishing link, and then told to not do so again, they become skeptical of all hyperlinks. Sometimes paranoia is useful, but in this case it’s keeping your people from opening legitimate emails and reducing their efficiency.

5. You Won’t Get the Whole Story

Without collecting sufficient data to understand why a person fell for a phishing attack, you can't paint a clear picture of how to fix the problem. A full spectrum of information is necessary to truly understand your organization’s security posture. Phishing simulations provide just one piece of a much larger puzzle.

It’s obvious that a phishing campaign can produce data and trigger a feeling of accomplishment for an administrator. That said, be aware that sometimes the marketing hype for simulated phishing is more convincing than the results.

To get a more accurate, actionable view of workforce risk, take a holistic approach. Make sure the solution you use has the ability to measure and map multiple problem areas to lead to better security decisions.

Author picture

by Rick Deacon

About Apozy

Founded in April of 2014 in San Francisco, we are a venture-backed motley crew of passionate hackers building cybersecurity technologies to make the world's information faster, cleaner and safer to access.