The Problem with Phishing Simulators

Posted by Stephen Ferrell

We live in an evolved world and work in environments shaped by the largesse of the robber barons and the victories of the labor movement. While there is much work to be done, the workplace of today is generally more civilized and equitable than it has ever been. Sadly, though, phishing attacks are on the rise, and even the best-trained employees often fall victim.

Email security challenges and phishing attacks are not limited to your organization. Everyone, everywhere, with an email address is a potential victim. If you have an ID of any kind, digital or otherwise, you and all the people in your organization are potential victims of fraud and crime. To combat this, the anti-phishing community has developed training and awareness programs coupled with phishing simulators. While these systems have merit, their effectiveness declines as phishing attacks become more complex.

EMAIL SIMULATOR SHORTFALL

For the sake of discussion, let's consider this scenario:

You are at an airport, sitting at the gate and struggling to hear a conference call. Someone distracts you, briefly perhaps, asking for assistance with a bag. When you turn around again, your laptop is gone. Imagine how you feel in that moment: helpless, right?

Now imagine that moments later corporate security arrives to tell you that you've been part of an elaborate scheme to check your vigilance in looking after corporate assets.

Phishing simulators, though well intentioned, can often have a negative effect on employee morale, and unless they are coupled with appropriate electronic prevention methods, their benefit to your email security may be questionable.

Phishing simulators do not, in and of themselves, prevent phish from getting through.

Pushing fake phishing attempts into your associates' inboxes can strengthen phishing awareness, the thought being that you can draw actionable, discernible data from how your associates react. Consider this, though: every phishing attack is completely unique, and each day they grow increasingly complex and difficult to discern. How someone reacts to a fake call to action on a Tuesday may be completely different from how they react two weeks later on a Thursday. And how many phishing simulations will you be able to expose your employees to before the complaints start?

Exposing people to a barrage of fake phishing attacks can have unintended consequences. Otherwise competent and dedicated employees can feel embarrassed and ostracized. Consider, too, the impact on productivity after a fake phishing attack. Many times, phish fakery negatively conditions employees to the point of 'analysis paralysis', often making them less likely to act on legitimate emails. That in turn ties up IT employees, who now spend time fielding questions on the legitimacy of messages that otherwise would have been taken care of.

THE BEST OF BOTH WORLDS: TRAINING AND PREVENTION IN ONE

Given the practical reality of a limited sample size, it is statistically unlikely that the email security practitioner can draw anything meaningful or indicative from simulated phishing attempts. Certainly, if everyone falls for your phish faking, you could pat yourself on the back for a brilliant simulation, or perhaps consider that it might be time to deploy a best-of-both-worlds solution that both trains and actively prevents phishing attacks.

INKY’s Phish Fence treats all email users with equal respect.

Every email is flagged and evaluated to provide your associates with just the right amount of information to keep rolling or hit the pause button. There is no naming, no shaming, and no precious IT resources diverted to crafting fake emails. Email security cannot be achieved through fear. At INKY we know that, and we've flipped the script.

Phishing simulators can be useful. Do your awareness training, sure, but couple it with INKY's next-generation Phish Fence platform: every email will come with a direct and easy-to-understand banner summary that serves as non-invasive, point-in-time training.

INKY deploys computer vision, machine learning and artificial intelligence to create an impenetrable barrier against phishing attacks. At INKY, email security is not a once-and-done activity. Phish Fence evolves each day, which significantly improves our customers' email security posture.

When the phish can’t get through, there is no need to simulate them. Take the INKY Phishing Fitness challenge today and you won’t look back.

INKY - Phight Phish.
