As the internet has become a bigger part of our lives, phishing techniques have kept up, growing ever more sophisticated in how they target individuals and companies.
Organisations have realised the risk this poses for their teams, and we’ve seen the demand for phishing simulation services grow. The way these services typically work is that they send your team emails that look like phishing emails, but which don’t lead to anything bad happening if someone clicks on a link or shares sensitive information as a result.
Instead, the person finds out they’re part of a phishing simulation, and the fact they took an action in response to the email is included in an aggregated report their team leader (or whoever’s in charge of the phishing simulation at the organisation) gets.
In August 2020, SafeStack Academy launched our very own phishing simulation service: Spotted. You might remember our friendly mascot, Sam the Salamander.
We’d noticed most phishing simulation services weren’t made for the small to medium sized organisations we work with a lot, and we wanted to help meet that need.
So off we went. There’s more to the story (which we’ll get into below) but despite getting positive feedback from our customers and learning a lot, we decided to wind Spotted up six months after launching it.
Why SafeStack Academy stopped offering phishing simulations
We believe everyone has the right to do what matters to them safely and securely, and taking a fear-free approach to cyber security is an important part of how we do things at SafeStack Academy.
It can be easy to feel overwhelmed by what can go wrong with online security, and our goal is to empower people to feel more confident, not more worried.
We built this approach into Spotted, making sure all the communications around it were supportive and reassuring, with an overall message that clicking on a link in a phishing email can happen to anyone and there’s no shame in it if it happens to you. What’s most important is that you know what to do next, and you feel comfortable doing that.
But even with our best intentions, we soon ran into some aspects that didn’t feel right to us.
What message are phishing simulations sending?
There’s no getting around the fact that the last couple of years have been hard for a lot of people. COVID-19 has turned life on its head for many folks, and there are plenty of sore spots a phishing simulation can push on to get “results” — but is it worth it?
We’ve seen phishing simulations that include calls to action (the bit that tries to convince you to do something) like offering bonuses to staff who’d survived ongoing rounds of pandemic-related redundancies and pay cuts, or inviting people to book in for COVID-19 vaccinations.
In phishing simulations, the idea is that the emails are designed in the same way attackers might design them, with the ultimate goal of getting malicious software into an organisation's systems or gathering sensitive information.
There’s an argument that phishing simulations should act just like actual phishers would. Or, to put it another way, that they should do whatever it takes (no matter how mean-spirited) to get the job done. Yuck.
A kinder way of looking at this is to recognise that this approach can create hurt and confusion, and may lead to resentment that’s hard to get over. If all phishing simulations are doing is catching people out to teach them safer online behaviours, there’s got to be a better way.
Is battling tech a good use of time?
On another note, making sure our Spotted messages got delivered came with a healthy dose of technical challenges — but as it turns out, that’s not such a bad thing.
Good news: services like Google Workspace are doing a first-rate job of protecting their customers from dodgy emails. Their spam and phishing identification systems are complex and, as we learned, very effective.
To make sure we could get our simulated phishing messages through to our customers, we needed to get our domains and IP addresses whitelisted — and that caused a lot of extra work for their already busy teams.
We realised fighting Google wasn’t a good use of our customers’ time (or ours), and that it only served to make their built-in security controls less effective — which was definitely not something we wanted to do.
Are phishing simulations teaching the right things?
Our Spotted simulations used the same model as other services, but after a few months we started wondering whether they were teaching our learners what they needed to know.
While encouraging people to take time and care with emails is important, it doesn’t address the fact that most successful phishing attacks look a lot like marketing emails and are intentionally very difficult to spot.
Were we just teaching people not to click on links?
The message of most phishing simulations is something like “Don’t click on links — bad things will happen if you do.” And those bad things might now include your boss getting mad at you for bringing the team’s phishing simulation success rate down.
We all have links we need to click on for a range of reasons. Rather than just teaching people not to click on them, it would be better if we all had some tried and tested ways of knowing whether those links were safe.
Depending on the kind of culture your organisation has — both around cyber security and in general — there’s a chance that fake phishing attacks could just leave some of your team feeling embarrassed or excluded if they get tricked by the simulation.
It could also make them feel wary of all emails from that point on, second-guessing their instincts about what they can and can’t trust. You can imagine the effect this could have on their enjoyment of their work, not to mention their productivity.
This was the last piece of the puzzle for us in realising that it was time to close down Spotted and send Sam the Salamander off into early retirement.
Plus, we already had an alternative that was much more in line with what we wanted to teach: our Security Awareness training programme.
It ticked all the boxes we’d come to realise were most important to us in helping people stay safe from phishing attempts.
- Everyone knows how to spot phishing attacks.
- Everyone knows what to do if they get a phishing email, including how to report it.
- Everyone knows about targeted phishing attacks and how they can reduce their risk.
- Everyone feels safe and confident reporting if their credentials were stolen.
- Everyone practices security fundamentals like multi-factor authentication and keeping their browsers and operating systems up to date.
- Everyone can practice these security actions in a fear-free and safe way through our interactive courses, with no risk of embarrassment.
SafeStack Academy Security Awareness training
Whether you just want to protect your organisation’s sensitive information or you have specific compliance needs, our Security Awareness training can help.
Building on our years of expertise in cyber security, we make sure every course teaches essential security knowledge, skills, and behaviours, and gives you and your team practical advice you can use right away.
Our courses are short (ranging from 5 to 12 minutes) and engaging, and releasing new ones regularly guarantees we’re keeping up with the realities of our ever-changing online world.
What makes security awareness training better than phishing simulations?
Like we mentioned earlier, phishing simulations can easily veer into “don’t click the links” land. And there’s so much more than that to learn about cyber security.
Our Security Awareness training focuses on teaching positive behaviours that people can build into their daily routines. This keeps them safer while they’re at work, while also helping them navigate the online world more confidently in other parts of their lives.
By weaving fear-free cyber security awareness into your organisational culture, you’ll soon see the positive effects — and all without having to make anyone feel bad for clicking the wrong thing.
Because even if someone does accidentally click a link, there are other actions they can learn and take to keep themselves and the organisation safe — like alerting their manager quickly so their account can be reset, or knowing how to apply updates so their device is safer from malware.
Our training programmes are ongoing, so learners build up their toolkit of secure online behaviours over time, reinforcing the fundamental principles as they go. And to really underline their knowledge about phishing, we have a whole course on it.
We’ve had great feedback on our Phishing, Vishing, and Smishing course, with customers appreciating that it provides key learning actions and helps learners develop the skills they need to spot phishing attacks. Our interactive activities highlight what red flags to look for and what steps learners can take to keep themselves safe.
Another important element we cover is building people’s confidence in reporting phishing attempts when they come across them, even if they’ve already interacted with the email. Anyone can be taken in by a phishing scam, even cyber security professionals.
Making sure your team knows who to tell, what process to follow, and that they won’t get in trouble if they’ve already taken some action from the email are all vital for creating a healthy culture around cyber security.
It’s also important to remember that phishing doesn’t exist in isolation. It connects to all sorts of other cyber security topics, like passwords, ransomware, data handling, remote working, and device security — all of which we cover in our Security Awareness programme.
The combination of interactive courses and short knowledge checks in all our courses helps learners practice their new knowledge and test that they’ve understood what they’re learning. Not only can they feel more confident, but their team leaders can see their peoples’ progress and know this training is boosting cyber security awareness across the whole organisation.
Try our SafeStack Academy Security Awareness programme
With remote working looking very much like it’s here to stay and the ever-changing types of phishing emails doing the rounds, staying up to date with security practices has never been more important. We’d love to help you build a culture where everyone feels confident and empowered to stay secure online.
Grab a 14 day free trial today to see how you can build your team’s cyber security superpowers.
We love to hear from you
If you enjoyed reading this blog post or if something sparked an interest, please share it with us. Drop us a line at firstname.lastname@example.org and let us know what you think.