In December 2020, the internet domain company GoDaddy sent 500 of its employees an email promising them a $650 Christmas bonus. All they had to do was fill out a form with their personal information.
It was a lie.
Two days later, company employees received an email from the company’s cybersecurity manager stating that “you have received this email because you failed our recent phishing drill.”
That strategy was not well received among employees, who felt deceived. The company even apologized, acknowledging that the email had been perceived as “insensitive”. But a few months earlier that same company, GoDaddy, had reported a cyberattack in which data on some 28,000 employees had been stolen. The origin of that intrusion was that one of its employees had been the victim of a targeted phishing attack.
Phishing drills have been a common practice in companies for years. One of the companies that provides a service to carry them out, Knowbe4, indicated at that time that 17,000 organizations used its platform to send 9.5 million phishing emails to four million users.
But as HBR points out, you have to be especially careful with these types of drills. For example, offering false bonuses can end up damaging the relationship between employees and the company. Studies reveal that, to do them properly, drills should be aimed at groups and not at specific people, and that it is important not to embarrass anyone if, for example, someone has fallen into the trap.
Not only that: it is important to “gamify” the experience and reward those who detect these emails both on the first attempt and on subsequent attempts to encourage employees to learn to be alert to these types of attacks.
Drills that can even be counterproductive
In fact, Google cybersecurity experts advise against this practice. In an article published in May 2024, Matt Linton, “chaos specialist” at Google, recalled how, when fire drills were first introduced, many people were injured in them because the drills were not well designed and people took them completely seriously. It was improvements in construction and regulations requiring fire extinguishers that helped avoid major disasters in cases of fire.
According to Linton, current phishing drills are similar to those first fire drills. Google itself, of course, carries out these drills, sending test emails to employees who have completed the training so that they learn not to be deceived by such messages.
But Google officials themselves indicate that “there is no evidence that the results of these tests result in fewer incidences of successful phishing campaigns.” In one of the studies cited with 14,000 participants, a counterproductive effect was shown for these simulations, indicating that those who “repetitively click” on these emails fail these tests despite recent simulations.
Furthermore, they highlighted, employees end up having a negative perception of these tests, and believe that their company’s security “is playing with them”, which degrades the trust that employees have in the company’s cybersecurity teams.
So while it’s important to teach people how to spot potential phishing messages and alert them to social engineering, trying to trick your own employees doesn’t seem to work. It is much more appropriate to educate employees, inform them how to act, and collect data to improve these ways of fighting phishing. Google also highlighted the importance of investing in recommended security measures such as passkeys or two-step authentication.
Be that as it may, these types of tests continue to be used frequently. Companies like Microsoft, for example, provide detailed documentation on how to launch these kinds of fake email campaigns, and the US FTC even provides a short questionnaire to educate Internet users on how to tell a phishing email apart.
Image | The Sun Feyissa