This article originally appeared on CSO Online.
We’ve all heard the saying “all is fair in love and war,” but what about when it comes to simulated phishing?
Is there a limit to how far we should go in attempting to emulate the trickery and deceptive tactics of the cybercriminals who bombard our employees with increasingly devious emails?
Let me present a couple tactics we’ve seen phishers use to try to break down our employee’s defenses. I’ll then consider the ethical and legal implications of using those same tactics ourselves as we send simulated phishing attempts to try to educate people.
Exhibit A: Tax Time Phishing
Beginning in late January of each year, a familiar phenomenon pops up, just as workers across the U.S. are getting their W2s from employers and starting to think about filing their taxes. Employees of all stripes begin to receive emails allegedly from the IRS, offering information about refunds or overdue taxes or some other item that is sure to alarm and entice taxpayers who already find tax time confusing and a little stressful.
If you paste the IRS logo on the email, it’s even worse. It’s a scourge for the IRS, who has for years been very publicly telling American taxpayers that it will not contact them by email about their taxes, and asks taxpayers to report this fraud. Guess what? This public information campaign has worked, and the IRS gets flooded with reports of these scams.
Exhibit B: Name Brand Phishing
You all remember the Google Docs phishing scam from earlier this spring? Hackers had expertly copied the familiar branding of Google to trick recipients into clicking a link that gave the hacker full access to the victim’s address books and attempted to pass the infection along to others.
Google is certainly not the first name brand to be co-opted by cybercriminals looking to leverage the trust that citizens place in big companies. Amazon, FedEx, UPS, retailers, delivery services, etc. all communicate regularly with consumers via email, with shipping notifications, special offers, you name it. And people want and expect these notifications. This makes them great models for both ethical and unethical phishers to use to either steal from people or educate them.
Exhibit C: Shock Tactics
One of the most effective phishing attempts I’ve seen in the last year started like this: “I don’t know why you unethical fuckers think you can get away with this.” It went on to ask me to explain why my company wouldn’t pay the attached invoice the sender wanted me to review. (The guys in IT confirmed the attachment carried a ransomware payload.)
That red hot, shocking email really pushed our team’s buttons. They didn’t like being called “unethical fuckers,” and they wanted to defend their reputation and that of the company. Several folks told me that this one really tempted them—and it should have. It attempted to use shock tactics to break down the usual defenses, pushing the recipient psychologically off balance, hopefully just long enough to deliver the payload.
What Would You Do?
So, if you’re running a security awareness program and are getting ready to send simulated phishing emails out to your employees, which of the above emails would you send? I offer this hypothetical because using any of these types of phishing emails has consequences you should think through in advance.
Consider the following:
Opportunistic phishing simulation program vendors (my company is one of them) know that these emails work—people are genuinely tempted by them—and are eager to use this apparently plausible bait to raise employee awareness about phishing. What better way to teach people about avoiding this click bait than with stuff shown to work?
But if you listen to those in the IRS (whom I’ve spoken with, though cannot quote), we’re not helping to solve the problem. In fact, we’re part of the problem. What results is a slew of reports to the IRS and further stretching an “underfunded” agency whose primary mission is collecting taxes, not simultaneously battling both cybercriminals and the “good guys” who emulate cybercriminals in the name of education. So every tax season, they have to spend time contacting companies like mine, and also the companies we work with, to point out to us that they don’t approve of the use of tax-related email. It’s a pain in the rear for all concerned, especially since we’re all “on the same side.”
Name brands have a similar reaction: they don’t want to be associated with cybercrime in any way, and they often receive complaints from employees being phished with their logos. To these brands, the use of their logos in simulated phishing only causes trouble.
The risks of using simulated phishing that contains offensive language are different, but they also pose the simulated phisher with a real ethical dilemma: do you want to incur the wrath of those in your company who would find it inappropriate, or even abusive, to use such email to educate? We’ve written a couple of these ourselves but are sincerely debating whether we want to have anything to do with it.
Three Sides of the Same Phish
Wasting taxpayer dollars, impugning the integrity of companies who have spent millions to build their brand, exposing yourself to charges of copyright infringement, deeply angering employees who are offended by coarse language. These are all real risks associated with directly emulating phishing emails that are used CONSTANTLY by the cybercriminals who are hammering your organization and tricking your employees.
I think a good case can be made on either side of this difficult issue. It’s logical to claim that you’re only using the tactics employed by the criminals, and you’re doing it with the benevolent aim of teaching employees how to resist. It’s not your fault that these types of phishes work, right? Think of how vaccines work: a benign (dead) virus is administered to allow the human body to inoculate itself against living ones in the wild. Just the same, benign phishing emails emulating seen-in-the-wild tactics can be deployed to employees to help them inoculate themselves against real phishing attempts.
But there’s a powerful case to be made that the “good guys” need to be above such tactics. That is, they should pull their punches by never directly using the brands of real companies or agencies, and following standard HR advice about appropriate communication. Sure, more people will recognize that your emails aren’t real, but you will have followed the law and not offended.
There is a third position I’ve heard one CISO make. He tells all his employees that his team will never attempt to fool them with fake emails. Any suspicious email they receive should be viewed as a real risk and reported immediately. This CISO is very vocal in claiming that he wants no part of deceiving the very people he works with.
So, what would you do?