Is Now the Time to Use Coronavirus Phishing Templates?
Just because the bad guys are using coronavirus phishing emails doesn’t mean you should
Cybercriminals kick you when you’re down and try to trick you when you’re at your most vulnerable.
We’re all vulnerable right now: we’re distracted, we’re stressed, and we’re remote.
But shelter-in-place doesn’t mean your awareness program should freeze. If anything, we need to step it up.
For some, stepping it up means being even more relevant and timely with your simulated phishing program.
To Phish or Not to Phish?
But a quiet controversy is brewing around whether or not you should phish your employees with coronavirus-themed templates.
On the side of those who say “yes!” the reasoning is, “the bad guys are doing it so we should, too! How else will our employees be prepared?”
Just because criminals are doing it, does that mean you should too? Is it the best way to educate your employees and to protect your organization?
On the side of those who don’t think it’s a good idea, and see it as possibly unethical, the thinking is this:
- If I cause you to ignore a coronavirus email (for fear of clicking a phish), you may miss critical information in a legit email (possibly from your own HR or benefits department), and that could potentially cause harm to you or a loved one.
- If I phish you and you click (you fail the phishing simulation), instead of creating an educated champion for the cause of security, I may have further stressed out an already overwhelmed employee who just feels “tricked” by the security team and will avoid interaction with them in the future.
What Would You Do?
So should you do it?
I say, “it depends.”
It depends on how your security function is currently perceived.
What’s your “brand”? Are you engaged with your business and them with you? Do people come to you with questions? Is there a healthy demand for your services and very little shadow IT?
Or are you the “Department of No”? Do you have to nudge your way into meetings and projects where you know there are likely security considerations being ignored? Are you the “last to know” about business initiatives that have security implications? (Hint: they almost all have security implications.)
If you’re not already tightly aligned with your business and have good relationships, I recommend against using a controversial phishing template at times like this. It could hurt the cause more than help it. It’s a matter of trust.
The Goal: Build Knowledge and Trust
The goal of training and awareness is to build people up with knowledge in order to strengthen your organization. Everything you do in your program needs to reflect this goal.
That doesn’t mean there isn’t accountability or an escalation process for “repeat offenders.” It does mean that you build people up by adding value, not by tricking them.
“But what about the bad guys sending us actual coronavirus phish? People need to know not to click!”
If you’re relying on your phishing program as the main means to educate your employees, you’re missing out.
It is one tool in your toolbox. It’s a very powerful, effective tool, but it might not be the right tool for these challenging times.
Why Security Awareness Should Not Stop at Phishing
In this on-demand webinar, two MediaPRO subject matter experts discuss why phishing should be an important part of a balanced breakfast when it comes to security awareness, and how to expand your security awareness program beyond phishing.
What We Suggest
If you want to send simulated phishing emails related to the coronavirus, tread lightly and have a comprehensive strategy. Here’s what we suggest:
- If you’re not already phishing your employees but want to start now, don’t start with a coronavirus template. Start with something else that’s also relevant and timely, but less anxiety-charged, like a delivery confirmation and tracking email.
- BEFORE you send a coronavirus phish, run a communications campaign (or a few) to educate your employees on two things:
  - Where they can find trustworthy information on coronavirus. The National Cyber Security Alliance (NCSA) has put together a wealth of information here. You may also want to include links to your local and state health authorities’ websites.
  - Examples of real coronavirus phish sent by bad actors. Include ones found in your own environment or from security researchers.
Additionally, there are other metrics to gather, aside from phishing results, that tell you whether your message is landing: likes and shares on internal social and IM channels like Slack, pageviews and time on page on your intranet site, and opens and click-through rates on newsletter articles. If you’re not sure how to gather these metrics, talk to your corporate comms folks.
If you do still track simulated phishing open and click-through rates, avoid tracking individual performance. Don’t immediately follow your normal escalation process for repeat offenders.
Drive Engagement, Not Fear
Your employees’ anxiety levels are through the roof.
Do you want to add to that with something scary and potentially annoying, or do you want to train them, help them, support them with the knowledge they need to get through these difficult times? Fear makes people withdraw, not engage, and we ultimately want engagement.
What do you think? Reach out to me on LinkedIn and continue the conversation.