On UFOs, Bonus Checks, and Nigerian Princes: Phishing Gets Complicated
I was thinking about UFOs the other day.
I don’t do this often, mind you! But I had received a press inquiry about UFOs and phishing.
The question: would social engineers build scams and phishing attempts off recent UFO stories? My reply: Of course they will … and how nice to have an uncontroversial topic to phish employees about! (I’ll admit my third thought was, is this even a serious question?)
Unidentified Flying Phishing Attempts
Turns out there can be serious questions about UFOs. After all, reports Becky Bracken in ThreatPost, a recently passed piece of legislation charges the Pentagon with releasing a report on data the government has gathered about UFOs, and a watchdog site called The Black Vault just released a treasure-trove of CIA documents about its investigation into sightings of unidentified flying objects.
Soon enough, we’ll learn what the government knows about UFOs. And soon after that, I’d wager we’ll see the phishing emails begin.
You can picture how these phishing attempts will go: “Click here to see UFOs that have been sighted near you,” or “Enter your Social Security number here to see whether your data has been accessed by aliens.”
If you can’t imagine that you’d click on such a prompt, that’s okay: it’s not for you. A lot of the phishing out there isn’t even trying to catch skeptical people. It’s trying to catch the gullible, knowing that the person gullible enough to click that link is likely also gullible enough to cough up some money, financial information, or credentials.
For me, it’s not a question of IF we’ll see UFO-related phishing and social engineering, it’s when. Because we know that scammers are going to use anything that triggers an emotion or enough curiosity to override people’s innate skepticism. It’s why we see so much phishing around COVID, elections, taxes, and sex. The very things that make us scared or apprehensive or horny break down our caution and make us a little stupid. And we click.
UFOs and Other Things You Can Phish Your Employees About
The good news is, if you’re running a simulated phishing program at your company, it’s probably safe to create phishing prompts about UFOs. In fact, I’ll add UFOs to my short list of topics that are probably safe to phish about:
- UFOs (my newest addition to this list)
- View the latest celebrity pictures here
- Claim your free vacation package
- Claim your gift card
- You just won X
These are safe because they generally fall into the “too good to be true” category or because you just don’t expect them to show up in your work inbox. You’re unlikely to get complaints from employees that you’re playing dirty with your phishing program on these; they’ll be too embarrassed. It’s a pretty short list and I’m sure you could add to it.
The Great Gray Area: Phishing Gets Complicated Fast
But get past these easy few, and phishing employees starts to get ethically complicated and, let’s face it, risky.
You’d think, for example, that it would be safe to send out a password phish, maybe “Update your password” or “Check your password strength,” but you had better not make it look like it comes from your IT team, whom employees are supposed to trust.
You’d think you could ask people to “Click here to claim your tax refund,” but don’t be surprised if you get a nasty-gram from the IRS telling you that it’s illegal to masquerade as a government agency and, by the way, they’re understaffed, underfunded, and too overwhelmed with real phishing to deal with simulated phishing.
You’d think you could send a “Nigerian Prince” email—you know, the one where you are promised a cut of a fortune if you can help out a wealthy Nigerian prince. The Nigerian prince email (the classic advance-fee or “419” fraud) is among the most common scams ever deployed—but if you don’t handle it carefully, it could be perceived as racist.
No matter how you justify it—arguing that real cybercriminals are trying to trick people all the time and all you’re doing is trying to harden people to the real attacks—you’re going to ruffle some feathers, and the intensity of the response may correlate with how senior they are. It’s inevitable: you can communicate your intentions in advance and be kind when you notify people that they’ve been “caught” all you want, but you’ll never get past the fact that people don’t like being tricked.
Many people continue to phish their employees, fully aware of all the dangers identified above. Personally, I don’t have a problem with it as long as it’s done with a high degree of communication, transparency, and kindness. I think of it like climbing dangerous mountains or racing on a track: you’re aware of the risks and take them on advisedly because of the inherent rewards. Ultimately, though, you are playing a game with complicated ethical quandaries that you better face head on.
Bonuses and Other Things You Shouldn’t Phish Your Employees About
I believe you can run the ethical gauntlet of a phishing program without getting yourself in too much trouble. But I think you also need to keep a sharp eye on certain “third rails” of phishing, topics so sensitive that they can blow up in your face and put you in the national news.
The clearest example of “too hot to phish” topics is the employee bonus. Twice this year, bonus-based phishing campaigns blew up into headline news.
First, the troubled Chicago Tribune sent out emails tempting those employees who had not been laid off to click here to learn how big their bonus was. Second, web services provider GoDaddy asked employees to enter their address to claim their year-end bonus. In both cases, employee outrage prompted a storm of press coverage and hasty apologies from the companies.
If you’re running a phishing program, stay away from employee bonuses! But you better tread carefully with these topics as well:
- COVID-related content (this was a hot discussion topic in the early months of the pandemic, which Forrester analysts covered well here and here)
- Sexual topics (the “you’ve been identified as an adulterer” phishes seem particularly risky and risqué)
- Confrontational messages (there was a brief flurry of “hey &*^%*” phishes a while back that really got people’s attention)
- Impersonating executives (with or without their permission)
Perhaps you’re beginning to suspect that phishing your employees is a pretty complicated business.
Think about it: you’ve got control of a communication tool that you require employees to use, and you are intentionally seeding it with dirty tricks, daring people to react to them. You are trying to trick your employees!
In the end, when you run a phishing program, you’re always just one offended employee away from an incident, so the best thing you can do is either stay out of the kitchen or be prepared to withstand a little heat. Or, send an innocent UFO phish. Who could object?