Professor Angela Sasse, UCL

Published as part of the Cyber Readiness for Boards (CR4B) Project.

Many companies are concerned about the threat of phishing – employees leaking credentials or allowing malicious code access by clicking  on embedded links or opening attachments in e-mails of unsafe origin. The response has been to try and train staff not to engage with such messages, mostly in the context of simulated phishing campaign. Employees receive emails that – at a glance – look like a phishing attempt, but clicking instead leads the user to a training page. Such pages usually contain information about the dangers of phishing, and how to spot signs that a mail might be unsafe.  Effectively, these campaigns are a form of penetration testing the staff. Many companies buy toolkits to conduct these, and can also opt for a fully managed phishing-as-a-service from an external provider the likes of Accenture[1] or Deloitte[2] and other major tech consultancies – the global phishing protection market was estimated to exceed $1bn in 2020[7]

To many organisations, this might seem like the only way to counter the threat of phishing. Running such campaigns in an enterprise is not without its problems, however.  Understandably, security providers try to train employees to spot and identify the typical messages the attackers use. These are most often e-mails masquerading as coming from popular online brands and social networks.  Like attackers, the service providers create fake websites with domain names only slightly off – in ways that most people do not immediately notice. We have recently seen reports of a legal dispute between Facebook – which considers fake domains and messages as trademark infringement – and a security service provider[3]

The risk of trademark infringement is one that Melanie Volkamer, Franziska Boehm and I highlighted last year in a paper on the drawbacks of simulated phishing campaigns[4].

Other possible legal issues come from certain stipulations of employment law. Even when a company has the legal right to test its staff, falling victim to an attack (even simulated) coming from their own organisation is something few employees appreciate.  It’s a strongly negative experience, and yet another reason social media platforms don’t want to be associated with phishing messages in any way.  

Those responsible for security in organisations – and those who choose to conduct such simulations – believe being caught out motivates staff to learn more about phishing. However, research on behaviour in security has shown that self-efficacy[5] – confidence in one’s own ability to successfully do something – is a key pre-condition for embarking on behaviour change. And when you have just been phished, your confidence has certainly been zapped. Furthermore, as leading behaviour expert B. J. Fogg puts it, motivation is over-rated: even strong motivation burns out quickly when the task faced is too difficult. 

Distinguishing between legitimate communications and well-crafted phishing messages is extremely difficult – and increasingly so as the perpetrators continue to innovate. As the NCSC guidance on phishing[6] states, it is difficult even for experts. What about senior professionals who often have to work their way through upwards of a hundred e-mails every day, many with embedded links and attachments, most of which are legitimate? How many employees can afford to “Take 5” – (what? minutes?) – as some campaigns advise? Many employees now discard or report perfectly legitimate messages, to the chagrin of suppliers and customers – or the HR department who paid for an external provider to run employee satisfaction surveys, but get few responses.

The attraction of phishing campaigns lies partly in the fact that conducting them gives companies the feeling they are doing something. The other part is that click rates are one of the few quantitative metrics that can be reported to audit and risk committees, and to boards.  The human and productivity costs are less tangible and as such, not so easy to quantify, but are nevertheless real. And that is before you find yourself in court for infringing a trademark.

You can raise awareness of phishing attacks among the staff without attacking them. Training can take place in a dedicated safe space when staff can focus on the message they are presented with, ask the trainers – security experts – their questions, and share experiences with each other. In times of COVID and working from home, companies rely on staff more than ever to actively engage with security issues – to follow guidance, but also report incidents and seek additional information when needed. Effective security requires engagement, trust and cooperation. Constant worrying about being pen-tested and found wanting doesn’t sit well with these.