Simulated phishing campaigns – goals, forms and their problems
Phishing attacks are nothing new, but regardless of the size of the company, they are a major threat to any organization that uses phishing campaigns to test and improve the resistance of their employees to phishing attacks. But what does a phishing campaign consist of? A phishing campaign is generally a practice in which the institution simulates phishing messages and sends them to its employees. Here you will find the most important information about phishing campaigns, their goals, design forms, associated potential problems and their informative value.
What are the goals of simulated phishing campaigns?
Phishing campaigns can have different goals. The three most important are:
- the survey of the current state of the institution with regard to its resistance to phishing attacks,
- The exploitation of a phishing message as a so-called teachable moment to train the employees and finally
- a scientific evaluation of a security awareness measure.
A possible indicator of employee resistance to phishing attacks is the reporting of detected phishing attacks. The presence of high error rates could, for example, reveal the need for corresponding security awareness campaigns or training and provide a basis for a budget increase in the IT / information security and / or data protection area in order to finance such measures.
When viewing a phishing attack as a teachable momentIt is assumed that someone who falls for a simulated phishing message through this experience immediately afterwards is particularly receptive to security awareness measures. For this reason, exactly when the person has found himself in the role of the potential victim, he receives the necessary information for dealing with phishing messages and in particular how to recognize and report them. At this point, a distinction must be made as to whether the security awareness measure only pursues the purpose of clarification or whether it already includes an evaluation of the security awareness measure by also recording the number of potential victims. Simulated phishing campaigns can also be used to evaluate security awareness measures.
Different Forms and Goals of phishing campaign
What they all have in common: In a phishing campaign, various fraudulent messages are sent to the staff of the institution over a certain period of time. We often associate phishing messages in a corporate context with communication via email. Phishing messages can, however, be sent via different message channels and so the execution of the phishing campaigns also differ depending on the channel. The distinguishing criterion can thus be the news channel on the one hand, but also the type of dangerous content, the degree of difficulty of phishing attacks and the strategies pursued by attackers. The content of the message and the sender type (e.g. the sender is a person or an institution) can also vary.
It is also important who is responsible for running the campaign. The campaign can either be carried out by people within the institution or by external third parties commissioned by the institution. If external third parties are commissioned, the decision remains whether the messages are sent internally or externally. Further important differentiation criteria are the period of execution and the number of messages sent in this period. In addition, the different ways of dealing with a phishing message and the form of the announcement of the phishing campaign itself must be taken into account. The announcement can be more or less detailed. Among other things, contexts are also conceivable in which the campaign takes place without notice.
Depending on the ultimate goal of the phishing campaign, the collection of the data would refer to different values. Examples of this would be the survey of the number of people who carry out the corresponding undesired action per phishing message (e.g. providing sensitive data) or the survey of the number of people who report or delete a phishing message.
Finally, the results can also be reported in different ways and relate, for example, to all employees, individual groups or individual message types.
What problems can phishing campaigns pose?
Phishing campaigns generally aim to increase the security level of the organization in the long term. But especially for the period during which the campaigns are carried out, they massively reduce this. There are special risks if
- the messages are sent externally,
- the security check is adjusted (and thus reduced),
- there are no clear reporting and inquiry processes in the institution,
- the phishing campaign and the associated tasks and expectations of employees are not clearly communicated and
- the reporting and inquiry system is not adequately prepared for the additional burden of the campaign.
From a legal point of view, it should be noted that the staff or works council must be included in the design of a phishing campaign and, under certain circumstances, information must be kept secret until the campaign is completed. In addition, it must be clarified whether an anonymous evaluation of the results is necessary or whether a pseudonymized evaluation is sufficient under labor and data protection law. The question also remains to be clarified whether it is necessary to inform employees in advance. The consequences of extensive prior communication with employees could have a negative impact on the informative value of the results. On the other hand, a small amount of information can have a negative effect on trust in the organization and even exacerbate individual security problems.
An essential aspect to be considered is that a bad result must not have any consequences under labor law. It is important that the employees are fully informed at the latest after the end of the campaign.
In addition, copyrights must be checked in the case of simulated phishing messages, especially if phishing campaigns are not carried out exclusively in-house. Here, too, the effects on the informative value of the campaign must be taken into account.
Last but not least, the effects on the working atmosphere should be taken into account. As already mentioned, running a phishing campaign can have a negative impact on the culture of trust and error.
Taking security considerations into account, it can be stated that employees should be informed in detail in advance. Phishing messages should not be simulated by employees themselves or by external providers. Functioning reporting and inquiry processes are required. Likewise, employees must be given sufficient time to process their messages and handle any security issues that may arise, even if this can reduce employee productivity.
How meaningful are phishing campaigns really?
One of the most important factors influencing the informative value of phishing campaigns is the amount of information provided to employees. It is inevitable that a large number of employees will be more skeptical than usual in anticipation of a phishing message and will seek advice from colleagues more often. Others may be so averse to the company “attacking” its employees that they deliberately respond to phishing messages (including not just simulated ones).
It is important that an established reporting and inquiry process is in place before the phishing campaign begins. This process must involve reporting, not deleting messages. Because there can be numerous reasons for not interacting with phishing messages and is therefore not a clear indicator of negative interaction. For example, the message was not seen at all because the person was on vacation or sick or because it was not relevant to them or a colleague had already made them aware of this phishing message. Employees should also not be told that they should not inform their colleagues, because that is exactly what is necessary in reality.
The number of false positives should also not be ignored. In other words, messages that were considered phishing messages, even if they were legitimate.
In particular, the informative value of a phishing campaign depends on the simulated messages. A basic principle is: the easier it is to recognize it, the “better” the results. In order to represent reality as precisely as possible, the simulations would have to depict real attacks. For this, however, messages from employees and external providers would have to be used, the disadvantages of which have already been described. Overall, the meaningfulness should always be seen in relation to the simulated phishing messages as well as in relation to the changes to the infrastructure.
In summary, the expressiveness is extremely controversial in general and especially in specific forms. At the same time, the effort for a phishing campaign, in which the newly generated security problems are minimized and which is legally compliant, is extremely time-consuming. It should not be forgotten that with every simulated phishing campaign the problems regarding the relationship of trust and self-efficacy remain. Therefore, the different costs outweigh the benefits that have not really been proven. Accordingly, it is recommended to implement other measures to increase IT security in your own organization.