In Support of "Evil" Phishing Tests
December 29, 2020
By: William Crumpler

The week before Christmas, GoDaddy sent out an email to its employees, thanking them for their hard work throughout 2020 and announcing that they were eligible to receive a one-time $650 holiday bonus. All they had to do to get their money was follow a link in the email and enter their personal information in a form. More than 500 employees did exactly that. But the email was a fake. GoDaddy’s security team had devised it as a way of testing how the company’s workers would respond if they received a similar email as part of a phishing attack by cybercriminals.
The reaction from many online was swift and severe. Arguing that sending out false promises of holiday bonuses in the midst of such economic uncertainty was cruel, some outlets went so far as to name the phishing test as 2020’s “most evil company email.” This is not the first time a phishing test has attracted criticism. Tribune Publishing faced similar objections this past September, after its own phishing test enticed employees with potential bonuses of up to $10,000.
Rallying sympathy and attention for those workers who have been struggling in the wake of recent economic disruptions is a good and important goal, but the negative commentary surrounding these phishing simulations does more harm than good. The costs of cybercrime are growing, and sending a message to companies that they will face a PR backlash if they adopt one of the most important and successful cyber hygiene practices we know of will only make workers and companies more vulnerable.
Phishing is one of the most common tactics used by cybercriminals today, and involves convincing someone to click on a link or file that is infected with malware. Cybercriminals frequently use phishing as a way to gain initial access to a network, where they can then harvest sensitive data, steal credentials, or inject ransomware onto devices. The scale of the threat posed by phishing is difficult to overestimate. According to Google’s Safe Browsing Transparency Report on unsafe websites, by December 2020 more than 2 million phishing sites had been detected online. GoDaddy itself is intimately familiar with the risks posed by cybercriminals, having suffered a data breach in late 2019 that exposed the account credentials of 28,000 customers.
Protecting against these threats means finding ways to make employees more aware of the threat posed by phishing, and more cautious about clicking on suspicious links. One of the best ways to do this is phishing simulations, in which security teams design fraudulent emails similar to those used by cybercriminals, send them out to employees, and then require anyone who falls for the email to undergo security training that will help them identify suspicious emails in the future.
The fake GoDaddy email replicated many of the most common tactics used in email phishing campaigns. It offered recipients free money that they would lose if they didn’t reply by a certain time (not usually how company bonuses work), and told them that they could only get their bonuses by following a link and filling out their personal information (an odd step for a process that most would expect to be automatic). These tests are meant to help employees be on the lookout for small things like this that may seem off about the messages they receive. Judging by the fact that 500 employees clicked on the link, it seems like the test was both necessary and successful. The people who followed the link will probably be more mindful of what they click on in the future, and can be targeted with security training that has been demonstrated to improve people’s ability to identify phishing messages.
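The "small things that seem off" listed above can be turned into a simple awareness aid. The following is an added example, not code from GoDaddy or the original post: it scores a plain-text email for the red flags the article names (money offer, deadline, link to follow, request for personal information) and adds one check the article only implies, whether the link's host sits under the sender's domain. Both sample messages and all domains are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Red flags from the article: money offer, deadline, link, request for personal data.
MONEY_RE = re.compile(r"\$\s?\d[\d,]*|\bbonus\b", re.I)
DEADLINE_RE = re.compile(r"\b(?:before|within \d+|expires?|deadline|last chance)\b", re.I)
PERSONAL_RE = re.compile(
    r"\b(?:personal (?:information|details)|bank account|date of birth|password)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed lure modelled on the tactics described above (fictional domains).
LURE = """\
From: People Team <hr@example-corp.com>
Subject: Your 2020 holiday bonus

Thank you for your hard work this year. You are eligible for a one-time
$650 bonus. To receive it, follow https://bonus-claims.example.net/claim
and enter your personal information before December 24 or the bonus
will be forfeited.
"""

# Constructed benign notice: same topic, no action, link on the sender's own domain.
BENIGN = """\
From: Payroll <payroll@example-corp.com>
Subject: Bonus paid

Your bonus has been deposited to your account on file; no action is needed.
Details are in the payroll portal at https://payroll.example-corp.com/statements.
"""


def sender_domain(raw_from: str) -> str:
    """Domain part of the From address, or '' if none can be parsed."""
    _, addr = parseaddr(raw_from)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_off_domain(url: str, sender: str) -> bool:
    """True when the link host is not the sender's domain or a subdomain of it."""
    host = (urlparse(url.rstrip(".,)")).hostname or "").lower()
    return not sender or not (host == sender or host.endswith("." + sender))


def flag_message(raw: str) -> dict:
    """Return which red flags fire for one plain-text message, plus a total score."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    links = URL_RE.findall(body)
    sender = sender_domain(msg.get("From", ""))
    flags = {
        "money_offer": bool(MONEY_RE.search(text)),
        "deadline": bool(DEADLINE_RE.search(text)),
        "has_link": bool(links),
        "asks_personal_info": bool(PERSONAL_RE.search(text)),
        "domain_mismatch": any(link_off_domain(u, sender) for u in links),
    }
    flags["score"] = sum(flags.values())  # number of flags raised, 0..5
    return flags
```

A score this high on a message that also asks for credentials or bank details is exactly the kind of email employees should report rather than act on.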
Though critics have taken issue with the particular content and timing of GoDaddy’s email, it is important to remember that these tests are most successful when they expose workers to the same kinds of tactics that cybercriminals would use. Today, everyone knows that if a Nigerian prince promises you millions of dollars in exchange for your bank account information, you shouldn’t give it to him. But that is only because we have been trained through years of news reports and comedy routines to understand that this is a common scam.
An offer of free money is one of the most consistently successful tactics cybercriminals have, especially when it comes under the guise of a trusted organization. Today, a well-crafted phishing email offering employees a holiday bonus if they follow a link is almost guaranteed to get at least a few clicks. That is why it is so important for security teams to simulate exactly that kind of message, so that people will learn not to turn off their natural skepticism to offers of free money just because it is well timed and seems to come from a source they trust.
Cybercriminals will not care if a phishing email comes across as insensitive. They will do whatever it takes to get you to click on the link. If a company decides to make certain tactics off-limits in its tests despite the fact that they pose large risks to the organization, it is not helping its employees. It is only making them more vulnerable by increasing the risk that a large-scale ransomware attack or data breach could cripple the organization and saddle it with millions of dollars in costs. If this were to happen, it wouldn’t just be bonuses that were threatened, but the jobs of everyone at the organization. The pain felt by workers this year has been real, but that should not be used as an excuse to criticize valid and important security practices that help to protect organizations and their employees.
The Technology Policy Blog is produced by the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).