Phishing Tests – Why we’re missing the point
It is estimated that up to 85% of all successful cyber attacks can be attributed to spear phishing as the initial attack vector, so it is only logical that more organisations conduct phishing tests to determine the risk levels within their own organisation. Yet, increasingly, we see that organisations are missing the crucial points of phishing tests and actually causing more damage by misrepresenting the true level of risk. We have been lucky enough to deliver the Cyber Stars Initiative in over 25 countries in the last 12 months, yet the approaches to phishing testing and the questions that we get are concerningly similar whether it be the UK, US, Australia or Brazil. So, what are we misunderstanding and how do we get it right?
- The false perception that the aim is to achieve as low a click rate as possible, as soon as possible. High click rates are far too often seen as a failure. We work with so many organisations in regulated sectors that work towards minimal click rates to prove that their risk is low for the benefit of the regulator, regardless of whether it reflects the actual risk. First and foremost, phishing testing should be about replicating how your organisation would respond to a phishing based attack from a mature and capable threat group. The most frequent responses we get to our campaigns are: “We thought that the emails were difficult to spot” or “Can you make them easier to spot next time?”. As we all know, threat actors are not sitting out there contemplating how to make their malicious activity easier to identify, so our campaigns should not be easy either; they should reflect realistic levels of threat, and only then are we in a position to profile actual risk. Our campaigns are developed by social engineers and accurately reflect a realistic attack. In addition, education and culture change take longer in the cyber world than they do with physical risk, as we are not conditioned in the same way to accept it and change our behaviours. We don’t physically see cyber risk in the way we see physical risk, and as such our behaviours are slower to adapt. Phishing campaigns should be conducted regularly and improvements expected, yet it is unrealistic to expect a 0% click rate following a small internal awareness campaign: cultural change takes time.
- The process of sending one mass email to everyone does not replicate a targeted spear phishing campaign against a business. Many organisations fail to see the difference between phishing and spear phishing. Spear phishing involves sending specific emails to targeted individuals and almost always involves an element of social engineering or exploitation of digital footprint. Most mass phishing campaigns will be picked up by spam filters and email based infrastructure, yet spear phishing is far more successful because it is much more personal. Campaigns should reflect how criminal groups operate. Other than the obvious “whistle blowing” as soon as the first person receives their email, a mass mailing does not reflect the protection that your infrastructure does provide. Campaigns should be built around specifically developed email themes, focusing on the individuals who are the most exposed and testing a range of greed and grievance based motivators. It would be rare for effective criminal groups even to consider mass emails to everyone within a business, so it makes little sense for us to conduct tests in a way that does not replicate the threat.
- We are obsessed with click rates. Yes, click rates matter, and over time we all want to see that exposure reduced, yet there is far more risk analysis that can be done with effective phishing campaigns. We can profile demographics within our business by department, seniority, education level and other factors to really drive training needs analysis. We estimate that about a third of organisations do that, and it’s a good start. Yet what about considering geographic location and system access? As we are increasingly connected to wireless networks, we need to think more about how and where people may be executing malware. As an example, a business may have a 60% click rate in its call centre, yet there are no critical systems in that call centre and as such the impact of malware may be less severe. The same business may, however, have a 25% click rate in a centre in which the systems that are critical to its operational continuity are located. If networks are not effectively segregated (which they rarely are), then those 25% could be far more of an operational risk to the business than the 60% in the call centre. We also need to think about devices: increasingly we see “bring your own device” and remote working cultures, yet often without policy. The crossover between professional and personal risk is greater than ever. The risk analysis from phishing campaigns should provide far more insight than click rates.
- Education focuses on short term solutions and not long term behavioural change. Unfortunately, there are far more ineffective cyber awareness training programmes out there than effective ones, as they focus on short term solutions from a business perspective. A common mistake is that businesses focus solely on how people should interact with email and not enough on them as individuals, or on why they may receive spear phishing emails in the first place. The most common negative messages include “be suspicious of emails you do not recognise” or “do not click on email links or attachments”. Spear phishing emails are increasingly difficult to identify, and many people receive links or attachments hundreds of times a day, so such guidance, even when absorbed, is impractical. We need to focus far more on the social engineering aspect of phishing. Encouraging people to use the internet in a responsible way, minimising digital footprint risk and reducing individual vulnerability to social engineering enabled attacks is the most effective way to encourage engagement from the wider workforce. Nobody likes to be seen as vulnerable, and by highlighting that vulnerability we see the greatest levels of positive behaviour change. Enabling people to engage with personal exploitation and risk is a far greater motivator for behaviour change than “if you click, we could be fined”.
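The click-rate point above (60% in a call centre with no critical systems versus 25% in a centre that hosts them) can be made concrete by weighting each click by what a compromised host in that department can reach and by the device it happened on. The following is an added illustration, not code from the Cyber Stars Initiative; the campaign records, the criticality weights and the BYOD multiplier are all constructed assumptions.

```python
from collections import defaultdict

# Constructed campaign results for illustration only (not real client data):
# one record per recipient as (department, device, clicked).
# 12 of 20 call-centre staff clicked (60%); 5 of 20 in the operations centre (25%).
CAMPAIGN = (
    [("call_centre", "managed", True)] * 12
    + [("call_centre", "managed", False)] * 8
    + [("ops_centre", "managed", True)] * 3
    + [("ops_centre", "byod", True)] * 2
    + [("ops_centre", "managed", False)] * 15
)

# Assumed impact weights (illustrative): what a compromised host in each
# department can reach on a network without effective segregation.
CRITICALITY = {"call_centre": 1.0, "ops_centre": 5.0}
# Assumed weight for an unmanaged (BYOD) device the business cannot patch or monitor.
DEVICE_WEIGHT = {"managed": 1.0, "byod": 1.5}


def click_rates(records):
    """Per-department click rate, the figure most programmes stop at."""
    clicks, totals = defaultdict(int), defaultdict(int)
    for dept, _device, clicked in records:
        totals[dept] += 1
        clicks[dept] += int(clicked)
    return {d: clicks[d] / totals[d] for d in totals}


def risk_scores(records):
    """Per-department exposure: each click weighted by the criticality of the
    systems it can reach and by the device it happened on, averaged over headcount."""
    weighted, totals = defaultdict(float), defaultdict(int)
    for dept, device, clicked in records:
        totals[dept] += 1
        if clicked:
            weighted[dept] += CRITICALITY[dept] * DEVICE_WEIGHT[device]
    return {d: weighted[d] / totals[d] for d in totals}


def ranked(scores):
    """Departments ordered highest first, so the two metrics can be compared."""
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    rates, scores = click_rates(CAMPAIGN), risk_scores(CAMPAIGN)
    for dept in ranked(scores):
        print(f"{dept:12s} click rate {rates[dept]:.0%}  weighted risk {scores[dept]:.2f}")
```

Ranked by raw click rate the call centre comes first; ranked by weighted risk the operations centre does, which is the training and segregation priority the raw figure hides.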
We are getting one thing right: we do need to conduct email based tests to measure the level of risk within our organisation. These tests should drive policy, risk assessment and training needs, and therefore need to be an accurate representation of that risk, not just the lowest figure we can achieve for the regulators. Cyber Awareness Month is approaching in October, and as well as our campaigns with large multinationals we are offering 33% off any initial spear phishing campaign and analysis for new clients classed as small or medium businesses looking to reduce their cyber risk.
by Barry Searle
Director of Cyber Stars Initiative