Should You Go Phishing With Your Employees?

Every business owner is aware of the threat posed by cybercriminals. If a hacker were to gain access to the sensitive data about your business, customers or employees, the damage to your reputation and profitability could be severe.

You’re also probably aware of the specific danger of “phishing.” This is when a fraudster sends a phony communication (usually an email, but sometimes a text or instant message) that appears to be from a reputable source. The criminal’s objective is either to get recipients to reveal sensitive personal or company information or to click on a link exposing their computers to malicious software.

It’s a terrible thing to do, of course. Maybe you should give it a try.

An upfront investment

That’s right, many businesses are intentionally sending fake emails to their employees to determine how many recipients will fall for the scams and how much risk the companies face. These “phishing simulations” can be revealing and helpful, but they’re also fraught with hazards both financial and ethical.

On the financial side, a phishing simulation generally calls for an investment in software designed to create and distribute “realistic” phishing emails and then gather risk-assessment data. There are free, open-source platforms you might try. But their functionality is limited, and you’ll have to install and use them yourself without external tech support.

Commercially available phishing simulators are rich in features. Many come with educational tools so you can not only determine whether employees will fall for phishing scams, but also teach them how to avoid doing so. Developers typically offer installation assistance and ongoing support as well.

However, you’ll need to establish a budget and shop carefully. You must then regularly use the software as part of your company’s wider IT security measures to get an adequate return on investment.

Ethical quandaries

As mentioned, phishing simulations present ethical risks. Some might say that the very act of sending a deceptive email to employees is a betrayal of trust. What’s worse, if the simulated phishing message exploits particularly sensitive fears, you could incur a backlash from both employees and the public at large.

A major media company recently learned this the hard way when it tried to lure employees to respond to a phishing simulation email with promises of cash bonuses to those who remained on staff following layoffs related to the COVID-19 pandemic. Users who “clicked through” were met with a shaming message that they’d just failed a cybersecurity test. Angry employees took to social media, the story spread and the company’s reputation as an employer took a major hit.

Plan carefully

Adding phishing simulations to your cybersecurity arsenal may be a good idea. Just bear in mind that these aren’t a “one and done” type of activity. Simulations must be part of a well-planned, long-term and broadly executed effort that seeks to empathetically educate users, not alienate them. Contact us to discuss ways to prudently handle IT costs.