Phishing continues to be one of the biggest threats to network security, which has led to “ethical hacking” being used to protect against it. If you’re wondering why methods like ethical hacking and pen testing are necessary to stop phishing, just take a look at the sobering phishing statistics. According to some of the more recent numbers:

    • Phishing attacks account for more than 80 percent of reported security incidents
    • $17,700 is lost every minute due to phishing attacks

“Fake phishing” emails are a valuable training tool for managed service providers (MSPs). This type of simulation is common across many disciplines. For instance, a property owner will sometimes donate an old barn or house to a fire department, which will then set it ablaze (with safety protocols in place) and practice putting it out.

Such a “controlled burn” or real-world simulation can prove to be invaluable in terms of gaining data and insights that textbooks or online simulations can’t replicate. Like a “controlled burn,” real-life replicas of phishing emails provide some of the best insights into what type of emails employees are clicking on and which ones people are more prone to “falling for.”

Still, there are best practices that must be followed when setting up phishing simulation encounters with employees.

For instance, sending out an email telling an employee that they will lose their home if they don’t resolve a debt could cause psychological stress. You don’t want to be in a situation of causing an employee to experience medical issues, simply so you can test your phishing training’s effectiveness.

Q&A on ethical hacking and pen testing

Smarter MSP caught up with Dr. Paul Witman, Director and Professor, Masters in Information Technology at California Lutheran University, to ask him about the dos and don’ts of setting up fake emails.

Q: The term “ethical hacking” has been used to describe the deliberate transmission of fake emails to test employee training, but what are some of the ethical pitfalls of sending a phony email to an employee?

A: Certainly, those fake emails should not be designed in terms of their content to cause personal injury or damage to the individual – they’re used to test the effectiveness of the company’s cybersecurity awareness training. However, it is important to know that your employees are alert to potential threats and that they have an opportunity to learn (in a reasonable way) the potential cost of inattentiveness. Punishing an employee severely for a first mistake would be one example of where an ethical line might be crossed.

Q: When a company or their MSP wishes to do pen testing, what are some do’s and don’ts of ethical hacking? (i.e., is it like a DUI checkpoint where you have to announce ahead of time when/where? Are there things you shouldn’t put in a pen-testing email to get a person to click?)

A: There may be guidelines for “when” provided by management for the testers to help prevent any impact to productivity. Still, criminals don’t announce their activity to potential targets, so it’s unlikely to be a good idea to tell employees when the phishing test will happen. One might do that for a fire alarm to prevent injuries, but a phishing test carries a different set of risks.

Depending on the management’s relationship with employees, policies, legal structures, etc., the pen test could pose a (justified) risk to the employee’s job status. Depending on the nature of the test email (they often try to create a sense of fear, urgency, or greed to provoke quick action), some of those things may trigger psychological stress for some people.

Q: And what are we trying to accomplish with this type of testing? (i.e., find out which employees are most susceptible? What kinds of emails do people tend to open? The types of senders successful phishing emails come from? All of the above?)

A: In the broadest sense, we’re trying to test whether our SETA training (building sensitivity to security risks) is working, and if not, how to fix both the training program and employees’ response to it.

Q: When done correctly, is pen-testing using fake emails a reliable/valuable tool for educating workers about phishing dangers?

A: Valuable, yes; reliable, maybe. People are always under stress in the workplace, and both criminal hackers and security trainers/testers can be creative and clever. There’s a lot of activity in this space to deliver training and test for compliance. Companies should assess their risk, train, and test appropriately.

Q: How should a company or an MSP communicate with an employee who “falls for” a fake pen-testing email?

A: That begins with policy and training – employees have to know in advance what the rules are and what the stakes are. It’s not reasonable (in my view) to discipline someone if they fall for a test that they were never educated on. The discipline needs to fit the error.

Q: Do you think of “phishing testing” as more of a disciplinary tool, teaching tool, or research tool? What is its primary value?

A: Primary value is the assessment of training effectiveness and policy adherence. It could be considered a research tool if you’re in the business of delivering security training. But for the target company, the primary goal of “fake phishing” is to ensure that training is effective and that the risk of phishing success is reduced.

Photo: por_suwat / Shutterstock

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.