Should You Go Phishing With Your Employees?


04 Nov

Every business owner is aware of the threat posed by cybercriminals. If a hacker were to gain access to the sensitive data about your business, customers, or employees, the damage to your reputation and profitability could be severe.

You are probably also aware of the specific danger of ‘phishing.’ This is when a fraudster sends a phony communication (usually an email, but sometimes a text or instant message) that appears to come from a reputable source. The criminal’s objective is either to get recipients to reveal sensitive personal or company information or to get them to click on a link that exposes their computers to malicious software.

It is a terrible thing to do, of course, but should you give it a try?

An Upfront Investment

Many businesses are intentionally sending fake emails to their employees to determine how many recipients will fall for the scams and, by extension, how much risk the companies face. These ‘phishing simulations’ can be revealing and helpful, but they are also fraught with hazards, both financial and ethical.

On the financial side, a phishing simulation generally calls for an investment in software designed to create and distribute ‘realistic’ phishing emails and then gather risk-assessment data. There are free, open-source platforms you might try, but their functionality is limited, and you will have to install and operate them yourself without external tech support.

Commercially available phishing simulators are rich in features. Many come with educational tools so you can not only determine whether employees will fall for phishing scams but also teach them how to avoid doing so. Developers typically offer installation assistance and ongoing support as well.

However, you will need to establish a budget and shop carefully. You must then regularly use the software as part of your company’s information technology (IT) security measures to get an adequate return on investment.

Ethical Quandaries

As mentioned, phishing simulations present ethical risks. Some would say that the very act of sending a deceptive email to employees is a betrayal of trust. Worse still, if the simulated phishing message exploits particularly sensitive fears, you could incur a backlash from both employees and the public at large.

A major media company recently learned this the hard way. It tried to lure employees into responding to a phishing simulation email by promising cash bonuses to those who remained on staff following layoffs related to the COVID-19 pandemic. Users who ‘clicked through’ were met with a shaming message telling them they had just failed a cybersecurity test. Angry employees took to social media, the story spread, and the company’s reputation as an employer took a major hit.

Plan Carefully

Adding phishing simulations to your cybersecurity arsenal may be a good idea. Just keep in mind that they are not a ‘one and done’ activity. Simulations must be part of a well-planned, long-term, and broadly executed effort that seeks to educate users with empathy rather than alienate them. Contact us to discuss ways to handle IT costs effectively.