Frequently, when a cybersecurity training manager sends out a controversial simulated phishing attack message that angers a bunch of employees and ends up making headlines, we get called by the media to comment on the story.
Here are some examples of potentially controversial simulated phishing messages:
- You're fired!
- Pending layoffs
- Company is closing
- Company was bought out by a close competitor
- Benefits are being taken away
- New bonus announced
- Common bonus cancelled
- Christmas bonus
I have read many stories of security awareness training managers sending simulated phishing emails with these types of messages, often around Christmas or other national holidays. And they work, if your main goal is getting lots of recipients to respond with a negative action (e.g., providing a password, downloading a document, running executable code, etc.).
Lots of recipients will open them and click on the links inside. Super controversial topics also almost always make a lot of recipients mad. I have heard of senders being disciplined and even fired over them.
Your main goal should not be to see how many people you can “trick” into responding to a particular email test. Your main goal is to most efficiently decrease human risk.
If you are making a lot of co-workers mad or getting disciplined, you are not doing it right.
Security awareness training is the art of addition. You are trying to educate people about human-targeted threats (i.e., human risk management) and get them and senior management to believe in that message and support it. You are trying to decrease human risk by increasing the odds that someone will recognize a potentially malicious message, not respond to it, and appropriately report it. It is harder to do that if you are making many people mad.
One simulated phishing test cannot improve a culture by itself, but it can significantly set back a security awareness training program.
There are one thousand other ways to send good, value-driven simulated phishing campaigns that do not make recipients mad or make senior management question your judgment. When in doubt, chicken out, and send something else. Or at least ask senior management for their thoughts on it before sending it.
If you are making your users angry and creating angst against the entire program, you are not being as efficient as you can be. You will then spend far too much time trying to win back people who are now against the program. And I have never heard of a person who was super mad about a security awareness program who later went on to sing its praises.
Most Attackers Do Not Use Anger-Causing Phishing Lures
Something to keep in mind is that most attackers do not use the most controversial phishing messages that could possibly generate the most clicks. Why? Because those types of messages generate a lot of anger and quickly get shared across the organization. Fake messages would quickly get debunked, and everyone would be warned. That defeats the purpose of a phishing attack.
Phishers want messages that induce people to click or respond, potentially even angering them a little, but not so disproportionately that it actually decreases the effectiveness of the message. They want someone to respond with the requested action who does not figure out right away that they have been tricked. The longer the person who responds goes without reporting the message, the longer the hacker likely has to act on the response. Making people mad and triggering a very quick organizational response does not help them break into places or steal money.
Real World Controversial Subjects May Be Fair Game
Controversial phishing messages are used by real-world phishers. If your organization has experienced similar controversial phishing messages from real-world attackers, this argues for the use of the same type of messages in a simulated phishing campaign.
Here are some examples of messages used in real-world phishing attacks:
Controversial messages are used in real-world phishing campaigns, but not super often. But if your organization has previously been targeted by a real phishing attack, I can see value in using the same (or nearly the same) message in a simulated phishing campaign.
Note: KnowBe4 customers can use PhishFlip to harmlessly defang real-world phishing attacks into simulated phishing tests. It is always great to learn who in your population would have clicked on a rogue link had the phishing test been real.
Again, if a controversial phishing message, even one used in the real world, is going to cause significant anger among your co-workers or senior management, we would rather you avoid it. Anger in the organization creates inefficiencies that can take time to recover from. Instead, when you can, rather than using a controversial topic, see if you can create or use a simulated phishing topic that teaches the necessary skills without provoking a ton of anger.
Do not fight yourself. When in doubt, chicken out. There is no need to end up in headlines…at least for this reason.