The IT Pro Podcast: Are phishing tests a waste of time?

Phishing remains one of the oldest and most persistent attack methods for hackers trying to break into an organisation, and potential targets continue to use simulated phishing attacks as one of the primary ways to ensure their staff are ready to defend against it.

However, these spoof attacks aren’t always well-received, and employees can frequently feel unfairly trapped or caught out by these tests. Appearing on this week’s podcast to discuss why phishing simulations are often so poorly received, the value that they offer as part of a wider security strategy and how organisations can deploy them more effectively is Paul Watts, ex-CISO, former IT Pro Panellist, and distinguished analyst for the Information Security Forum.

Highlights

“I'd be lying if I said I haven't been implicated in a couple of phishing exercises that might be maybe cutting it a little bit close. But, you know, you've got to have a sense of emotional intelligence, you've got to understand how your business is thinking and feeling, and there are some areas where you probably shouldn't venture. But what I would say is this: phishing plays on the significance of social engineering to threat actors. And unfortunately, social engineering plays on basic raw human emotions.”

“One of my most favourite phishing campaigns or simulation exercises we did was we wrote to all of the senior leaders to say, your Avios miles are going to expire in the next few days. It was an absolute frenzy. The PAs were mustering to log in and spew their details into this, because God forbid you're going to take an exec's airmiles or airline privilege away from them! It just comes back to exactly what I said; you press the right buttons in the right order, and people will lower their shields and they will fall for it.”

“It's easy to talk about the number of incidents, but more valuable is talking about the times you nearly got caught and celebrating that. And building on that, and that culture that actually, the right thing to do, to be celebrated is to call out when you think something's happened, or you responded to something that you perhaps shouldn't have done, or you're in any way uncertain. To know that you can do that without fear of reprisals, or recriminations or punitive actions is absolutely critical; you can then start to think about what are the most specific threats to your organisation right now, and then focus on those.”

Read the full transcript here.

Footnotes

• What is phishing?
• What makes for the most deceptive phishing attacks?
• Five giveaways that show an email is a phishing attack
• Kaspersky finds most effective phishing emails imitate corporate messages, delivery notifications
• Microsoft unveils wide-scale phishing campaign that circumvents MFA
• LinkedIn phishing attacks have surged 232% since start of February
• One in eight Americans would fall victim to a phishing attack
• 10 quick tips for identifying phishing emails
• Report: IT staff fail phishing tests more often than non-technical workers
• Phishing scam convinces US government to pay $23.5 million to cyber criminals
• Almost half of UK employees can't spot email scams
• Just 3% of employees cause 92% of malware events
• Train firm slammed over 'bonus' phishing test
• Tribune Publishing staff enraged after phishing test promises $10k bonuses
• How to patch your security without unravelling the relationship with your staff
• Panel Profile: Kantar CISO Paul Watts
• IT Pro Panel: Return to sender

Subscribe

• Subscribe to The IT Pro Podcast on Apple Podcasts
• Subscribe to The IT Pro Podcast on Google Podcasts
• Subscribe to The IT Pro Podcast on Spotify
• Subscribe to the IT Pro newsletter
• Subscribe to IT Pro 20/20