I failed a phishing simulation

Loryan Strant
6 min read · Dec 12, 2024

There’s quite a bit of humble pie eating required here, as in my previous role — I was the guy running the simulations (along with a partner in crime, who shall not be named).

In that previous role, I would sometimes get pushback on the simulations I ran, as people found them too accurate or too relevant.

Diary of a phishing simulator troll

The email from Microsoft

In one scenario we crafted an email to look like it was from Microsoft, warning them about their account.

When staff felt that the email was too close to the truth, we had to explain that we had used a real phishing email that had been sent to my colleague, and made some of the tells more obvious so as not to be so hard on our colleagues.

The email from HR

In another scenario I sent an email from the HR manager to notify all staff about receiving a return to hybrid work bonus payment. Before sending the email, I obtained her consent, and we actually worked together on crafting the message and language to seem unrealistic.

Some of the comments I received were:

  • If it’s sent from an internal person, it’s not a real test
  • For a message to be sent from her email, several layers of security protections would have had to fail first
  • There was too much bait provided

My response to these was that “if it’s too good to be true, then it is”.

Nowhere else had this been communicated, and any of these kinds of things would normally be shared via a SharePoint news post along with an announcement in a company-wide Team.

And fundamentally, what I would hope is that they would validate with someone first (e.g. HR) before clicking on the link.

The email from payroll

I had sat on this one for a while, but I really wanted to run a simulation with a fake payslip.

Originally, I thought I’d do it from a completely different payroll system to see how many it caught, but in the end chose to fake an email from our actual payroll system.

I also did it on payday.

However, I had the approval of both our CEO as well as finance controller.

Of course, many people clicked it and again complained about how close to reality it was — despite several glaring issues (such as wrong email address, wrong month, etc.).

Phishing simulations are based in reality

While people complain about how close to reality some of the phishing simulations are, they have to understand that it’s not that hard for real phishing attacks to do exactly the same thing.

Email addresses can be harvested from public sources such as LinkedIn.

Staff lists can also be sourced from similar places.

Who to send the emails from (someone authoritative) can again be determined from LinkedIn. Do a search for titles like “People & Culture Lead”, “HR Manager”, “Finance Controller”, “Payroll Officer”, and of course “Managing Director” or “CEO”.

There are plenty of useful nuggets of information out there, especially when you piece them together.

And the payroll email? That’s just a case of throwing something against a wall to see what sticks. Many organisations pay monthly, most likely at either the middle or end of month.

It’s not rocket science.

We often joke that phishing emails have poor grammar or spelling. Imagine if they used a spell checker, or even AI, to help craft a message that looks more accurate.

Different levels of phishing

When I was previously running those phishing simulations, I had a plan to work my way up in terms of complexity.

I was starting with simple simulations to just catch people clicking links.

Then I started moving up to harvesting credentials (which MFA helps with, but doesn’t stop entirely).

I had planned to get to app authorisations down the track but never made it that far, as the behaviours weren’t improving as quickly as I’d like.

Who got caught will surprise you!

(Yes, a clickbait-styled title for a topic that is literally about clickbait.)

It’s easy to assume that IT people should be able to spot phishing emails more readily than non-IT people — but that’s a very bad assumption.

Some of the worst offenders who clicked links in phishing simulations were IT people. And not just once — some of them were repeat offenders.

How do you stop repeat offenders?

It got to the point where we started putting in place an increasing level of repercussions for failing the simulations. One concept considered was:

  • Fail once: automated training via the phishing simulation system
  • Fail twice: conversation with your people lead
  • Fail three times: formal warning & performance management
  • Fail four times: dismissal

Now, this might seem harsh — but you need to think of the consequences.

If someone’s credentials are harvested, and the attacker has access to systems — they can potentially access sensitive information or even breach related systems such as those of clients, suppliers, or other partners.

Depending on what is accessed, there are financial impacts to the organisation. Not just the clean-up process and remediation, but potential brand damage which can result in a loss of revenue.

The worst case would be legal action, and, depending on the country — there may not be cybersecurity insurance available (or it may not cover enough of the financial impact).

And finally, this could ultimately result in job losses — not just of the offender, but of numerous staff due to negative financial impact. Including you.

And you didn’t even click on the link. Someone who you don’t even know clicked on it.

Because that’s all it takes: a single click.

Why did I fail the simulation?

Normally, I’m quite good at spotting phishing emails. And if I’m not sure of the email, then I will just ignore it until I’m ready to review it thoroughly.

In this instance, I was distracted.

I had been travelling for a conference and jumped in an Uber to take me home from the airport. Because I was playing catch-up on work and had a number of things on the go, I was using my laptop in the back seat of the car.

The email in question looked related to another email I had received the prior day, and the sender’s name also looked similar. I very much doubt they were connected, but my brain made a connection, and it instructed my fingers to open the attachment.

It was only then I noticed the email address of the sender didn’t look right. I rapidly closed Outlook, hoping nothing had been registered.

I reopened it a minute later and tried to report the simulation, but it was too late.
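The tells described above (a sender name that resembles a known internal contact while the address itself is wrong, and the “wrong email address” in the payroll simulation) are exactly what a small inbound-mail check can flag before a human gets distracted. The following is an added example, not code from the original post or from any simulation tool; the organisation domain and the internal sender list are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and the internal
# senders whose names phishing emails (and simulations) tend to borrow.
ORG_DOMAIN = "example.com"
KNOWN_SENDERS = {
    "Jane Citizen": "jane.citizen@example.com",  # HR manager
    "Payroll": "payroll@example.com",            # payroll system mailbox
}


def _norm(text):
    """Lower-case and keep letters only, so 'J. Citizen' and 'jcitizen' compare equal."""
    return re.sub(r"[^a-z]", "", text.lower())


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_tells(from_header):
    """Return the list of tells found in a From: header; an empty list means nothing odd."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    tells = []
    if domain == ORG_DOMAIN:
        return tells  # genuinely internal address: outside the scope of this check
    org_label, dom_label = ORG_DOMAIN.split(".")[0], domain.split(".")[0]
    # Look-alike domain: contains the org name, or is within two edits of it.
    if dom_label != org_label and (org_label in dom_label or _edit_distance(dom_label, org_label) <= 2):
        tells.append(f"look-alike domain {domain}")
    for name, known in KNOWN_SENDERS.items():
        # Display name borrowed from an internal contact, but delivered from elsewhere.
        if _norm(display) and _norm(display) == _norm(name):
            tells.append(f"display name '{display}' matches internal sender but address is {addr}")
        # Same local part as an internal mailbox, at a foreign domain.
        if local == known.split("@")[0]:
            tells.append(f"local part '{local}' copies {known} at an external domain")
    return tells
```

Run against a few constructed headers, a genuine internal address and an unrelated vendor return no tells, while an HR name on a look-alike domain returns three.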

Why am I sharing my failure with you?

Last week, the Yarra City Council IT department received quite a bashing about its ill-timed phishing simulation.

They don’t deserve it. They were protecting their staff and the organisation from legitimate threats. Real phishing emails don’t care about your feelings or societal sensitivities. In fact, they prey on them.

People said they felt stupid because they clicked the link, only to find it was a simulation. Imagine if it was a real phishing attack and they clicked the link?

Imagine if sensitive, personally identifiable information was leaked as a result of one person clicking the link.

Imagine if the council had to spend hundreds of thousands of dollars cleaning up the mess because one person clicked the link.

Imagine if more people were now vulnerable to a more targeted attack thanks to this rich vein of data, because one person clicked a link.

When I shared this image of my failed simulation with my previous CEO and operations manager, we had a good laugh at my expense. Why? Because it showed them that even the creator of phishing simulations was himself vulnerable — because I’m human, and humans make mistakes.

If you fail a phishing simulation email this holiday season, or really any time of year — don’t feel embarrassed and get angry at your IT department. Be thankful it was just a simulation, and not a real attack.

Originally published at Loryan Strant, Microsoft 365 MVP.

Written by Loryan Strant

Microsoft 365 MVP, author, cloud guy, thought opinionater, public speaker, distance gazer. Passionate about productivity and life/work balance.