Does Simulated Phishing Really Work?
- Advosec

- Aug 4, 2022
Is it time for employers to accept the complete burden of combatting phishing emails, or should employees be accountable as well?

For years, businesses have either considered or adopted the practice of sending simulated malicious emails to their employees, typically of the kind that tries to deliver malicious code or obtain sensitive information. Cybercriminals have used this social engineering tactic successfully against both individuals and businesses, and it is often the root cause of much larger and more damaging attacks, such as ransomware or widespread breaches of corporate and customer data. The problem has grown so large that an estimated six billion attacks are expected to take place by the end of 2022.
Of those estimated six billion attacks, roughly 30% of the emails are expected to be opened, meaning organizations will find themselves in a potentially harmful situation roughly 1.8 billion times this year alone. Unfortunately, many organizations are exposed to a major security incident if just one of these attacks succeeds.
The numbers are staggering, and the odds overwhelmingly favor cybercriminals in this ongoing battle. To thwart these attempts to compromise businesses and take advantage of their employees, organizations have deployed a number of preventative and protective controls: email gateways for advanced filtering, endpoint protection, ongoing monitoring of systems for faster identification and response, security awareness training for all employees, and other controls not covered here.
While security awareness training is an effective tactic and gives employees the education they need to identify and report attempted phishing, it is far from a silver bullet and rarely reduces the risk of phishing to an acceptable level. For this reason, businesses have turned to an additional level of security awareness training: simulating common phishing attacks against their own workforce. These campaigns are often sent to all employees, and if an employee takes certain actions with the email (e.g., clicks an embedded link), that action is recorded as a failure of the campaign. The intent is to show employees examples of phishing emails in a controlled manner, ideally before they receive a similar one from a criminal.
Do these campaigns work?
The short answer to this question is - sort of. While employees are certainly an asset in combatting phishing attempts by cybercriminals, and simulated phishing can improve general awareness, the burden falls on the employer to implement technical controls that filter phishing emails out of their mail systems before delivery, and protective controls that prevent either the sharing of sensitive data or the execution of malicious code. Furthermore, punishing employees who repeatedly fail a simulated campaign is unproductive and harmful to overall morale.
It is well known that a single employee's mistake with a phishing email is enough to cause a significant security incident, and it is unreasonable to assume any organization can provide enough education to prevent even one such mistake. Therefore, it is time for employers to stop relying so heavily on employees to identify and report phishing emails and instead invest properly in their own technical infrastructure to combat the issue independently.
For more information about preventative controls and phishing defense techniques, please contact info@advosec.com