How to NOT run Simulated Phishing Campaigns: Avoid These Seven Mistakes

Simulated phishing campaigns run by GoDaddy and the Tribune show how easily you can upset your colleagues if you don't pay attention to the details. Here is what to avoid.

February 01, 2021

In 2020 the Covid-19 pandemic struck companies world wide. With the sudden move to the home-office, Bring Your Own Device (BYOD), and even more internal communication going through e-mail, phishing attacks saw a new all-time high .

Companies tried to raise awareness to the issue with their employees by running simulated phishing campaigns. This is a good idea to prepare your employees, but there are some mistakes to avoid. In this article we list seven key mistakes seen in the campaigns conducted by GoDaddy and Tribune Publishing in 2020 which must be avoided.

Disclaimer: These campaigns were not provided by mStorm. This list is not complete but might give you an idea of what to avoid.

Frustrated user working on a laptop

GoDaddy and its Holiday Bonus Fiasco

GoDaddy is a well-known Internet registrar and web hosting company with more than 20 million customers and employing over 7,000 employees worldwide. In early 2020 one of their employees fell victim to a spear-phishing attack as reported by KrebsOnSecurity . This led to one of their customer’s websites (Escrow) being compromised as stated in an official statement . This probably triggered the IT Security team at GoDaddy to work on cybersecurity awareness with all employees to prevent further breaches.

At the end of the year GoDaddy employees received an e-mail informing the recipients of a “$650 one-time Holiday bonus” and asking them to submit personal information as reported by the Business Insider . Two days later around 500 employees were approached by the CISO and told that the holiday bonus e-mail was a fake and part of a simulated phishing campaign to check the employees’ resilience against these attacks. The employees were also told to “retake the Security Awareness Social Engineering training”.

This awareness campaign caused a severe backlash and the CEO of GoDaddy had to acknowledge that the test did “hit a raw nerve” in a follow-up company internal Townhall meeting, as reported by the Copper Courier .

We put together our thoughts on the key learnings from this campaign here.

1. Employees should be given a chance to spot discrepancies in simulated phishing e-mails.

Looking at the simulated phishing e-mail, it can be seen that the “From” address reads happyholiday@godaddy.com. Even at a second glance, it still looks legit and seems to come from the company domain. This would lead the employee to trust the contents as it seems to originate from a company internal, rather than from an external source.

The e-mail further has no identifying features to help differentiate it between being real or fake. The main idea behind phishing campaigns is to leave little hints to ensure that the employees spot the ambiguities, pay attention and learn to identify untrustworthy e-mails. We do not know for certain if there were other hints in the e-mail, but give your colleagues a chance to spot the phish.

This led the employees to feel that they were forcefully tricked by a much to real looking e-mail and they were not given a fair chance to recognize the scam. It is important to craft simulated phishing e-mails to be a source of learning rather than trying to get everyone to fall victim.

2. Anonymity is crucial!

The employees were completely oblivious to what had happened until the Chief Information Security Officer (CISO) sent a follow-up e-mail informing them to retake the security awareness training. This gave the employees the impression that they have been targeted by the CISO personally. The follow-up e-mail also fails to mention anywhere that the identity of those who failed in the campaign will be kept anonymous or that they would not face any negative consequences. Failing to provide assurance sends out the wrong message that the employees are being punished rather than being trained.

Likewise, the employees now have a bias towards the CISO whom they hold responsible and accountable for tricking them.

This can be avoided by keeping all the stakeholder parties anonymous through partnering with an external IT Security company, who can be a neutral third party. Also notification of the tricked employees should be done through a piece of software, not a human, as this saves the employees some embarrasment.

3. Inform the failed employees immediately!

It was only after two days that those employees who gave out their information were informed of the simulated phishing campaign. In the meantime they might have already made plans to use the promised bonus and would also be looking out for the bank transfer. Imagine the anger, dissapointment and frustration that was caused when it was revealed that not only the bonus was a lie but also the users were penalized by having to take the training again.

Having your employees know about the campaign as soon as they have fallen for it avoids all the confusion. Informing them right away about the simulation e-mail so that it does not hinder or surprise them later should be one of the main priorities while conducting any sort of phishing campaign.

4. Testing should be followed by immediate web-based training.

The goal of conducting simulated phishing campaigns is to train the employees and raise awareness. In the current scenario the CISO invited the failed employees after two days to take up the training again. This delay probably caused a loss of context for some employees if they were away on vacation or occupied with other urgent matters. The training might also be received as tedious or seen as counterproductive.

Hence redirecting victims to a short crisp interactive web-based training right away ensures that they learn and remember the relevant actions while still being in context.

Tribune Publishing’s Disastrous Bonus E-Mail

Tribune Publishing is a popular American newspaper and online media publishing company having many subsidiaries such as the Chicago Tribune, the New York Daily News, the Baltimore Sun, and so on. In September 2020 The Vice reported that around eight of the publishing houses had received e-mails promising executives “targeted bonuses between 5,000 and 10,000 dollars”. This was a simulated phishing test.

Though the e-mail had identifying features of a phishing e-mail, it incurred the wrath of the employees and forced the company to issue a public apology for being insensitive. It was also reported by the Head Topics that the “community-submitted (phishing) template” of an external security awareness platform was used to create the phishing campaign.

The Tribune publishing also offered bonuses just like the GoDaddy example above, the key learnings from us are as follows.

5. Inform employees about phishing campaigns!

It makes sense to use the element of surprise in a simulated phishing campaign. But it is also equally important to give a generic warning to employees beforehand that they should expect such campaigns in the near future. Out of the blue campaigns might lead to the employees being at crossroads and not knowing how to act.

Informing them in advance to watch out for such campaigns keeps them aware and alert against real phishing attacks that might be carried out by cybercriminals.

6. Train before testing.

Employees might not be aware of what phishing is and hence might be unaware of how to spot attacks. They might be even unsure about what steps to take if they feel that the e-mail, they have received, looks suspicious.

Thus, it is recommendable to address these issues by educating the employees in advance so that they are well prepared for any phishing tests or real-life attacks sent their way.

7. Context and situation of phishing campaigns are important.

One of the main reasons for the employees of Tribune being angry was the context of the e-mail. It was reported that there were widespread job cuts, reduced funding, and other actions carried out by the company before the simulated phishing e-mail was sent. Thus, when baited with fake bonuses, it was received with ill taste and hurt the feelings even more leading to severe backlash and forming the opinion that the management was insensitive towards the employees’ situation.

This could have been avoided by not simply using custom templates for phishing but by talking to experienced experts in IT Security and having them run the entire campaign.

Conclusion

The above are only a couple of examples picked arbitrarily over the last months and this list is not complete. They show, that if done incorrectly simulated phishing campaigns can be very counterproductive and can seriously upset your employees.

The question for IT managers boils down to if they want to run simulated phishing campaigns themselves or hire experts to conduct them.

If you want to run your own campaigns please keep the hints above in your mind. On the other hand if you are thinking about hiring experts to do it, or you just have a question, we are looking forward to hear from you .

Click here to learn more about our service for running simulated phishing campaigns (mStorm-AM) .