
Is it Acceptable for Companies to Send Fake Phishing Emails to their Employees?

Phishing emails are, unfortunately, part of everyday life. Phishing isn't just a threat to our business; phishing impacts our daily lives. Black Friday is a case in point; in 2022, more than half of emails promoting Black Friday were scams. Phishing is now so prevalent that CISA.gov reports that 80% of businesses have fallen victim to phishing. With figures this high and phishing volumes set to reach new records, is it ethical to send phishing emails to employees to train them to spot phishing attacks?

This is an important question when developing a culture of security and one that TitanHQ explores here.

Did You Know?

  • 92% drop in phishing susceptibility with SafeTitan
  • 62% of employees share passwords
  • $10.5 trillion estimated global cybercrime cost
  • 82% of data breaches involved a human being

Ethical Fake Phishing of Your Employees

Phishing simulation, or "fake phishing", is a method used to train employees to spot the signs that an email is phishing. Simulated phishing exercises aim to change behavior so that when an actual phishing email lands in an employee's inbox, they know how to react safely.

Phishing simulation platforms give an organization or an MSP the capability to create realistic but fake phishing emails that are then sent to employees to test their responses. Advanced phishing simulation platforms offer various features, including pre-configured templates, tailoring of fake phishing emails to specific job roles, and automation. The emails generated by a phishing simulation platform are meant to look realistic and reflect the typical phishing emails an employee is likely to encounter. The problem with sending a fake phishing email to an employee is that it could be seen as misleading them. Following some core principles of ethical fake phishing will ensure the process is successful:

Informed Consent and Transparency

Building a culture where collaboration and trust are shared with your employees is essential. Involving employees in simulated phishing training makes you less likely to have complaints and more likely to have interactive and focused training. Informed consent is intrinsic to the success of simulated phishing training. By obtaining consent at the start of security awareness training and fake phishing, you include your employees in the process and help to establish cultural bridges. This level of transparency is part of the overall process of building a culture of security that makes your employees an essential part of your cybersecurity strategy.

Real-Time Interactive Training

A fundamental part of effective phishing training is to educate. One of the most powerful ways to educate is through interactive sessions, with research showing that interactive learning is more effective. When choosing a simulated phishing platform, ensure it has proven interactive and real-time training. This interactive training provides feedback to employees when they perform an action that would result in a successful phish. This helps employees understand what went wrong, why, and how to prevent doing this in actual phishing attacks.

Train People; Don’t Try to Catch Them Out

Cybercriminals use emotional triggers to elicit behavior that results in an employee performing an action that benefits the fraudster, like clicking a link. However, an ethical simulated phishing campaign should not exploit emotional triggers, such as promises of bonuses. The result is usually unhappy employees. Simulated, ethically considered phishing campaigns can achieve the same result without resorting to underhand emotional tactics. Avoid fake phishing emails that contain sensitive or personal triggers.

Create a Positive Security Culture and Avoid Blame

Simulated phishing training is about education and behavior change. One of the most negative educational experiences an employee can have is being blamed for clicking a phishing link. Cultivate a safe, simulated phishing test that educates and changes behavior, not one that makes employees nervous or angry.


The Benefits of Phishing Education for Employees and Businesses

By performing ethically driven fake phishing campaigns, both the business and the employee benefit:

Company Safety

Phishing severely damages a business: it results in malware infection, ransomware attacks, Business Email Compromise (BEC), and theft of personal data and credentials. According to research by Cisco, 90% of data breaches begin with a phishing email. The cost of a ransomware attack was $4.35m in 2022, according to IBM, and this did not include the ransom. BEC scams are similarly damaging; while costs vary, the total cost of BEC crimes to global businesses comes to around $50 billion, according to an FBI report.

Ultimately, it is essential that employees feel comfortable reporting a cyber-incident, so ethically designed phishing simulations that use real-time interactive education should help to establish this behavior. Timely incident response can help prevent an incident from becoming a full-blown attack.

Fake phishing training works. When SafeTitan is used to train employees using phishing simulation, there is an average decrease in employee phishing vulnerability of 92%.

Read about reducing phishing vulnerability in TitanHQ's "2023 Automated Phishing Simulation Success Report".

Employee Safety

When performed ethically, fake phishing simulations are a positive experience for an employee. Not only do they help to protect a company, but they also help to prevent personal phishing attacks. The phishing training an organization provides will also benefit the person in their personal life, helping them avoid scams. Employees who are regularly trained to spot phishing emails will also feel part of a broader security culture.

How to Fake Phish Your Employees Safely

Phishing simulations are used to train employees on the subtleties of modern phishing and to know how to deal with real phishing emails. Fake phishing is about changing behavior that cybercriminals exploit, such as the urge to click on an urgent request. Performing ethical fake phishing requires planning and execution with a moral stance. The following considerations will help you to develop your ethically driven phishing simulation program:

Plan the Fake Phishing Campaign

Think ethically when planning your campaign. Remember to train; don't trap. Phishing training is about understanding how cybercriminals exploit behavior and changing that behavior. Use phishing templates to generate realistic phishing campaigns, but don't use the same crude emotional triggers that cybercriminals do: avoid emotional triggers and underhand tricks such as salary increases and promotions, as there are better ways to elicit and change behavior.

Co-Opt Your Employees into the Campaign

Tell your staff that you will be sending out fake phishing emails and obtain their informed consent. By being transparent with your team, you will help to build trust. Group cooperation is a human instinct; use known encouraging behaviors such as feeling part of a group and conforming to a social norm.

Use Real-Time Educational Interventions

Make the training interactive and informative. Advanced phishing simulation platforms, such as SafeTitan, provide interactive training sessions. For example, suppose an employee clicks on a phishing link in a fake email. In that case, the simulator will pop up an on-screen training exercise explaining to the employee what they did to trigger the incident and what would have happened if this was real. It also explains how to avoid this behavior in real-life phishing incidents.

Do a Post-Training Analysis

After the training sessions:

  1. Offer a post-training analysis with feedback.
  2. Offer employees further help understanding the subtleties and complexities of sophisticated phishing threats.
  3. Encourage them to report any incidents, explaining that you have a no-blame security culture.
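The four steps above (screen templates for emotional triggers, send only to employees who gave informed consent, then analyse results without singling anyone out) can be enforced in a small campaign-management script. The following is an added example written for this page; it is not TitanHQ or SafeTitan code, and the trigger word list, roster and event logs are constructed for illustration.

```python
"""Simulated-phishing campaign helpers: template screening, consent-based recipient
selection, and no-blame aggregate reporting. Constructed example; not vendor code."""
from collections import Counter
from dataclasses import dataclass

# Emotional triggers the campaign must not use (salary, bonuses, promotions, job loss).
# Constructed word list; extend it to match your own policy.
BANNED_TRIGGERS = ("bonus", "salary", "pay rise", "promotion", "redundancy", "layoff", "termination")


def screen_template(subject: str, body: str) -> list[str]:
    """Return the banned triggers found in a template; an empty list means it passes."""
    text = f"{subject}\n{body}".lower()
    return [t for t in BANNED_TRIGGERS if t in text]


@dataclass(frozen=True)
class Employee:
    email: str
    department: str
    consented: bool  # informed consent recorded when the programme was explained


def select_recipients(staff: list[Employee]) -> list[str]:
    """Only employees who gave informed consent receive simulated emails."""
    return [e.email for e in staff if e.consented]


def _rates(c: Counter) -> dict:
    sent = c["sent"]
    return {
        "sent": sent,
        "click_rate": round(c["clicked"] / sent, 3) if sent else 0.0,
        "report_rate": round(c["reported"] / sent, 3) if sent else 0.0,
    }


def campaign_metrics(staff: list[Employee], events: list[tuple[str, str]]) -> dict:
    """Aggregate per-department and overall rates from (email, event) records.

    event is one of: sent, clicked, reported. Only counts and rates are produced,
    never a list of who clicked, which keeps the post-training analysis no-blame.
    """
    dept_of = {e.email: e.department for e in staff}
    counts = {}
    for email, event in events:
        department = dept_of.get(email)
        if department is None:  # ignore events for anyone not on the roster
            continue
        counts.setdefault(department, Counter())[event] += 1
    result, total = {}, Counter()
    for department, c in counts.items():
        total.update(c)
        result[department] = _rates(c)
    result["overall"] = _rates(total)
    return result


def susceptibility_drop(before: dict, after: dict) -> float:
    """Relative reduction in overall click rate between two campaigns, in percent."""
    b = before["overall"]["click_rate"]
    a = after["overall"]["click_rate"]
    return round(100 * (b - a) / b, 1) if b else 0.0


# Constructed roster and event logs for two campaigns run some weeks apart.
STAFF = [
    Employee("ana@example.com", "finance", True),
    Employee("ben@example.com", "finance", True),
    Employee("cara@example.com", "sales", True),
    Employee("dev@example.com", "sales", True),
    Employee("eli@example.com", "sales", False),  # declined; must not be emailed
]
CAMPAIGN_1 = [
    ("ana@example.com", "sent"), ("ben@example.com", "sent"),
    ("cara@example.com", "sent"), ("dev@example.com", "sent"),
    ("ana@example.com", "clicked"), ("cara@example.com", "clicked"),
    ("ben@example.com", "reported"),
]
CAMPAIGN_2 = [
    ("ana@example.com", "sent"), ("ben@example.com", "sent"),
    ("cara@example.com", "sent"), ("dev@example.com", "sent"),
    ("cara@example.com", "clicked"),
    ("ana@example.com", "reported"), ("ben@example.com", "reported"),
    ("dev@example.com", "reported"),
]

if __name__ == "__main__":
    print(screen_template("Your Q3 bonus is ready", "Log in to confirm your bonus payment"))
    print(select_recipients(STAFF))
    m1, m2 = campaign_metrics(STAFF, CAMPAIGN_1), campaign_metrics(STAFF, CAMPAIGN_2)
    print(m1["overall"], m2["overall"], susceptibility_drop(m1, m2))
```

The report rate is tracked alongside the click rate on purpose: the article's goal is that employees feel comfortable reporting, so a campaign where reports rise is a success even before clicks reach zero.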

By providing fake phishing training that has been well-thought-through and includes ethics as a foundation stone, your employees will feel part of a team. This feeling of being part of a coherent group will help to make the training effective, ultimately protecting your company and the staff.

Find out how SafeTitan can give you the tools to conduct ethical phishing training.

J.P. Roe