Do phishing simulations help?

Are there more effective and simpler solutions?

The purpose of this article is to analyze some aspects of phishing simulation campaigns and to raise some questions about their impact and effectiveness. The intention is to open a debate that will help organizations plan their cybersecurity awareness campaigns to achieve the highest possible level of protection in terms of user behavior.

What is a phishing simulation?

A phishing simulation is a resource used by many organizations to diagnose the degree of exposure of their employees to malicious phishing messages and to educate users on the prevention of this type of risk.

Real malicious messages usually arrive by e-mail trying to trick users. The objectives of cybercriminals who send phishing messages are usually to obtain information about payment methods, obtain access data or acquire personal information for criminal purposes that seriously harm all types of organizations.

Phishing simulation campaigns replicate the behavior of a real phishing attack in its most characteristic aspects such as social engineering techniques, use of links or attachments or referral to fake websites or replicas of real websites.

These campaigns are usually conducted using controlled and innocuous phishing simulation platforms, which make it possible to measure user reactions and provide relevant statistics such as the number of users who read the simulated message, open the link or download an attachment.

In some cases, users who have taken an incorrect action in the face of the phishing simulation message are invited to receive training that will help them learn how to detect future real malicious messages that may arrive in their email inboxes.

What happens to users who do not open the simulated phishing message?

It is very clear how to interpret the cases in which users receiving the simulated phishing attack open the messages and their links. But how do we interpret the cases in which users have not opened or interacted with them?

It would be unrealistic to think that all users who have not fallen into the simulated trap have made a conscious decision to ignore, delete or report it. Since this is a subjective action, user behavior in the face of the hundreds or thousands of messages received every day depends on many variables, which we analyze below:

That the message reaches all users of the organization. Preparing a phishing simulation is extremely complex. One of the difficulties is configuring the filtering systems so that the simulated message passes through and reaches each user's inbox. Even when it does, corporate email systems often have additional mechanisms that flag a message as suspicious.

The workload and number of messages to be read. The reason some users do not open the simulated message may be as simple as having had a lot of work that day or a large number of messages to read. Those users never got to see the message and therefore never had to assess which action was the correct one.

The device used to check email. Whether the inbox is checked from a mobile device or from a desktop computer may also have an influence.

Individual subjectivity. The same simulated phishing message may arouse more or less interest in each person depending on his or her personal situation, interests or hobbies. Thus, a user may leave a simulated phishing link unopened simply out of lack of interest in the content of the message.

Taking all these variables into account, can we really conclude that a user who has not fallen for the phishing simulation avoided it because he or she was able to analyze the message? And in that case, can we infer that the user will not fall victim to real attacks?

Or is it more realistic to consider that an undetermined number of the users to whom the simulation was sent either did not see the message or did not read it, for one or more of the reasons mentioned above?
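The following added example (not part of the original article) makes the point concrete: it scores a constructed set of recipient records from a simulated campaign and shows how the naive click rate over all recipients silently counts users who never saw the message as "passed", while restricting the denominator to users who demonstrably opened it gives a very different picture. The record format, field names and sample data are assumptions for illustration.

```python
from collections import Counter

# Constructed sample, not real campaign data: one record per recipient of a
# simulated phishing message, as (user, delivered, opened, clicked, reported).
# "delivered": the message reached the inbox (was not filtered);
# "opened":    the mail client registered the message as read;
# "clicked":   the simulation link was followed;
# "reported":  the user used the report-phishing button.
SAMPLE = [
    ("u01", True,  True,  True,  False),
    ("u02", True,  True,  True,  False),
    ("u03", True,  True,  False, True),
    ("u04", True,  True,  False, False),
    ("u05", True,  False, False, False),
    ("u06", True,  False, False, False),
    ("u07", True,  False, False, False),
    ("u08", False, False, False, False),
    ("u09", True,  True,  False, False),
    ("u10", True,  False, False, False),
]

def classify(record):
    """Map one recipient record to the single outcome the campaign observed."""
    _, delivered, opened, clicked, reported = record
    if not delivered:
        return "not_delivered"      # blocked by a filter: says nothing about the user
    if clicked:
        return "clicked"            # fell for it, whether or not they reported afterwards
    if reported:
        return "reported"           # the only outcome that positively shows detection
    if opened:
        return "opened_no_action"   # saw it and ignored or deleted it: ambiguous
    return "never_opened"           # workload, device, disinterest: cannot be scored

def campaign_metrics(records):
    """Compare the naive click rate with rates over users who demonstrably saw the message."""
    buckets = Counter(classify(r) for r in records)
    total = len(records)
    seen = buckets["clicked"] + buckets["reported"] + buckets["opened_no_action"]
    unobserved = buckets["not_delivered"] + buckets["never_opened"]
    return {
        "counts": dict(buckets),
        # denominator is everyone, so the unobserved silently count as "passed"
        "naive_click_rate": buckets["clicked"] / total,
        # denominators restricted to users who actually opened the message
        "click_rate_among_seen": buckets["clicked"] / seen if seen else 0.0,
        "report_rate_among_seen": buckets["reported"] / seen if seen else 0.0,
        # share of the workforce about whom the campaign learned nothing
        "unobserved_share": unobserved / total,
    }

if __name__ == "__main__":
    for key, value in campaign_metrics(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample above, the naive click rate is 20% while the click rate among users who actually opened the message is 40%, and half the recipients were never observed at all.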

Other disadvantages of phishing simulations

In addition to the uncertainty derived from not being able to clearly diagnose cases in which a large group of users have not interacted with the simulated phishing message, there are other disadvantages to take into account as a preliminary step to launching phishing simulation campaigns.

Technical complexity. Any phishing simulation campaign involves significant complexity. On the one hand, all the elements of the simulation, such as the message and a web landing page, must be produced, and the simulation platform must be fully configured. On the other hand, corporate networks and external systems are getting better and better at ensuring that dubious messages do not reach users, so getting all the filters and firewalls to let the campaign messages through is itself a considerable effort.

High cost. Closely associated with the technical complexity is the disadvantage of high cost. Whether an external service is contracted or the simulation is carried out with internal resources, the cost is usually in the thousands of euros or dollars.

Negative employee reactions. A no less important issue is assessing the impact that a phishing simulation campaign can have on the workforce in general and on some of its members in particular. Depending on how the simulation process is contextualized, individual or collective reactions, positive or negative, can play an important role in the effectiveness of the campaigns.

Are there alternatives to phishing simulations?

Given all these questions and potential drawbacks, one might ask whether there are more effective alternatives that test and raise awareness at the same time.

These are the premises an alternative system would have to meet in order to exceed the effectiveness of a phishing simulation:

  • Ensure that the entire workforce can be reached and made aware.
  • Not dependent on workload.
  • Not influenced by individual subjectivity.
  • Optimize the relationship between cost, complexity and effectiveness.
  • Make it a positive experience for users.

In the article on gamified simulators we analyzed in detail one of the alternatives that many organizations value as a more effective method of cybersecurity awareness.