Evil doesn't play a part in this equation. That implies a phishing program is designed to "get you" and not help you. This is no more evil than fire-team training the U.S. Marine Corps go through.
The malicious actors really don't care about your feels, and in order to condition/train individuals properly you need to utilize the same tactics that they are going to use... otherwise your security program is literally checking a box, and has nothing to do with actually hardening your userbase.
If evil or good is the general consensus from those enrolled into the program both leadership and the education team have their work cut out for them. It's a culture problem, and fundamental misunderstanding of why you have a program like this. It's to help them, not hurt them.
That is a problem, and a reason I stress in my programs that you need to create a reward-based program if you honestly want to protect your users.
Fear is a great motivator in many things, it's also the mind-killer. The point is not to be afraid, but to be confident in your ability to identify that not everyone in this world has your interest in mind and respond rationally and effectively to the threat.
It's also why I tell people not to utilize 3rd party phishing programs like KnowBe4.
KnowBe4 wants a paycheck, to do that they need to prove effectiveness. More often than not that means being really hard in the beginning, and then scaling back to coast easy mode.
Your phishing program should always reflect the same failures, because you should be raising the bar every phish as the education begins to sink in.
That's conditioning. You don't start at 200 lb lifts and then go to 10 lb lifts.
@White_Rabbit Sage advice. Right on target. 🎯 @0x56
@White_Rabbit @0x56 has this type of phishing attack been observed in the wild? Cause if it's actually occurring, then it's appropriate to include in training.
If this is purely hypothetical then it sucks. Neither evil nor brilliant, just pointless and aggravating.
I promise you, someone has done this somewhere. I have no proof currently, but there's no doubt in my mind that it has occurred.
The funniest thing to me is when "good" people think they are more clever than career criminals and state-sponsored actors.
@White_Rabbit the goodwill of ppl being trained is a precious resource tho and this type of training by its very nature erodes that goodwill. Clever tricks like emulating anti-phishing training to simulate a theoretical phishing attack are not worthwhile for the vast majority of trainees.
Which is why they will use it.
Here are some similar tactics utilized in the real world that have been involved in real compromises:
- Sending yearly bonus information in the 4th quarter
- Sending training/education emails also during 4th quarter (most companies do theirs around November)
- Disciplinary action being taken, click here (this is good year round)
@White_Rabbit those leverage fear of punishment and greed. They're much better imo.
@0x56 I'm gonna stick with "meh".
Phishing disguised as anti-phishing training lacks the emotional hooks that characterize good scams/tricks. What emotion does this actually leverage? Fear of not completing an assignment? Annoyance? All thoroughly mid as far as motivators go.
@White_Rabbit @0x56 I should be clear I'm assuming we're talking about training for like xerox or citibank employees and not national security stuff.
I choose to disagree. If I were a malicious actor, phishing anti-phishing simulations would pay out two-fold.
1) Compromising the effectiveness of your phishing program, even if you are doing it "right" -- may help for future phishes if I am targeting you
2) If your company has a phishing program you likely will let your guard down and trust the message as it is relevant to you.
Both fear and anger are used in a phishing simulation phish. Fear you got caught, or angry you got accused of being caught. Annoyance works too, that's an emotion very easy to manipulate (associated with anger), take a look at the firehose
@White_Rabbit engaging in this microcosm of a much wider security debate is peak coso but I will not be taking a look at the firehose lol I don't need that kinda drama.
@White_Rabbit @Expecting_Words @0x56 One of my most effective phishing samples was: "Building facilities here, we found mold in your workspace! Contact us on this 'internal' form to arrange cleanup!"
@White_Rabbit lol i said both, i kept "evil" because they snagged me once lol @0x56
@0x56 , do we work for the same org? J/K. 🙃😉