Fake Email Phishing: More Harmful than Helpful

Posted on by
Negative Reinforcement Phish Testing Looks like this!

Negative Phish Testing

Positive Phish Testing simulations look like this.

Positive Phish Testing

Traditional phishing tests, designed to assess employees’ susceptibility to deceptive emails, have come under increasing scrutiny questioning their effectiveness and potential unintended consequences. A University of Switzerland comprehensive 15-month study involving over 14,000 participants revealed that such tests might inadvertently increase employee clicks rather than reduce their click rates.

Echoing these concerns, Google’s Matt Linton compared early 20th-century fire drills—which often caused more harm than good—to modern phishing tests in this blog post. He argued that these tests focus on individual performance, potentially leading to negative outcomes without significantly enhancing overall security.

These insights suggest that traditional phishing tests may not only be ineffective but could also undermine organizational security efforts and in many reports harm the good will and morale of the companies and individuals being tested. In response, innovative solutions like CyberHoot’s HootPhish offer a more constructive approach, emphasizing education and positive reinforcement to foster a security-conscious culture.

Let’s take a closer look at the traditional challenges fake email phishing contains and some of the benefits of pivoting to a more positive realistic and educational approach that leverages positive reinforcement theory on phish testing simulations.

Major Criticisms of Traditional Phishing Tests

  1. Lack of Effectiveness: A comprehensive study involving over 14,000 participants revealed that traditional phishing tests don’t reduce the likelihood of employees falling for phishing attacks. In fact, individuals were found unexpected to click on more rather than fewer real phishing attacks!

  2. Bypassing Defenses: To conduct these tests, organizations often have to disable or bypass their established anti-phishing measures. This creates unrealistic scenarios with overly simplified domain names for senders and poses security risks if these bypasses are not properly managed post-test.  Few remove X-Header by-pass measures to prevent hacker attack usage.

  3. Operational Strain: Phishing tests can overwhelm IT teams or MSPs/MSSPS with a flood of false reports, diverting attention from genuine threats and straining resources.

  4. Negative Impact on Employee Morale: Employees may feel tricked by these tests, leading to a breakdown in trust between staff and security teams. This erosion of trust can hinder security, collaboration, and seriously degrade the relationship between IT/MSP and employees.

  5. Dismal Metrics:  When conducting fake email attack testing, leadership receives seriously flawed metrics.  Users fall into three buckets as follows: (1) Failures ~5%, (2) Passers ~45% and (3) Unknown ~50%.  Leaving the number one method of company breach to 50% unknown is hardly reassuring.

The Silver Lining: CyberHoot’s HootPhish

Enter CyberHoot’s HootPhish—a refreshing alternative that addresses these criticisms head-on. Here’s how HootPhish stands out:

  1. Better Metrics: Unlike traditional tests that often yield ambiguous results, HootPhish provides clear, actionable metrics for every employee. This comprehensive assessment ensures that no one slips through the cracks, allowing organizations to gauge the effectiveness of their training programs accurately.

    Ofofo Blog

  2. Enhanced Automation: Setting up traditional phishing tests can be a logistical nightmare, often requiring complex configurations and manual oversight. HootPhish simplifies this process with automation, eliminating the need for intricate setups like allow-lists or spam filter adjustments. This streamlined approach frees up IT and Managed Service Providers (MSPs) to focus on more critical tasks.

    Ofofo Blog

  3. Positive User Experience: Traditional phishing tests can leave employees feeling anxious and mistrustful. In contrast, HootPhish adopts a non-punitive, educational approach that users find engaging and informative. With positive ratings often approaching 75%, employees are more receptive to training, leading to a more security-conscious workforce.

    Ofofo Blog

  4. Effective Training Outcomes: By focusing on realistic and educational phishing simulations, HootPhish reduces the number of support emails from anxious employees unsure about potential phishing attempts. This proactive education empowers employees to identify and handle suspicious emails confidently, decreasing reliance on support channels, or worse errors and clicking on malicious links.

  5. Improved Employee Morale: Moving away from deceptive testing methods, HootPhish fosters a culture of learning and trust. Employees appreciate the emphasis on education over trickery, leading to higher morale and better retention rates.  This has a positive outcome on both moral and client retention in the case of MSPs and MSSPs.

Conclusions: Positive Phishing is the Future of Phishing Resilience

In summary, while traditional phishing tests have been criticized for their inefficacy and negative impact on employees, CyberHoot’s HootPhish offers a promising alternative. By providing better metrics, automation, a positive user experience, effective training outcomes, and improved employee morale, HootPhish not only addresses the shortcomings of conventional methods but also enhances the overall cybersecurity posture of organizations.

Individual Training:

CyberHoot’s 6 videos and positive phishing simulation are free for individuals.  Enroll here.

Direct Businesses:
Organizations without an MSP or MSSP can use our positive phish testing solution. To empower your team, enroll here.

Resellers (MSP/MSSP):

Enroll your MSP/MSSP in our free 30-day trial with free powerups for life here: Thrive in 25′ Registration Link

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.