Are Phishing Campaigns Worth It?

Phishing campaigns are often touted as a complementary exercise to security training as a way to measure training effectiveness. The thought is, if your training is effective, users will be less likely to fall for and click on phishing emails, which will correlate to a decrease in the number of phishing incidents at your company. This sounds great in theory, but phishing campaigns have a lot of downsides that need to be considered before you hit the send button.

What Is Phishing?

The Cybersecurity and Infrastructure Security Agency (CISA) defines phishing as:

“a form of social engineering where malicious actors lure victims (typically via email) to visit a malicious site or deceive them into providing login credentials.”

What does this mean for a CISO in practical terms? It means your employees will constantly receive emails that look legitimate but are actually scams. They are designed to get your employees to click a link or open an attachment so the attacker can steal credentials, install malware, reach sensitive data or steal money. Attacker phishing is often the first step of a more targeted intrusion: the phished credentials give the attacker an initial foothold in your environment from which to move further.

What Are The Common Defenses Against Phishing?

User Awareness Training

One of the most effective ways to counter the threat of phishing attacks is to educate your users. Regular user awareness training on how to recognize and act on phishing emails has proven highly effective. Why? Phishing tries to trick your users into performing an action they wouldn't normally perform. This is a form of psychological manipulation, or social engineering, and the best way to instill the proper mindset in someone is through regular training. That training should test for understanding and for the ability to recognize and report phishing emails. When in doubt, report it and delete it.

DMARC, SPF and DKIM

Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are technologies that domain owners publish in DNS and receiving mail servers check to authenticate incoming messages and detect spoofing. SPF lets a domain publish the IP addresses and mail servers allowed to send mail for it; the receiver checks the connecting server's IP against the record for the envelope sender (MAIL FROM) domain. DKIM lets the sending server add a cryptographic signature over selected headers and the body, with the public key published under a selector in the domain's DNS, so the recipient can verify that the message was signed by that domain and not altered in transit. SPF and DKIM are the authentication layer of email and help prevent spammers from sending mail as domains they don't own. On their own, though, neither one checks the From: address the user actually sees, which is what DMARC adds.

DMARC is the enforcement arm in the email world. It ties the SPF and DKIM results to the domain in the visible From: header (this is called alignment) and lets the domain owner publish, in a _dmarc DNS TXT record, what receivers should do with messages that fail: p=none (deliver, but send aggregate reports), p=quarantine (treat as spam) or p=reject (refuse the message). The aggregate reports (the rua tag) tell you who is sending as your domain, which is how you safely move from none to quarantine to reject. When configured properly, all three of these technologies filter and reduce the phishing emails that spoof your own domain before they reach your users' inboxes. One caveat a practitioner should keep in mind: DMARC only governs domains you control. A lookalike domain the attacker registers can publish its own valid SPF, DKIM and DMARC records and will pass every check, which is why the training and MFA controls still matter.
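To make the alignment and policy logic concrete, here is an added example (my own code, not from the original post or from any mail server) of a minimal DMARC evaluation. It does no DNS lookups: the DMARC records live in a constructed dictionary keyed by the _dmarc.<domain> name a receiver would query, the domains example.com, example.org and the lookalike examp1e.com are hypothetical, and the organizational-domain rule is simplified to the last two labels (real receivers consult the Public Suffix List). It shows how a spoofed From: gets rejected, how a subdomain falls back to the sp policy, and how a lookalike domain with no record simply gets no DMARC disposition at all.

```python
"""Minimal offline DMARC evaluation (added example, constructed data)."""

# Constructed TXT records standing in for DNS. The lookalike examp1e.com
# deliberately publishes nothing: DMARC cannot say anything about it.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; sp=quarantine",
}


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict with DMARC defaults applied."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")   # DKIM alignment: relaxed unless adkim=s
    tags.setdefault("aspf", "r")    # SPF alignment: relaxed unless aspf=s
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Real receivers use the Public Suffix List so e.g. example.co.uk works."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed accepts
    any domain sharing the organizational domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain):
    """Return (record, using_subdomain_policy); (None, False) if no record."""
    txt = DNS_TXT.get("_dmarc." + from_domain.lower())
    if txt:
        return parse_dmarc_record(txt), False
    org = org_domain(from_domain)
    if org != from_domain.lower():
        txt = DNS_TXT.get("_dmarc." + org)
        if txt:
            return parse_dmarc_record(txt), True
    return None, False


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_results):
    """Return 'pass', 'no-policy', or the disposition the domain owner asked
    for on failure: 'none', 'quarantine' or 'reject'.

    spf_domain is the MAIL FROM domain SPF was evaluated against;
    dkim_results is a list of (result, d= tag domain) for each signature.
    """
    record, use_sp = lookup_policy(from_domain)
    if record is None:
        return "no-policy"
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = any(res == "pass" and aligned(from_domain, d, record["adkim"])
                  for res, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass"
    return record["sp"] if use_sp else record["p"]


if __name__ == "__main__":
    # Legitimate bounce domain under the same org: relaxed SPF alignment passes.
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", []))
    # Attacker infrastructure spoofing the From: header: nothing aligns -> reject.
    print(evaluate_dmarc("example.com", "pass", "attacker.invalid",
                         [("pass", "attacker.invalid")]))
    # Lookalike domain that passes its own SPF/DKIM: DMARC has no opinion.
    print(evaluate_dmarc("examp1e.com", "pass", "examp1e.com",
                         [("pass", "examp1e.com")]))
```

Note that the last case is the one user training has to cover: a registered lookalike domain authenticates perfectly well as itself, so a receiver that relies on DMARC alone will deliver it.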

MFA

Another technology that is critically important to protect against phishing attacks is to enable Multi-Factor Authentication (MFA). This is another form of defense that will protect your user accounts if a phishing email makes it through the filters and your user clicks on the phishing link in the email.

For example, a typical phishing email may impersonate a legitimate business website that requires authentication. The formatting, graphics and appearance may all look exactly the same. The only way to tell it is a phishing email is to look at the sender domain or the email headers for subtle variances in spelling or formatting. If a user falls for it, clicks the link and enters their username and password, MFA limits how far the attacker gets: the password still needs to be changed, but a second factor means the phished password alone is not enough. Not all MFA is equal here. One-time codes and push approvals can be relayed in real time by an adversary-in-the-middle phishing proxy that sits between the user and the real login page, so the attacker logs in with the code the victim just typed. FIDO2 security keys and passkeys are bound to the origin of the site they were registered on, so a lookalike domain cannot obtain a usable assertion. This is what CISA calls phishing-resistant MFA, and it is the form to prefer for remote access and administrative accounts.
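The difference between a relayable code and an origin-bound passkey is easiest to see in a small simulation. The following is an added example of my own, not code from the original post or from any product: an adversary-in-the-middle proxy sits between a victim and the real site. The TOTP side is real RFC 6238 (HMAC-SHA1, standard library only). The passkey side is a reduced model of a WebAuthn assertion in which the authenticator's signature is replaced by an HMAC with a per-credential secret (standing in for the ECDSA signature a real authenticator produces, because the standard library has no asymmetric crypto); the point being demonstrated is that the signed client data carries the origin the browser was actually on. The origins login.example.com and login.examp1e.com are hypothetical.

```python
"""AiTM phishing proxy versus TOTP and versus an origin-bound passkey.
Added, constructed example: nothing here talks to a network."""
import hashlib
import hmac
import json
import os
import struct
import time

REAL_ORIGIN = "https://login.example.com"     # hypothetical real site
PHISH_ORIGIN = "https://login.examp1e.com"    # hypothetical lookalike


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30 s time counter with HMAC-SHA1."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Site:
    """The genuine relying party: holds the TOTP seed and passkey credential."""

    def __init__(self):
        self.totp_secret = os.urandom(20)
        self.cred_secret = os.urandom(32)  # stand-in for the stored public key

    def login_totp(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, now))

    def challenge(self) -> str:
        return os.urandom(16).hex()

    def login_passkey(self, challenge: str, client_data: bytes, sig: bytes) -> bool:
        # 1. signature over the client data must verify (HMAC stands in for ECDSA)
        expected = hmac.new(self.cred_secret, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False
        data = json.loads(client_data)
        # 2. challenge must be the one we issued, and 3. the origin the browser
        #    recorded must be ours. A phishing proxy cannot forge this field.
        return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN


class Victim:
    """The victim's authenticator app and browser-backed passkey."""

    def __init__(self, site: Site):
        self.totp_secret = site.totp_secret
        self.cred_secret = site.cred_secret

    def read_totp(self, now: int) -> str:
        return totp(self.totp_secret, now)

    def passkey_assert(self, challenge: str, origin_in_browser: str):
        """The browser writes the origin it is really on into clientData.
        (A real browser would also refuse to use a credential whose RP ID
        does not match that origin; this model shows the second check.)"""
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin_in_browser}).encode()
        sig = hmac.new(self.cred_secret, client_data, hashlib.sha256).digest()
        return client_data, sig


def aitm_totp_relay(site: Site, victim: Victim, now: int) -> bool:
    """Proxy captures the code typed on the fake page and replays it at once."""
    captured = victim.read_totp(now)
    return site.login_totp(captured, now)  # accepted: still inside the window


def aitm_passkey_relay(site: Site, victim: Victim) -> bool:
    """Proxy forwards the real challenge; the victim's browser is on the fake origin."""
    challenge = site.challenge()
    client_data, sig = victim.passkey_assert(challenge, PHISH_ORIGIN)
    return site.login_passkey(challenge, client_data, sig)  # rejected: wrong origin


def legit_passkey_login(site: Site, victim: Victim) -> bool:
    challenge = site.challenge()
    client_data, sig = victim.passkey_assert(challenge, REAL_ORIGIN)
    return site.login_passkey(challenge, client_data, sig)


if __name__ == "__main__":
    site, victim = Site(), Victim(site)
    now = int(time.time())
    print("TOTP relayed by AiTM proxy accepted:   ", aitm_totp_relay(site, victim, now))
    print("Passkey relayed by AiTM proxy accepted:", aitm_passkey_relay(site, victim))
    print("Passkey used on the real site accepted:", legit_passkey_login(site, victim))
```

The relayed TOTP is accepted because nothing in a six-digit code says where it was typed; the relayed passkey assertion fails because the origin is part of what gets signed, and the relying party checks it.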

What Are Phishing Campaigns?

Phishing campaigns are controlled email campaigns, run by your own organization or a contracted third party, that send simulated phishing emails to your users to measure how many open them and click on the links. They allow organizations to directly test how well user awareness training is working at getting users to recognize and avoid phishing attacks. Phishing campaigns can be stand-alone events or they can be tied into other security testing such as penetration tests.

What Are the Downsides To Phishing Campaigns?

Phishing campaigns, while popular, have questionable morality and effectiveness for a few reasons.

  1. The primary method of business communication is email. Phishing campaigns are teaching users to mistrust and in some cases stop using email for business purposes. Security organizations should find ways to support and protect the business without unnecessarily impeding it and for this reason I believe phishing campaigns are counter to the mission of an effective security organization.
  2. The top businesses have cultures that support and encourage psychological safety. Being able to respectfully speak your mind, have support from your colleagues and feel valued are all important aspects for job satisfaction and effectiveness. Phishing campaigns go against the idea of psychological safety. They attempt to trick your users into clicking on emails with questionable tactics such as promising bonuses, legitimate business purposes or even funny cat videos.
  3. One large problem with phishing campaigns is they tend to have punitive outcomes. Anyone that falls for the phishing email gets sent to remedial training or may be given a reduced set of permissions for a period of time. These punitive actions punish users for using their primary method of communication, destroy the concept of psychological safety and discourage productivity.
  4. Speaking of productivity, I see a lot of metrics about the percentage of users that clicked on phishing campaign emails, along with targets to reduce those numbers after sending people to remedial training. What I don't see are metrics on the impact the campaign has on productivity. How much longer will it take the person in finance to do their job now that they don't trust anything in their email? How much longer will it take IT support to resolve the help desk ticket when they have been scolded repeatedly for falling for phishing emails? These metrics unfortunately are overlooked or not even captured. Security programs should ground their activities in the overall business strategy and make sure their programs generate true value for the business, measurable as reduced risk, weighed against the cost to other areas of the business.

A More Effective Solution

Whenever someone asks me for my thoughts about phishing campaigns I tell them honestly that I am not a fan. I’ve been on penetration testing teams that have crafted emails as part of phishing campaigns and I’ve seen the effect it has on users. I think there is a better way.

A lot of this post has gathered inspiration from various sources, but one of the main sources is the Cybersecurity and Infrastructure Security Agency (CISA). In October 2023, CISA, the FBI and the NSA published joint guidance on stopping phishing attacks. You can read their excellent recommendations here. Their guidance supports my sentiments here because one thing that is not in their recommendations is conducting a phishing campaign against your own users.

What are my recommendations?

  1. Conduct proactive training that tests not only comprehension but the ability to accurately recognize phishing emails. Give employees the skills to look at email headers and the latitude to report suspicious emails or delete them altogether. Accept that email will be a slower and less trusted form of communication, and even prevent the use of email for critical business functions (like contracting or financial activities). This training should include hands-on practical exercises that give the security function and senior leaders confidence they have trained their users to the best of their abilities to minimize the risk.
  2. Put controls in place to protect your employees. DMARC, DKIM, SPF and MFA can protect your users. Endpoint protection, monitoring and logging, ingress and egress filtering, etc. can all provide defense in depth to stop phishing attacks from being successful. The point here is, a comprehensive and well executed security program is one of your best defenses against phishing attacks.
  3. Employees that fall for real world phishing emails should be given a second chance. Assume good intent here. Most employees will recognize when they have done something bad and will feel guilty about it. They will punish themselves so the organization should support them, offer them additional training and help them get back to doing their job. Having proper security controls in place can help minimize the impact of your employees clicking on phishing emails.
  4. As a last resort, I will recommend some sort of punitive action, but this should not be the default and should be used sparingly. Users who just don't get it and are repeat offenders should face disciplinary action such as termination or reduced job responsibilities. This ties into organizations that evaluate how well employees support and uphold the security objectives of the organization. Repeated violations of Acceptable Use Policies (AUP) should fall under an HR/Legal action that minimizes the risk of the employee to the business.

Wrapping Up

Phishing is a form of social engineering and is a real business risk. It can lead to credential compromise, malware infections or Business Email Compromise (BEC) resulting in real business loss. A well rounded and comprehensive security program will help counter the threat of phishing attacks through comprehensive security controls and processes. Most importantly, I recommend security teams remove phishing campaigns from their tool chest and instead use proactive techniques to educate users, while protecting the business with a defense in depth approach.

Author: Lee Vorthman

I'm a U.S. Navy veteran and the Global Chief Security Officer (CSO) at a Fortune 100 cloud company where I've built a successful security program from the ground up and have partnered with the business to increase trust and reduce risk. I have over 25 years experience across a wide variety of industries such as technology, government & defense, education and oil & gas. I hold a number of professional certifications such as EC-Council's Certified Chief Information Security Officer (C|CISO), Digital Director's Network (DDN) Board Certified Qualified Technology Expert (QTE) and ISC(2) Certified Information Systems Security Professional (CISSP). Previously I was the Chief Technology Officer (CTO) for Civilian Agencies and Cybersecurity Initiatives at NetApp U.S. Public Sector and the Chief Information Security Officer for an Oil & Gas software company. I am available for consulting and speaking opportunities. Thoughts and opinions are my own and do not represent any employer past or present.