Simulated phishing
{{Short description|Cybercrime}}
Simulated phishing or a phishing test is where deceptive emails, similar to malicious emails, are sent by an organization to their own staff to gauge their response to phishing and similar email attacks. The emails themselves are often a form of training, but such testing is normally done in conjunction with prior training, and it is often followed up with further training elements. This is especially the case for those who "fail" by opening email attachments, clicking on included weblinks, or entering credentials.
Typically, phishing simulations are conducted on a recurring basis to measure long-term improvement in user behavior and to maintain heightened awareness among staff. Regular simulations also serve to identify employees who may need extra support in understanding cybersecurity threats.{{Cite web |title=Wayback Machine |url=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf |archive-url=http://web.archive.org/web/20250213214340/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf |archive-date=2025-02-13 |access-date=2025-03-04 |website=nvlpubs.nist.gov}}
Rationale
There is wide acceptance within the IT security field that technical measures alone cannot stop all malicious email attacks, and that good training of staff is necessary.{{citation needed|date=September 2018}}{{Cite journal|last1=Jampen|first1=Daniel|last2=Gür|first2=Gürkan|last3=Sutter|first3=Thomas|last4=Tellenbach|first4=Bernhard|date=2020-08-09|title=Don't click: towards an effective anti-phishing training. A comparative literature review|journal=Human-centric Computing and Information Sciences|volume=10|issue=1|doi=10.1186/s13673-020-00237-7|issn=2192-1962|doi-access=free|hdl=11475/20346|hdl-access=free}} Simulated phishing allows the direct measurement of staff compliance, and when run regularly, can measure progress in user behavior. Phishing simulation is recommended by various official agencies, who often provide guidelines for designing such policies.{{cite web |title=Designing Phishing Simulations |url=https://www.cpni.gov.uk/system/files/documents/51/d7/phishing_simulations_guide.pdf |website=Center for the Protection of National Infrastructure |accessdate=12 September 2018}} Phishing simulations are sometimes compared to fire drills in giving staff regular practice in correct behaviour.{{Cite web|last=Fischbein|first=Jonathan|title=Council Post: 2021 Cyber New Year's Resolutions|url=https://www.forbes.com/sites/forbestechcouncil/2021/03/24/2021-cyber-new-years-resolutions/|access-date=2021-10-03|website=Forbes|language=en}}
In some regions, legal frameworks exist to support the implementation of phishing simulations as part of a broader cybersecurity compliance strategy. These regulations often emphasize the need for regular employee training and awareness programs as a preventative measure against cybercrime. Phishing simulation programs are recommended by various official bodies, including ENISA{{Cite web |title=Emerging technologies make it easier to phish {{!}} ENISA |url=https://www.enisa.europa.eu/news/emerging-technologies-make-it-easier-to-phish |access-date=2025-03-04 |website=www.enisa.europa.eu |language=en}} and NIST,{{Cite journal |last=Dawkins |first=Shanee |last2=Jacobs |first2=Jody |date=2023-11-15 |title=NIST Phish Scale User Guide |url=https://www.nist.gov/publications/nist-phish-scale-user-guide |journal=NIST |language=en}} as part of a comprehensive approach to improving organizational cybersecurity.
Ethics
Such campaigns need to be authorised at an appropriate level{{cite news |last1=Kovacs |first1=Eduard |title=Attack on DNC Part of Simulated Phishing Test |url=https://www.securityweek.com/attack-dnc-part-simulated-phishing-test |accessdate=12 September 2018 |work=Security Week |date=23 August 2018}} and carried out professionally.{{cite news |last1=Cheng |first1=Joey |title=Out-of-control Army phishing test results in new guidelines |url=https://www.defenseone.com/defense-systems/2014/03/out-of-control-army-phishing-test-results-in-new-guidelines/194265/ |accessdate=12 September 2018 |work=DefenseSystems |date=18 March 2014}} If such a technique is used carelessly, it may breach laws, attract lawsuits, and antagonise or traumatise staff.
However, if employees are advised of a change to policy such that "the company reserves the right to send deceptive 'simulated phishing' email to staff from time to time to gauge staff security awareness and compliance", and training and guidance have been given in advance, then such problems should not occur. Some organisations may choose to require users to give their consent by opting in,{{cite web |title=Simulated Phishing |url=https://commons.lbl.gov/display/cpp/Simulated+Phishing |website=Berkeley Lab |accessdate=12 September 2018}} and others may allow staff the option to opt out.{{cite web |title=Simulated Phishing Email Campaign |url=https://its.ucsc.edu/news/fake-phishing.html |publisher=UC Santa Cruz |accessdate=12 September 2018}}
The standard advice is that "failing" staff not be shamed in any way, but it is appropriate and reasonable to provide supportive follow-up training.{{cite web |last1=Prendergast |first1=Tom |title=Is all fair in simulated phishing? |url=https://www.csoonline.com/article/3237650/phishing/is-all-fair-in-simulated-phishing.html |website=www.csoonline.com |accessdate=9 September 2018}}{{cite web |last1=Meijdam |first1=Katrien |title=Phishing as a Service: Designing an ethical way of mimicking targeted phishing attacks to train employees |url=https://repository.tudelft.nl/islandora/object/uuid:3134a851-2b40-4af1-896a-41a6ce7a5816/datastream/OBJ1/download |accessdate=10 September 2018}}{{cite web |last1=R |first1=Kate |title=The Trouble with Phishing |url=https://www.ncsc.gov.uk/blog-post/trouble-phishing |website=National Cyber Security Centre |publisher=GCHQ |accessdate=12 September 2018}}
Some techniques which might be effective and in use by malicious actors are normally avoided in simulated phishing for ethical or legal reasons. These would include emails with content likely to cause distress to the recipient or the use of third-party trademarks, although it is also sometimes argued that this is covered by fair use.{{cite web |last1=Calarco |first1=Daniel |title=Stop Phishing with Bad Fake Bait |url=https://er.educause.edu/blogs/2017/6/stop-phishing-with-bad-fake-bait |publisher=EDUCAUSEreview |accessdate=12 September 2018}}
Methods
Such testing can be done in a number of ways.
- Many vendors offer web-hosted platforms to do this, and some provide limited free "test" campaigns.{{cite web |last1=Salla|first1=Sebastian|title=free phishing test campaigns |url=https://caniphish.com/free-phishing-test |publisher=CanIPhish |accessdate=10 October 2022}} {{cite web |last1=Korolov |first1=Maria |title=10 companies that can help you fight phishing |url=https://www.csoonline.com/article/3066532/phishing/10-companies-that-can-help-you-fight-phishing.html |publisher=CSO Online |accessdate=12 September 2018}}
- A wide range of freely available open-source tools allow more technical organisations to host and run their own testing, e.g. GoPhish, King Phisher and the Social-Engineer Toolkit.{{cite news |last1=Pauli |first1=Darren |title=Go phish your own staff: Dev builds open-source fool-testing tool |url=https://www.theregister.co.uk/2016/02/04/no_more_excuses_dev_builds_dead_easy_open_source_antiphishing_app/ |accessdate=12 September 2018 |work=The Register |date=4 February 2016}}{{cite web |title=Phishing campaign simulators |url=http://www.phishingcountermeasures.com/tools/22-phishing-campaign-simulators |website=Phishing Countermeasures |accessdate=12 September 2018}}
- Some email services now have such testing as a built-in option.{{cite web |last1=Ghosh |first1=Debraj |title=GA of Attack Simulator For Office 365 Threat Intelligence |url=https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/GA-of-Attack-Simulator-For-Office-365-Threat-Intelligence/ba-p/183954 |website=Microsoft Tech Community |accessdate=12 September 2018}}{{cite web |last1=Lardinois |first1=Frederic |title=Microsoft launches a phishing attack simulator and other security tools |url=https://techcrunch.com/2018/04/16/microsoft-launches-a-phishing-attack-simulator-and-other-security-tools/ |website=TechCrunch |date=16 April 2018 |accessdate=12 September 2018}}
Because organisations generally have a set of multi-layered defences in place to prevent actual malicious phishing, simulations often require some whitelisting to be put in place at email gateways, anti-virus software and web proxies to allow email to reach user desktops and devices and to be acted upon.
In some cases, organizations may simulate phishing attacks across multiple channels, including email, SMS, and social media, to test employees' ability to recognize threats on various platforms. By implementing phishing simulations across multiple channels, organizations can create a more comprehensive cybersecurity awareness program that addresses diverse threat vectors.{{Cite web |date=2024-11-12 |title=Top Phishing Prevention Strategies For Company Security |url=https://www.metacompliance.com/blog/cyber-security-awareness/phishing-prevention-strategies-safeguarding-your-organisations-data |access-date=2025-03-04 |website=www.metacompliance.com |language=en-GB}}
Frequency
{{No sources|section|date=June 2024}}
Most advice is that testing should be done several times per year, to give staff practice in responding correctly, and to provide management feedback on the progress in staff identifying and reporting potentially dangerous email.
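An added example, not from the article or any vendor platform, of the measurement that recurring campaigns feed: from constructed results of three campaigns it computes per-campaign click and report rates, the change between the first and last campaign, and the recipients who clicked in more than one campaign as candidates for supportive follow-up training. Campaign names and recipient names are constructed.

```python
from collections import defaultdict

# Constructed sample results from three recurring simulation campaigns
# (not real data). One record per recipient per campaign:
# (campaign, user, opened, clicked, reported)
CAMPAIGN_RESULTS = [
    ("2024-Q1", "alice", True,  True,  False),
    ("2024-Q1", "bob",   True,  False, True),
    ("2024-Q1", "carol", True,  True,  False),
    ("2024-Q1", "dave",  False, False, False),
    ("2024-Q2", "alice", True,  True,  False),
    ("2024-Q2", "bob",   True,  False, True),
    ("2024-Q2", "carol", True,  False, True),
    ("2024-Q2", "dave",  True,  False, True),
    ("2024-Q3", "alice", True,  False, True),
    ("2024-Q3", "bob",   False, False, False),
    ("2024-Q3", "carol", True,  False, True),
    ("2024-Q3", "dave",  True,  True,  False),
]


def campaign_rates(results):
    """Per-campaign click rate and report rate, keyed by campaign name."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for campaign, _user, _opened, clicked, reported in results:
        c = counts[campaign]
        c["sent"] += 1
        c["clicked"] += int(clicked)
        c["reported"] += int(reported)
    return {
        name: {"click_rate": round(c["clicked"] / c["sent"], 2),
               "report_rate": round(c["reported"] / c["sent"], 2)}
        for name, c in sorted(counts.items())
    }


def repeat_clickers(results, min_failures=2):
    """Users who clicked in at least min_failures campaigns: candidates for
    supportive follow-up training, not for blame."""
    failures = defaultdict(set)
    for campaign, user, _opened, clicked, _reported in results:
        if clicked:
            failures[user].add(campaign)
    return sorted(u for u, camps in failures.items() if len(camps) >= min_failures)


def trend(rates, metric):
    """Change in a metric from the first to the last campaign; a negative
    click-rate trend or a positive report-rate trend means improvement."""
    ordered = [r[metric] for _, r in sorted(rates.items())]
    return round(ordered[-1] - ordered[0], 2)
```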