2023-10-10
No, You Aren’t Getting a Bonus. Your Company Is Just Testing You.
Companies are getting creative with phishing tests. Employees are getting annoyed.
JuSong Baek remembers the email all too well.
In early September, he opened his work inbox to amazing news: He was officially off the wait list for Taylor Swift’s Eras Tour—he could buy tickets for her Toronto show.
But just before the 26-year-old product designer clicked on the link, he remembered something: He didn’t use his work email to register with Ticketmaster. It was a phishing test from his employer.
What once began with Nigerian princes asking for help in exchange for riches has become far more sophisticated social engineering, and companies are rising to the threat by getting creative in their training. These simulated phishing emails promise bonuses, gift cards and yes, once-in-a-lifetime concert tickets. The practice has left some employees chuckling, and others wary about the lines companies might cross to test someone’s cybersecurity competence.
Baek recognized the Taylor Swift ticket alert as a phishing email because its urgency about buying tickets seemed suspicious. When he clicked a phishing alert button in his email, he learned it was sent by his own company.
“I’ve never felt more personally attacked by an email,” says Baek, who lives in Edmonton, Alberta.
Phishing is a large-scale problem, resulting in more than 300,000 complaints last year to the Federal Bureau of Investigation’s Internet Crime Complaint Center. Americans lost $10.3 billion to online scammers, including phishing and identity theft, in 2022.
Companies try to train their employees to recognize these attacks by sending phishing tests. If workers report an email, they pass. If they fail the test and click a link or download a PDF, they might get sent to additional training.
Sarah Fiete regularly received phishing tests and training at her old job. One email from last December, however, tripped her up. It said the company wanted to thank her for her hard work with a gift card and to click a link to claim it. When she clicked it, it said she had failed a phishing test.
The 33-year-old Fiete, now a director of marketing and communications at an arts investment studio in New York, blames her phone. She normally checks for phishing attempts, but because she opened this on her phone, she couldn’t hover over the link to see where it led. And her company used to give gift cards in the past so it wasn’t entirely unusual to receive such an email, she adds.
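The hover check Fiete describes, which a phone’s mail client does not offer, can be done on the raw HTML of a message instead. The script below is an added example and not part of the article or any vendor product; it pulls every link out of an HTML email body and flags anchors whose visible text is a URL on one domain while the real `href` points at another, the classic gift-card lure shape. The sample message and all domains in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a gift-card lure whose visible link text names the
# company's own domain while the real href goes somewhere else.
# All domains here are hypothetical.
SAMPLE_EMAIL_HTML = """
<p>Thank you for your hard work! Claim your gift card:</p>
<p><a href="https://claim-rewards.example.net/x?id=42">https://rewards.example.com/claim</a></p>
<p>Questions? See the <a href="https://intranet.example.com/hr">HR portal</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible_text, href) pairs from every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    """Return [(visible_text, real_href), ...] for all anchors in the HTML."""
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    # Last-two-labels approximation; a production tool would consult the
    # Public Suffix List so that e.g. "co.uk" is handled correctly.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_looks_suspicious(text, href):
    """True when the visible text is itself a URL whose domain differs from the real target."""
    shown = urlparse(text)
    target = urlparse(href)
    if shown.scheme not in ("http", "https") or not shown.netloc:
        return False  # plain-word link text makes no claim about the destination
    return registrable_domain(shown.hostname or "") != registrable_domain(target.hostname or "")


def audit_email(html):
    """Return the (visible_text, real_href) pairs whose displayed and real domains disagree."""
    return [(t, h) for t, h in extract_links(html) if link_looks_suspicious(t, h)]


if __name__ == "__main__":
    for text, href in extract_links(SAMPLE_EMAIL_HTML):
        print(f"shown: {text!r:45} real target: {href}")
    print("mismatched:", audit_email(SAMPLE_EMAIL_HTML))
```

Only anchors whose visible text is a URL are judged, because a word like “HR portal” makes no claim about where it leads; the output still lists every real target so a reader can inspect links that were not flagged.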
She didn’t receive a gift card. She also went to work grumpy. “The phishing emails coming from the company itself really felt like they were hurting morale a lot more than they were doing any good,” Fiete says.
The Taylor Swift phishing test was a template created by KnowBe4, a security-awareness company. In the past 30 days, it was sent 17,600 times, with 533 people clicking on it, the company says. It’s in line with KnowBe4’s usual range for its phishing tests.
KnowBe4, founded in 2010 and working with more than 65,000 clients, is part of the security and risk-management industry, which offers businesses compliance training and other tools to safeguard their information. This growing field includes other companies such as Living Security and Proofpoint, which is used by The Wall Street Journal’s parent company.
KnowBe4 has a creative content team of four people who comb through social trends to come up with these phishing simulations. Another pop-culture moment they tapped into was the Johnny Depp defamation lawsuit against Amber Heard, sending breaking-news alerts related to the trial. They also craft seasonal emails, such as a notice of Valentine’s Day flowers being delivered. The team has created 20,000 templates for companies to choose from, says George Kas, the company’s chief product officer.
KnowBe4 has a “controversial” category, with more heartbeat-skipping templates. One email says it’s from a Twitter user alerting people that their information was found on the infidelity website Ashley Madison, which had a data breach in 2015. Any workplace test, such as an email from a company’s human-resources department requesting a meeting or sending a note about updated pay scales, is also considered controversial.
These are only used when a company’s cybersecurity team believes the organization is ready for tougher tests, Kas says. These emails are more alarming and emotional to mimic the behavior of actual attackers who want a user to click and compromise the company’s information, he adds.
“That’s what the attackers are doing, they’re trying to get under your skin, they’re trying to get you to react and stop thinking about it because if they can, then they win,” Kas says. “It’s much better to figure it out through a simulation than the real world.”
According to a report from KnowBe4, after a year of phishing training and simulations, a company’s likelihood of employees clicking on an email or suspicious link drops to 5.4% from 33.2%.
With only two more months to go till the end of the year, some companies are beginning to roll out end-of-year bonuses and other perks to employees as thank-you gifts for their hard work.
Except in Becky Robison’s inbox.
The 35-year-old corporate communications writer received an email in September, with the subject line “your yearly bonus.pdf Has Been Shared With You.” Having worked at her company for six years, she knew bonuses weren’t a regular occurrence and suspected it had to be a phishing email.
Robison, who lives in Louisville, Ky., didn’t fall for it—and says she hasn’t failed any others her company has sent through the years. But the tone of this one felt different to her.
“In a weird economic climate, it seems especially cruel to tempt people with the idea of a bonus, especially people who may not know,” Robison says.
Some workplace experts believe companies shouldn’t take such drastic measures to teach their employees how to spot phishing attempts. Instead they can hold more traditional training sessions, says Lynne Oldham, chief people officer at Stash, an investing app.
“It helps employees build the ‘muscles,’ which is good for the company and ultimately good for the employee,” she says.
Jasmine Lucey, a 27-year-old graphic designer in Irvine, Calif., was deceived twice in 2019 by phishing tests at her previous company.
One was about a gift card. The other had a subject line suggesting the company was addressing drama that happened between two women in the parking lot. Lucey wasn’t aware of any drama but wanted to know what it was, she says. She clicked a link in the email and a cartoon popped up, telling her she failed a phishing test, she says.
“You get so many emails a day for work and for your life that I don’t really have time to sit here and decipher if something is a real or fake email,” Lucey says.