Phishing tests, the bane of work life, are getting meaner

Illustration: Sam Kelly/WSJ, iStock.

Summary

The drills have become a standard part of office life. But as IT departments craft increasingly sensational ruses, employees are getting testy.

It was a Sunday morning in August, about a month before the start of classes, when Alicia Riley got the email about an Ebola outbreak at the University of California, Santa Cruz.

“Oh, my God!” thought Riley, a sociologist who studies infectious diseases.

She texted a friend—a former epidemic intelligence officer—to see if they’d heard anything. Then she clicked on the link.

That’s when she learned that Ebola wasn’t the problem; she was.

The email was a phishing test. A ruse crafted by the university’s information technology department to teach gullible workers about the dangers lurking in scam emails.

The tests have become a standard part of work life as companies, universities and health systems strive to protect themselves from ransomware and other forms of online attacks. Phishing, where hackers send deceptive emails in an attempt to steal sensitive information, was the first step in about 14% of cyberattacks in 2024, according to an analysis of data breaches done by Verizon.

But the drills are making workplaces extra testy.

A phishing test at the University of California, Santa Cruz last year raised alarm on campus with the mention of Ebola.

IT departments are crafting increasingly sensational ruses in what they say is a necessary response to increasingly sophisticated scams. Employees say they sow chaos, confusion and shame. Safety is one thing. Tricking a worker into thinking there’s a lost puppy in the parking lot is just cruel.

“There’s just something that makes your blood boil about them,” Riley said.

On Reddit, stories abound of employees panicking or becoming enraged after phishing tests—and of IT workers gloating over their ingenious ruses.

“I’m probably the most hated person at the company right now. Happy wednesday,” wrote one Reddit poster. He said he’d pushed employees into “full panic mode” with a mass email telling workers their passwords had been changed.

Another user discussed a phishing test that mimicked an open enrollment benefits link. It “was not well received. Lots of clicks though!,” the poster wrote. “Dang that’s dirty,” another replied. “I love it.”

Matt Linton once made a NASA staffer cry with a phishing test that promised employees a chance to win a trip to Kennedy Space Center to view the final launch of the Space Shuttle. “Now everyone hates me,” Linton thought after the test.

Cybersecurity specialist Matt Linton says people are more receptive to phishing education if they don’t feel like they’ve just been tricked.

That led to an epiphany for the cybersecurity specialist.

“Phishing education is good,” said Linton. “Tricking people to falling for a phish so you can lecture them that they failed, that’s the part that is terrible.”

“They’re more receptive to the education if they feel like you haven’t just made them a fool,” added Linton, who is now subject to phishing tests himself as a security engineering manager at Google.

Phishing tests have been around almost as long as scammers have been cluttering our email inboxes with Free Prizes!!!, ILOVEYOU letters and moneymaking schemes from Nigerian princes. The companies that sell these testing services say they work—if the phishing tests are done right—by offering valuable user training and giving IT departments a way to gauge how susceptible a company is to hacks.

But a growing body of academic research, based on randomized controlled trials, suggests the tests don’t work. A 2021 study of 14,000 corporate workers by researchers at ETH Zurich university found that phishing tests, combined with voluntary training, made employees more susceptible to phishing, possibly by giving trainees a false sense of security.

Last year, a follow-up study by researchers at the University of California, San Diego, which looked at a wider range of training programs, found the tests led to a measly 2% reduction in phishing success rates.

“These are just an ineffective and inefficient way to educate users,” said Grant Ho, one of the authors of the UCSD study.

When phishing tests go truly wrong, they can quickly spiral out of control, creating headaches for IT workers and others.

Grant Ho says research he took part in at the University of California, San Diego showed phishing tests are ‘an ineffective and inefficient way to educate users.’

After the Ebola email test at UC Santa Cruz, Riley sent a complaint to the IT department, saying the effort was undermining trust in the university’s alert system.

The sociologist wasn’t the only one concerned. Ebola can have a 90% mortality rate, with symptoms that include bloody vomiting.

Within hours, the university had taken steps to calm the panic. “Please be assured that there are no cases of Ebola in the campus community,” read a note posted to the school’s student health center. “The purpose of this email was to remind the campus community about best cybersecurity practices.”

UC Santa Cruz is working to prevent a similar situation from happening again, a spokesman said.

For Luis Taveras, chief information officer with Lehigh Valley Health Network, the tests don’t work unless there are real-life consequences.

The first time employees at the healthcare organization fail a phishing test, they lose external email access for three months. The second time, it gets cut for a year. The third, they’re fired.

His most-successful phishing test: a fake email offering free Philadelphia Eagles tickets. That got a 4% click-through rate.

“People say it is draconian,” he said. “I tell them it is draconian until we have an attack and we have to take our medical record systems offline.”

Taveras hasn’t fired anyone yet, thanks to an approach that leans harder on the stick than the carrot.

“I’m not sure there’s a carrot,” he said. “If you want a carrot: you keep your job.”

Write to Robert McMillan at robert.mcmillan@wsj.com
