At PhishMe, we feel like we’ve done a pretty good job of debunking the idea that you can address the spear phishing threat using the pentest model, but after reading this Washington Post story about a phishing test gone awry, it looks like we still have some work to do.

In this test, an Army combat commander sent an email to a “small group” of Army employees disguised as an email from their retirement plan provider urging them to log in to their accounts. The email used the name of Thrift Savings Plan, the actual 401(k) account provider for most federal employees, and provided no indication that it was a simulated phishing exercise, causing a panic across the DoD as concerned recipients shared the email with colleagues and flooded the Thrift Savings Plan customer support line. It took nearly three weeks for the Pentagon to trace the origin of the email.

This exercise committed every cardinal sin of simulated phishing by lacking defined goals, failing to consider the ramifications the email could have, failing to communicate to all potentially involved parties, and perhaps abusing trademarks/trade dress or copyrighted material.

Without defined goals, what is the point of simulating a phishing attack in the first place? If the commander’s goal was to demonstrate susceptibility, a simulation isn’t necessary. The security industry has continually traced enough attacks back to spear phishing that we know it’s a problem for everyone. To be effective, a simulated phishing attack needs to provide the recipient with information about how to improve in the future. An easy way to do this is to let recipients know that the attack was a training exercise, and provide training immediately after they interact with the email. This kind of notification also eliminates confusion about the authenticity of the email.

Letting recipients know that it was a training exercise is just part of effectively communicating a scenario. When simulating a phishing attack you need to communicate with the entire organization. If your email could generate backlash toward a specific department, you need to clear things with that department prior to sending. If the Army commander had run this scenario past HR, they probably would have let him/her know that emails discussing problems with a person’s 401(k) are going to generate a passionate response.

By using the name of the Thrift Savings Plan, this exercise potentially abuses trademarks/trade dress, a practice that can get you into legal hot water while adding little of value to the exercise (the Air Force made similar phishing mistakes in 2010). Effective phishing engagements will offer savvy users clues to recognize them as simulations. In the extended headers of PhishMe emails, we clearly display that the email is from PhishMe. This doesn’t undermine the exercise, because a user who is savvy enough to read email headers can already recognize phishing emails!

The unauthorized use of someone else’s brand in phishing simulations is something I find baffling. Not only is it illegal, but it lacks creativity. Pentesters pride themselves on being creative, and I think they need to step up their social engineering game. The content team at PhishMe is constantly coming up with creative ideas that play on people’s emotions and encourage them to click links and enter passwords without abusing brands.

We’ve learned these lessons about phishing an organization through our experience. People often question the value PhishMe provides by saying they can conduct simulated phishing exercises in-house. Those with that mindset should take the Army’s recent gaffe as a cautionary tale. PhishMe routinely carries out large-scale phishing campaigns for some of the world’s largest organizations.

When it comes to sending phishing emails, we are the undisputed heavyweight champions. At the time of writing, there are 157 active phishing simulations running on PhishMe’s North American infrastructure, and 37 additional simulations are scheduled to launch in the next 5 days.

In the past 90 days PhishMe has sent 1,790,089 emails. The reason our phishing simulations don’t make national headlines is we know what we are doing.

Good luck!
–Aaron @higbee