Should You Use Controversial Simulated Phishing Test Emails?

The Wall Street Journal recently published an article about using highly-emotionally charged, “controversial”, subjects in simulated phishing tests. Controversial topic examples include fake pay raises, reward gift cards, and free Taylor Swift tickets.

The younger half of our team is convinced the latter topic would have completely tricked them. Since the article was published, we have had readers and customers ask us how we felt about the use of controversial simulated phishing tests, especially since they are part of our offering.

Here is our general statement: KnowBe4 recommends caution when using controversial subjects in simulated phishing tests as they may generate anger if used incorrectly. If you decide to use a controversial topic, it is better if it mimics a real-world phishing scenario than simply a brand-new idea that has never been used before. 

Our customers choose and customize templates based on their organization’s needs, and obviously, that needs to be done the right way. We have sent over a billion phishing tests over the last 13 years. A very small fraction of those have caused complaints. An ounce of prevention in the form of one simulated phishing test a month is worth a pound of cure. It is better to be proactive and prevent potential data breaches. 

Some people have asked us why we even offer controversial simulated phishing topics, which could cause negative reactions. The short answer is that many of our customers want and successfully use controversial simulated phishing topics.

Every organization is different and its tolerance of using controversial topics is different. But in general, security awareness training (SAT) programs should strive to win “hearts and minds” and proponents versus opponents. Creating an angry workforce that reacts negatively against an SAT program because of some outlier topics is not a great outcome. Our KnowBe4 platform has over 20,000 simulated phishing “templates” and we would advise you select a less controversial template, if the more controversial ones are going to cause strong negativity. 

We know from our data of over 65,000 customer organizations and over a billion simulated phishing tests that sending--ideally once a month--simulated phishing tests is one of, if not the best, things you can do to reduce cybersecurity risk in your environment. 

Social engineering and phishing accounts for 50% to 90% of successful cybersecurity exploits (depending on the data you rely on). No other cybersecurity attack root cause comes even close, although unpatched software and firmware trails in second place involved in around 20% to 40% of attacks. Doing simulated phishing tests is the best way to educate your workforce about various social engineering threats. 

It is the best type of security awareness education, far more effective than regular training content alone. In the average customer environment, about one-third of untrained employees will click on a phishing (or simulated phishing) email. After training, including simulated phishing tests, that percentage falls to around 5%. Many of our customers, with frequent simulated phishing tests, get that percentage down to 2% or less. Doing simulated phishing tests is one of the best defenses you can deploy.

Real-world bad actors often use “controversial” social engineering attacks that create immediate emotional responses. Bad actors use politics, and our love or hatred of a particular politician or ideology, against us. Bad actors intentionally pick and use news events with two highly charged sides. They pick subjects like pay raises, awards, and celebrity news to motivate us to click without taking the time to verify that the email is real. Bad actors intentionally use “controversial” topics so that we will throw away our normal, healthy skepticism, and react without thinking. Bland subjects allow people to slowly consider the available evidence and make rational decisions.

The whole purpose of SAT simulated phishing campaigns is to test your workforce’s response to in-the-wild malicious phishing. If a big part of real-world phishing is intentionally causing emotionally charged responses, it would make sense for some simulated phishing campaigns to include them. You want users who fail emotionally charged simulated phishing tests to understand how those emotions motivated them, how to recognize the feelings of a highly charged, emotional response, and how to effectively and safely deal with it. 

If done correctly, a user seeing a highly emotionally charged email will understand that it is exactly the reason why they need to slow down and better inspect the email for other signs of social engineering. Simulated phishing tests are trying to introduce common scenarios used by real-world bad actors and make the user’s thoughtful inspection and response an innate part of their behavior. You want the inspection of every email to be a natural part of their behavior, especially if that email seems to be intentionally going out of its way to motivate an immediate response. 

When we are teaching our kids how to drive, we are constantly pointing out real-world scenarios that could cause bad accidents. We tell our young drivers not to follow other vehicles too closely because the car in front could make a sudden stop. We tell inexperienced drivers to look both ways before proceeding through an intersection, even if they have the legal right-of-way because another driver coming in the perpendicular direction could make a mistake and cause a bad T-bone accident. We tell them not to get distracted by fiddling with the radio or other switches in the car. In teaching new drivers, we are trying to expose them to common scenarios that often lead to bad accidents. 

It is the same thing with simulated phishing. We want to expose our workforce to common phishing scenarios and use any failures as teachable moments to improve more secure behavior. Without exposing the user to common phishing tactics, including now and then emotionally charged simulated phishing attacks, they are not being truly exposed to the real-world of phishing. And training gaps can be destructive and expensive to an organization.

So, possibly the better question is, should an SAT program administrator NOT use controversial topics just to avoid negative employee and management responses? Should the SAT administrator allow bad actors to be the only one testing the high emotions of their co-workers?

In general, SAT administrators should use, at least as part of their program, simulated phishing emails that generate highly emotional responses. But there is a delicate balance between trying to give the most effective training possible and sending out topics that seem tone-deaf and highly “unfair” to management or workforce. We recommend not crossing that line. 

If you think a particular phishing template will be too controversial, choose another topic. You can choose a slightly less controversial topic and still get the message across that you hoped to teach. All simulated phishing emails, whether highly controversial or not, contain many signs that the email is a phishing (or simulated phishing) email, and that is really what you are trying to teach. Teach in order to win friends and perhaps even champions.

The ultimate answer is that every organization will have to decide on its own whether to include specific controversial topics in their simulated phishing tests, and if so, what topics are allowed. There are thousands of topics to choose from. Try to pick a realistic topic used in real-world phishing that does not bring about a lot of negativity. You want your security awareness training program to change behavior and ultimately create a stronger security culture.