Future Tense

Do Fake Phishing Emails Really Teach People to Recognize Scam Messages?


Earlier this month, an email went out to a large listserv at my university offering faculty, staff, and students $720 in “Covid-19 benefits” to “get through these hard times.” To claim the money, all you had to do was click on the form linked in the message and fill out all the requested information, including your full name, address, date of birth, social security number, driver’s license number (as well as its date of issue and expiration date), bank account number, and bank routing number. The final sentence of the email warned: “If you do not submit all the information requested, your application will not be processed.”

You know where this is going: It was a phishing email, sent out to try to capture personal information from unwitting recipients, by scammers who were presumably banking on the hope that people would see the promise of money and immediately click through. (I didn’t submit my information, but then I live with a pretty high level of paranoia about whether most of my email is actually coming from people trying to steal my identity.)

That was the same rationale behind a phishing email that went out this week to employees at the Tribune Publishing Co. announcing bonuses of up to $10,000 to thank them for their “ongoing commitment to excellence.” Except that those emails weren’t sent by scammers—they were sent by the Tribune Publishing Co. itself, as part of a phishing training and test, to see whether recipients would click on the enclosed link to find out how large their bonus was. Those who did click on the link were immediately directed to a site that informed them they had failed the test. The imaginary bonuses had just been used as bait.

Predictably, this particular cybersecurity awareness-raising exercise, dangling the promise of a fake bonus only to teach a fairly generic lesson about email security, generated a fair bit of backlash among the email recipients, as the Washington Post reported. Many of the people who received the emails pointed out that they came on the heels of several cost-cutting measures at the company and took advantage of how susceptible employees were to any sign of good financial news. A Tribune Publishing spokesman told the Post: “In retrospect, the topic of the email was misleading and insensitive, and the company apologizes for its use.”

I have a great deal of sympathy for the employees who felt that their hopes were raised just to make a point about cybersecurity. Framing phishing exercises with the premise of a large raise, particularly at a financially precarious moment, is a manipulative and, yes, slightly cruel tactic.

At the same time, though, scammers are manipulative and cruel—and do not hesitate to take advantage of moments like these when many people are especially susceptible to financial pressures and promises. Arguably, one of the best ways to prepare people not to respond to a message offering me $720 from my employer is through tests like the one levied by Tribune Publishing that emulate a skillful spammer’s tactics as closely as possible.

Recently published work by researchers at the National Institute of Standards and Technology emphasizes that test phishing emails can yield very different click-through (or failure) rates depending on how well they are masked. In particular, the researchers highlight that people are much less likely to be able to identify a phishing message when its premise “aligns with a user’s work context,” as the Tribune Publishing Company’s message did. Tricking as many employees as possible into clicking on a fake phishing email may not be the goal of every employer—indeed, many might rather find low failure rates during such exercises. But crafting trickier fake phishing messages could help raise awareness for recipients who would be able to identify more obvious phishing emails but are still susceptible to emails tailored to their job and employer.

That assumes, however, that exercises like the one run by Tribune Publishing actually help prevent people from clicking on future phishing emails. There’s been quite a bit of research looking at a variety of different phishing training techniques, from email-based tests like the Tribune’s and instructional videos to games that teach you what to look for in suspicious messages. Many of these studies suggest that such tactics have some impact on people’s ability to identify phishing messages, though their effectiveness appears to wear off over time.

For instance, a recent study conducted by researchers in Germany and published this summer in Symposium on Usable Privacy and Security attempted to estimate how long the effects of these trainings actually last. The researchers studied 409 employees at a German office and found that video-based trainings and interactive exercises had the longest-lasting influence on participants. But even those effects only lasted about six months after they were conducted, suggesting that for these initiatives to be effective they must be repeated at regular intervals—news that the Tribune Publishing employees are unlikely to relish.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.