Thought Leadership
Dr. Niklas Hellemann, psychologist and CEO of SoSafe, and Cybersamurai Managing Director Nicolas Leiser defend the use of phishing simulations as an effective method. Recently, Google Security Manager Matt Linton criticized phishing simulations.
Matt Linton, security manager at Google, warned: “Our colleagues are fed up with being fooled by such phishing tests. That only fuels frustration instead of being useful.”
Linton explains the downsides of simulated attacks in a blog post: Linton argues that there is no convincing evidence that simulated phishing tests can reduce the actual frequency of successful phishing attacks in organizations. A study from 2021 concluded that such exercises do not really make employees more resistant to phishing attempts. In his opinion, the biggest disadvantage of this practice is the negative impact on morale.
The industry sees things a little differently. “As everywhere, the scientific findings are quite differentiated, but there are numerous scientific studies that clearly prove the effectiveness. In their study, William Yeoh and Wang-Sheng Lee, for example, demonstrate a reduction in click rates through phishing simulations. And our own data from more than 3.2 million users and the feedback from our customers also show this: They reduce their click rates by up to 70%, their interaction rates by up to 80% and at least 70% of users show active reporting behavior within six months,” says Dr. Niklas Hellemann, psychologist and CEO of SoSafe, for example
However, Dr. Hellemann admits: “It is important – and I fully agree with Matt Linton – that companies should not demand error-free behavior from their employees, should not punish clicking on phishing emails and should not create a climate that positions phishing simulations as a “test” for employees.” “Phishing simulations that are carried out for this purpose or just to fulfill any compliance requirements will not reduce the risk in the long term, but may even increase it. The days of simple “phishing tests” should really be long gone.”
Instead, Dr. Hellemann recommends: “If phishing simulations are understood as part of a comprehensive learning strategy in which employees can test their knowledge and behaviour in an everyday attack situation and in an anonymous and fear-free space, risk metrics can be minimized in the long term.”
Cybersamurai Managing Director Nicolas Leiser also commented on the security manager’s comments to it-daily.net: “A good example of how not to introduce a security awareness campaign including phishing simulation, as it obviously leads to considerable misunderstandings and frustration among the participants,” he commented and continued: “The fact is that 85 percent of all attacks start by tricking people and only then do the machines, such as clients and servers, come into play.”
Technical measures such as passkeys, hardware keys and multi-factor authentication would support this, as the Google security manager recommended. “But even these techniques can be easily thwarted with social engineering attacks,” he adds. The aim of an awareness campaign should therefore be to motivate participants to become aware of the dangers. According to Leiser, this trains the behavior to deal with different dangers.
“The right communication with the participants is important here. We like to explain that there is a theoretical and practical part, just like in driving school. The theoretical part consists of small video trainings (2-3 minutes) the practical part consists of phishing or other social engineering attacks such as pretexting.”
To keep participant motivation high and training times and costs low, Cybersamurai tailors its training courses to the needs of individual participants. “We achieve this through video assessments and, of course, through the behavior of the participants in phishing simulations.”
It is definitely not about testing employees with phishing emails and punishing them with video training, as described in the blog post. “I also can’t understand the results of the unnamed study. We tend to hear from our customers that we were phished and were able to fend off the attack thanks to the security awareness campaign.” It is also interesting to note that the frequency of phishing simulations and participation in training courses is directly related to an individual’s susceptibility to phishing.
Like Dr. Hellemann, Leiser agrees with the Security Manager on one point: the participants’ trust should not be squandered. “From our point of view, this means not communicating the results of a phishing simulation and only training what is necessary.”
What do phishing simulations look like?
Phishing simulations involve sending employees fake emails or other messages that appear to come from a trusted source such as a colleague, manager or a well-known website. These emails often contain a link or a request to go to a specific website and enter confidential information such as usernames, passwords or credit card information.
If an employee clicks on the fake link or enters the requested information, this is registered by the company’s security team. The employee falls for the simulation, so to speak. They are then usually informed that it was an exercise and receive additional training or advice on how to recognize and avoid such phishing attempts in the future.
The aim of these simulations is to raise employees’ awareness of phishing attacks and to teach them how to recognize suspicious emails and websites and react to them correctly. By testing them in a controlled environment, employees can learn from their mistakes without actually compromising confidential data.
At the same time, the simulations reveal weaknesses in the company’s security measures, which can then be rectified. The results show which types of phishing attacks are most successful and in which departments or for which groups of employees there is still a need for more training.
