16 April 2021 / Elaboration

Why you should try phishing your colleagues

Practice makes perfect and it’s no different for cybersecurity. Those who never come into contact with digital threats will not recognise them when they come face to face with them.
Monday morning, 9 o’clock. Jake sits down at his desk with his first coffee of the day. In the hours to follow, he plans to drink two more cups; it’s his regular routine. He traditionally starts his working week by sorting through his mailbox: over the weekend he has received several documents from colleagues, and his first job is to check them for urgency.

He routinely sorts the first four messages. The folder structure he has created over the years works a treat and gives him a good overview of his priorities. With the fifth e-mail, things go wrong. Sylvia, an IT colleague, informs him that there is a problem with his company account – could he please check it and change his password? One failed login attempt later, he chokes on his coffee: his computer shows a red screen and is demanding a ransom. The next coffee will have to wait…

Unknown makes unloved

The above story looks a bit boring, almost predictable. Yet it is one of the most common scenarios that cause entire organisations to go under. 90% of all cyber problems stem from a small, human error, and they are easily made. It only takes one locked computer to bring down an entire company.

Too often people think that hackers use elaborate, well-thought-out programs and strategies to trap someone. This is because they simply have no experience with it. In reality, cybercriminals do little more than select victims and approach them in the simplest way possible. Simplicity is key: the easier and more credible, the greater the chance that the victim will fall into the trap.

In this case Jake is not doing anything wrong: he reads, evaluates and processes e-mails that seem to come from his colleagues and he does his best to keep his organisation running. With a routine job, of course, the devil is in the details: a criminal often sends out generic messages that can fit perfectly into a daily workflow. Those who then have insufficient experience with the small elements that give away rogue e-mails are helpless prey.

Phish your colleagues

Discovering that you have been tricked is never pleasant. Victims of our phishing simulations often understand the need for such exercises to protect their organisation. However, sometimes we receive reactions that show they do not appreciate the exercise. ‘I was not prepared for this.’ ‘This is unfair.’ ‘Too realistic.’ This is just a small selection of common indignant reactions.

For Phished, that’s exactly the point: people are never prepared for a phishing attack. Hackers use the same tactics (and techniques) as we do, but with a less educational angle or intent. Criminals know no mercy, which is why it is important that everyone is as prepared as possible – through training, education and simulations.

Trying to phish your own colleagues is therefore a strong, legitimate strategy to better protect an organisation. At least, if it is done in a responsible way. This is where Phished comes in: using realistic phishing simulations, tailored to the recipient, employees are trained in an automated way to recognise and deal with real threats.