Article by Sandrine FRÉMEAUX, professor at Audencia Business School and Yvan BAREL, professor at the University of Nantes

One of the recent news stories that caught our attention was that of US web provider GoDaddy who had to apologise to its employees after sending them an email promising a USD650 Christmas bonus and asking them to fill out a form with their personal details that turned out to be a computer security phishing test…

The development of remote working since the start of the epidemic has dramatically increased the risk of phishing attacks. HMRC detected a 73% rise in email phishing attacks from March to September in the UK.

The fight against phishing is certainly a serious issue, and it is vital that employees are aware of the risks of external attacks by offenders posing as colleagues in order to gain access to confidential information or disrupt systems.

But should management – with the help of IT teams – trick their employees to teach them a lesson about the risks of cyberattacks? Was GoDaddy (and so many others) right to test employees by sending them fake phishing emails in order to identify those who were most susceptible to scammers? The idea of this type of action is that once they have been caught out, these “feckless” employees should undertake mandatory cyber security training.

However, several studies have shown that this type of action is far from effective, and can even have harmful consequences.

Firstly, employees who were caught out in this way seemed just as likely, and sometimes even more likely, to be vulnerable to future cyberattacks. Secondly, these ‘guilty’ employees were likely to feel shame, resentment and a weakening of their confidence, and their commitment to the company and their productivity was adversely affected. Finally, it was perceived as a breach of trust by management, making it more likely that the employees would become passive and distrustful, even ignoring future management emails.

Moreover, these fake phishing emails can cover highly sensitive and vital subjects, for example, making employees believe that they must quickly sign up for a mandatory coronavirus screening campaign. It is even worse when the sender name used by the IT department is that of the company’s own HR Department, whose function is to protect and help employees, not to trick them.

So why do some organisations choose to trick their employees in such a way? It is undoubtedly the result of a purely rational vision of risk – like vaccination. The employees are ‘inoculated’ with a phishing email, the rationale being that this action, like a harmless injection of virus, should lead to immunity. Or IT departments, fearing that the training they provide in normal circumstances often has little effect, decide to use shock tactics to jolt their employees out of a false sense of security.

It is above all a human story, a story of IT departments fearing that their training will be badly received and not understood. But the problem is that those employees who are caught risk being presented as naive, reckless or irresponsible, when they are more often the victims of a lack of education. And the responsibility for this clearly lies with IT departments.

By opting for this type of action, IT departments forget that many employees are in fact eager to be educated, to be helped, to be supported, and to know more about cyber security. As a result, the tricked employees are less likely to see cyber security training as a positive step, and more likely to see it as a sanction or a threat.

Employees need to be supported by IT teams to protect themselves against cyberattacks. The gifts of time, attention, vigilance and information from IT departments are precious, and they are even more valuable when they can be received in a spontaneous manner. No matter how anxious management teams are to ensure the highest standards of resistance to cyberattack, they must completely resist the temptation to stigmatise staff. They should instead choose a dynamic of mutual aid and support, delivered without fear or coercion, allowing all employees to work efficiently and to feel safe at the same time.