Pentesters must take ethics/cultural events into account when planning phishing pentests. I don’t use any fear pretext or ones that compromise a person’s ability to plan (financially for example) or stay safe, etc — there we use education instead of attack. https://coppercourier.com/story/godaddy-employees-holiday-bonus-secruity-test/
Many argue “criminals will use fear to target your employees” or “criminals would offer $500 during COVID” — sure, a criminal would. But you can educate on that to prepare your people for those pretexts! They have to trust you as a helper so you can support and keep them safe.
Don’t compromise people’s ability to trust you as a helper in your job — keeping employees safe, teaching new concepts, helping when things go wrong, trusting security recs to prevent attacks.

You can pentest with a different pretext and educate on the criminal pretexts!
When folks fall for an email, call, text, or social media attack they won’t remember the right thing to do more if it’s a pretext that makes them feel you and your team are insensitive or rude. They’ll just remember they distrust you personally more — when you need their trust!
Set up a program that doesn’t rely on fear or their safety (like ability to financially plan during a crisis). Educate on how criminals pretext, then test using ethics-informed pretexts. The only thing folks learn when scared/unable to safely plan is that you can’t be trusted as a helper.
If you notice that your org struggles here & is unsure about what to do instead, there are plenty of ethical hackers and social engineers who can train you on how to build an education, awareness, and testing program that supports and educates employees rather than hurting them.
If your program focuses on click rate, you’re incentivizing your infosec team to scare to get a high click metric. Clicks are not the whole picture — instead: also measure reporting, speed of reports, how tech tools blocked before it hit inboxes, speed of internal comms to alert!
Then report rate will increase when you reinforce folks reporting, speed of alert on company slack, email etc will increase as folks get excited to be the first to catch and alert about a phish they notice, then your tech tools will stop reported emails from hitting inboxes!
Technical tools should make it hard for attacks to hit inboxes. People do need training for when (not if) attackers get thru but your phishing prevention tools should make it annoying for attackers to hit inboxes, MFA & pw managers should annoy criminals looking to cred harvest.
& a lot of programs focus solely on training to prevent phishing attacks (and it is needed bc one day attackers will get thru your tools or use phone, etc) but we need to equip people with *technical tools* so they receive fewer attack attempts. That’s on us to equip and develop!
Muting this thread now, have a great holiday if you’re celebrating! I hope you get to eat some cookies, some good food, or whatever treats make you happy today.
You can follow @RachelTobac.