A few months ago, phishing training hit the headlines. Directors within a number of large companies (both in the US and in the UK) decided to entice their staff to click on a link. They did this by deceiving them with promises of bonuses for their hard work during the lockdown.
The backlash was fast and furious as the stories went viral. Quite right too. There’s no leadership manual that recommends tricking your staff or damaging trust between you and your team.
Now, some may say there’s no such thing as bad publicity. This line, often attributed to P.T. Barnum (the circus guy), may well have been true back when you were selling tickets to see dogs on bicycles and the reach of the publicity was limited.
But let’s face it, we live in an era where the whole world is ready and waiting to read about your mistakes. And to make things worse, those mistakes usually stay online forever. So, what may have been true then doesn’t hold today. There is such a thing as bad publicity.
It is no wonder that Facebook decided to clamp down on Proofpoint’s use of their brand as part of their ‘phishing training’ exercises.
Facebook did not challenge Proofpoint’s use of their image because they were concerned with the end user; they challenged it because Proofpoint’s use infringed their trademarked brands.
It was reported by Catalin Cimpanu of The Record that amongst the domains Facebook included in their filing were facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net, and instagrarn.org. These had all been registered years ago by Proofpoint for their customers to use to ‘train’ their staff.
Not to labour a point I’ve written about before, the results are in. According to the experts, phishing training:
- Has limited efficacy: surveys from leading academics reveal that any gains evaporate within days
- Is a black hole for resources: phishing training is expensive by any standards, and more so when you factor in the rather poor long-term results
- Reduces trust in leadership, which in turn hurts productivity
So what now?
No firm goes to the time, trouble and expense of creating, building, and trademarking a brand, only to have it damaged and exploited by someone else. So the news that Proofpoint is dropping its case is not only a win for firms, like Facebook, whose brands have been misused, it’s also a win for the end user, whose days of being subjected to tiresome and ineffective phishing training exercises may now be numbered.
I’m not usually a fan of Facebook, but by taking this step to secure their own brand they have, perhaps inadvertently, created an impact that has broader benefits.
How can we tackle phishing? The rise of the machine
I think it’s fair to say that after today, phishing training exercises are – for any rational buyer – off the table.
Not simply because they don’t stack up when their efficacy, expense, and long-term utility are reviewed, but because firms will no longer be able to exploit the trusted digital assets that belong to major brands, nor assets that closely resemble them. Their goose is well and truly cooked.
So what can firms do to drive down phishing attacks in their organizations?
The hard truth is that the most commonly used and effective types of email impersonation scams do not simply fool the human, they fool the computer. So phishing training was never your answer to begin with.
To start with, full DMARC compliance is a must if you want to stop spear phishing emails even reaching your employees’ inboxes (the type which appears to come from your ‘CEO’ requesting that you pay an invoice or open a suspicious file). By implementing DMARC – a global protocol that lets receiving mail servers reject messages forging your domain – you’re clearing the first hurdle of email security, protecting your brand, business, reputation and supply chain. It can be hard, but tools such as OnDMARC exist solely to help you configure this.
Then, there’s Advanced Threat Protection, a tool to help your inbox recognise fraudulent emails at the drop of a hat. After all, why would you ask a human to do a computer’s job when there are tools like OnINBOX?
And the good news keeps coming. There are even tools that can help businesses discover lookalike domains so that they can take immediate action to protect their digital brand by issuing takedown notices and by immediately blocking those sending domains on the inbound side.
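The inbound-side check described above, as an added example that is not part of the original post or of any product named here: inbound sender domains are compared against a constructed list of protected brand domains after folding common character confusables (such as `rn` for `m`) and stripping bait words appended with hyphens. The registrable-label logic is a simplification; real tooling would use the public suffix list.

```python
from difflib import SequenceMatcher

# Constructed list of brand domains to protect (assumption for this example).
PROTECTED = ["facebook.com", "instagram.com"]

# Character sequences that render like another letter in common fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_label(label: str) -> str:
    """Fold visually confusable sequences so 'instagrarn' compares as 'instagram'."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def registrable_label(domain: str) -> str:
    """Return the second-level label (simplification: no public suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_score(candidate: str, protected: str) -> float:
    """Similarity in [0, 1] between a candidate domain and a protected brand label."""
    cand = normalize_label(registrable_label(candidate))
    brand = registrable_label(protected)
    # 'facbook-login' should be scored on 'facbook', not the whole hyphenated label.
    core = cand.split("-")[0]
    return max(SequenceMatcher(None, cand, brand).ratio(),
               SequenceMatcher(None, core, brand).ratio())


def flag_sender(address: str, threshold: float = 0.8):
    """Return the protected domain an inbound sender resembles, or None if it looks unrelated."""
    domain = address.rsplit("@", 1)[-1].lower()
    # The brand's own domain and its subdomains are legitimate; DMARC handles spoofing of those.
    if any(domain == p or domain.endswith("." + p) for p in PROTECTED):
        return None
    best = max(PROTECTED, key=lambda p: lookalike_score(domain, p))
    return best if lookalike_score(domain, best) >= threshold else None


if __name__ == "__main__":
    # Constructed sender addresses using lookalike domains named in the article.
    for addr in ["hr@facbook-login.com", "security@instagrarn.net", "bob@example.com"]:
        print(addr, "->", flag_sender(addr))
```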
Finally, if that isn’t enough to cheer you up today, there’s also a brand-new email authentication standard available for DMARC authenticated senders. Backed by Google and their Gmail team, BIMI (Brand Indicators for Message Identification) enables businesses to attach their registered logos to any DMARC authenticated emails they send. A win-win for business brand impressions and users alike, who have an extra indicator that emails in their inbox are coming from a trusted source. This new standard is going to reshape and revolutionize not only email security but marketing and branding for some time to come.
Some might say, the proof is in the pudding
So there we have it, a long overdue dressing down of phishing training initiatives that cost an arm and a leg, which at best don’t deliver and at worst could be deemed unethical. But while this is a singular event, it’s important that we drive forward with its message. We shouldn’t be asking humans to do the job of a machine, and if we’re going to stand a chance against phishing attacks, BEC and vendor fraud going forward, we need to use what’s at hand in terms of data, technology and tools to forge a more secure future.