Ask HN: Should Banks Phish Their Own Customers

jwally | 21 points

Good practices I'd appreciate from my bank:

* Zero links on legitimate emails. Any email with a link is automatically a phishing attempt.

* Minimal content in mails. Any personal details other than my email address and first name absent in the notification. All the relevant content in the secure messaging section of my customer access.

* Clear categories of emails, and an easy way to unsubscribe from each.

* Direct-to-support-team phone numbers advertised on the website.

* Periodic reminders about good practices (e.g. a legitimate mail will never ask you to follow a link or click on a button; a one-time code can only be entered in the app and never used in any other way or given to anyone through any channel).

Rygian | a month ago

Speaking strictly as a non-technical employee at an org that does this regularly, I view the practice as an anti-pattern, un-educative and denigrating.

Should we place dummy card skimmers on gas pumps to teach people to be cautious of credit card fraud? Would you conduct a similar campaign over the phone or in person?

Don't lie to your dependents. Secure your infra.

seemaze | a month ago

No and yes. I wouldn't want my bank to do that to me because it's too paternalistic. At the same time, we recently had these at work. I didn't fall for it, but I'm surprised I wasn't immediately suspicious from the sense of urgency it created. Telling people what to look out for is one thing, but unless we train for things, we often don't know what to do in the moment.

dehrmann | a month ago

Extending managed phishing campaigns to customers sounds like a very good way to erode the trust of those customers in your bank.

delogos | a month ago

I would avoid dealing with any company that did this sort of thing, even if they offered me a way to opt out of it. In order to play "we were lying to you for a good reason! isn't this fun!" games with their customers, a company needs to cross the "we lied to you" line, and that is something they should not do with their customers.

(my employer runs these sorts of tests and I'm fine with it, the expectations in that relationship are quite different)

justin66 | a month ago

The customers who don't need phishing training - the ones who recognize what you are doing - will be understanding at best, and slightly annoyed at worst.

The customers who need phishing training are going to become more confused. Since some of the phishing emails now come from the bank, they are going to have a harder time than ever figuring out which emails are legitimate.

Offer free guides and classes to help your customers learn to remain safe. Do not include phishing tests that erode trust and confuse your most vulnerable customers.

unregistereddev | a month ago

Can I bill the bank when they waste my time on this activity?

Even if I could, I would still be dubious. It seems that the long-term efficacy of phishing tests is still disputed.

wzdd | a month ago

It would be better if banks educated customers on best practices such as "don't trust anything on a different domain" and "only provide PII for verification if you are the one initiating the call". Of course, both of those would require that banks stopped engaging in those two practices which make legitimate interactions indistinguishable from phishing.

kevinpet | a month ago

Make it an opt-in service. Offer a quarter point rate bump on customers’ savings accounts, and maintain it only if they pass your phishing attempts.

Good for the company because it increases the savviness of their customers, good for customers because they become more savvy (and make a few extra bucks).

syndicatedjelly | a month ago

Our company phishes its own employees, through a contract with an external security consultant. Hilariously, those emails include a special header that gives away their source. An engineering co-worker wrote a script that sends them directly to the trash, even though we are supposed to send them to the consultant to "report the incident". Since there's zero reward/incentive for reporting them, most of the engineers don't bother with them anymore.

For the non-engineers, I imagine it's better for them to click on a test email and learn their lesson rather than clicking on a link from an actual phisher. We've had phishing attacks work in the past, so I suppose it's not a bad practice overall for non-technical employees.

voakbasda | a month ago

Phishing campaigns barely do any good if they are well-prepared and accompanied with good communication in a company environment. Employees need to be aware of phishing tests and have to have a way of reaching out to those who conduct them. If you run phishing tests, employees need to be able to verify if what they have received is indeed part of a simulation or a real phishing mail. At the end of the day, phishing trainings just tell you who is already good at identifying suspicious emails. The training effect is negligible.

Without the support infrastructure of internal company communication, phishing your customers most likely leads to more confusion and open support tickets.

_tk_ | a month ago

No. Banks reminding customers about the dangers but I expect my bank to not send me deceptive sht even if supposedly for a good cause.

At work I'm ok with it though. Certain roles move millions in cash regularly, so fire drills are just part of life.

Havoc | a month ago

These services attempt to teach users to guess whether email content has malicious intent. But if an email from no-reply@chase.com says someone emptied your savings, you can't just laugh it off.

From a technical perspective, in order to successfully reach customers, they have to actually pass DMARC/DKIM/SPF tests and also some spam filters. For a company to do this to their employees, they typically have to ask their email admins to whitelist such a service or even let it use a legit company domain. When I got such an email for the first time, I thought our email system was compromised.

zzyzxd | a month ago
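The two technical observations in this thread (a simulation only lands if it passes SPF/DKIM/DMARC, so the vendor gets whitelisted or a legitimate domain; and the vendor's own header is what gives the mail away) can be checked on the receiving side. The following is an added example, not code from anyone in the thread: it parses constructed sample messages with the standard `email` module, reads the `Authentication-Results` header, compares the From domain with an assumed bank domain `bank.example`, and looks for a hypothetical simulation header named `X-PhishSim-Campaign` (a placeholder, not any real vendor's header name). It shows that once a simulation is whitelisted, authentication results alone cannot distinguish it from genuine mail.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the bank's real sending domain, and the
# header name a simulation vendor stamps on its mail (both hypothetical).
EXPECTED_DOMAIN = "bank.example"
SIMULATION_HEADER = "X-PhishSim-Campaign"

# Constructed sample messages (not real mail). Each mimics what a receiving
# MTA would have added in Authentication-Results before delivery.
SAMPLES = {
    # Genuine mail: all three mechanisms pass and the From domain matches.
    "legit": (
        "Authentication-Results: mx.example; spf=pass smtp.mailfrom=bank.example;\n"
        " dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example\n"
        "From: Bank Alerts <alerts@bank.example>\n"
        "Subject: Your statement is ready\n\n"
        "Log in via the app to view your statement.\n"
    ),
    # Lookalike domain: SPF and DKIM pass for the *attacker's* domain, which is
    # why alignment with the expected From domain matters, not just "pass".
    "lookalike": (
        "Authentication-Results: mx.example; spf=pass smtp.mailfrom=bank-example.com;\n"
        " dkim=pass header.d=bank-example.com; dmarc=none\n"
        "From: Bank Alerts <alerts@bank-example.com>\n"
        "Subject: Urgent: verify your account\n\n"
        "Click here within 24 hours.\n"
    ),
    # Whitelisted simulation: fully authenticated on the real domain, so only
    # the vendor header distinguishes it from genuine mail.
    "simulation": (
        "Authentication-Results: mx.example; spf=pass smtp.mailfrom=bank.example;\n"
        " dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example\n"
        "X-PhishSim-Campaign: q3-awareness\n"
        "From: Bank Alerts <alerts@bank.example>\n"
        "Subject: Action required\n\n"
        "Please confirm your details.\n"
    ),
    # No authentication results at all (e.g. injected past the MTA).
    "no_auth": (
        "From: Bank Alerts <alerts@bank.example>\n"
        "Subject: Hello\n\n"
        "Nothing to see here.\n"
    ),
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", re.IGNORECASE)


def parse_auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc results from every Authentication-Results header."""
    text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return {mech.lower(): result.lower() for mech, result in AUTH_RE.findall(text)}


def sender_domain(msg) -> str:
    """Domain part of the RFC 5322 From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Classify one raw message as trusted, suspect, or a known simulation."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    from_domain = sender_domain(msg)
    reasons = []
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            reasons.append(f"{mech}={auth.get(mech, 'missing')}")
    if from_domain != EXPECTED_DOMAIN:
        reasons.append(f"from-domain {from_domain!r} is not {EXPECTED_DOMAIN!r}")
    if msg.get(SIMULATION_HEADER):
        verdict = "simulation"  # vendor header present: route to the report address
    elif reasons:
        verdict = "suspect"
    else:
        verdict = "trusted"
    return {"verdict": verdict, "reasons": reasons, "auth": auth, "from_domain": from_domain}


def triage_all() -> dict:
    """Run triage over the constructed samples; returns name -> verdict."""
    return {name: triage(raw)["verdict"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{name:11s} {result['verdict']:10s} {result['reasons']}")
```

Note that the "simulation" sample earns no `reasons` at all: once the vendor is whitelisted on the real domain, the mailbox side sees exactly what it sees for genuine mail, which is the point the comment above makes about whitelisting. Checking DMARC alignment against the expected From domain, rather than a bare `spf=pass`, is what catches the lookalike sample.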

Something like a quiz similar to [0] with a small reward would be better.

[0] https://phishingquiz.withgoogle.com/

a-r-t | a month ago

If banks spent money on this rather than on enabling support for hard-to-phish MFA options like hardware keys (FIDO2), I would change banks.

We have solutions to most of the phishing attacks, but most people find them hard to use or don't want to use them, as they are seen as not important. I've made comments to several companies that SMS- or TOTP-based MFA is not phish-proof and that they need to implement something stronger, but it is often ignored.

tkems | a month ago

If we had a strong professional media, you could possibly pitch it as proactive training for high-risk customers. Unfortunately, the quality of journalism has declined dramatically over the past decade. Now, it's a coin toss whether you could even convince a major publication that you weren't in fact phishing your own customers.

A headline like “ABC Bank admits to phishing its customers” would most likely be the end of ABC Bank.

hluska | a month ago

You can do it but don't tell them you're doing it. Either they don't bite, and nothing needs to be done, or you hook them. Don't tell them, but now you know what works. Next, educate them through normal channels, or change something about your communication with the client that makes them recognize the phishing attempt next time. Change something to make the phishing attempt stand out more.

navane | a month ago

I would happily trim all passwords of these security assholes to 7 characters without any notice and watch them being locked out of the systems. If they are "testing" their customers this way as well, I'd love to avalanche them with dozens of "Are you American, respond in writing within 3 days" FATCA letters.

lifestyleguru | a month ago

Most internal phishing tests are not that good. They sound good, but don't change much. Banks and emails should just be segregated to other, more appropriate channels. Ultimately, you can't save users from their own weaknesses.

SebFender | a month ago

This shouldn't be done directly from the bank but as a third party that is supported by the bank and a bunch of other companies concerned about this.

That way the bank doesn't have to worry about any legal or good will issues from doing this.

LonelyWolfe | a month ago

Why would a bank accept responsibility when a customer becomes a victim of fraud? How would the bank discern between customers that are actually victims, and customers using this responsibility to make the bank the fraud victim?

cess11 | a month ago

IMO teaching people about passkeys and making the onboarding experience as easy as possible would be many times more effective at actually preventing phishing.

csharpminor | a month ago

No, you do phishing of your own employees to identify employees who need more training. What would be the outcome of doing it to your customers?

spiderxxxx | a month ago

I'm surprised so many are against it. I think it should be mandatory, and include phone calls and letters as well. We can't force everyone to read The Art of Deception. But we can force banks to educate their users.

dec0dedab0de | a month ago

Dark patterns are basically phishing so some of them probably already do it.

reportgunner | a month ago

No, but basic opsec should become part of home economics in grade school.

willmadden | a month ago

Let's start with some light Grateful Dead and see how it goes.

minikomi | a month ago

Should your homeowners insurance red team your house?

tekno45 | a month ago

Are these campaigns even effective?

monkpit | a month ago