Why Ethical Phishing Campaigns Are Ineffective


Ethical phishing campaigns have a place, and the place is alongside a layered security plan.

It has been posited that targeted, long-term ethical phishing campaigns are no more effective than using your finger to plug a dam.

That is largely true, unless they are combined with a solid, well-thought-out mitigating security architecture that follows the layered defence method.

Targeted ethical phishing campaigns are usually performed by an external cybersecurity agency or internally by a business to gauge potential security holes. These campaigns consist of carefully crafted emails that are created and sent out to the organization to simulate methods used by real-world attackers. The campaigns are conducted over a period of time to thoroughly assess the ability of personnel within a business to correctly identify a phishing email. Once identified by the recipient, the campaigns aim to verify if the recipient knows how to act or respond in an appropriate way. Targeted campaigns can be tailored to suit an organization, for example targeting a Finance or Sales department.

Ethical phishing has an important role to play in protecting against cyber attacks. Plus, any cybersecurity training given to staff becomes a transferable and worthwhile skill. People who have undergone this kind of training also become more security-aware away from work, for example, while surfing the web or reading emails on their own devices. On their own, however, ethical phishing campaigns are not enough.

Ethical Phishing Campaigns

Ponder this: Your Ethical Phishing Team has just posted their latest campaign report on the Intranet, the stats look promising, and only five members of staff have clicked on the carefully worded ethical phishing emails this month. But hey, no worries, those single points of failure will each receive a communication from their managers stating that they can expect enrollment for additional 'Phishing Awareness Training'. They'll get the hang of it, eventually, won't they?

Training users to be vigilant by keeping a watchful eye on their inboxes for emails containing malicious links is a sure way to foster an appreciation and an awareness of the threats posed by Cyber-criminals and does provide some intermittent protection.


Data Breaches Still Occur

However, ethical phishing campaigns alone are not a guarantee that your business won't fall victim to a data breach. All it takes is a single user out of a few thousand to click on an email containing a malicious link; a link that allows a Command and Control (C2C) scenario, or a piece of ransomware, to infiltrate your perimeter network and jeopardize your entire business. The risks are significant: a blow to the company's reputation, as well as regulatory sanctions or fines. If you contravene General Data Protection Regulations (GDPR), that can amount to a maximum of €20 million (about $24.3 million) or 4% of annual global turnover, whichever is greater.

And that's not accounting for the costs of incident response in hours lost, specialist services, loss of revenue, and detrimental effects of the potential loss of data. This is when we find out how realistic and accurate those Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) were.

Eventually, and it could be sooner than you think, you or a member of your team are going to let a phishing email slip through that gap in your network security, and make no mistake, it is a serious gap that could see a twenty-year-old reputation of good standing ruined in a day. In 2020, 96% of phishing attacks arrived by email, and every minute companies lose $17,700 due to a phishing attack. Organizations that have fallen victim to phishing include Facebook, Google, Pathé, and Mattel, at a combined loss of $124 million. (Read: 7 Sneaky Ways Hackers Can Get Your Facebook Password.)

Why Breaches Happen

But my staff aren't stupid! I hear you say.

No, they aren't, and neither am I, but we are only human and therefore prone to make mistakes. Busy schedules, email overload, or just plain fatigue can all result in that one tiny mistake. It could happen today, tomorrow, or it might have happened last week – would you even know? Has anyone alerted the IT or security team to a potential incident?

According to Security Boulevard:

  • 22% of all data breaches in 2020 involved phishing attacks.

  • 97% of users cannot recognize a sophisticated phishing email.

  • Employees in departments handling large-scale data have problems in identifying phishing emails.

  • Recipients open 30% of phishing emails, and 12% of these targeted users click on the malicious link or attachment.

  • 78% of users claim to be familiar with the risks of unsolicited links in emails. And yet, they click on the links, anyway.

What's the problem?

It's easy to see why criminals use phishing. It is an effective technique. We may spot one or two if we are lucky and alert, but phishing emails are constantly adapting, designed to trick us and persuade us into clicking on a familiar-looking email from the CEO or CFO instructing us to act. Clicking on a link within a malicious email carries the potential to connect with a server on the Internet. Unfortunately, it could be a server belonging to a Command & Control (C2C) Threat Actor. You won't even realize what has happened – you've been phished. (Read: How to Avoid Getting Phished.)

There are several kinds of phishing attacks users must be aware of:

Spear Phishing: Whereas phishing casts a wide net, hoping to catch any valuable information, spear phishing is highly targeted and designed to access specific information.

Whaling: Phishing that is crafted to capture information from the "whales," like CEOs, CFOs and other C-suite executives.

Smishing and Vishing: Although email is the most common form phishers use for bait, they also can reach out via text or SMS (smishing) or voice messaging (vishing).

The idea behind ethical phishing campaigns seems sound. Emulate the methodology of the cybercriminals to identify where there has been a lapse in training and what sort of emails your employees are more likely to fall for. However, concerns about just how ethical it is to wage a "gotcha" campaign on your employees have been raised. Does the ethical phishing campaign change behaviour, or does it breed resentment? Do employees feel grateful for the learning opportunity or do they feel like they have been tricked?

These concerns, along with the fact that on their own, ethical phishing campaigns are ineffective, lead one to wonder what should be done.

Layered Security Defense

So what's the answer, what else should be in place, how do you close the security gap?

As previously mentioned, to protect an organization from a data breach or cyber attack via the attack vector of a phishing email, a well-defended enterprise network must have layered security in place to counter and protect against such an attack.

The National Cyber Security Centre (NCSC) recommends four layers of defense to protect against phishing attacks.

Layer 1: Make It Difficult for Attackers

The first layer is making it difficult for malicious emails to even reach the users in your organization.

This is where DMARC comes in handy as a configurable technical defense. Ensure your business has correctly configured anti-spoofing safeguards such as DMARC, DKIM, and SPF in Microsoft Exchange or a similar back-end system, and encourage your suppliers, partners, and customers to do the same.

Reduce information freely available to potential attackers by reducing your digital footprint (social media and information published on your website), and ensure incoming emails are being filtered for malicious links and quarantined where required.
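A DMARC record is only an anti-spoofing safeguard if its tags actually enforce something; `p=none` merely reports. The checker below is an added example, not code from the article or from any product: it parses a DMARC TXT record and flags the settings that leave spoofed mail unblocked. Both record strings are constructed; in practice the record would be fetched from DNS at `_dmarc.<domain>`.

```python
"""Evaluate the strength of a published DMARC policy (added example)."""
from __future__ import annotations

# Constructed sample records for two hypothetical domains (not real DNS data).
WEAK_RECORD = "v=DMARC1; p=none; pct=100"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def evaluate_dmarc(record: str) -> list[str]:
    """Return findings about weak settings; an empty list means enforcing."""
    tags = parse_dmarc(record)
    findings: list[str] = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: spoofed mail is only monitored, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    # pct defaults to 100; anything lower leaves a share of spoofed mail unfiltered.
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    # The subdomain policy falls back to p; make sure it has not been weakened.
    sub_policy = tags.get("sp", policy)
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are exempt from the enforcing policy")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so abuse goes unseen")
    return findings
```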

Layer 2: Identify and Report

The second layer is to make sure each user is equipped to identify and report suspected phishing emails. This is where ethical phishing campaigns and Red Flag training become a dynamic skill.

Layer 3: Limit Damage Potential

The third layer involves protecting your organization from the effects of undetected phishing emails.

Configure devices securely, disable macros, and install anti-malware and anti-virus software. Block users from installing software, use whitelisting, blacklisting and DNS sinkholes, and don't forget to implement two-factor authentication (2FA).

Layer 4: Respond Quickly

Alert your IT or Security team if you suspect that you have inadvertently clicked on a suspicious email. Put processes in place for everyone to follow in the event they have caused a breach and ensure your team knows who to contact and what to do. Establish an environment where people are not embarrassed to admit they "fell for it." Knowing about an incident early on can limit the harm caused.

Ethical Phishing Alternatives and Additions

This isn't to say there is no place for ethical phishing campaigns. As part of a multi-pronged defense against bad actors, they can be implemented well and yield valuable information about security in your organization. Only you know how they will be received by your employees or whether the risks outweigh the benefits. You may want to introduce the following measures instead of, or in addition to, ethical phishing.

  • Look to implement email Gateways and apply policies, such as a visual stamp within the body of the email showing: **Warning this email is from an external source – Beware**
    This will prompt your users to apply extra vigilance, causing them to pause and think twice – do I trust this email, was I expecting it?
  • Use Conditional Formatting in your email client to identify external emails, for example, you could put in a Rule that turns any incoming email from Senders outside of your business – Bold & Red.
  • Next-Generation Firewalls, Web Application Firewalls, and NetFlow Alerting.
  • Network Intrusion Protection Systems, Endpoint Protection, Email Data Encryption, and email content filtering, email authentication, and threat intelligence.
  • Off-the-shelf platforms such as Symantec, Mimecast, Sophos, and virtual link protection such as that provided by Menlo Security. Most of these solutions include AI & Machine Learning and provide some form of 'Human Layer Security' in the guise of Behavioral analytics.
  • Implement an email security platform such as Egress Prevent & Protect with built-in AI & ML, designed to protect your outbound emails.
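The external-sender stamp and the "bold and red" rule above both hinge on one decision: is the sender outside the organization? The code below is an added example, not the article's or any gateway vendor's; it makes that decision from the address in the From header rather than the display name, and only on an exact domain match. The organization domains and the three sample messages are constructed.

```python
"""Decide whether an inbound message gets the external-sender banner (added example)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAINS = {"example.com", "mail.example.com"}  # constructed org domains
BANNER = "Warning this email is from an external source – Beware"

# Constructed sample messages; only the From header matters for the decision.
INTERNAL = b"From: Finance <finance@example.com>\r\nSubject: Q3 invoices\r\n\r\nAttached.\r\n"
# Display name borrowed from the CEO, but the address is outside the organization.
NAME_SPOOF = b"From: The CEO <ceo@example.net>\r\nSubject: Urgent\r\n\r\nWire today.\r\n"
# Lookalike domain that merely starts with the org domain.
LOOKALIKE = b"From: IT Helpdesk <it@example.com.example.net>\r\nSubject: Reset\r\n\r\nPlease confirm.\r\n"


def sender_domain(raw: bytes) -> str:
    """Return the lower-cased domain of the From address, or '' if unparsable."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _display_name, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_external(raw: bytes) -> bool:
    """Exact-match membership test; an unparsable sender counts as external."""
    return sender_domain(raw) not in ORG_DOMAINS


def stamp(raw: bytes) -> str:
    """Return the message body, prefixed with the banner when the sender is external."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_content()
    return f"*** {BANNER} ***\n\n{body}" if is_external(raw) else body
```

A substring or "endswith" test instead of the set membership would pass the lookalike sample, which is the defect the exact match guards against.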


Not all businesses can afford to resource an IT or security department, or to spend valuable budget on equipment and system redundancies. However, businesses must wake up to the fact that the human aspect of their security defence is where the threat of single points of failure (SPOFs) is greatest. (Read: The 5 Greatest Security Threats from 2020.)

Ethical phishing campaigns are definitely a positive contribution to the fight against cybercriminals and go some way to protect businesses. However, unless they are part of a dynamic layered defence, the gap and the risk of a breach are ever-present and should never be left to chance.

Yes, staff should understand their role in keeping your organization safe, but should not be left out in the cold, exposed to the possibility of compromise.

Cybercriminals aren't 9 to 5, they will work tirelessly around the clock, leaving no stone unturned. They see your staff as collateral damage, an inroad to your data, and will stop at nothing until they reach your crown jewels.



John Meah
Cybersecurity Expert

John is a skilled freelance writer who combines his writing talent with his cybersecurity expertise. He holds an equivalent level 7 master's degree in cybersecurity and a number of prestigious industry certifications, such as PCIP, CISSP, MCIIS, and CCSK. He has spent over two decades working in IT and information security within the finance and logistics business sectors. This experience has given John a profound understanding of cybersecurity practices, making his tech coverage on Techopedia particularly insightful and valuable. He has honed his writing skills through courses from renowned institutions like the Guardian and Writers Bureau UK.