Imagine you receive an email from your boss saying that there’s a new promotion at work. All you have to do is log into the secure portal provided, complete a 5-question survey, and you’ll get a $200 bonus that month. “Wow”, you think. “This is just what I needed to cover my unexpected medical expenses! What a relief!” You sign in and immediately get notified that you’ve fallen for a phishing test. How do you feel? You’re likely defeated, upset, and maybe even angry. “That wasn’t fair!” you think.
What do you, the reader, think? Was it a fair test?
Some might say yes. Attackers don’t care about your medical expenses, so why should that angle not be tested? Others say no: we aren’t real attackers, so we shouldn’t test employees in that way. What’s the right answer?
A Christmas Bonus
During the pandemic, one company performed a phishing test much like the one in our intro. They tested employees by saying that the company had had a great year and was giving $650 Christmas bonuses to all employees who filled out a form. Nearly 500 employees fell for it. Those employees went public with complaints that it was an insensitive and tone-deaf test, and the company ended up publicly apologizing. That test clearly did not leave employees with positive training points.
Clearly, the test could have been conducted in a more ethical manner. How so? The company could have instead said they were going to do a Christmas raffle. Something along the lines of “If you fill out the attached form, you will be entered to win a $15 iTunes gift card.” With just a few changes, this test would have left employees without the sense of loss they surely felt from the initial test.
Leave Them Feeling Better for Having Met You
Here at Social-Engineer, LLC, our core motto is “Leave them feeling better for having met you”. Is that possible if we’re preying on someone’s base need to provide for themselves and their family? No. The same goes for leveraging other intense emotions, such as fear. There’s no good training point if we threaten to fire someone. Our goal is not just to get a “win” for ourselves, but to leave a moment that your employees can learn from. Because of this, Christopher Hadnagy created a Code of Ethics for social engineering that we follow at our company. The Social Engineering Code of Ethics accomplishes these three important goals:
- Promotes professionalism in the industry.
- Establishes ethics and policies that dictate how to be a professional SE.
- Provides guidance on how to conduct a social engineering business.
Why Is It Important?
Why is a code of ethics for social engineering, and more specifically for phishing and vishing, important? Because even though we are paid to mimic the bad guys, we aren’t the bad guys. Our goals are not the same. We aren’t trying to get a win at any cost, or at least we shouldn’t be. Additionally, we need to keep in mind what our goals should be: to train employees and to better secure companies against malicious attackers. We can’t do that if we mimic the malicious attackers in every way. Why not?
Picture launching an attack like the one we opened with. What do you think the employee will remember about that “training” experience? Likely, it will be the negative emotions felt, not how to remain safe in the future. This is exactly what we, as professional social engineers, want to avoid. Rather, we want to leave them with solid, teachable moments. We want them to be able to focus on identifying the signs of a threat, rather than being sidetracked by the negative emotions we’ve created.
Remain the Good Guys
It’s true that training in this way, with a focus on influencing positive emotions, is not always easy. Negative pretexts are often much easier to create. But we think it’s well worth the effort. Introducing ethics into social engineering ensures that we impersonate the bad guys but remain the good guys. At Social-Engineer, we pride ourselves on what we do and how we do it. It’s what makes us different. We provide education and awareness to your employees, all while leaving them feeling better for having met us.
For a detailed list of our services and how we can help you achieve your cybersecurity goals please visit: