Simulated phishing attacks are gradually becoming a more accepted method of training users to spot a phony email rigged with a malicious link or attachment, but staging fake phishing attacks can backfire if users are completely blindsided -- or if they become so used to the exercises that they stop taking them seriously.
"In the early days of simulated phishing, people were more cavalier when they deployed this," says Perry Carpenter, a former Gartner security awareness analyst who is now working as a security expert in the financial sector. "When you do this in a cavalier way without any forewarning and want to exact some kind of penalty [for users who fall for the attacks], then users just feel like you are out to get them. You don't want to be in that situation."
That doesn't mean taking the fire-drill approach and alerting users that a fake phishing attack is scheduled for Monday at 9 a.m. -- you need some element of surprise. The best strategy, according to experts and chief security officers (CSOs), is to tell users about the simulated phishing training program you're launching or running, why you're doing it, and how it will make them and the company safer and more secure, while keeping the timing and content of individual test emails unannounced.