Fake Phishing
These are used only when a
Emails From
Companies
Get Creative
BY ANN-MARIE ALCÁNTARA
J uSong Baek remembers the
email all too well.
In early September, he
opened his work inbox to amazing
news: He was officially off the wait
list for Taylor Swift’s Eras Tour—he
could buy tickets for her Toronto
show.
But just before the 26-year-old
product designer clicked on the link,
he remembered something: He
didn’t use his work email to register
with Ticketmaster. It was a phishing
test from his employer.
What once began with Nigerian
princes asking for help in exchange
for riches has become far more so-
phisticated social engineering, and
companies are rising to the threat
by getting creative in their training.
These simulated phishing emails
promise bonuses, gift cards and yes,
once-in-a-lifetime concert tickets.
The practice has left some employ-
ees chuckling, and others wary
about the lines companies might
cross to test someone’s cybersecu-
rity competence.
Baek recognized the Taylor Swift
ticket alert as a phishing email be-
cause its urgency seemed suspi-
cious. When he clicked a phishing
alert button in his email, he learned
it was sent by his own company.
“I’ve never felt more personally
attacked by an email,” says Baek,
who lives in Edmonton, Alberta.
Phishing is a large-scale problem,
resulting in more than 300,000
complaints last year to the Federal
Bureau of Investigation’s Internet
Crime Complaint Center. Americans
lost $10.3 billion to online scam-
mers, including phishing and iden-
tity theft, in 2022.
‘Hurting morale’
Companies try to train their em-
ployees to recognize these attacks
by sending phishing tests. If work-
ers report an email, they pass. If
they fail the test and click a link or
download a PDF, they might get
sent to additional training.
Sarah Fiete regularly received
phishing tests and training at her
old job. One email from last Decem-
ber, however, tripped her up. It said
the company wanted to thank her
for her hard work with a gift card
and to click a link to claim it. When
she clicked it, it said she had failed
a phishing test.
The 33-year-old Fiete, now a di-
rector of marketing and communi-
cations at an arts investment studio
in New York, blames her phone. She
normally checks for phishing at-
tempts, but because she opened
this on her phone, she couldn’t
hover over the link to see where it
led. And her company used to give
gift cards in the past so it wasn’t
entirely unusual to receive such an
email, she adds.
She didn’t receive a gift card.
She also went to work grumpy.
“The phishing emails coming from
the company itself really felt like
they were hurting morale a lot
more than they were doing any
good,” Fiete says.
‘Under your skin’
The Taylor Swift phishing test was
a template created by KnowBe4, a
security-awareness company. In the
past 30 days, it was sent 17,600
times, with 533 people clicking on
it, the company says. It’s in line
with KnowBe4’s usual range for its
phishing tests.
KnowBe4, founded in 2010 and
working with more than 65,000 cli-
ents, is part of the security and
risk-management industry, which
offers businesses compliance train-
ing and other tools to safeguard
their information. This growing field
includes other companies such as
Living Security and Proofpoint,
which is used by The Wall Street
Journal’s parent company.
KnowBe4 has a creative content
team of four people who comb
through social trends to come up
with these phishing simulations.
They craft seasonal emails, such as
a notice of Valentine’s Day flowers
being delivered. The team has cre-
ated 20,000 templates for compa-
nies to choose from, says Greg Kras,
the company’s chief product officer.
KnowBe4 has a “controversial”
category, with more heartbeat-skip-
ping templates. One email says it’s
from a Twitter user alerting people
that their information was found
on the infidelity website Ashley
Madison, which had a data breach
in 2015. Any workplace test, such
as an email from a company’s hu-
man-resources department about
updated pay scales, is also consid-
ered controversial.
company’s cybersecurity team be-
lieves the organization is ready for
tougher tests, Kras says. These
emails are more alarming and emo-
tional to mimic the behavior of ac-
tual attackers, he added.
“That’s what the attackers are
doing, they’re trying to get under
your skin,” Kras says.
According to a report from
KnowBe4, after a year of phishing
training and simulations, a com-
pany’s likelihood of employees click-
ing on an email or suspicious link
drops to 5.4% from 33.2%.
‘Especially cruel’
With only two more months to go
till the end of the year, some com-
panies are beginning to roll out end-
of-year bonuses and other perks to
employees as thank-you gifts for
their hard work.
Except in Becky Robison’s inbox.
The 35-year-old corporate com-
munications writer received an
email in September, with the sub-
ject line “your yearly bonus.pdf Has
Been Shared With You.” Having
worked at her company for six
years, she knew bonuses weren’t a
regular occurrence and suspected it
had to be a phishing email.
Robison, who lives in Louisville,
Ky., didn’t fall for it—and says she
hasn’t failed any others her com-
pany has sent through the years.
But the tone of this one felt differ-
ent to her. “In a weird economic cli-
mate, it seems especially cruel to
tempt people with the idea of a bo-
nus, especially people who may not
know,” Robison says.