cious. When he clicked a phishing company’s cybersecurity team be- alert button in his email, he learned Emails From it was sent by his own company. “I’ve never felt more personally lieves the organization is ready for tougher tests, Kras says. These Companies attacked by an email,” says Baek, who lives in Edmonton, Alberta. emails are more alarming and emo- tional to mimic the behavior of ac- Get Creative Phishing is a large-scale problem, resulting in more than 300,000 tual attackers, he added. “That’s what the attackers are complaints last year to the Federal doing, they’re trying to get under BY ANN-MARIE ALCÁNTARA Bureau of Investigation’s Internet your skin,” Kras says.
J uSong Baek remembers the
email all too well. In early September, he Crime Complaint Center. Americans lost $10.3 billion to online scam- mers, including phishing and iden- According to a report from KnowBe4, after a year of phishing training and simulations, a com- opened his work inbox to amazing tity theft, in 2022. pany’s likelihood of employees click- news: He was officially off the wait ing on an email or suspicious link She didn’t receive a gift card. Living Security and Proofpoint, list for Taylor Swift’s Eras Tour—he ‘Hurting morale’ which is used by The Wall Street drops to 5.4% from 33.2%. Companies try to train their em- She also went to work grumpy. could buy tickets for her Toronto Journal’s parent company. ‘Especially cruel’ ployees to recognize these attacks “The phishing emails coming from show. KnowBe4 has a creative content With only two more months to go But just before the 26-year-old by sending phishing tests. If work- the company itself really felt like ers report an email, they pass. If team of four people who comb till the end of the year, some com- product designer clicked on the link, they were hurting morale a lot they fail the test and click a link or through social trends to come up panies are beginning to roll out end- he remembered something: He download a PDF, they might get more than they were doing any of-year bonuses and other perks to didn’t use his work email to register sent to additional training. good,” Fiete says. with these phishing simulations. employees as thank-you gifts for with Ticketmaster. It was a phishing Sarah Fiete regularly received They craft seasonal emails, such as their hard work. test from his employer. phishing tests and training at her ‘Under your skin’ a notice of Valentine’s Day flowers Except in Becky Robison’s inbox. What once began with Nigerian old job. One email from last Decem- The Taylor Swift phishing test was being delivered. The team has cre- The 35-year-old corporate com- princes asking for help in exchange ber, however, tripped her up. It said ated 20,000 templates for compa- munications writer received an a template created by KnowBe4, a the company wanted to thank her email in September, with the sub- for riches has become far more so- security-awareness company. In the nies to choose from, says Greg Kras, for her hard work with a gift card ject line “your yearly bonus.pdf Has phisticated social engineering, and and to click a link to claim it. When past 30 days, it was sent 17,600 the company’s chief product officer. Been Shared With You.” Having companies are rising to the threat she clicked it, it said she had failed times, with 533 people clicking on KnowBe4 has a “controversial” worked at her company for six by getting creative in their training. a phishing test. it, the company says. It’s in line category, with more heartbeat-skip- years, she knew bonuses weren’t a These simulated phishing emails The 33-year-old Fiete, now a di- ping templates. One email says it’s regular occurrence and suspected it with KnowBe4’s usual range for its promise bonuses, gift cards and yes, rector of marketing and communi- from a Twitter user alerting people had to be a phishing email. once-in-a-lifetime concert tickets. cations at an arts investment studio phishing tests. Robison, who lives in Louisville, in New York, blames her phone. She KnowBe4, founded in 2010 and that their information was found Ky., didn’t fall for it—and says she The practice has left some employ- ees chuckling, and others wary normally checks for phishing at- working with more than 65,000 cli- on the infidelity website Ashley hasn’t failed any others her com- about the lines companies might tempts, but because she opened ents, is part of the security and Madison, which had a data breach pany has sent through the years. this on her phone, she couldn’t risk-management industry, which in 2015. Any workplace test, such But the tone of this one felt differ- cross to test someone’s cybersecu- hover over the link to see where it rity competence. offers businesses compliance train- as an email from a company’s hu- ent to her. “In a weird economic cli- led. And her company used to give mate, it seems especially cruel to Baek recognized the Taylor Swift gift cards in the past so it wasn’t ing and other tools to safeguard man-resources department about tempt people with the idea of a bo- ticket alert as a phishing email be- entirely unusual to receive such an their information. This growing field updated pay scales, is also consid- nus, especially people who may not cause its urgency seemed suspi- email, she adds. includes other companies such as ered controversial. know,” Robison says.