Phishing emails are nothing new, but the catch and release of employees who fall for the scam is. So, should someone be out a job for an errant inbox click? While some companies have taken this “take no prisoners” approach, security experts say the morale cost might just be too high.
Still, the number of people who click on a malicious email and lose their jobs is up. In fact, according to the 2018 Proofpoint Email Fraud Survey, 1 in 4 phishing attacks worldwide led to someone getting fired. And, in some cases, employees are being fired for failing phishing tests, not even actual attacks!
John LaCour, the founder and CTO of PhishLabs, a firm that helps companies educate and test employees on how not to fall for phishing scams, recently told security blogger Brian Krebs that rather than teaching people anything new, the approach of testing and then punishing employees was demoralizing.
“It really demotivates people, and it doesn’t really teach them anything about how to be more diligent about phishing attacks,” LaCour stated. “Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees.”
Part of the problem with punishing an individual is that the situation is often the result of something more systemic, like open access to staff and member directories. Such directories have become a common attack vector for phishing schemes, according to Tim Ebner, senior editor of Associations Now.
“These are obviously big problems, and employees should have awareness of what makes a phishing email and what doesn’t,” Ebner advises.
Most security experts who spoke with Krebs agree that, while there may be room for consequences for an employee clicking an errant link—say, additional training requirements—straight-out firing should be off the table.