In an attempt to battle against the neverending surge of phishing attacks, some employers have taken the unusual measure of devising and sending their own fake emails to employees.

The employers’ tests are designed to raise awareness of phishing emails and especially of the recent rise of so-called “spear phishing” attacks, in which attackers target specific companies by sending email messages that appear to come from the company’s own IT or HR department.

The Wall Street Journal reports that, instead of directing the target to a website where confidential information such as passwords and account details can be stolen, a “spear phishing test” tempts an employee to follow a link embedded in the employer’s own phishing email; the link leads to a reprimand and a message about the dangers of phishing. In the past few months, almost 10,000 New York state employees have received spear phishing tests, and New York’s chief information security officer confirms that these tests will continue to be sent out to instill a permanent behavioral change.

So, just how gullible are users? In a recent test at West Point:

more than 500 cadets at West Point received an email from Col. Robert Melville notifying them of a problem with their grade report and ordering them to click on a link to verify that the grades were correct. More than 80% of the students dutifully followed the instructions.

But there is no Col. Robert Melville at West Point. The email was crafted by Aaron Ferguson, a computer-security expert with the National Security Agency who teaches at West Point. The gullible cadets received a “gotcha” email, alerting them they could easily have downloaded spyware, “Trojans” or other malicious programs and suggesting they be more careful in the future. Mr. Ferguson, who runs similar exercises each semester, said many cadets have been victimized by real online frauds.

Before companies rush out to conduct their own tests, they should carefully consider the potential impact on employee morale — duping your own employees is not necessarily the best means of instilling confidence in a company’s management practices. Also, while such a test may raise awareness about today’s style of attacks, is there a plan in place to repeat the test regularly? If not, is it really an efficient prophylactic measure when the type of attack changes regularly? Finally, a business must make sure that the very process of creating fake messages does not sow enough confusion that it enables the real bad guys to take advantage, perhaps by sending subsequent emails that exploit the process in some manner.

However, if done correctly, and the follow-up from management is phrased and implemented appropriately (i.e., no publishing of lists of people who responded, no formal discipline taken, etc.), perhaps even with some humor, these tests can be an effective tool, probably much more effective in some ways than yet another warning email from the company’s IT department.
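Two of the concerns above, that a real attacker could piggyback on the exercise and that the follow-up must not produce lists of who clicked, are design decisions in the simulation's landing infrastructure. The sketch below is an added example, not code from the post or from any of the programs it describes. It assumes a campaign secret held by the security team (the placeholder value here is constructed), recipient identifiers of the form `emp-NNNN` (constructed), and an in-memory click store; a real deployment would back the store with a database and the secret with a key vault. Links carry an HMAC-tagged token so that forged or altered links are refused rather than rewarded with the training page, and the report function returns only aggregate click rates, suppressing them entirely for groups too small to be anonymous.

```python
import hashlib
import hmac

# Constructed placeholder for the secret the security team keeps per exercise.
CAMPAIGN_SECRET = b"example-campaign-secret-change-me"
TAG_LEN = 32  # hex characters of the HMAC-SHA256 tag kept in the link


def mint_token(campaign_id: str, recipient_id: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Build the opaque token embedded in a simulation link.

    The token names the campaign and recipient (so a click can be attributed
    when the report is computed) and carries an HMAC tag, so that a link not
    issued by the security team is recognisable as such at the landing page.
    Neither field may contain ':'; identifiers are chosen accordingly.
    """
    payload = f"{campaign_id}:{recipient_id}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{payload}:{tag}"


def verify_token(token: str, secret: bytes = CAMPAIGN_SECRET):
    """Return (campaign_id, recipient_id) for an authentic token, else None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    campaign_id, recipient_id, tag = parts
    payload = f"{campaign_id}:{recipient_id}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    # Constant-time comparison on bytes; a mismatched length simply fails.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return campaign_id, recipient_id


def record_click(token: str, clicks: dict, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Landing-page handler: log an authentic click and say which page to serve.

    A token that does not verify is treated as a link the team never sent. It
    gets a neutral page, not the training message, and the store is untouched;
    such hits are worth surfacing to incident response as a possible real
    phishing wave riding on the exercise.
    """
    verified = verify_token(token, secret)
    if verified is None:
        return "unknown-link"
    campaign_id, recipient_id = verified
    clicks.setdefault(campaign_id, set()).add(recipient_id)
    return "training-page"


def campaign_report(campaign_id: str, recipients: list, clicks: dict, min_group: int = 5) -> dict:
    """Aggregate result for management: a rate, never a list of names.

    Groups smaller than min_group get no rate at all, since a rate over two or
    three people identifies individuals as surely as a list would.
    """
    sent = len(recipients)
    if sent < min_group:
        return {"sent": sent, "click_rate": None}
    clicked = clicks.get(campaign_id, set()) & set(recipients)
    return {"sent": sent, "clicked": len(clicked), "click_rate": round(len(clicked) / sent, 3)}


if __name__ == "__main__":
    # Constructed walk-through: ten recipients, three of whom click, plus one
    # forged link that a third party might send once the exercise is known.
    campaign = "hr-benefits-reminder"
    recipients = [f"emp-{i:04d}" for i in range(10)]
    links = {r: mint_token(campaign, r) for r in recipients}
    store: dict = {}
    for r in recipients[:3]:
        record_click(links[r], store)
    print("forged link ->", record_click(f"{campaign}:emp-0007:" + "0" * TAG_LEN, store))
    print(campaign_report(campaign, recipients, store))
```

The report dictionary is the only artefact that should leave the security team; the click store itself stays with them and is discarded once the exercise is closed.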

Posted by Steve Chung