Phishing attacks are on the rise, and a small but significant slice of employers are taking a hard-line stance, disciplining or even firing employees who fall for one of these email scams.
A former employee at Cooley LLP, one of the largest law firms in the world, was shocked to hear during a cybersecurity training in 2017 that the company had a three-strike policy for falling for phishing attempts.
“It was scary. I remember asking our IT guy about it, like ‘Can I really get fired?’ and he was super serious about it,” said the former employee, who spoke on the condition of anonymity to discuss internal company policies. (Grid contacted Cooley on April 11, seeking comment. A Cooley spokesperson replied after publication and denied that the firm’s “training on avoiding phishing traps” included “threats of termination,” now or in 2017. “We do not believe in instilling fear as a training tool,” the person said.)
Security professionals say that harsh policies like this aren’t limited to any one industry — and many of these experts are baffled that the practice continues. They say the idea that harsh penalties can stop employees from clicking on a deceptive, dangerous link or file is misguided. Cybercriminals’ phishing attempts have grown more sophisticated, making it harder for a worker to recognize a scam email. And imposing harsh penalties for honest blunders can erode employees’ loyalty, undermining a company’s culture and productivity.
“Sacking people for opening a link is vile and disgusting because it’s nobody’s fault for opening a deceptive link or download — it’s virtually impossible to stop a persistent targeted attack,” said Paul Walsh, CEO of the cybersecurity company MetaCert, which focuses on phishing.
Some companies take the shaming approach to extremes, even putting up signs in office kitchens naming employees who fall for a phishing attack, said Karen Renaud, a computer science professor at the University of Strathclyde in Scotland who studies cybersecurity behaviors. She and her colleagues published a study last year drawing on information from more than 100 people who personally experienced a cybersecurity incident at work or knew someone who had.
Renaud began studying how companies react to phishing attempts and attacks after hearing about a lawsuit in Edinburgh. A woman received an email, purportedly from her line manager, that instructed her to transfer almost £200,000 to pay an invoice. The woman emailed her line manager back to ask if she should proceed, and the attacker posing as her manager responded affirmatively. The woman transferred the funds. When her employer discovered what had happened, they fired her on the spot and took her to court for the money that was lost.
“What people were telling us, it really confirmed that companies really think that shame is a tool that they can wield here,” said Renaud of the survey she and her colleagues undertook, “not actually thinking about the long-term consequences of what they’re doing.”
A frowned-upon practice
Social engineering attacks, a category that includes phishing, seek to manipulate people into taking actions that benefit the attacker — such as sending money or clicking on a link that surreptitiously installs malware. The results can be disastrous. In 2013, a phishing attack on an HVAC company led to a massive data breach at Target involving credit card and personal data from more than 100 million people. The breach began when an employee at the HVAC company, a Target contractor, clicked on a link that delivered malware.
Attackers also capitalize on events in the news. After the Colonial Pipeline ransomware attack, hackers sent phishing emails purporting to be from cybersecurity firms encouraging clients to update their ransomware protections. Anyone who clicked the link would inadvertently download ransomware.
Phishing attacks have increased steadily in recent years, particularly during the pandemic, as many sectors transitioned to remote work. A recent survey of 2,000 workers by cybersecurity firm Tessian said that 26 percent had fallen for a phishing scam at work in the past 12 months.
Grid viewed a set of training videos from the security company KnowBe4 that warn of potentially stark consequences for victims of phishing attacks. “A successful social engineering attempt could cost organizations millions of dollars in either theft, loss of production or damage to their reputation,” the videos’ narrator said in a voice-over. “What happens to the employees who fall for a social engineering attack? Well, they might get fired or have to pay for damages.”
Firing an employee for falling for a phishing scam is not illegal. But professionals say it can undermine trust between security teams and the rest of the workforce, which is counterproductive: it reduces employees’ willingness to flag potential security risks or ask questions.
KnowBe4’s cybersecurity training options include versions with language about potential termination of employees and payment of monetary damages because some of its clients have such policies in place and need training that reflects that, said Perry Carpenter, KnowBe4’s chief evangelist and strategy officer.
“We know that there are companies out there that have that as a policy — even when our language and people like me, that represent [KnowBe4], can say over and over and over again that this should not be a punitive type of thing,” he said.
Walsh said that approach also ignores a key question: Why aren’t security vendors doing a better job keeping such emails from reaching clients’ inboxes?
Organizations that attempt to increase compliance through fear and penalties will fail, said Parham Eftekhari, executive vice president at the CyberRisk Alliance, an organization for cyber professionals. “It’s absolutely not productive,” he said. Eftekhari said that a security-centric culture can be developed only by building trust between a company’s IT staff and its broader workforce through continuous education, gamification of training and nonthreatening feedback.
In some cases, such policies may be designed to meet the requirements of insurers writing policies that cover damage from cyberattacks. Insurers will often seek to deny such claims if a breach or attack was caused by human error, Carpenter said.
“When you look at these draconian methods that some organizations use, where they try to put the employee on the hook for that, that’s for a recovery of funds,” he added.
Gabriel Friedlander, CEO of security-training firm Wizer, said that in his experience, companies that fire employees who fall for phishing attacks aren’t limited to any one industry. He has seen both large and small companies adopt such policies and said it’s a reflection of management style.
“Some people believe in the carrot-and-stick approach and have hard, hard policies,” said Friedlander. “It comes down to the person running the show, to be honest.”
That can sow distrust within companies. “Instead of the mindset of ‘It’s us against the bad guys,’ it becomes the employer against the employee, who is now the bad guy,” said Marc Dupuis, a professor of information science at the University of Washington and one of Renaud’s co-authors. “It really flips the script in a negative way that just isn’t fair and isn’t true.”
And employers run the risk of being sued, or held legally liable, for firing an employee who fell for a phishing scam. In these situations, Friedlander said, the victim is the person who was the subject of the attack, and firing them could be a form of retaliation.
“It’s like putting the victim of a car crash in jail,” he said.
This article has been updated. Thanks to Lillian Barkley for copy editing this article.