U.S. Department of Justice staff are just like you and me—their retirement plan took a hit in the economic downturn. So when they got an email saying they might qualify for bailout money, some of them responded.
Unfortunately, the response required them to enter their account information at a fake website. Fortunately, the site was set up by their own employer. It was a test to see how many staff would fall for a phishing scheme.
Apparently, the test ended there. But the department could have turned the fake site into an interesting mini-lesson and used it to market their privacy course. Here’s one approach.
1. Separate the clueless from the savvy
We could give site visitors two choices: enter your private information to find out immediately if you get money, or be more cautious and learn more about the refund. By tracking the clicks, we’d get a sense of how gullible our employees are.
2. Provide feedback
Visitors who entered their info could be sent to a carefully worded page that tells them that the site is fake. It would be important to do this gently to avoid appearing to say, “Idiot!” Sensitive humor might help.
The more cautious users who clicked “learn more” could get reinforcing feedback along the lines of “Great choice! You should never enter your account information in a site that…”
3. Highlight the suspicious bits
After the feedback, both types of users could then see a screen that highlights the elements of the email and web page that should have set off alarm bells. This screen could also link to the company’s course on electronic privacy, maybe by saying, “To learn more, see Staying Safe Online, a 20-minute course that…”
All of this would require a very light touch to avoid giving employees the impression that they have been tested, failed the test, and now have to take a course because they failed. Instead, the message should be, “This sort of stuff is tricky. Lots of people miss the tell-tale signs. There are many more risks out there, and to learn about them, you might like this course.”
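To make the three steps concrete, here is a small model of the follow-up flow as an added example (it is not code from the post or from the Department of Justice exercise). The lure email, the domains and the feedback wording are all constructed; the point worth copying is that whatever a visitor types into the form is counted and then discarded, never stored.

```python
"""Model of the post's three-step phishing-test follow-up: branch tally, feedback, tells."""
from collections import Counter
from urllib.parse import urlparse

# Constructed sample lure (hypothetical domains), not a real message.
SAMPLE_EMAIL = {
    "from": "benefits@doj-bailout-refund.example",
    "link_text": "https://intranet.example.gov/refund",   # what the reader sees
    "link_href": "http://doj-bailout-refund.example/login",  # where it really goes
    "body": "Act now: your retirement account may qualify for bailout funds.",
}
TRUSTED_DOMAINS = {"intranet.example.gov"}  # assumed to be the organization's own

tally = Counter()  # step 1: how many clicked each branch


def record_choice(choice, submitted_fields=None):
    """Steps 1 and 2: count the branch taken and return the feedback text.
    submitted_fields is accepted only so a form handler can pass it through;
    it is dropped here on purpose, so the exercise measures behaviour, not passwords."""
    if choice not in ("submit", "learn_more"):
        raise ValueError(f"unknown choice: {choice}")
    tally[choice] += 1
    if choice == "submit":
        return ("This site was set up by your own organization as a phishing exercise. "
                "Nothing you typed was kept. Lots of people miss the signs; here is what to look for.")
    return ("Great choice! You should never enter account information on a site you "
            "reached from an unexpected email. Here is what gave this one away.")


def suspicious_bits(email):
    """Step 3: the elements of the email that should have set off alarm bells."""
    findings = []
    target = urlparse(email["link_href"])
    host = target.hostname or ""
    if email["link_text"] != email["link_href"]:
        findings.append("link text does not match the real destination")
    if host not in TRUSTED_DOMAINS:
        findings.append(f"link leads to an outside domain: {host}")
    if target.scheme != "https":
        findings.append("destination is plain http, not https")
    sender_domain = email["from"].rsplit("@", 1)[-1]
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain is not the organization's: {sender_domain}")
    if any(w in email["body"].lower() for w in ("act now", "immediately", "urgent")):
        findings.append("urgency language pressuring a quick response")
    return findings


def click_rate():
    """Share of visitors who entered their details (the 'gullibility' measure from step 1)."""
    total = sum(tally.values())
    return tally["submit"] / total if total else 0.0
```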
I haven’t heard of anyone trying this, so maybe it’s too risky. What do you think? Would your organization ever try something like this?
Photo by radiant guy