Fishing for more learners

U.S. Department of Justice staff are just like you and me—their retirement plan took a hit in the economic downturn. So when they got an email saying they might qualify for bailout money, some of them responded.

Unfortunately, the response required them to enter their account information at a fake website. Fortunately, the site was set up by their own employer. It was a test to see how many staff would fall for a phishing scheme.

Apparently, the test ended there. But the department could have turned the fake site into an interesting mini-lesson and used it to market their privacy course. Here’s one approach.

1. Separate the clueless from the savvy

We could give site visitors two choices: enter your private information to find out immediately if you get money, or be more cautious and learn more about the refund. By tracking the clicks, we’d get a sense of how gullible our employees are.

2. Provide feedback

Visitors who entered their info could be sent to a carefully worded page that tells them that the site is fake. It would be important to do this gently to avoid appearing to say, “Idiot!” Sensitive humor might help.

The more cautious users who clicked “learn more” could get reinforcing feedback along the lines of “Great choice! You should never enter your account information in a site that…”

3. Highlight the suspicious bits

After the feedback, both types of users could then see a screen that highlights the elements of the email and web page that should have set off alarm bells. This screen could also link to the company’s course on electronic privacy, maybe by saying, “To learn more, see Staying Safe Online, a 20-minute course that…”

All of this would require a very light touch to avoid giving employees the impression that they have been tested, failed the test, and now have to take a course because they failed. Instead, the message should be, “This sort of stuff is tricky. Lots of people miss the tell-tale signs. There are many more risks out there, and to learn about them, you might like this course.”
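Here is what the three steps look like as a small piece of working code. This is an added example, not something from the original post or from the Department of Justice test. It assumes the organization's real mail domain is `example.org`, and the feedback wording, visitor ids and the sample email are all constructed for the example. The one design point worth copying is in `record_choice`: the training site records only which path a visitor took, and whatever they typed into the fake form is thrown away rather than stored.

```python
"""Landing-page flow for a simulated phishing test: track the choice, not the data."""
from collections import Counter
from urllib.parse import urlparse

ENTERED = "entered_info"     # visitor typed account details into the fake form
CAUTIOUS = "learned_more"    # visitor clicked "learn more" instead

# Feedback each group sees (constructed wording, in the gentle register the post asks for)
FEEDBACK = {
    ENTERED: ("This page was a test run by your own organization, not an attacker. "
              "Nothing you typed was kept. Lots of people miss the signs; here is what to look for."),
    CAUTIOUS: ("Great choice! You should never enter your account information on a site "
               "you reached from an unexpected email."),
}

TRUSTED_DOMAINS = {"example.org"}   # assumption: the organization's real mail/web domain
URGENCY_WORDS = ("immediately", "act now", "within 24 hours", "urgent")


def record_choice(log, visitor_id, choice, form_fields=None):
    """Record which path a visitor took and return their feedback text.

    form_fields is whatever the fake form posted. It is accepted only so the
    handler matches the form, and is discarded without ever reaching the log.
    """
    if choice not in FEEDBACK:
        raise ValueError(f"unknown choice: {choice}")
    log[visitor_id] = choice
    del form_fields                      # explicit: submitted values are never stored
    return FEEDBACK[choice]


def suspicious_elements(message):
    """Return the tell-tale signs in a message so the feedback screen can highlight them.

    message = {"from": address, "subject": str, "body": str, "links": [(link_text, href)]}
    """
    flags = []
    sender_domain = message["from"].rsplit("@", 1)[-1].lower()
    if sender_domain not in TRUSTED_DOMAINS:
        flags.append(f"sender domain '{sender_domain}' is not one the organization uses")
    text = (message["subject"] + " " + message["body"]).lower()
    if any(word in text for word in URGENCY_WORDS):
        flags.append("message pressures you to act quickly")
    if "account" in text and any(verb in text for verb in ("enter", "confirm", "verify")):
        flags.append("message asks you to enter or confirm account details")
    for link_text, href in message["links"]:
        host = (urlparse(href).hostname or "").lower()
        trusted = host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS)
        if not trusted:
            flags.append(f"link shown as '{link_text}' actually goes to {host}")
    return flags


def summarize(log):
    """Share of visitors on each path: the 'how gullible are we' number from step 1."""
    counts = Counter(log.values())
    total = sum(counts.values())
    return {choice: (counts[choice] / total if total else 0.0) for choice in (ENTERED, CAUTIOUS)}


# Constructed sample email, modelled on the bailout lure the post describes
SAMPLE_EMAIL = {
    "from": "benefits@retirement-bailout-example.com",
    "subject": "Act now: you may qualify for bailout funds",
    "body": "Enter your account information immediately to confirm eligibility.",
    "links": [("benefits.example.org", "https://retirement-bailout-example.com/claim")],
}

if __name__ == "__main__":
    log = {}
    print(record_choice(log, "visitor-1", ENTERED, {"account": "12345", "pin": "0000"}))
    print(record_choice(log, "visitor-2", CAUTIOUS))
    print(summarize(log))
    for flag in suspicious_elements(SAMPLE_EMAIL):
        print("-", flag)
```

`suspicious_elements` is the "highlight the suspicious bits" screen in step 3: it checks the sender domain, the pressure to act quickly, the request for account details, and whether each link's visible text matches where it really points. Those four checks are the same ones a reader would be taught to do by hand.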

I haven’t heard of anyone trying this, so maybe it’s too risky. What do you think? Would your organization ever try something like this?

Photo by radiant guy

Comments

  1. Anthony says:

    I love your idea!!!

    I’m not sure what my employer would think about this, but I’m pitching the idea first thing tomorrow morning. I’ll let you know what the reaction was…

  2. zelanne says:

    I like it!

    It would take some careful pitching, particularly to the clients. This reminds me of the Union Bank Front Line Loss Prevention demo I saw in Allen Interactions.

  3. Mike B says:

    Interesting idea. Of course, there would need to be a follow-up email message for those who didn’t visit the website. Although, you could assume they were smart enough and don’t need a course on phishing…

  4. Jennifer says:

    I think it’s a great idea to do something like this within the safety of a course. I can’t imagine the types of feedback they got from both the employees and the other organization that had to deal with all of the questions! :)

  5. I think effective learning is always problem-based so it would be a great way to really send the message home. It’s exactly these sorts of things (tricks of sorts) that people will send around to their coworkers voluntarily. The real question is would it actually lead people to be excited about the course. I’m not entirely convinced that it would do what it was intended to do. And the training would have to be very effective to keep the interest level high.

Trackbacks

  1. [...] their employees would be sucked in to a phishing scam and actually give their personal information. Read about it on Cathy Moore’s blog. Now, I can just imagine the uproar that caused within the organization [...]