BattlePhish™ — Gamified Phishing

Roughly speaking, the how…

  1. Random split of your org: Team A, Team B.
  2. Team A votes on the phish (from a choice of 3) and the time it’s sent out (they don’t need the day). They then get to find out how successful they’ve been.
  3. Repeat with Team B. Next month, randomise again.
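The three steps above, worked through as a small Python simulation. This is an added example, not code from the original post or from any BattlePhish product; the staff names, lure subjects, ballots and click outcomes are all constructed, and it assumes that the lure a team votes for is sent to the other team (the post does not say this explicitly), that ties are broken by the lowest option number, and that click results arrive from whatever phishing platform you already run.

```python
import random
from collections import Counter

# Constructed sample staff list and lure catalogue (not from the original post).
STAFF = ["ana", "ben", "chloe", "dev", "eli", "fay", "gus", "hana", "ivy", "jon", "kim"]
LURES = {
    1: "HR: your updated bonus statement is attached",
    2: "IT: your password expires today",
    3: "Finance: invoice awaiting your approval",
}


def split_teams(staff, seed):
    """Step 1: random split into Team A and Team B (sizes differ by at most one).
    The seed makes a month's draw reproducible for the record; pick a new seed
    each month so the teams are re-randomised."""
    pool = list(staff)
    random.Random(seed).shuffle(pool)
    half = len(pool) // 2
    return sorted(pool[:half]), sorted(pool[half:])


def tally_votes(votes, options, eligible):
    """Step 2: majority vote. `votes` maps voter -> option; ballots from people
    outside `eligible` or for options outside `options` are discarded.
    Ties go to the lowest option id so the result is deterministic (assumption)."""
    counts = Counter(opt for voter, opt in votes.items()
                     if voter in eligible and opt in options)
    if not counts:
        raise ValueError("no valid ballots cast")
    best = max(counts.values())
    return min(opt for opt, n in counts.items() if n == best)


def run_half_round(voters, targets, lure_votes, hour_votes, clicked):
    """One half of a round: the voting team picks the lure and the send hour, it is
    sent to the other team (assumption), and the voting team gets its result back
    as a click rate. `clicked` is the set of targets who clicked; here it is
    constructed, in practice it comes from the phishing platform's report."""
    lure = tally_votes(lure_votes, set(LURES), set(voters))
    hour = tally_votes(hour_votes, set(range(24)), set(voters))
    hits = sorted(set(clicked) & set(targets))
    rate = len(hits) / len(targets) if targets else 0.0
    return {"lure": LURES[lure], "send_hour": hour, "targets": len(targets),
            "clicks": len(hits), "click_rate": round(rate, 3)}


def demo(seed=202401):
    """Team A's half of one month; step 3 repeats this with the teams swapped."""
    team_a, team_b = split_teams(STAFF, seed)
    # Constructed ballots: Team A members vote on lure and hour for the send to Team B.
    lure_votes = {m: [2, 2, 1, 3][i % 4] for i, m in enumerate(team_a)}
    hour_votes = {m: [9, 14, 9][i % 3] for i, m in enumerate(team_a)}
    # Constructed outcome: the first two members of Team B clicked.
    clicked = set(team_b[:2])
    return run_half_round(team_a, team_b, lure_votes, hour_votes, clicked)


if __name__ == "__main__":
    print(demo())
```

Keeping the vote tally and the result report as plain functions of recorded data means each month's round can be re-run from the stored ballots and platform report, which is what you want when someone disputes which team actually won.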

Above is the idea in a nutshell, and it’s one you probably have some instant feelings towards. What I would say is, if you’re shaking your head, thinking this is a step too far — then maybe you’re locked into the mindset that we must replicate how a scammer operates as closely as we possibly can. I’m not saying that is wrong, or an inferior approach, but I would give the gamified approach a chance to defend itself.

First, can I start by saying that I hate games. Well, not hate exactly; I’m just so ambivalent towards them that it may as well be classed as hate. So it was a genuine shock to me recently when I realized I did have a soft spot for games: mental games.

If we look at the world of phishing employees, it is pretty much anything but a game for the person on the receiving end of the clickalation-soaked lures. It’s a barrage of mortar fire, with a distinctly different feel to their daily filtered and SEG’d email experience. HERE’S YOUR BONUS! Click. HAHA! Gotcha.

I don’t know about you, but any game I’m getting hammered at, I switch off. Where’s the fun for me?

So what do we lose by bringing the human fire(d at)wall in on the fun? Not as much as you might think. Phishing is just one part of an overall strategy to educate employees, so they can make better security decisions. It is not phishing’s aim to be an exact facsimile of the dynamic between a genuine scammer and a victim. That’s just replicating a process; it’s not aimed at helping employees make better security decisions.

Before you rise up to strike that statement down, let’s look at this logically. A ‘typical’ phishing email is sent to an employee; they click on it — and they’re given perhaps a video or a page that details their mistake. We already know they’ve not really paid much attention to the lure, so the contact time of the education is, let’s be generous, 5 minutes.

Now let’s look at what a gamified version might look like. First we have the creation of two random teams — immediately the dynamic is not security team/phishing vendor vs employee, it’s you against your peers. For argument’s sake, let’s say we stick with the idea that they get to vote on which email, out of a choice of 3, they get to send. Immediately you have an opportunity to get 3 relevant scams in front of half the organization. And even better still: they are actually trying to decide which is most likely to fool them!

They then have a vested interest in how their campaign will play out, and it would be hard to imagine colleagues not wanting to ask which team you were on.

Taking a further step back, the employees are now battling against being caught out not by their security team pretending they’re a cyber criminal, but by the very real danger of being had by someone they were just on a Zoom call with.

I’m not saying this should be used at every organization, and for every department. All I’m really doing is showing that the process we hide away from the employee has tremendous value if we let them in on aspects of it.