Exhaustion Campaigns: A False Sense of Security?
Posted by Dennis Dillman—PhishLine • Tuesday, August 8 2017
An “Exhaustion Campaign” is our term for a training technique that focuses on a very narrow security issue in an effort to drive down click rate. This technique uses the following approach:
1. Send training to users about a very specific type of phishing attack (e.g. fake package delivery)
2. Send users a simulated phishing attack exactly as described in the training
Send people enough training about a specific type of phish and eventually everyone develops the ability to recognize that specific type of phish. Click rates drop. Companies that promise lower click rates can claim success.
What makes this approach so dangerous is that it creates the illusion of improved overall security while doing very little to actually improve it. Even though click rates have gone down, users have not learned how to critically evaluate emails for potential phishing attempts. They’ve only learned how to spot one very particular type of phishing email. Send another type of phish and click rates rocket back up.
At PhishLine, we understand that exhaustion campaigns are part of the information security training landscape. And if a client requests one, we can create one. But they seldom do. We work with our clients to understand that more sophisticated training creates smarter employees who can fortify the organization against fraud, information theft, and a host of other digital threats.
At PhishLine, we not only offer our own in-house training, but we also offer training from industry leaders in our pioneering Content Center Marketplace™. Our customers can combine our wide array of phishing templates and landing pages with the best training in the industry to accomplish real improvements in their organization’s security posture.