Understanding the Impact of Automated Clicks on Phishing Simulation Training

Automated clicks are the outcome of security tools used by security teams to check and validate the status of email links[...]
By Omer Taran
image February 21, 2021 image 6 MIN READ

Automated clicks are the outcome of security tools used by security teams to check and validate the status of email links. By clicking on the links, or ‘detonating’ the URL in a safe, sandbox environment, external security tools verify that the links are not malicious before a business has a chance to fall victim to a phishing scam. Sounds simple, but the reality is that the automated clicks that are caused as an outcome of these verification processes can create their own challenges.

One thing to note about automated clicks is that they are often the result of security tools that work in the background, utilizing complex infrastructures that the organization might not be aware of. Some solutions generate high traffic, but these are actually easier to spot. For example, a 70% click rate in a phishing simulation test is unreasonable and so detecting the IPs causing it will be pretty straightforward. It’s much more complicated when security solutions are causing more minor data volatility, moving the click rate from 15% to 17%, for example.

As a security manager, you may be trying to use the data to prove that your technology or awareness program is working. As soon as there is a known bias or inaccuracy in the metrics, people will begin to question all of the data that you’ve collected, even if you can adjust to suit.

This addresses one of the main issues with automated clicks, that they corrupt the pool of data that a business receives, making internal reporting on clicking malicious links inaccurate. As this data is regularly used to measure employee risk when false it can cause major issues.

Let’s deep dive into two examples:

Automated Clicks Leads to Boardroom Raving About Phishing Simulation Training

We’ve written in the past about the fallacies of the click rate, but let’s take another look at it from the perspective of automated clicks. Click rates are just a point in time view of a specific phishing simulation – as simulations change, and as employees come and go, the click rate metric shared with the board becomes meaningless as it does not provide any insight into actual real-time risk.

This is true even without the added complication of considering automated clicks, but they certainly exacerbate the problem. Automated clicks are only meaningful for a specific simulation or campaign, but are skewing the data overall. Instead of focusing on click-rate, one example of a KPI that shines more light on your risk landscape is the ratio of low to high-risk employees, and how this changes over time.

As organizations relying on click rates for their metrics are clearly using a volatile and unpredictable metric, they may find themselves in a position where they cannot easily explain their results, and where colleagues and other department stakeholders are questioning the validity of the data, the very opposite of what they need to attain board-level buy-in.

Automated Clicks During an Awareness Program Exacerbate Employee Bashing

Let’s discuss the second and more pressing issue of employee bashing. In this too common scenario, phishing simulation results from a phishing campaign tool are being sent to employees or to their direct managers with some notes on performance and how this should be improved upon.

Providing feedback to employees is challenging, especially when the source is always just negative feedback in the form of when they have failed to spot phishing simulation emails. In most cases, managers and security teams will receive pushback.

This pushback is quite natural. Think about the last time a police officer stopped you for driving over the speed limit, or not stopping at a stop sign. Think of your first reaction – was it “You are so right officer, where do I pay the fine?” or more along the lines of “Are you certain you actually measured my speed and not someone else’s? I’m sure I wasn’t speeding!”.

Understanding the Impact of Automated Clicks on Phishing Simulation Training

When it comes to phishing simulations what we see is that the pushback is usually in the form of “can you prove it?” And this is where it gets interesting. Most employees have no idea what IP address they are using when they browse. In fact, many less technical employees tend to think that an IP is like their home address – they have one and it’s always the same. Some expect this to be the corporate IP address, but that’s the only relevant part of the time (even before working from home changed the game).

In reality of course, when looking at click patterns, while most IPs used are actually benign and not automated, they are also unknown to the end-user. On any given day, all of us use various different IP addresses, for example when on public WiFi, switching between laptop and mobile, or restarting the router at home. To ‘prove’ that the employee was at fault, the security team is faced with a myriad of IP addresses, of which a high percentage would be IPs relating to some local ISP or mobile phone provider.

The byproduct of security tools in the form of automated clicks makes this even more complicated. Employees may look for an excuse such as “that IP is used too many times” or “that IP was used too quickly after the email was received” and blame the data on an automated click behind the scenes.

These little cracks in the data tend to create friction that leads to distrust and that might have negative implications on the security team’s other initiatives.

At CybeReady, we believe that when implemented properly, a continuous training program that provides immediate just-in-time training feedback has been shown to be effective. Chasing and chastising employees is not only unnecessary, but can cause harm, and have negative learning effects, too.

How Can We Improve the Integrity of Phishing Simulation Training?

Our solution to this challenge is broken down into three parts, encompassing the core of any IT solution: People, Process, and Technology.

1. People: Ensure that you’re fostering a no-blame culture around security awareness training

Chasing and blaming employees not only creates friction regarding the phishing simulations and their clicks, it also derails learning. When employees are faced with accusations, instead of learning from their mistakes they feel they have to defend themselves, which puts them on the offensive. If you’re working in a highly distributed organization you might see mid-level management align with employees on this issue, as they choose to trust employees and colleagues over unknown technology.

2. Processes: In a phishing simulation test – you can’t manage what you can’t measure

You can’t just ignore click rates, it’s an essential part of showing that phishing simulation training is working. So the only answer is to use more robust composite measures. Measures that are more resilient to changes in your workforce, lower the effects of automated clicks, and manage and adapt for the general interest that spikes phishing simulations from time to time. Moving the organization to look at long-term metrics that are more valuable, such as the proportion of high-risk employees, or long-term employee resilience would buy the security team more time to address changes in click rates with the necessary tools.

3. Technology: Get smart about your internal data to isolate a simulated phishing attack

Reach out to your security vendors and ask them to provide a known list of IP addresses that you can remove from your data. While some vendors might not offer this data, others will. You can also manually look for repetitive IP addresses and repetitive IP blocks, two signs of either your own IP address which is being used by your employees, or a security product. Another tip is to look for differences between click and send time. Most clicks would be generated within the first couple of days of sending the email. Of course, you may presume that some employees are on vacation or on sick leave, but a quick mental shortcut would be to look at any IP that comes in after 4-5 days as a more suspicious one.

How Does CybeReady’s Phishing Simulation Training Deal with Automated Clicks?

CybeReady’s onboarding phase includes training and support for the ‘people’ side of the equation, with the goal of creating a no-blame culture. For example, we do not provide personal data on phishing simulations by default, unless asked for by the customer. This request would usually trigger a discussion on the right approach to handling such cases, and the benefits of keeping the data anonymous and organized by groups.

When it comes to process, we provide robust longitudinal metrics, including employee resilience scores over time, and the proportion of your employees who can be considered high-risk. We use machine learning to optimize campaigns and have created our technology with the recognition that click-rates are not a random part of the phishing training but something that should be optimized over a period of time. In this way, our robust metrics allow us to provide long-term measures while simultaneously improving click rates.

As far as the technology goes, detecting which IPs are automated and which are not has been an internal project that we started towards the end of 2016 when customers could not figure out how to turn automated clicks and related features off. The internal project evolved into a machine learning model that aims to distinguish between real and automated clicks, allowing us to accurately mitigate the impact on our customers.

In short, CybeReady offers an autonomous training platform that promotes a healthy culture towards cybersecurity awareness. We heavily reduce the impact of issues such as automatic clicks that can dilute the efficacy of your phishing simulation data, and provide best practices to get the most out of awareness training overall.

Have any questions on automated clicks or interested to see how our platform works? Contact Us here!