The number of phishing attacks continues to increase, and more than 8 out of 10 data breaches are due to human error. This makes phishing simulation one of the cornerstones of cyber security training for companies and organizations. It comes as no surprise that organizations want to create phishing simulations that are as credible as possible. As threat actors' attacks become increasingly sophisticated and difficult to detect, those of us who work in cyber security must do what we can to keep up.
Unfortunately, there are companies and organizations that cross the line and use other people's trademarks without consent. There seems to be a misconception that this is acceptable because it falls under so-called fair use. But fair use is a legal doctrine that applies in the US, not in Europe. According to trademark law experts, the opposite is true: as a general rule, such use is a violation of trademark law in both the EU and Norway.
Given the potential for building good phishing simulations to increase and maintain awareness and vigilance, I find it remarkable that this seems to be continuing. Taking shortcuts to create credible simulations by violating Swedish and Norwegian law is a serious double fault!
Because really, it's all quite simple. In conversations with new and potential customers we are almost always told that other providers of phishing simulations offer and encourage the use of well-known brands and logos. When we point out that this may be against current legislation if there is no consent, and then ask the rhetorical question of how the customer in question would react if their own logo were used in phishing simulations, the answer is usually something like: "No, our in-house lawyers wouldn't like that!"
So what can be done to create credible phishing simulations without breaking trademark law at the same time? At Junglemap, we recommend the following to our customers:
1. Start doing phishing simulations
To begin with, there are still many organizations that do not conduct simulations at all. But to prevent cyberattacks, this type of training in detecting phishing emails is absolutely essential.
2. Do it regularly – all year round
No one knows when a phishing attack will occur. Phishing training must be seen as an ongoing process, not as an event. We recommend that our customers conduct phishing simulations about once a month, all year round.
3. Vary between types and target groups
Sending "everything to everyone" is rarely a good idea. Our model makes it possible to adapt phishing simulations by theme and by part of the organization, with over 170 templates tailored to different key roles in the organization.
4. Measure and follow up the effects
Measuring and following up the results is a key to gradually strengthening awareness and vigilance around phishing.
5. Look beyond the click-through rate
Not clicking on a malicious link is better than clicking on it. But an employee reporting the email is even more important. It is this type of security behavior that creates and strengthens a sustainable security culture.
6. Avoid simplistic success stories
There are many vendors who sell phishing simulations with convincing, foolproof-sounding promises that the organization will enjoy a calm and steady journey on the road to zero clicks. Our experience shows that cyber psychology is complex and that well-designed simulation setups can produce very varied results, which in turn provides a good basis for continued organizational learning.
7. Protecting yourself against phishing requires STAR behavior
At Junglemap we build human firewalls by strengthening so-called STAR behavior, where employees stop, think, ask and report things that seem suspicious. The same applies when working to protect oneself against phishing attacks.
8. Use phishing simulation as part of a strategy
Phishing simulation has the best effect when it is done as an integral part of an overall training program for increased cyber security awareness. That also gives the opportunity to show examples of how well-known brands are abused in real phishing, without violating the Trademark Act.
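Points 3, 4 and 5 above amount to a measurement model: break results down by campaign month and target group, and track reporting (ideally reporting without clicking) alongside the click rate, since a group that neither clicks nor reports is not yet showing STAR behavior. The following is an added worked example of such a follow-up calculation. It is not Junglemap's product or code; the records, the "reported without clicking" metric and the follow-up thresholds are constructed assumptions, chosen to show how a group can look good on clicks alone yet still need attention.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Result:
    """One recipient's outcome in one simulated phishing campaign."""
    month: str                        # campaign month, e.g. "2024-01"
    group: str                        # target group, e.g. "finance"
    clicked: bool                     # opened the simulated link
    submitted: bool                   # entered data on the landing page
    reported: bool                    # used the report button / mailbox
    minutes_to_report: Optional[int]  # None when not reported


# Constructed sample data for two monthly campaigns and two target groups.
# Hypothetical values, not real customer results.
SAMPLE = [
    Result("2024-01", "finance", True,  True,  False, None),
    Result("2024-01", "finance", True,  False, True,  45),
    Result("2024-01", "finance", False, False, True,  12),
    Result("2024-01", "finance", False, False, False, None),
    Result("2024-01", "it",      False, False, True,  3),
    Result("2024-01", "it",      False, False, True,  8),
    Result("2024-01", "it",      True,  False, False, None),
    Result("2024-01", "it",      False, False, False, None),
    Result("2024-02", "finance", False, False, True,  20),
    Result("2024-02", "finance", True,  False, True,  30),
    Result("2024-02", "finance", False, False, True,  15),
    Result("2024-02", "finance", False, False, False, None),
    Result("2024-02", "it",      False, False, True,  2),
    Result("2024-02", "it",      False, False, True,  5),
    Result("2024-02", "it",      False, False, True,  9),
    Result("2024-02", "it",      True,  False, False, None),
]


def summarize(results):
    """Aggregate per (month, group): rates for clicks, submissions and reports.

    'clean_report_rate' counts recipients who reported without clicking,
    i.e. the behaviour the click-through rate alone never shows.
    """
    buckets = defaultdict(list)
    for r in results:
        buckets[(r.month, r.group)].append(r)

    summary = {}
    for key, rs in sorted(buckets.items()):
        n = len(rs)
        times = [r.minutes_to_report for r in rs
                 if r.reported and r.minutes_to_report is not None]
        summary[key] = {
            "recipients": n,
            "click_rate": sum(r.clicked for r in rs) / n,
            "submit_rate": sum(r.submitted for r in rs) / n,
            "report_rate": sum(r.reported for r in rs) / n,
            "clean_report_rate": sum(r.reported and not r.clicked for r in rs) / n,
            "median_minutes_to_report": median(times) if times else None,
        }
    return summary


def trend(summary, group, metric):
    """Month-by-month values of one metric for one group, oldest first."""
    months = sorted(m for (m, g) in summary if g == group)
    return [(m, summary[(m, group)][metric]) for m in months]


def needs_follow_up(summary, max_click_rate=0.3, min_report_rate=0.6):
    """Buckets that clicked too much OR reported too little (thresholds are assumed).

    A bucket with a low click rate but a low report rate is still flagged:
    silence is not the same as vigilance.
    """
    return sorted(
        key for key, m in summary.items()
        if m["click_rate"] > max_click_rate or m["report_rate"] < min_report_rate
    )


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for (month, group), m in s.items():
        print(f"{month} {group:8} click={m['click_rate']:.2f} "
              f"report={m['report_rate']:.2f} clean={m['clean_report_rate']:.2f} "
              f"median_min={m['median_minutes_to_report']}")
    print("follow up:", needs_follow_up(s))
```

Run as a script it prints one line per campaign and group; with the constructed data both groups are flagged in January (finance for clicks, IT for a report rate of only 50% despite few clicks) and neither is flagged in February. The thresholds are deliberately simple; what matters is that the report rate and time-to-report are tracked over the year next to the click rate, not instead of it.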
Using well-known brands without consent in phishing simulations is both illegal and an easy shortcut. It is something Junglemap does not use, something we advise our customers against, and something that is not even necessary.
A modern phishing simulation that has to keep pace with increasingly sophisticated attacks must be built on something entirely different from the illegal use of well-known logos.
Nils Ivar Skaalerud, co-founder and COO at Junglemap