Is all fair in simulated phishing?


Is there a limit to how far we should go in attempting to emulate the trickery and deceptive tactics of the cybercriminals who bombard our employees with increasingly devious emails? 

Let me present a couple of tactics we've seen phishers use to try to break down our employees' defenses. I'll then consider the ethical and legal implications of using those same tactics ourselves when we send simulated phishing attempts to try to educate people.

Exhibit A: tax time phishing 

Beginning in late January of each year, a familiar phenomenon pops up, just as workers across the U.S. are getting their W2s from employers and starting to think about filing their taxes. Employees of all stripes begin to receive emails allegedly from the IRS, offering information about refunds or overdue taxes or some other item that is sure to alarm and entice taxpayers who already find tax time confusing and a little stressful. 

If the email also carries the IRS logo, it's even worse. It's a scourge for the IRS, which has for years been very publicly telling American taxpayers that it will not contact them by email about their taxes, and asks taxpayers to report this fraud. Guess what? This public information campaign has worked, and the IRS gets flooded with reports of these scams.