Stop Phishing with Bad Fake Bait

Right now, you could have a message waiting in your inbox from someone you don't know inviting you to open a Google Doc, access a file in Office 365, or download a document from Dropbox. Even worse, the message could be from someone you do know who had his account hijacked by a cybercriminal. The e-mails are convincing, but rather than use these real phishing messages as learning tools for our staff, many IT professionals are told by vendors or legal counsel that they can't legally make a simulation that realistic.

It's time we stop trying to fight the cybercriminals with one hand tied behind our back.

At issue is the intellectual property of the company being impersonated in the e-mail. Any tech company with a web interface wants to make it as easy as possible for users to get to their services, so they include a handy link to take the user exactly where they need to go. The cybercriminals know this and so rather than concoct an elaborate phishing message from scratch, they will often just copy the format of the real e-mail and rewrite the link so it points to a malicious site. The cybercriminals have no problem violating the intellectual property of the company in their phishing messages, or on their credential collection pages. Think of the recent Google Docs scam or Podesta phishing attack, which were both effective in part because the bad guys were happy to use registered logos to trap unwary targets.

There are many vendors (e.g., Wombat, PhishMe, and Duo) that have developed phishing simulations in order to train users not to click on suspicious links and inadvertently give away personal information. However, these companies may refuse to use the logos and names of real companies in their training tools, and real companies are hesitant to give them permission to use their trademarks. As a result, the phishing simulations are often bad approximations of the real thing; they might let you send a FriendBook request or invite a colleague to view a PowerPresentation, which of course is ineffective. It is internal phishing with bad fake bait, and it's not helping anyone.

But it doesn't have to be this way. The law provides safe harbors under the doctrines of fair use — both for copyrights and trademarks — that might allow educational institutions to use actual company logos in phishing simulations designed to train or educate employees to spot and avoid phishes.

Courts recognize that fair use circumscribes a copyright holder's ability to limit the use of a copyrighted logo. A copyright fair use analysis balances four factors: the purpose and character of the use, including whether such use is for nonprofit educational purposes; the nature of the copyrighted work; the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and the effect of the use upon the potential market for or value of the copyrighted work.1

Courts have also recognized that a defendant's "nominative fair use" of trademarks is not infringing. A nominative fair use occurs if: 1) a product is not readily identifiable without use of the mark; 2) only so much of the mark is used as is reasonably necessary to identify the product; and 3) the user does nothing that would, in conjunction with the mark, suggest sponsorship or endorsement by the trademark holder.2

A carefully designed internal phishing simulation program could use actual logos within the boundaries of both of these legal doctrines.3 Provided it is designed with education in mind and the message's destination ultimately contains carefully worded disclaimers revealing its true purpose as a training exercise, a phish could legally use copyrighted or trademarked material, yet not ultimately create additional liability for your institution.

At Indiana University, we conduct internal phishing of our IT employees to help increase education and awareness. We have found that the most convincing phishing simulations we've sent have been ones that take the e-mail text verbatim from some of our internal systems. On the other hand, phishes that imitate services are anywhere from one-third to one-tenth as effective as those that use a system e-mail verbatim.

We urge tech companies to grant security companies permission to use their logos and trademarks, or perhaps even partner for mutual benefit. Failing that, we urge colleges and universities that are already conducting phishing simulations to make them as realistic as possible. Training our users not to open a PowerPresentation is not nearly as effective as training them to beware of cybercriminals impersonating the likes of Google, Microsoft, and Dropbox. We'll always be a step behind as long as we continue phishing with bad fake bait.

Notes

  1. See Bouchat v. Baltimore Ravens Ltd. Partnership, 737 F.3d 932 (4th Cir. 2013), as amended (Jan.14, 2014) (certiorari denied).
  2. See New Kids on the Block v. News America Publishing, Inc., 971 F.2d 302, 306 (9th Cir. 1992)(quoting Soweco, Inc. v. Shell Oil Co., 617 F.2d 1178, 1185 (5th Cir. 1980)).
  3. Learn more about the benefits and potential risks of deploying a phishing simulation program on campus.

Daniel Calarco is the chief of staff in the office of the vice president for information technology at Indiana University and chairs the office's SafeIT taskforce.

Jennifer Westerhaus Adams is associate general counsel in the office of the vice president and general counsel at Indiana University, and she sits on the university data management council.

Mario Arango is a law fellow in the office of the vice president and general counsel at Indiana University.

© 2017 Daniel Calarco, Jennifer Westerhaus Adams, and Mario Arango. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.