SANS Newsbites on Phishing your Company

SANS Newsbites is a summary of the most important news articles published on computer security in the past week. It includes commentary from an editorial board.
In Volume 11 Number 9, they reported on the DOJ self-phishing exercises that have been in the news. I was a little surprised that Marcus Ranum wrote: “This sort of test generally serves only to embarrass people and hasn’t been shown to have any useful long-term effect. When I see someone trying this kind of stuff, I think it’s just a case of some auditor or pen-tester trying to prove their worth by having something about which they can scream ‘GOTCHA!’”
It is true that phishing does have a great chance of success for pentesters. But I’ve seen numbers from phishme.com showing a marked improvement from initial tests to follow-up tests. That is what Alan Paller said in reply to Ranum in the Newsbites as well.
I agree with what Paller wrote: phishing your own company is a core component of increasing security awareness.
Any such testing should have the appropriate approval, of course. The contents of the phish should be considered carefully. You don’t want users to think you’ve gathered their credit card information, and you don’t want them notifying external fraud alert services. There are plenty of educational opportunities without attempting to harvest PayPal accounts, for example.