UK Government Agency

Battling the spear-phishers

Part of this agency’s role is keeping other public sector offices safe from harm. Lately a new threat has emerged: spear phishing.

Spear phishing is a new kind of cyber-attack where someone will use highly targeted personal information to pose as a person or a business that you already trust.

Once you’re convinced by the info they have on you, they’ll ask you to click a link to update something trivial like your back-up email address. And there, in an instant, your personal information starts uploading from your device and into their hands.

It’s harmful and it’s hard to spot, and because of both it poses a huge risk to the UK government when its staff are targeted by attacks.

The big question

How could we create a campaign that would help the UK’s civil service protect itself from spear phishing?

A selection of design materials we delivered, such as posters, storyboards, animated gifs and guides

What we did

Education, education, education.

The main problem we came across was that people didn’t even know this was a thing.

Spear phishing isn’t yet well-known as a practice, and the idea that an attacker could follow your online behaviours to glean private info that could be used against you, and then exploit it all in some kind of personalised email – it just hadn’t crossed a lot of people’s minds.

We had to change that. So we introduced people to the risks in stages.

  • First an introductory video about what spear phishing is and what it looks like when a suspicious email comes your way.
  • Then guides, infographics and quizzes about how to spot a spear-phishing email and what to do about it if you receive one.
  • At the same time, we surrounded government staff with catchy poster campaigns about the risks and ramifications of being targeted.
  • Then we created guides to show other government agencies how to run simulations to continually test their own susceptibility to attack.

Introductory video

Engaging quizzes

Why it worked

The Spacing Effect

Learning doesn’t happen overnight. It’s iterative and cumulative.

That’s especially true when you’re not fully paying attention to what’s being presented because you’re busy, say, running a country.

That meant we had to spread our messages out – drip-feeding the campaign across different media over time so people could gradually internalise the risks of spear phishing and how to avoid them for themselves.

The Generation Effect

We learn best not by listening or reading, but by trying ideas out for ourselves.

We could tell you how to perfect your golf swing right here in text form, but until you get out there and start whirling your clubs around, the truth is you’re never going to become the next Tiger Woods.

That’s why our campaign featured quizzes to help people recall spear-phishing risks. And just as importantly, we gave other government agencies the information they needed to run their own spear-phishing simulations.

Ego, status and desirability bias

We like to present ourselves in the most positive light we can. It’s why we buy brands like Apple and Nike that we feel represent what we want to convey about ourselves to the world.

Here, our campaign’s hook was ‘Don’t take the bait!’. 

Because none of us want to be the mug that falls for somebody’s cheap trick, the slogan appealed to people’s egos by making the idea of succumbing to a spear-phishing email feel like something only a sucker would do.

Don’t want to be that sucker? Pay attention, and make sure you know the risks!

The results

We can’t share our stats with you on this one, but I can tell you this was our most popular campaign ever!

– Our client, UK Government Agency