Ethics and Phishing Experiments.

Phishing is a fraudulent form of email that solicits personal or financial information from the recipient, such as a password, username, or social security or bank account number. The scammer may use the illicitly obtained information to steal the victim's money or identity or sell the information to another party. The direct costs of phishing on consumers are exceptionally high and have risen substantially over the past 12 years. Phishing experiments that simulate real world conditions can provide cybersecurity experts with valuable knowledge they can use to develop effective countermeasures and prevent people from being duped by phishing emails. Although these experiments contravene widely accepted informed consent requirements and involve deception, we argue that they can be conducted ethically if risks are minimized, confidentiality and privacy are protected, potential participants have an opportunity to opt out of the research before it begins, and human subjects are debriefed after their participation ends.