OutKept founders Dieter Tinel and Simon Bauwens
Phishing emails are increasingly finding their way to employees’ mailboxes. It only takes one person falling for one and the damage is done: accounts are looted, information is leaked, or social media accounts are misused for identity fraud. The Ghent start-up OutKept is the only company in the world that works with ethical phishers to conduct realistic simulation training at organizations. “Although people are the weakest link, they are also the best protection against phishing,” the two founders say in an interview with Bloovi.
Simon Bauwens and Dieter Tinel founded their own company at the beginning of the first corona pandemic. The year was 2020. “We first met during a webinar. We were both looking for a co-founder and wanted to delve further into phishing and cybersecurity, in combination with the power of a community. OutKept arose from a confluence of three ideas,” Bauwens recounts.
The SaaS startup is the first company in the world to collaborate at scale with a community of ethical phishers. The ongoing phishing simulations provide insight into the risk and continuously train people to recognize potential threats. “By means of training and simulations, we help organizations to become aware of the potential danger of phishing”, Tinel clarifies.
Humans are the greatest security risk
Every company is a potential target of phishing. Most employees think firewalls or cybersecurity software are enough to deter hackers. Nothing could be further from the truth. Software is a barrier, but it does not prevent all attacks. Phishing attacks are on the rise, not only in frequency but also in severity. If just one person makes a mistake, it can lead to disastrous consequences.
The phishing simulations help organizations in three ways, explains Tinel. “First, they raise general awareness. When people click on landing pages, they see phishing educational content. Second, they ensure that people remain alert at all times. After all, phishing can occur at any time. This creates the right reflexes to stop phishing emails. And thirdly, it ensures recognisability of specific content. The more often you see different phishing emails, the faster the mechanism is built.”
It’s like crossing the street, says Bauwens. “As a child you learn that you first have to look left and right before you cross the street. This is exactly the same with alertness to phishing. An automatic reflex is taught through the simulations. We talk about making organizations more alert, but by extension also in people’s homes. If employees learn to be alert at work, they will do the same at home. After all, confidential information is often viewed at home. With the right training, people will create reflexes to protect themselves from phishing emails.”
The OutKept platform is technology agnostic. It now generates content for emails, but in the future this could be extended to messages, apps, or even content for the metaverse. The principle and philosophy remain the same. “Technology applications are constantly changing. We do not want to replace technological solutions, but mainly add prevention”, explains Tinel.
Ethical phishers and approach
“Hacking focuses on the technical aspect, while phishing hacks, so to speak, on the psychological aspect of people,” says Bauwens, explaining the difference. “Often the focus is on the emotional aspect to persuade the user. During our simulation training, numerous emails are sent to employees so that they automatically recognize them over time.”
“All phishing emails are ethically sourced”, emphasizes Tinel. “We don’t use fixed phishing email templates, but get content from a community of ethical phishers who are rewarded through a bounty system. In this way we encourage the use of the most modern techniques.”
The local aspect is very important, the founders say. For that reason, OutKept works with phishers from different countries. This way, every ethical phisher knows what is happening in his or her region and which elements are needed in a phishing email. The phishing community does not only consist of security experts, but also of psychologists, marketers and copywriters.
OutKept functions as a kind of filter between the phishing community and the organizations. “The ethical phishers don’t know which companies are involved. All data, privacy and anonymity are protected, while simulations of the highest quality are developed. This allows organizations to test and improve awareness and vulnerability to phishing without risking long-term damage”, says Tinel.
OutKept’s training courses are applicable and scalable in various sectors. “The customer portfolio is very broad,” says Bauwens. “It has long since ceased to be the case that phishing simulations are only practiced at banks, insurance companies or government companies. The goal is the same in every organization. In the initial phase, the duration of the simulations is discussed. Most customers opt for a monthly rhythm of phishing emails. From this we see that alertness is created and maintained.”
Our expertise and the local aspect of our community ensure high quality simulation campaigns
Between 20% and 40% of employees within an organization click on phishing emails. About 20% even fill in landing pages with login details. The impact of the simulation campaigns is enormous. “After three to six months, the number of interactions with phishing emails is reduced by half. That will continue to fall consistently until it becomes stable,” says Bauwens.
Just the beginning
OutKept is currently in a strong growth phase. “Our community is growing organically. The positive feedback and enthusiastic reactions motivate us to expand it even further,” says Tinel. “We are often asked if AI tools like ChatGPT will replace our ethical phishers. We do not see this as a replacement, but as a means to create added value. Our phishers sometimes already use ChatGPT to help them, but the human hand that adjusts still ensures the best result.”
OutKept’s growth is made possible by several important partnerships. “Our structural collaboration with HoWest, for example, has already meant a lot to us. Students from different study programs get to know the phishing community in this way. We are currently in talks with similar parties abroad,” explains Bauwens.
Will we be hearing a lot from OutKept in the future? The founding duo nods a firm yes. “Our top priority is to make organizations aware of phishing via emails, apps, messages or other technologies”, replies Tinel. “Now we are going to work on internationalization, but at the same time we want to continue to grow in our own country. Thanks to our strong community of ethical phishers, we are ready to take the next steps anyway!”