Phishing Failures: How Not to Phish Your Users

This blog was co-written by Javvad Malik and Erich Kron.

Let’s dive into the cautionary world of phishing simulations gone wrong. You know, those attempts to train users not to fall for phishing that somehow end up setting off more alarms than a Hawaiian missile alert system.

Let's explore why we need to phish our users, but more importantly, how not to phish them.

We turn to two of our trusted security awareness advocates, Javvad Malik (JM) and Erich Kron (EK), to shed some light on the matter.

Why Do We Phish Them?

JM - First off, let's acknowledge the elephant in the room - or should I say, the 6.4 billion fake emails floating around every day trying to scam Aunt Edna out of her retirement savings. Yes, you read that right. With phishing being as popular as pineapple on pizza (controversial, I know), it's crucial we prepare our users to dodge these deceitful darts.

EK - Phishing and social engineering in general are becoming way more popular than ever for bad actors. Now we've got deepfakes and AI-generated materials without the obligatory grammar and spelling errors we used to have, and much better translations. Given the popularity of the attack vector and the number of successful breaches caused by phishing, helping to educate people and giving them simulated phishing messages to practice on is a no-brainer.

Conditioning Reflexive Behaviors

EK - It's no secret that social engineering relies heavily on a subtle, or not so subtle, push on people's emotions. When we're emotional, we tend to make bad decisions unless we have trained to work under pressure. I wouldn't trust firefighters that have learned their trade by only watching YouTube videos, and given the quality of modern phishing attacks, I certainly wouldn't want to put my employees in a position where they don't get to practice the lessons they've learned in training.

Reacting while under pressure, for example to a CEO's demand to wire transfer money with a significant sense of urgency, is improved by having been exposed to the situation previously. For me, I'd much rather they make mistakes in a fail-safe environment than with our actual money or data.

JM - Mike Tyson once said, “Everybody has a plan until they get punched in the mouth.” Now, while I don’t advise any physical confrontations, I do believe in preparing our colleagues like cybersecurity boxers. The idea? Repeat, repeat, repeat. By continuously exposing them to various phishing simulations, they develop the reflexive behaviors needed to spot and thwart phishing attempts like the pros they are. It’s about failing safely, learning, and then celebrating those sweet moments of victory when they correctly identify a phishing attempt.

Beyond the Break Room: Training That Actually Works

JM - If you think locking your users in a break room with nothing but coffee, donuts, and a PowerPoint presentation will turn them into cybersecurity Spartans, think again. Effective training is about giving people the tools they need and allowing them to practice those skills in the wild. It's less about punishment and more about fostering a sense of pride in contributing to the organization’s safety.

EK - We have all had to sit through mind-numbingly boring training before, whether in school or on the job.

Bueller, Bueller, Bueller...

If you want training to work, we can't bore people into a slumber, so let's keep it lively, exciting, and maybe even a little bit fun. Just a touch of the right kind of humor can really make a scary topic a lot more palatable and interesting for the audience.

The Curse of Bad Habits

EK - We've all learned bad habits, but like anything in life, as the world evolves, so must our way of dealing with it. The days of using the same password on 27 different platforms, or of relying on endpoint protection to save our skin, are gone. We need to make some new habits, but they don't have to be difficult to master, and once we relearn the way we do some things, that becomes the habit we're used to. It's like wearing a seat belt; even just going across a parking lot without wearing one makes me feel uncomfortable. The same should be said for reusing passwords.

JM - Education needs to be a staple in the user’s diet, not just a quarterly or annual treat. And remember, encouraging users to report phishing attempts - both real and simulated - is like having an early warning radar system. Don't get caught snoozing on the job!

Avoiding the Pitfalls: A Guide to Compassionate Phishing

JM - Yes, there's such a thing as compassionate phishing:

  • Shaming is a No-Go: This isn't a 90s sitcom; there are better ways to encourage good behavior than shaming
  • Keep It Friendly: We're building reflexes, not resentment. Ensure your simulations are challenging yet achievable
  • Positive Reinforcement: Caught someone doing good? Celebrate it louder than a catfight at midnight
  • Choose Your Topics Wisely: Steer clear of sensitive topics that could trigger undue stress or fear. Think "misplaced coffee cup" not "missing paycheck"

EK - Simulated phishing is not about catching people. That is not your goal at all. What you really want to be doing is reinforcing the training they've received and giving them a chance to practice what you've taught them without causing an organization-wide event.

Avoid topics that are going to make enemies. Sure, bad actors will use very controversial topics; however, if people understand the types of social engineering attacks they're going to be facing, they can learn how to spot them without organizations having to rely on using controversial topics themselves.

This is not an us-versus-them situation; we are here to help them learn to keep themselves safe. Consider gamification and trumpet successes loudly and publicly, while dealing with failures privately. Nobody likes looking like a fool in front of coworkers. Consider having some competitions within the organization, but don't think the prizes have to be big to get people to engage. And only post the winners. Little packages of candy or a silly trophy that someone gets to keep until the next round of phishing can go a very long way toward making it fun.

JM - In our quest to equip our colleagues against the dark arts of phishing, let's remember that the goal is to educate, not alienate. By crafting thoughtful, regular, and empathetic phishing simulations, we transform our colleagues from potential victims into vigilant sentinels of our cyber realms. After all, an informed, confident user is the bane of a phisher's existence. So, let’s ditch the one-size-fits-all scare tactics and instead adopt a more nurturing approach to cybersecurity education. Because when it comes to defending against phishing, a spoonful of kindness and a dash of humor go a long way.

EK - Considering the threat posed by phishing and social engineering attacks these days, if you want to give people the tools to protect themselves, combining training and phishing, both done at least monthly, can be one of your best tools to protect your organization. We need technical controls, but you cannot leave the human part out of your cybersecurity strategy. Just remember to try to make it fun and relevant rather than boring and pointless and you are likely to have much better engagement and interest in the topic.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
