Lessons from a Failed Phishing Test: Why Front-Line Workers Are More At Risk

Blog, by Alias, August 6, 2025

Background

I’ll never forget the first time I failed a phishing test.

It was back in 2018–2019, and at the time, the phishing test felt completely unfair and unrealistic. As a front-line employee in sales, the email looked like a legitimate purchase order. As you’ve probably guessed—it wasn’t. Fortunately, it was just a training simulation.

There’s a common misconception in cybersecurity: that people with the most access need the most training. But that’s not always the case. A vulnerability is a vulnerability. And if you’re not conducting regular internal penetration tests, that vulnerability could lead to a much deeper compromise than expected. Gaining domain or admin access through a front-line worker is far too common in our field. Often, it’s because organizations assume their “disposable” workgroups don’t have access worth targeting. But if that were true, phishing attacks wouldn’t be as prevalent as they are today.

Cyber dangers on the front lines

Anyone who’s ever worked on the front lines can tell you why they’re so vulnerable. Let’s consider just a few reasons:

  • They are multitaskers
  • They operate on routine
  • They face amplified distractions—especially in remote, hybrid, or call center environments
  • They deal with stress, fatigue, and KPIs
  • They carry high workloads

As a front-line sales employee at a large company, I was expecting a PO. When one arrived, I didn’t think twice—because it fit my routine. When you’re on the front lines, a lot of “trash” gets thrown your way. The worst part? Even in a high-functioning role, you often feel disposable. Clicking on a phishing email can mean the end of your career—because people are treated as disposable.

Managing cyber risk through fear doesn’t work.

Fear is a primal emotion. It’s not sustainable. When you’re busy, fear won’t kick in until it’s too late. That’s why firing employees for falling for phishing attacks is ineffective. What is effective is creating an environment where people feel safe asking questions and raising alarms. If someone clicks something suspicious, they should feel empowered to say, “I think I made a mistake,” rather than hiding it to protect their job.

My pet peeves?

First: when high workloads, routine, and KPIs create the perfect storm.
If you receive 40 emails a day and have a 1-hour SLA, things will get missed. If you receive 400 emails a day with a 48-hour SLA—and your job involves more than just reading emails—you will fall for something eventually.

Second: the blame game.
When companies fail to evaluate the sophistication of an attack, the environment in which it was deployed, and their own accountability, they miss the point. Unrealistic training is one thing. Expecting someone to do the job of multiple people and complete training is laughable.

So what can be done to protect businesses and the people most vulnerable to phishing attacks?

  • Continuous, behavior-focused training
  • Implementing appropriate MDR or SIEM solutions
  • Reducing distractions and workloads
  • Encouraging open communication and incident preparedness
  • Enforcing multifactor authentication

I’m not here to tell you how to do your job. I’m here to help you protect your company—and most importantly, your people. Cures don’t just happen. They take research, effort, and commitment. Cutting out malicious attacks and vulnerabilities is no different.

Let’s break this down even further:

Continuous, behavior-focused training in phishing tests

You must make the training relevant to the job and the duties of the job. Sending a fake phishing email that I'd never click on because it's stupid isn't protecting you from anything; instead, it makes light of a potentially very serious issue. Stop doing that. While I thought the phishing test I failed was unreasonable, most people also failed it, which is what made it effective. If people aren't failing your tests, it isn't because you are impenetrable; it's because your tests are ineffective. A lot of the time these tests are created by people who have never done the job, and I'll never understand this.

Sense of Urgency

Attacks are sophisticated, highly personal, and traditionally play on emotions or a feeling of urgency. Every time you send out an email saying you need something completed today, or immediately, you are opening the door for a hacker. It's poor business management to make anyone feel they must get something completed immediately or lose their job, so why put that out there? Honestly, if you speak to people that way, maybe you deserve the increased probability of attack, because it's a terrible way to treat people.

Creating a Culture of Proper Response

Creating training and a culture in which people understand how they should be talked to, how they should be engaged, and how they should respond is going to save you from the ever-changing evolution of phishing schemes. If an email triggers an emotional or fearful response or creates anxiety, I'd give it a second thought before engaging. That is the training you should be giving: something natural and consistent, so people are less likely to be manipulated.

Managing Workloads

Reducing distractions and workload is huge: if your team has time to think about something, you increase the effectiveness of the training you have put in place. People are going to mismanage time, and you can't prevent that a hundred percent, but you can make sure the workload is appropriate for a single person.

Monitoring and Basic Security Hygiene

Using MDR and SIEM solutions, as well as multi-factor authentication, helps you in the event something happens and someone fails, because people will always eventually fail somewhere; it's only a matter of time if the hackers are consistent and determined enough. These are both preventative and proactive measures. You should know that when you click a link and have to sign in, multi-factor authentication should kick in; if you don't have to authenticate immediately, then there is an issue with what you just did. Notify your IT team immediately after a breach, regardless of size; it can save a lot of time and money. Which leads me to my last point: encourage open communication and incident preparedness.

Phishing Lessons Learned

I don't feel like I'm telling you things you don't already know, but we do tend to see companies convolute and confuse their teams to the point that the objectives aren't clear. There should always be a clear and safe precedent: if you feel you have made a mistake, report it, and hold your IT team accountable for reacting appropriately. Make sure they too have the bandwidth to react immediately. Do yearly penetration tests, do quarterly vulnerability scans, empower them with the tools they need, and roadmap your environment while it is under attack. If you don't trust people because you don't have an open environment, then you must invest in SIEM and MDR solutions; otherwise you are a sitting duck. And honestly, no matter how good you are, don't trust people. Do right by them to reduce the effectiveness of attacks, but don't assume everyone is going to do the right thing always; they aren't.

Looking back, failing that phishing test was perhaps the best lesson I never wanted to learn. It exposed real vulnerabilities but also opened the door to better awareness and stronger defenses. If we keep learning and testing, we can stay one step ahead of threats that could otherwise compromise our security. It has truly helped me in my career to further help companies identify real threats and identify vulnerabilities in their process and management. I feel like I've seen it all, and the truth is I've only seen what I've been exposed to, and I have to help others stay vigilant to all attacks. Failing the phishing test made me realize that I'm capable of just as much human error as the next person, and it's that characteristic that'll never change, so phishing will always be around. I hope you have a proactive and preventive system in place, but if you don't, I hope you found this helpful.

Written by: Alias
