Українська правда

Only a 2% improvement: training employees to recognize phishing doesn't work


Phishing, in which attackers send fraudulent messages to trick recipients into handing over credentials or other confidential information, remains a significant cybersecurity threat. According to Verizon, it accounted for up to 14% of cyberattacks in 2024.

Phishing tests simulate real attacks: employees receive deceptive emails designed to lure them into clicking a link, and whoever clicks is recorded as having failed. Some of these tests, however, have gone to extremes, with alarmist lures causing unnecessary panic and irritation among staff.

At the University of California, Santa Cruz, sociologist Alicia Riley fell victim to a phishing test disguised as an Ebola outbreak alert on campus. After clicking on the link, Riley learned that it was a test organized by the university's IT department to raise awareness of cybersecurity. Outraged, she filed a complaint, claiming that the test undermined the credibility of the university's alert system.

Similar incidents have sparked discussion in many organizations. On Reddit, IT professionals often share stories about elaborate phishing tests, such as fake emails about lost pets or password changes, and many boast about the number of employees who have been duped.

“Tricking people into falling for a phish so you can lecture them that they failed, that’s the part that is terrible,” said Matt Linton, security engineering manager at Google. He emphasized that phishing training works best when it doesn't humiliate employees, adding: “They’re more receptive to the education if they feel like you haven’t just made them a fool.”

Despite the widespread use of phishing tests, academic research suggests they may be far less effective than assumed. A 2021 study by ETH Zurich found that phishing tests combined with voluntary follow-up training sometimes made employees more, not less, susceptible to attacks. A subsequent study by the University of California, San Diego, reached a similar conclusion: training produced only a slight improvement of about 2%.

“These are just an ineffective and inefficient way to educate users,” said Grant Ho, co-author of the study.

Some organizations impose harsh consequences on employees who fail phishing tests. At Lehigh Valley Health Network, employees lose access to external email for three months after a first failure and for a year after a second, and can be fired after a third. The organization's chief information security officer, Luis Taveras, defends the policy: "It's strict until an attack happens and we have to shut down our medical systems."

One of Taveras's most effective lures was a fake email offering free tickets to a Philadelphia Eagles game, which drew a 4% click-through rate.

Amid the criticism, organizations are reviewing their phishing-testing strategies. The University of California, Santa Cruz, for example, has vowed not to repeat the Ebola email incident, and experts such as Linton advocate more constructive approaches that focus on education rather than humiliation.

Phishing tests nonetheless remain a standard tool in cybersecurity training. Their limited measured effectiveness and the backlash they can provoke underscore the need for more innovative, employee-friendly ways to counter the growing threat of cyberattacks.
