STOP. DOING. THIS. Use simulations to train how to report emails. Literally send them saying "let's practice how to report this example phish." All simulations like this do is prove people click links. NO FREAKING KIDDING! There is no avoiding clicking links!
18,050 views • 2 years ago • via X (Twitter)
10 Comments

Click rate is a pointless metric. You know what is a better one? Using the link as an engagement metric. Send your example phishing with instructions on how to report it. Then say "want to see this attack from a hacker perspective? Click here!" And redirect to a video of...

a phishing. From this one simulation you now have excellent metrics: 1) Who read the email and followed instructions 2) Who read the email and didn't bother with instructions (higher risk user) 3) Who didn't read the email (maybe a technical problem) And...

4) Who clicked the link to learn more and might make a good security champion. All 1000x more useful than "we tricked the plebs this month into clicking a LINK." If your security program can be brought down by clicking a link... you've got 99 problems, but end users aren't one.
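One way to turn the four outcomes above into numbers from simulation telemetry, as an added example that is not part of the thread. The event log, user names and event types are constructed, and it assumes that a report implies the mail was read even when no "opened" event fired (image blocking suppresses tracking pixels).

```python
from collections import Counter

# Constructed sample events for one simulation: (user, event).
# "opened"   = tracking pixel / read receipt fired
# "reported" = user pressed the report-phish button as instructed
# "learned"  = user clicked the "see it from the attacker's side" link
SAMPLE_EVENTS = [
    ("alice", "opened"), ("alice", "reported"),
    ("bob", "opened"),
    ("carol", "opened"), ("carol", "reported"), ("carol", "learned"),
    ("dave", "opened"), ("dave", "learned"),
    ("erin", "reported"),  # reported, but no pixel: images blocked
]
RECIPIENTS = ["alice", "bob", "carol", "dave", "erin", "frank"]

FOLLOWED = "read and followed instructions"
HIGHER_RISK = "read but did not report"
NOT_READ = "no evidence of reading (check delivery)"


def classify(events, recipients):
    """Return {user: (outcome, champion_candidate)} for every recipient.

    Outcome is one of the three mutually exclusive buckets; the
    champion flag (category 4 in the thread) is orthogonal, since a
    user can both report the mail and click the learn-more link.
    """
    seen = {u: set() for u in recipients}
    for user, event in events:
        if user in seen:            # ignore events for non-recipients
            seen[user].add(event)
    result = {}
    for user, evs in seen.items():
        if "reported" in evs:       # a report proves the mail was read
            outcome = FOLLOWED
        elif "opened" in evs:
            outcome = HIGHER_RISK
        else:
            outcome = NOT_READ
        result[user] = (outcome, "learned" in evs)
    return result


def summarize(classified):
    """Counts per outcome plus the number of security-champion candidates."""
    counts = Counter(outcome for outcome, _ in classified.values())
    champions = sum(1 for _, learned in classified.values() if learned)
    return dict(counts), champions
```

Users in the NOT_READ bucket deserve a delivery check (quarantine, wrong alias) before being counted against anyone.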

OMG. That is so cruel and pointless. I know, the criminals can still do things like that, but we can teach people without pulling crap like this.

We’re working on this at @HuntressLabs to make this more of an educational experience for folks rather than a negative one. This is the training you get if you click the phishing link. What do you think?

I hate phishing simulations that count a click as an automatic fail. Clicking a simple link almost certainly isn't going to compromise the security of the organization unless there's some new critical webkit 0day or something, in which case we have bigger problems.

Yeah but did you see the comments? Near universal praise from people “in IT”. This is the KNOB5 effect. It’s not gonna be fixed by telling the infosec bubble. It needs to spread much more widely. And it needs to be pulled into the platforms enabling it. Maybe some mandatory…

The main argument from IT and security is that it only takes one click to get owned. But what I realised over the years is that companies that have no email sandboxing, no URL filtering and no anti-malware expect end users to not click on that one phishing link that will bring down the company. This is one of the most immature cybersecurity mindsets. You have to protect your users to be able to perform their jobs. How would you like to work in HR for a week and have to open Word resumes without any of the aforementioned controls?

My favorite personal experience is when the security team sent out a knowbe4 phish to the employees saying the IRS owed them an extra refund. This actually made it back to the real (one employee took the reporting to the next level) and before I know it

If you’re relying on phishing training as your sole defense, good luck! Defense in depth and layered defenses are the best way to combat these attacks. Nothing is foolproof because the fools always find a way. Good defense and having a well-trained team that can respond quickly is the key to a good security program.