It finally happened.
I just clicked on my own phishing test.
Let me explain…
At Hook Security we create new phishing email templates every month based on the latest threats and tactics.
At the end of the day, most of the same tried and true tactics continue to successfully socially engineer the people of Email Land, but there are always trends and iterations for us to pick up on.
Fairly often we will send simulations to each other, both for quality assurance and to keep ourselves “in shape” from a cybersecurity posture standpoint.
While testing out a few new features in our phishing simulator, I scheduled a few emails to go out to myself over the following few days.
And then it happened. I clicked on one. And not only did I click on it, I fell for it.
On the email
I was in deep work. Knocking out tasks. I was in such a creative flow. Then my phone buzzed:
From: Microsoft
Subject: New device login
This took me immediately out of my flow state.
That wasn’t me. Or maybe it was. Did I use Microsoft Word today?
I opened the email:
Oh no, this was definitely not me.
Someone in Romania just got through the first barricade on my account.
I got a hot flash and my heart rate went up. This is not good.
Luckily, Microsoft has spotted it as an unusual login, and has required an additional MFA code to access my account.
Thank you Microsoft!
All I need to do is click on this link to change my password and secure my account…
The rest is history, and there I sat watching a short training video of my wonderful coworkers on the training team telling me what I missed…
On what went wrong
If you’re a cybercriminal there is so much to like about this email. A few things that made this one particularly devious:
- It used urgency, but not too much! My account was not “hacked”, it was just accessed.
- The fact that fake-Microsoft caught this login attempt eases my immediate concerns.
- The nonchalant nature of the message leads me to believe this is not an emergency but definitely something to take care of right now.
- The phishing link itself says “If this wasn’t you, change your password and secure your account”. A well-trusted brand is presenting a very “safe” link to click on and perform what I consider to be a responsible action (securing my account).
On why my brain made me click
Yes, I’m blaming this on my brain. It made me click on this link.
But how could this happen? I eat, sleep, and breathe phishing simulations.
I built this phishing campaign for crying out loud!
Why did I, of all people, click on a phishing link I had created?
The answer lies in the psychological underpinnings of our daily routines. Overconfidence had assured me that I was above such mistakes, while familiarity with the test's format blinded me to its threats. This incident underscored the potent combination of social engineering and cognitive biases—how even the most vigilant among us can be led astray by overfamiliarity and a well-placed sense of urgency.
On my phishing testing worldview
This incident reinforced my existing concerns about the potential drawbacks of companies conducting phishing tests on their employees.
While the practice aims to educate and safeguard against real threats, my personal slip-up highlighted how such tests, if not executed thoughtfully, can be counterproductive, affecting morale and productivity.
The vivid memory of clicking on the phishing link indeed serves as a potent deterrent against future lapses, suggesting that these experiences, while uncomfortable, can ingrain cautious habits. Yet it also brings to the forefront my ongoing internal debate about achieving the right balance.
The challenge lies in designing these tests to be educational rather than punitive, ensuring they foster a supportive environment where employees can learn from their mistakes without fear of retribution. This experience has deepened my conviction that while phishing tests are helpful, their implementation must be carefully calibrated to avoid undermining the very culture of security they seek to build, striving instead to create a constructive space for developing robust cybersecurity practices.
For me, the choice of to-phish-or-not-to-phish comes down to one simple question that should act as a core value of any company-wide program:
“Will the employee leave better off having experienced this training?”