Going Phishing in the Company Pond


Phishing is a unique form of cyberattack where deceptive emails or websites are used to try to get unsuspecting users to give up personal information like credit cards or passwords. It is a huge problem. In fact, it is the second-most common type of security breach out there, just on the heels of malware. And your biggest problem—people who click on things they just shouldn’t—isn’t going away. But what if you could change that by creating a smarter, savvier set of employees who know just what to look for? This is the thought that’s causing many companies to take part in a somewhat controversial practice: phishing their own employees to find the chinks in the organization’s armor. 

According to Verizon’s 2018 DBIR report, email continues to be the most common phishing vector, used in 96% of incidents and breaches, and about 22% of people click on a phishing link in a given year. More alarmingly, the more phishing emails someone has clicked, the more likely they are to click in the future. It’s unsurprising that the DBIR report goes on to suggest that “part of your overall strategy could be that you can try and find those 4% of people ahead of time” (referencing that 4% of people in any phishing campaign will click on it). 

The Case for Benevolent Phishing

You can love them, lecture them, and give them hands-on training, but some employees will always simply…zone out. So, it makes sense to teach them in ways that will grab their attention, like sending out a fake phishing email and giving extra training time to anyone who fails the test and clicks! Many companies are now participating in the practice of phishing employees, either once, or periodically, to get a sense of how secure their defenses really are, and to maybe tighten them more. The practice has become so common, in fact, that you can now outsource it: services like Core Security, Gophish, Security IQ and Lucy can do it for you! 

An article by Business News Daily suggests letting employees know that a fake phishing email will be going out soon. Other companies run the tests in secret to get an optimal picture of just how many employees need extra training, so they will not be on the lookout. 

From a legal perspective, when doing any employee surveillance, it is important to generally let employees know in advance that their activities will be monitored on company systems and equipment. This helps set the appropriate expectation of privacy, as well as ensure that the organization is complying with appropriate laws. If you have not previously set up such a policy, it may be important to revisit the issue before conducting any clandestine phishing activities. Laws and other rules around monitoring email and other electronic systems can be complex, so it is important to make sure the proposed exercise is legally permissible in your jurisdiction before taking action.

The Case Against Benevolent Phishing

There are others who feel differently about intentionally phishing in your own company pond. Not only could phishing your own employees shame those who do not pass the test, but it could potentially create an even bigger problem. Violating your employees’ privacy and trust through a fake phishing exercise may create morale issues with ongoing consequences. A huge risk factor for companies is disloyal employees who can abuse private company access or information. The last thing you want to do is to lose the loyalty of an employee or push an ambivalent employee over the line into malicious activities. You know your employee culture best, so be sure to take these factors into consideration. 

For employees whose loyalty is not in question, their honesty could be. An employee who fails a fake phishing test may (from sheer embarrassment) be less likely to be truthful if she clicks on the real thing in the future, and it is important to deal with all potential threats as speedily as possible. 

As opponents of the practice point out, fake phishing may not even give extremely reliable results: a low click rate that you read as a success may simply mean that the spam filter diverted most of the test emails to the junk folder before anyone saw them. Also, it’s good to keep your guard up and not get a false sense of security. Even the most discerning employee can be duped, so it’s best to always prepare for the likelihood that a dubious link will be clicked, and to put plans in place from there. 
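As an added illustration (not code from the original article or from any of the services it names), the following script scores a simulated campaign from a constructed event log. It divides the click count by the messages that actually reached an inbox rather than by everything sent, flags the result as unreliable when the mail filter swallowed much of the campaign, and lists repeat clickers who warrant the extra training mentioned earlier; the log format, employee names and the 80% delivery threshold are assumptions for the example.

```python
from collections import Counter, defaultdict
# Constructed sample log for one simulated campaign: "<event> <employee>".
SAMPLE_LOG = """\
sent alice
sent bob
sent carol
sent dave
junked carol
junked dave
opened alice
clicked alice
opened bob
reported bob
"""
# Constructed history: clicks recorded in earlier campaigns.
PRIOR_CLICKERS = {"alice": 2, "dave": 1}

def parse_events(log_text):
    """Return {event: set(employees)} from the simple log format."""
    events = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            event, who = line.split(maxsplit=1)
            events[event].add(who)
    return events

def campaign_metrics(log_text):
    ev = parse_events(log_text)
    sent = ev["sent"]
    delivered = sent - ev["junked"]   # only these employees were really tested
    clicked = ev["clicked"] & delivered
    reported = ev["reported"] & delivered
    d = len(delivered) or 1           # avoid division by zero
    return {
        "sent": len(sent),
        "delivered": len(delivered),
        # naive rate: divides by everything sent, junked mail included
        "click_rate_naive": len(clicked) / (len(sent) or 1),
        # honest rate: divides only by mail that reached an inbox
        "click_rate_delivered": len(clicked) / d,
        "report_rate": len(reported) / d,
        # assumed threshold: if the filter ate over 20% of the campaign, distrust it
        "reliable": bool(sent) and len(delivered) >= 0.8 * len(sent),
    }

def repeat_clickers(log_text, prior, min_clicks=2):
    """Employees whose cumulative clicks reach min_clicks: extra training."""
    total = Counter(prior)
    total.update(parse_events(log_text)["clicked"])
    return sorted(name for name, n in total.items() if n >= min_clicks)
```

On the sample data the naive click rate is 25% while the rate among delivered messages is 50%, and the campaign is flagged as unreliable because half of it never left the junk folder.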

To Phish or Not to Phish: A Few Alternatives 

At the end of the day, it is always best for you and your employees to be on the same side in the battle against phishing and other cyber-attacks. Regardless of whether phishing exercises are right for your organization, here are a few suggestions of things to prepare your team to face the inevitable attacks:

1. Separate Internal Systems. Separate your critical and financial systems from your more everyday ones (such as by using different cloud-based systems), so if a lesser system gets hacked, less is at stake. 

2. Practice! Run drills, give lessons, and show examples of real phishing emails. You don’t necessarily need to phish your employees to get the issue on their radar, but you should not wait until someone outside the organization shows your employees an example…

3. Educate Yourself and Your Employees. Read our blog on cyber-securing your business and do your homework on best practices for securing your systems. Then, make sure you educate your employees. Ensure employees with access to the more important systems have a higher level of awareness, training, and accountability. They should know that they’re on the front lines.


Because of the generality of the information on this site, it may not apply to a given place, time, or set of facts. It is not intended to be legal advice, and should not be acted upon without specific legal advice based on particular situations.