About Blog Code Contact Projects Resumes Visitors
About Wade Bachelder

My Blog



True Stories of Cyber Awareness: Phishing (09/16/2025)


Cyber awareness month is coming up in October and I bet those who receive training cannot wait for the mass tips, tricks, how-to, and what-nots that will be flooding your screen and inbox soon.

Instead of posting the same old infographics that you have probably seen repeatedly, I decided to share true stories about topics related to cyber awareness, but they won't be nice. I will change names, but the stories are true. The titles of these blogs won't be nice either but hopefully insulting.

I was the person who ran the company- and customer-wide cyber awareness programs, where the first few weeks of the month were set for training. The last part of the month is when the simulation campaigns would run to see if anyone learned anything about the topic. I tried to keep the simulations within the topic, but I threw in a wildcard occasionally. I also capped the simulations at 4 as I didn’t want to spam the users.

The manager of the IT division was phished 9 times over the course of 18 months. Yes, 9 times and the individual was fooled each time. This individual eventually took over the management of the M.S.P. department and I was let go because this person didn't like me. They wrote me up over an issue that occurred 18 months prior. Talk about being petty.

Turns out this person was removing talent from the company due to their own insecurities.

I never went above their head to tell the owner of their continued failed simulations, and I guarantee that this information never made it to him from this manager. Why would it?

I will admit that at other jobs in the past, my manager would test us and each time I got a simulation, I knew it was such. So, I would click and enter information to be an ass. He would talk to me and say, you know you failed. I replied that I knew it was a simulation and walked over the steps to show him how and why. I took the steps to see what was being sent to me instead of clicking away. I was an admin too so I could see the IP/Domain set up within the email rules for simulations.

Another situation involved a client whose CEO wanted all emails to reach his inbox. I stalled and tried to persuade him otherwise but eventually allowed the flow of emails to his inbox or junk mail. He didn't want to check quarantine as he was lazy. Eventually, he realized a lot of crap was coming in and decided to use quarantine. The same CEO also didn't want Gift Card Phishing Simulations due to the company giving out gift cards to employees. Many were phished with the simulation and the CEO felt bad due to them not getting a gift card. That simulation was halted. Really? This was an insurance company. Go figure. The gift card scam is one of the most basic and simple to implement and will continue on with company strategies like this.

Phishing

If you can help it, don’t click on any emails while using a mobile app, as its functionality will be limited. Check the From email address: is it legit? Hover over the link using an email client on a desktop to check the URL. These two steps will supply you with enough information to decide whether to click or not. Slow down and take some time to read what is in front of you; most people claim to be too busy and just click away. Unless you want to hear from IT and have more training assigned, just slow down.

More tales of insanity will continue in the next Cyber Awareness blog post.
