Are you a bad phisher or a good phisher?
Phishing emails, they’re a big deal.
That’s probably because ~91% of data breaches start with a phishing email.
In response to the sheer volume of phishing emails out there, many companies include sending simulated phishing emails to their employees as part of their cybersecurity awareness program. The frequency, content, and punishment for failure can run the gamut.
A few bad phishers have made headlines, and now the question ‘to phish or not to phish’ your employees is a hot topic.
What did they do?
They sent simulated phishing emails to their employees promising big bonuses (up to $10,000) as a thank you for all their hard work during COVID. They said their company had been receiving similar phishing emails IRL, and it made sense to simulate these types of emails.
The worst phisher of all didn’t even tell employees for TWO DAYS that they failed the test. Many of those employees spent their ‘bonus money’ during those two days.
What happened next?
The employees got pissed. The employees got vocal. The employees complained. Negative press. Demands for payments of bonuses.
WHY DID THESE PHISH STINK SO BAD?
- They didn’t tell the employees in a timely manner that they failed the phish (it should be immediate)
- They ignored the current climate (layoffs, pay cuts, and reduced hours make for a sensitive workforce)
- The phishing email was sent from their actual email domain (an email coming from a hacked internal account is a different scenario from someone outside impersonating you)
How are you phishing? Are you sending the right phish at the right time? If you’re feeling queasy about phishing after reading this, let’s chat about how phishing with purpose can change the entire direction of your phishing program and your employees’ thoughts on phish.
Do you remember reading about any of these bad phishers in the news? Comment below, and let me know your thoughts.