Phish-testing is fun…
A small company hired a new cybersecurity consultant after a phishing incident.
Day one, he walked into the office and asked, “How many people clicked the phishing email?”
The IT manager sighed. “About 40%.”
“That’s bad,” said the consultant.
“Actually,” replied the manager, “that’s an improvement. Last year it was 90%.”
Determined to fix things, the consultant launched mandatory security awareness training.
A month later, he sent a fake phishing test:
Subject: FREE PIZZA IN THE BREAK ROOM
Within two minutes, 73 employees clicked.
Within five minutes, someone replied-all:
“There is no pizza. This is another one of Kevin’s stupid tests.”
The consultant was disappointed.
Then he noticed the CEO had clicked too.
He walked into the CEO’s office and asked, “Why did you click it?”
The CEO shrugged.
“Because if there was free pizza and I didn’t click, I’d look stupid.”
The consultant updated the training.
Next month he sent another test:
Subject: IMPORTANT PAYROLL CORRECTION — ACTION REQUIRED
Only three people clicked.
Huge improvement.
Then payroll called.
Every employee had received the email, panicked, and immediately called payroll to ask if their paycheck was safe.
The payroll department suffered a complete operational collapse for six hours.
The consultant proudly reported a phishing click rate of only 1.5%.
The CFO stared at him.
“You shut down payroll for an entire day.”
“Correct.”
“And you consider that a success?”
“Absolutely.”
“How?”
The consultant pointed at his report.
“Nobody entered their password.”
The CFO rubbed his temples.
“Kevin…”
“Yes?”
“Next month, send the pizza email.”
The consultant smiled.
“Already scheduled.”