Security Education with Intention – Phishing

Rethinking Phishing Campaigns: Should Employees Share Phishing Alerts?

One of the things I value most in cybersecurity—and leadership—is getting a fresh perspective. This week, while explaining our phishing campaign strategy during a team meeting, a new colleague asked a question that stopped me in my tracks.

I was walking them through our phishing cadence: how we design internal phishing simulations, ensure every employee is eventually tested, and strategically space them out to avoid spreading the word and spoiling the test. Then came the question:
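The cadence described above (every employee eventually tested, with tests spaced out so coworkers are unlikely to be hit at the same time) can be expressed as a deterministic scheduling rule. The block below is an added example, not code from the original post or from any tooling the author uses; the roster, department names and campaign seed are constructed for illustration. It assigns each employee to one wave, shuffles within each department using a seeded hash so the order is reproducible but not guessable from the org chart, and staggers departments so that the same team is never concentrated in a single wave.

```python
import hashlib
from collections import defaultdict

# Constructed sample roster: (employee, department). Hypothetical names only.
ROSTER = [
    ("alice", "finance"), ("bob", "finance"), ("carol", "finance"),
    ("dave", "engineering"), ("erin", "engineering"), ("frank", "engineering"),
    ("grace", "hr"), ("heidi", "hr"),
    ("ivan", "sales"), ("judy", "sales"), ("mallory", "sales"), ("niaj", "sales"),
]


def _digest(*parts: str) -> int:
    """Stable integer derived from the campaign seed and identifiers."""
    return int(hashlib.sha256(":".join(parts).encode()).hexdigest(), 16)


def assign_waves(roster, num_waves, campaign_seed):
    """Return {wave_index: [employee, ...]} covering every employee exactly once.

    Within a department, members are ordered by a seeded hash (reproducible
    for a given campaign, unpredictable without the seed) and dealt round-robin
    across waves, so a team of N people spans min(N, num_waves) waves instead
    of all landing in the same one. Each department also starts from its own
    offset so that wave 0 is not the "everyone's first simulation" wave.
    """
    by_dept = defaultdict(list)
    for emp, dept in roster:
        by_dept[dept].append(emp)

    waves = {i: [] for i in range(num_waves)}
    for dept, members in by_dept.items():
        ordered = sorted(members, key=lambda e: _digest(campaign_seed, dept, e))
        offset = _digest(campaign_seed, dept) % num_waves
        for i, emp in enumerate(ordered):
            waves[(offset + i) % num_waves].append(emp)
    return waves


def check_coverage(roster, waves):
    """True when every employee appears in exactly one wave."""
    scheduled = [e for members in waves.values() for e in members]
    return len(scheduled) == len(roster) and set(scheduled) == {e for e, _ in roster}


def max_dept_per_wave(roster, waves):
    """Largest number of people from one department tested in the same wave."""
    dept_of = dict(roster)
    worst = 0
    for members in waves.values():
        counts = defaultdict(int)
        for e in members:
            counts[dept_of[e]] += 1
        worst = max(worst, max(counts.values(), default=0))
    return worst


if __name__ == "__main__":
    plan = assign_waves(ROSTER, num_waves=4, campaign_seed="campaign-2024q1-example")
    for wave, members in sorted(plan.items()):
        print(f"wave {wave}: {', '.join(members)}")
    print("coverage ok:", check_coverage(ROSTER, plan))
    print("max same-department per wave:", max_dept_per_wave(ROSTER, plan))
```

With four waves and no department larger than four people, `max_dept_per_wave` comes out at 1, which is the property that makes word-of-mouth less likely to spoil a wave. Changing the campaign seed produces a different but equally complete schedule, so the same roster can be re-run each quarter without employees learning "their" slot.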

“Don’t we want people to warn others about phishing attempts?”

Wow. That gave me pause.

Are We Discouraging What We Should Be Encouraging?

The question challenged my long-held approach. I’ve always emphasized stealth in phishing simulations to measure individual reactions accurately. But this team member was right—shouldn’t we be encouraging communication and awareness when it comes to phishing threats?

It’s a fair point. Real phishing attacks are dangerous. They can lead to stolen data, lost money, and major headaches both at work and at home. The more people talk about them, the more resilient our organization becomes. This is why I believe building security into company culture is critical.

Encouraging Security Awareness in the Workplace

One of my proudest accomplishments is helping build a security-minded culture at a previous company. It’s tough—but worth it. When people openly share phishing examples, suspicious emails, or cyber attack attempts, everyone becomes more vigilant.

So yes—we want employees to talk about phishing threats. Not just at work, but with friends, family, and even strangers. Cybersecurity isn’t just a workplace issue—it’s a life skill.

So, Was My Phishing Campaign Strategy Wrong?

Not entirely. But the question did force me to re-evaluate the balance we’re trying to strike.

The intent of phishing simulations isn’t to trap or embarrass people—it’s to measure how individuals respond without external influence. If coworkers warn each other about every simulated email, we lose the ability to assess true behavior. Worse, if people think all phishing attempts are just internal tests, they may start ignoring real threats.

We walk a fine line:

  • Encourage sharing of real phishing attacks.
  • Avoid tipping off others about internal phishing simulations.
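One practical way to hold both sides of that line at once is to route employee phishing reports through a triage step that recognises the organisation's own simulations and acknowledges them privately, while anything else is treated as a suspected real attack and queued for a wider warning. The block below is an added example, not code from the original post or any product the author uses. It assumes a hypothetical marker header (`X-Internal-Sim-Token`) that the simulation platform stamps on its messages and that only the security team can match against the current campaign's secret token; the sample messages are constructed.

```python
import email
from email import policy

# Hypothetical marker header and per-campaign secret token (assumptions for this
# example; the post does not specify how simulations are tagged). The token is
# random and rotated per campaign so it cannot be guessed from earlier tests.
SIMULATION_HEADER = "X-Internal-Sim-Token"
ACTIVE_SIM_TOKENS = {"sim-2024q1-7f3a9c"}  # constructed value


def classify_report(raw_message: bytes) -> dict:
    """Triage a reported email.

    Returns a dict with the classification, whether a broadcast warning is
    warranted, and the acknowledgement to send the reporter. Only messages
    carrying a currently active simulation token are treated as simulations;
    everything else defaults to "suspected real", so an unknown or stale token
    never suppresses a warning.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    token = msg.get(SIMULATION_HEADER)
    if token is not None and str(token).strip() in ACTIVE_SIM_TOKENS:
        return {
            "kind": "simulation",
            "broadcast": False,
            "reply": "Good catch. That one was an internal training exercise; thanks for reporting it.",
        }
    return {
        "kind": "suspected_real",
        "broadcast": True,
        "reply": "Thanks for reporting. We are investigating and will warn others who may have received it.",
    }


# Constructed sample reports: one tagged simulation, one untagged suspicious mail.
SIMULATED_REPORT = (
    b"From: it-helpdesk@example-internal.test\r\n"
    b"To: alice@example-internal.test\r\n"
    b"Subject: Password expiry notice\r\n"
    b"X-Internal-Sim-Token: sim-2024q1-7f3a9c\r\n"
    b"\r\n"
    b"Your password expires today. Click the link to renew.\r\n"
)

SUSPECT_REPORT = (
    b"From: payroll@example-external.test\r\n"
    b"To: bob@example-internal.test\r\n"
    b"Subject: Updated direct deposit form\r\n"
    b"\r\n"
    b"Please open the attached form and confirm your bank details.\r\n"
)


if __name__ == "__main__":
    for raw in (SIMULATED_REPORT, SUSPECT_REPORT):
        result = classify_report(raw)
        print(result["kind"], "| broadcast:", result["broadcast"])
        print("  ->", result["reply"])
```

Two caveats matter for this to be safe in practice: the mail gateway must strip the marker header from inbound external mail so an outsider cannot add it, and the token must be unpredictable and retired when a campaign ends, since a leaked or reused token would let a real message be misfiled as a test. The default-to-real rule keeps the failure mode on the side of warning people.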

It’s a challenge—but a necessary one. The key is to foster a security-aware culture where people are empowered to ask questions, challenge assumptions, and continually improve.

I’m grateful for a team that feels confident doing exactly that.