Learn how phishing simulations help organizations measure employee susceptibility to email-based attacks. Articles cover simulation design, realistic phishing templates, campaign scheduling, result analysis, and strategies for turning simulation data into stronger security behaviors.
posts
Your Employees Already Built a Second IT Department A marketing manager signs up for an AI writing tool using her corporate email. A sales rep stores client contracts in a personal Dropbox. An engineering team spins up an AWS instance without telling anyone. None of these people are malicious. Every
When the SEC fined SolarWinds' CISO for misleading investors about cybersecurity practices, it sent a shockwave through every security department in America. The message was unmistakable: vague assurances about security posture aren't enough anymore. Boards, regulators, and cyber insurers now demand evidence. That's why security
Your Training Program Is Worthless Without Proof In 2023, MGM Resorts lost an estimated $100 million after a social engineering attack that started with a single phone call to the help desk. The company almost certainly had a security awareness program in place. So did Caesars Entertainment, which paid a
A 45-Minute Training Video Never Stopped a Breach In 2023, MGM Resorts lost an estimated $100 million after a social engineering attack that started with a phone call to the help desk. The attacker didn't exploit a zero-day vulnerability. They exploited a human. And I guarantee every employee
A $4.88 Million Average — and a Training Budget That's a Fraction of That IBM's 2024 Cost of a Data Breach Report pegged the global average breach cost at $4.88 million. That same report found that organizations with high levels of security training and awareness
89% of Employees Think They'd Spot a Phish. The Data Says Otherwise. I ran a phishing simulation for a mid-size law firm last year. Before the test, we surveyed staff — 89% said they were confident they could identify a phishing email. Then we sent three simulated phishes over
Most Security Quizzes Are a Waste of Everyone's Time I recently reviewed the cybersecurity training program at a mid-size financial services firm that had been breached through a credential theft phishing email. They had a training program. They had quizzes. Every employee passed with flying colors — 95% average
In 2023, the FBI's Internet Crime Complaint Center received over 298,000 phishing complaints — making it the most reported cybercrime for the fifth consecutive year. And those are just the ones people reported. I've spent years helping organizations respond to breaches, and the vast majority start
In March 2025, CISA and the FBI issued a joint advisory warning that the Medusa ransomware gang had compromised over 300 organizations across critical infrastructure sectors — healthcare, education, legal, insurance, and manufacturing. The attack vector in the vast majority of cases? Phishing. Not some exotic zero-day exploit. Not a nation-state
In 2024, MGM Resorts lost an estimated $100 million after a threat actor called a help desk, impersonated an employee, and gained access to internal systems. The initial vector? A social engineering call informed by information harvested through phishing. One phone call. One convincing story. Nine figures in damages. If
