
Google: Stop Trying to Trick Employees With Fake Phishing Emails

According to a Google security manager, simulated phishing tests are outdated and more likely to cause resentment among employees than improve their security practices.

By Michael Kan
May 22, 2024
Phishing email (Credit: Just_Super via Getty)

Did your company recently send you a phishing email? Employers sometimes send simulated phishing messages to train workers to spot the threat. But one Google security manager argues the IT industry needs to drop the practice, calling it counterproductive.

"PSA for Cybersecurity folk: Our co-workers are tired of being 'tricked' by phishing exercises y'all, and it is making them hate us for no benefit," tweeted Matt Linton, a security incident manager at Google.

Linton also published a post on the Google Security blog about the pitfalls of today’s simulated phishing tests. The company is required to send fake phishing emails to its employees to meet the US government's security compliance requirements.

In these tests, Google sends an employee a phishing email. If the worker clicks a link in the email, they're told they failed the test and are usually required to take some sort of training course. However, Linton argues that simulated phishing tests can produce harmful side effects that undermine a company's security.

"There is no evidence that the tests result in fewer incidences of successful phishing campaigns," Linton said, noting that phishing attacks continue to help hackers gain a foothold inside networks, despite such training. He also pointed to a 2021 study that ran for 15 months and concluded that these phishing tests don't "make employees more resilient to phishing."

Example of phishing email (Credit: Michael Kan/PCMag)

In Google's case, Linton noted that its own simulated phishing tests don't always accurately reflect how an attack would appear in an employee's inbox. That's because the test emails have to be allowed past the company's existing anti-phishing defenses in order to reach anyone. "This creates an inaccurate perception of actual risks, [and] allows penetration testing teams to avoid having to mimic actual modern attacker tactics," he said.

The other problem is that simulated phishing tests annoy employees and breed resentment. "Employees are upset by them and feel security is 'tricking them,' which degrades the trust with our users that is necessary for security teams to make meaningful systemic improvements and when we need employees to take timely actions related to actual security events," he added.

In Linton's view, simulated phishing tests are like forcing workers to quickly evacuate a building during a fire drill — except that real smoke and fire are being blown through the premises. "Once outside, if you took too long you're scolded for responding inappropriately and told you need to train better for next time. Is this an effective way to instill confidence and practice fire evacuation?" he added on LinkedIn.

Linton's larger point is that it's impossible to "fix" people so that they never click on a phishing message. That is why companies need to invest in phishing-resistant technologies, such as hardware security keys and passkeys, which remove the payoff of a stolen password in the first place.

But that doesn't mean companies should abandon phishing drills altogether. Instead, he's advocating that companies adopt more transparent and instructive phishing training that drops the shaming. This could involve sending out an email that flat-out tells the user "I am a Phishing Email. This is a drill — this is only a drill."

Example from Linton (Credit: Google)

The email would then remind the user how to recognize potential phishing emails, explain why reporting them to the company's IT security team matters, and walk through exactly how to do so. "There's no need to make this adversarial, and we don't gain anything by 'catching' people 'failing' at the task. Let's stop engaging in the same old failed protections," he added.

About Michael Kan

Senior Reporter

I've been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.