Simulated phishing attacks are gradually becoming a more accepted method of schooling users on how to spot a phony email rigged with a malicious link or attachment, but staging fake phishing attacks can backfire if users are completely blindsided -- or become too comfortable with the controversial process.

"In the early days of simulated phishing, people were more cavalier when they deployed this," says Perry Carpenter, a former Gartner security awareness analyst who is now working as a security expert in the financial sector. "When you do this in a cavalier way without any forewarning and want to exact some kind of penalty [for users who fall for the attacks], then users just feel like you are out to get them. You don't want to be in that situation."

That doesn't mean taking the fire-drill approach and alerting users that a fake phishing attack is scheduled for Monday at 9 a.m. -- you need some element of surprise... Read full story on Dark Reading
