A Google security manager has spoken out against simulated phishing exercises for employees. Such tests, he argues, create frustration rather than greater security awareness.
Many companies send their employees fake phishing emails to see if they fall for them. However, this widespread practice of simulated phishing attacks has met with prominent criticism. Matt Linton, security manager at Google, warns: “Our colleagues are fed up with being fooled by such phishing tests. That only fuels frustration instead of being useful.”
In a blog entry, Linton explains the downsides of such simulated attacks. Google has to carry out these email tests due to legal requirements. If an employee falls for one, they are considered to have “failed” and have to undergo training. Linton regards this approach as outdated.
“There is no evidence that such tests actually lead to fewer successful phishing attacks,” says Linton. A study from 2021 came to the conclusion that the exercises do not make employees more resistant to phishing.
According to Linton, Google’s simulated attacks also do not reflect reality, because they have to be crafted to slip past the company’s own phishing protection measures, which real attacks would first have to defeat. This conveys a false picture of the actual risk. However, the biggest point of criticism is the negative impact on morale: “Employees are angry because they feel they have been duped by the security department. This undermines the relationship of trust that is so important for meaningful protective measures.”
Linton advocates putting an end to such “games”. People cannot be expected to behave “flawlessly”. Instead, companies should invest in technical protection measures such as hardware keys and passkeys to prevent phishing.
An alternative would be open phishing training campaigns without the punishment mentality. Emails clearly inform employees: “This is a practice phishing email, no action required.” This provides training without losing trust.