Do We Need to Prove Phishing Works?

Sep 01, 2021
At the McGrail Foundation, we believe that education, not testing users with fake phishes, is the best way to help users stay safer in a world of scams. For example, in September 2020, the Chicago Tribune wanted to test its cyber defenses by phishing its employees. The only problem? The phishing email offered employees a $10,000 bonus, only to link to a page that said they had failed the phishing test. Employees were, understandably, up in arms. What did this test prove?

In December of 2020, GoDaddy followed a similar pattern, phishing its employees with fake bonuses. These bonuses were for a mere $650 instead of $10,000, and employees who were phished were directed to retake the company's security training.

At the foundation, we are looking for insight to improve the education of users, administrators, and organizations on how to prevent phishing. Do you need to prove phishing works?

What do you think about 'testing' users? Is it ethical?

What are some alternative ways to educate?

Have you or someone you know been phished? What do you think could have stopped that?

What's more important: a company having its employees' trust or stopping phishing?

How do you think that we, at The McGrail Foundation, can help with this issue and prevent phishing?

Do you have a method of testing that you have found effective? Contact Us if you have any thoughts on these questions or opinions on something we haven't thought of!