I'm going to prove a point and you're going to help me.

If you're a member of the information security and/or cybersecurity profession, and you have clicked on a phish in the last, say, five years, share this post. If you have not, star this post.

Someone's trying to say that you can punish people out of clicking on scam links and I say that not only can you NOT prevent phishing by punishing people, but the most skilled #infosec and #cybersecurity people in the world can and do get phished as well.

@Tarah I have not been successfully phished, however, we do run these training campaigns and I have responded to several users who have clicked on phishing emails. They always feel like shit. It's basic psychology. You're not going to punish someone worse than they can punish themselves. Instead, providing positive reinforcement to your users and giving them incentive to increase their vigilance and suspicion works.

One user, whom I will use as an example, had multiple incidents in one year. We had to change their passwords, expire sessions, lock them down, the whole deal, multiple times. We positively reinforced, provided training, and they are now one of our top reporters of suspicious emails. No incidents in 2024 from this user.