Punishing Employees Who Fall for Phishing Schemes

by BBB Staff | Jun 19, 2019 12:18:36 PM

Phishing emails are nothing new, but firing employees who fall for the scam is. So, should someone be out of a job
for an errant inbox click? While some companies have taken this “take no
prisoners” approach, security experts say the morale cost might just be too

Still, the number of people who click on a malicious
email and lose their jobs is up. In fact, according to the 2018 Proofpoint
Email Fraud Survey,
1 in 4 phishing attacks worldwide led to someone
getting fired. And, in some cases, employees are being fired for failing
phishing tests, not even actual attacks!

John LaCour, the founder and CTO of PhishLabs, a firm
that helps companies educate and test employees on how not to fall for phishing
scams, recently told security blogger Brian Krebs that rather than teaching
people new things, the approach of testing and punishing employees was

“It really demotivates people, and it doesn’t
really teach them anything about how to be more diligent about phishing
attacks,” LaCour stated. “Each phishing simulation program needs to be
accompanied by a robust training program, where you teach employees what to do
when they see something phishy. Otherwise, it just creates resentment among

Part of the problem with punishing an individual is
that the situation is often the result of something more systemic, like open access
to staff and member directories. Such directories have become a common attack
vector for phishing schemes, according to Tim Ebner, senior editor of Associations

“These are obviously big problems, and employees
should have awareness of what makes a phishing email and what doesn’t,” Ebner

Most security experts who spoke with Krebs agree that,
while there may be room for consequences for an employee clicking an errant
link—say, additional training requirements—straight-out firing should be off
the table.
