What I learned on my last Phishing trip…

Ask most employees and they will tell you what Phishing is and why it’s bad. Yet, Phishing is still a top Cyber Security concern for any organization. I recently conducted several mock phishing campaigns that revealed common problems that prevent employees from being successful at combating phishing attempts.


Phishing is a deceptive attempt to pose as a reputable entity or person in electronic communications, such as email, IM or social networks. Most employees know exactly what Phishing is and why it’s bad. They may even have a story about how a customer, vendor or friend fell for a Phishing scam. Yet, Phishing is still a top Cyber Security concern for any organization.


Recently I sent several mock Phishing emails to my entire company, bringing in some very interesting results. Before any campaign, McKenney’s started out with a failure rate of approximately 60%. After communications from the Technology department and later Marketing, our rate was below 30% failure. To further decrease that rate, we started sending quarterly tests, offering training at department meetings and created simple posters that explained the types of phishing. I’m proud to say McKenney’s consistently has less than a 10% failure rate across the company.


The top three things I learned from the 10% failure and even some of the successes are:

  • Awareness is great, but still people aren’t hovering over links
  • Employees don’t know they can preview links on phones/tablets, so they simply click on everything thinking mobile devices are more secure
  • Urgent emails still get people to take an action, even when they know they shouldn’t


All the news headlines, internal training and personalized communication efforts have raised awareness of the perils of Phishing. Like any skill however, one must practice hovering over links to make it a Habit with a capital H. Can you say you hover every link every time before clicking on it? If not, you’re opening yourself and your organization up to unnecessary risk. The simple act of hovering over links will save you a lot of time and trouble. When you hover over a link always make sure the link matches what you’re expecting. Additionally, the first part of the link (a.k.a. domain) should always be the company of the sender. This can be tricky on very long and confusing links, so focus on the beginning of the link. These tips will prevent you from being the victim of the next phishing scam.


Have a question for our experts? Leave your comment below and check out our website for more information.

About Shaun Hunt

Website: https://www.linkedin.com/in/shaunmhunt/

Email Address: shaun.hunt@mckenneys.com

Shaun Hunt manages the Technology group at McKenney’s, covering everything from mobile devices to cloud computing. He holds a Master of Organizational Leadership from Southern NH University. Shaun launched his technology career in consulting at Accenture followed by Deloitte Consulting, before holding senior technology positions in financial services and non-profits. Shaun is passionate about creating efficient and effective systems that enable clear business value safely and securely.

Leave a Reply

Your email address will not be published. Required fields are marked *