Lessons learned from over 30,000 phishing simulations

Lïa Desmousseaux de Givré

Lïa Desmousseaux de Givré

After observing over 30,000 phishing email simulations conducted by the Arsen platform, we have drawn some lessons that we wanted to share.

A lack of necessary knowledge to detect the threat

All these phishing tests have revealed a significant lack of knowledge on the part of employees.

Even though theoretical content is necessary for learning, it is not enough to obtain quality training.

Your employees must perceive the danger. The majority of phishing emails use social engineering and influence techniques to prevent the victim from applying the theoretical knowledge learned beforehand.

As a result, the victim falls into a pattern of emotional responses that lead to mistakes.

However, even without the use of psychological tactics, a lack of knowledge is observed among employees.

Some of them have gaps in identifying domain names and, for example, may not understand the concept of a "subdomain".

Therefore, it is necessary to explain the structure of a URL and how to apply this knowledge in identifying a phishing email.

In Arsen's phishing simulations, for example, many of our clients used the name of their company or the service they were impersonating in a subdomain to test their employees.

Some employees considered the email legitimate because the company name was included in the link.

Explain to your employees the difference between HTTP and HTTPS as well. There are still many people who think that using SSL and seeing a green padlock in their browser bar means that the site is legitimate.

However, the "S" in HTTPS only indicates that the data transmitted between the computer and the server is encrypted, but it does not guarantee the legitimacy of the server.

It is important to know that there are services that generate SSL certificates for free. Therefore, it is very easy for a hacker to use HTTPS in their phishing campaigns.

The scenarios available on the Arsen platform are all HTTPS, allowing our clients' employees to quickly integrate this concept.

It is wise to train your employees on this subject and verify if the knowledge is acquired.

Lastly, there is a general lack of web culture. Few employees understand the implications of having their professional or personal email credentials stolen.

Today, if a hacker gains access to your email address, they can have access to the majority of your accounts, especially those that use email for password reset.

Insufficient corporate culture for team cohesion

It is not uncommon to hear employees say that it is not their role to detect threats, that it is the IT department's responsibility to protect them, that they do not have the time, or that not clicking on suspicious links is enough.

We will see why each of these statements is incorrect.

On one hand, when an employee believes that it is not their role and that it is the IT department or the cybersecurity teams' responsibility to protect them from threats, it primarily reflects a poor corporate culture.

Managing risk represents a real challenge when some employees are in opposition to the IT department or cybersecurity teams. It is essential to create unity and have both groups work collaboratively.

The cybersecurity teams should not perceive employees as individuals who click without thinking, and employees should not see cybersecurity as a hindrance to productivity.

The goal is to protect the productivity and informational assets of the company.

If the company falls victim to ransomware, the busy schedule, which prevents employees from taking the time to adopt secure behaviors in their daily lives, becomes completely irrelevant. The employee who "does not have time" will no longer be operational because files will be encrypted or a data breach will have damaged the company's activity.

On the other hand, employees who believe that not clicking is enough to thwart the threat have not been sufficiently trained on reporting.

Indeed, an employee who goes from vulnerability to a "passive" individual does not contribute enough to the fight against phishing.

If people do not take the time to report, they may not fall for the phishing attempt, but their colleagues remain at risk when they could be protected if the threat had been reported.

This leads to missing an additional layer of protection.

Anti-phishing filters are not enough to protect email accounts

One point that has generally been understood is that filters are not 100% effective.

We all have anti-phishing filters, and yet we still receive phishing emails in our inboxes.

The best detection systems filter up to 92.72% of phishing emails. Given the low cost of an email, on a high volume, there is a large quantity of threats that land in our inboxes.

Furthermore, the emails that bypass filters are usually more sophisticated and therefore pose a greater danger. Hackers who invest resources in bypassing filters likely intend to carry out a more targeted and lucrative attack than a mere spam.

On the other hand, few anti-phishing filters work if they are not properly configured or kept up to date.

Setting up an anti-phishing filter is not enough; hackers continue to innovate on obfuscation and bypassing techniques, so your defense will quickly become obsolete if not actively maintained.

Making better use of simulations for better awareness

Simple phishing tests and post-mortem meetings are not enough to provide adequate awareness. Conducting a test and explaining to employees three weeks later that they made mistakes may not improve your concrete protection against phishing.

It is interesting to provide awareness as soon as possible after a compromise.

The individual is more receptive and pays attention to the content provided when they are trapped.

It is also important to note that theory does not always transfer to practice.

It is common for companies that are confident in their protection because their employees performed well on a quiz after e-learning to decide to conduct a phishing campaign and end up with over 20% of passwords collected.

Two anecdotes encountered during simulations

Special offers scenarios

During our simulations, we used a phishing scenario imitating a streaming service claiming that the recipient's Works Council had reached an agreement with the platform to provide free accounts to company employees.

Some employees did not understand the scam and even went so far as to call the platform's customer service to complain about their non-working access.

The bad password technique

Firstly, it is important to reiterate that on the Arsen platform, we do not collect any passwords for security reasons.

Nevertheless, in our respective careers, we have had the pleasure of conducting phishing campaigns with other tools and experimenting with the technique known as the "bad password" technique.

The principle was to send an email encouraging individuals to log in quickly to change their password or update their account to maintain access to a critical application.

The login page was coded in a way that displayed the message "incorrect password" for any input.

Generally, the individual's reaction was to enter all the passwords they could remember in succession.

By collecting these passwords, it is very easy to understand the pattern with which the person constructs their passwords, such as dates and special characters they use.

It is then quite simple for a hacker to generate a list of potential credentials to carry out a brute-force attack.


In conclusion, these 30,000 simulations show that the attacker has the upper hand.

However, we can drastically improve our resilience against phishing and the quality of our awareness by implementing simple practices such as:

  • Training employees on the theoretical knowledge that is lacking and regularly exploited by hackers.
  • Applying theoretical modules in practical situations immediately after an employee makes a mistake.
  • Keeping detection tools up to date and properly configured.

Don't miss an article

No spam, ever. We'll never share your email address and you can opt out at any time.