Please fill in the form below to subscribe to our blog

Don’t Make This Phishing Resistance Training Mistake

December 28, 2020

Playing Cruel Tricks on Your Staff is a Phishing Resistance Training Mistake


Phishing is the biggest single cybersecurity problem that any business faces today. We’ve evangelized extensively about the benefits that your company gets from security awareness training that includes phishing resistance, and the best ways to go about delivering that training. But there are also ways that businesses can sabotage themselves while conducting security awareness training. Learn from this phishing resistance training mistake.


Protection from cybercrime danger is easy when you deploy your secret weapon: security-savvy employees! WATCH WEBINAR>>


Good: Phishing Simulation Campaigns


No business wants to waste money on unnecessary or ineffective training. That’s one reason why regular testing is an essential part of a good security awareness training program like BullPhish ID. Whether a company is using the online testing features of BullPhish ID after a video lesson or running a phishing simulation campaign with one of its 80+ plug-and-play testing kits, it’s important that it can make sure that the training is working and the training solution fits their needs to defend them against disasters that are commonly delivered via phishing like ransomware.

It’s also understandable that a company would want to use the most enticing lures it can come up with to tempt staffers in a phishing simulation. After all, cybercriminals have the most success using exciting, topical lures to draw in unwary employees, as has been richly illustrated throughout the phishing explosion of the COVID-19 pandemic. Bad actors regularly use fakery including impersonation and business email compromise to catch new victims.

Using up-to-date topics and attractive content is good. BullPhish ID does, with 4 new phishing simulation campaign kits and new video lessons added every month, including COVID-19 threats and training in 8 languages. But companies should be wary of taking those things just a little bit too far, as Arizona-based internet hosting giant GoDaddy recently exemplified after launching a holiday time phishing training exercise that backfired badly.


password reuse danger can sink unwary businesses with poor security awareness. A cartoon image on black shows a blue shield with a lock

See how to grow your business with a new revenue stream in the time it takes to drink a cup of coffee. LEARN MORE>>



Bad: Taunting Your Staff


Like Dark Web monitoring, conducting good security awareness training requires specialized knowledge and experience to avoid expensive, embarrassing pitfalls. Here’s how GoDaddy’s recent phishing resistance training simulation campaign went off the rails and into disaster.

  • GoDaddy decided to conduct a new training campaign to test its staffers on their phishing awareness. This is a good call: phishing is a huge threat, and GoDaddy has already had security problems this year.
  • GoDaddy planned to conduct this campaign during the December holiday season, a known period of ramped-up threats as cybercriminals use everything from shipping notification scams to fake sale advertisements to lure users into falling for a phishing trap.
  • GoDaddy is following training best-practice recommendations by conducting regular training exercises. Experts agree that refreshing training at least every 4 months, is essential for making sure that security awareness training remains effective.
  • GoDaddy’s cybersecurity awareness training decision-makers choose a lure that’s fresh and exciting to entice employees to click on it: holiday bonuses for everyone!
  • GoDaddy’s training team fails to take into account the fact that the company had both announced large layoffs in the last few months and already told staffers that there wouldn’t be any bonuses this year. Oh, and they also forgot that there’s been a devastating pandemic going on all year leading to an economic crisis, lost jobs, and financial problems for millions of Americans.
  • GoDaddy sends an internal email to all employees announcing surprise holiday bonuses and asking for employees to confirm their information to get their bonus. “Happy Holiday GoDaddy! 2020 has been a record year for GoDaddy, thanks to you! Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus! To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.
  • GoDaddy employees are thrilled with the news of unexpected holiday bonuses, and flock to fill in the requested information to receive them.
  • GoDaddy then announces that there aren’t really any bonuses. That email was a phishing test, and everyone who filled in their information failed. Those staffers are assigned to more security awareness training.

cyberpunk 2077 malware represented by a futuristic looking cityscape featuring many neon signs at night

Want to Borrow Our Sales and Marketing Teams? OK!

Get expert sales and marketing help to power up your MSP in a flash with Powered Services Pro. LEARN MORE>>


Bad: Making Training Punishment


What happened in this debacle at GoDaddy is not the desired outcome of cybersecurity awareness or phishing resistance training by a long shot. Major mistakes were made here, and then compounded:

  • DON’T use insensitive or cruel phishing lures. Yes, you want the bait to be enticing and topical, but be mindful of using a lure that exploits your staff’s current challenges, damaging your employee morale.
  • DON’T use training as a punishment instead of a team-building tool. It’s not detention. Security awareness training shouldn’t be something that your staff dreads, or is only prescribed if they make a mistake. It should be a regular, routine portion of their job that builds community.
  • DON’T lie to your staffers about internal policies and programs. Giving false information about the circumstances of their employment or compensation to your staffers as a “phishing test” is a fast way to erode their trust in you as an employer who values them.


phishing email imitating famous brands dangers represented by a cartoon hacker in a hoodie at a laptop with an eye mask on done in shades of blue, Batman style.

Is Your Password a Zero or a Hero? Learn the difference and how you can strengthen yours in Build Better Passwords. GET IT>>


Good: Get Professional Help to Avoid Pitfalls


So what should you do to avoid this scenario in your business? Use a dynamic security awareness training solution like BullPhish ID. Our phishing training designers carefully craft each training video and complete phishing campaign kit using thoughtfully chosen real-life threats and examples to teach your staff to spot and stop phishing attempts in an easy-to-understand way no matter what their level of tech knowledge may be.

BullPhish ID empowers employees to become an important part of your security team instead of liabilities that your security team has to deal with.

  • Plug-and-play phishing simulation kits empower you to start training fast 
  • More than 50 engaging, animated videos provide easy-to-understand threat information 
  • Simple remote management makes it easy to run campaigns and adjust training groups 
  • Online testing measures retention to show who needs more help 
  • New training materials are added monthly to cover the latest threats like COVID-19 
  • More than 100 phishing simulation kits are available now
  • Training content is available in 8 languages 
  • SEE A VIDEO OF BULLPHISH ID AT WORK>>>