Latest Posts
UPDATE: 🚨 CVE-2025-24054 Is Being Exploited — Patch Windows Now or Get BurnedApple Hit with Back-to-Back Zero-DaysWindows Task Scheduler Flaw: Your Scheduled Nightmare Has BegunPriviledged Access Management Training for IT EmployeesPAN-OS CVE-2025-0128: One Packet, One Big Problem for Your Firewall

“I Was Just Trying to Warn Everyone…”

by | Mar 27, 2025 | Uncategorized, User Stories

The Whale Isn’t Supposed to Do The Phishing

User-Submitted Story #004 – Phishing Fail from the Top Floor

There’s nothing like a bit of chaos to bring people together—especially when that chaos starts in the corner office.

Phishing simulations are a great way to test your team’s awareness, but what happens when your CEO falls for a real phishing email and tries to play it off like it was all part of the plan?

One anonymous IT director named James shared this gem from their archives. We couldn’t make this up if we tried.

💬 User Submission:

We were in the middle of rolling out new phishing awareness training, and our CEO—let’s call him “Mark”—had opinions.

“These simulations are a waste of time,” he told me. “We’re smarter than that.”

About a week later, I get a panicked Slack message from our helpdesk:

“Did Mark just send a phishing email… warning us about a phishing email… with the actual phishing link…?”

Sure enough, I check my inbox.

Subject: “URGENT: Security Threat – Click Immediately”

Body:
“Team, I received this dangerous phishing email and I want you all to see it for yourselves. Be alert. This is how they get you. CLICK HERE to understand the risk.”

The link? Totally live. Totally malicious.

Mark had forwarded the original phishing email he received—complete with the fake DocuSign link still active—to the entire company.

We had 47 click-throughs in the first 10 minutes.

I confronted him gently (with the emotional tone of a bomb technician disarming a toaster).

He said, and I quote:

“I was just trying to raise awareness. People need to see what these threats look like in the wild.”

I said:
“Mark, you are the wild.”

After that, he agreed to participate in the next round of training. And we added an automatic warning banner to his outbound emails.

Just in case.

🔍 Blotter Takeaway:

Security culture starts at the top. And sometimes, it trickles down in the form of a company-wide security incident.

If you’re going to “raise awareness,” maybe don’t do it by sending out the actual malware. We love an engaged CEO—but maybe let IT handle the threat demos.

Also, if your C-suite thinks they’re “too smart” for phishing training… send them two tests. 🫠

Search