Fell for a simulated phishing email. Now what?

My close friend knows I am 'in-cyber' and was a little embarrassed to admit to me that they were 'caught', clicking on a simulated phishing email run by their business recently. Although they were feeling a bit silly for falling for it, they didn't feel too bad, since almost everyone else did too. Everyone had just been informed that the flu-shot email was a phishing simulation.

So, I asked to look at the email:

1. The Email

My friend said it looked exactly like what they would have expected: the HTML banners were the right colours for the department and everything looked like it should have. It was clearly designed by their IT department, who had intimate knowledge of the department this particular email would come from, let's call it the Communicable Disease Immunisation Coordination Branch (Influenza). The email was from the 'correct person', titled the 'Branch Director, Influenza Immunisation Coordination'.

So, here are the facts:

  • The sender was the one they had expected; they knew the name and the title.
  • The signature banner was correct; it looks like every banner sent from that department.
  • The content was timely and expected; it unsurprisingly contained a link to book in their flu shot.
  • The business logo was correct.
  • It was consistent; the entire email looks like it was designed off the flu shot email from last year.
  • There was otherwise nothing spelled incorrectly and nothing out of the ordinary, except:
  • An incentive was offered.
  • There was one small error.

So why was this email too good to be, well… good?

2. The Test

The only indication was that the email address was not the typical department email.

To be fair, it is a really big sign that all is not well…however…

That was the only test.

Analyse the email address before clicking on anything.

Here's the problem with that:

3. It proves…what exactly?

It was created so well, with only one minor error for people to pick up on, and of course most people clicked on it.

Because this year, unlike other years, it was offering a $10 voucher!

Here's the problem: what does a campaign like that prove?

  1. That the staff didn't check every sender's email address and compare it to past emails before opening?
  2. That the cost of living makes people want that extra free $10?
  3. That staff who didn't click actually noticed? (No, apparently people were too busy to open and action that email, which is why it wasn't a total 100% success by the time they proudly announced it was a phishing simulation email and we GOTCHA!)
  4. That people can be manipulated so well, in such a specific way, from within their own business, that even your brightest and most vigilant employees get knocked down a peg and feel stupid?
  5. That IT can successfully mimic another department and fool everyone?

4. Is that IT's job?

I told my friend that I really think they should not feel bad; I don't think it really was a great use of IT's time to build that sort of campaign.

No doubt though, IT felt really clever about that email. Super sneaky. SOOO many people are going to fall for that. Yep.

To me, it proved that an insider threat could pull off a phishing campaign like that against colleagues.

If that business was at risk from nation-state hackers, who have the resources to build a brilliant, highly researched, spear-phishing-style campaign with highly informed and targeted messaging and knowledge of the intimate details of these departments and previous flu-vaccine campaigns, that would be one thing.

I'm sorry guys, I see what you are trying to do there IT, but if this was real, it would look more likely that you have an insider threat informing the baddies on the best way to trick you all into giving out your credentials.

And if the business is likely to suffer a highly sophisticated phishing attack like this, then they should be focused on strengthening controls and hardening the environment.

Not just testing users.

That means enforcing multi-factor authentication (MFA) for all users, so a password alone is not enough to gain access. It also means having strong identity and access management in place, especially for higher-risk accounts, using things like privileged access management (PAM) to control who can access critical systems and when.

Privileged and administrative accounts should be tightly secured and closely monitored, as they can do the most damage if compromised.

At a broader level, systems containing sensitive information should be properly segmented and access restricted. That way, even if an attacker gets into one account AND manages to bypass the MFA and other controls in place, they cannot easily move through the network or reach critical data.
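The single test the simulation relied on (the sender's address did not match the department) is exactly the kind of check a control can make so that users don't have to. As an added example, not code from the original post or the organisation involved, here is that check applied at the mail gateway: flag a message whose From: display name is a known internal sender but whose address domain is not the organisation's. The organisation domain, the known sender names and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.policy import default

# Constructed values (assumptions, not from the original post): the
# organisation's own mail domain and the display names of the internal
# senders an impersonation would most plausibly borrow.
ORG_DOMAIN = "example.gov"
KNOWN_INTERNAL_SENDERS = {
    "branch director, influenza immunisation coordination",
}


def check_sender(raw_message: str) -> dict:
    """Apply the one test the simulation relied on, but at the gateway.

    The message is flagged when the From: display name belongs to a known
    internal sender while the address domain is neither the organisation's
    domain nor one of its subdomains. Unknown display names are left alone;
    this check covers impersonation of known names only.
    """
    msg = message_from_string(raw_message, policy=default)
    header = msg["From"]
    if header is None or not header.addresses:
        return {"display_name": "", "domain": "", "suspicious": False}
    addr = header.addresses[0]
    domain = addr.domain.lower()
    name_known = addr.display_name.strip().lower() in KNOWN_INTERNAL_SENDERS
    domain_ok = domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)
    return {
        "display_name": addr.display_name,
        "domain": domain,
        "suspicious": name_known and not domain_ok,
    }


def flagged(messages: dict) -> list:
    """Return the labels of all messages that check_sender() flags."""
    return [label for label, raw in messages.items() if check_sender(raw)["suspicious"]]


# Constructed sample messages, not taken from the original post.
SAMPLES = {
    "last_year": ('From: "Branch Director, Influenza Immunisation Coordination" '
                  "<flu@health.example.gov>\nSubject: Flu shots\n\nBook in here."),
    "simulation": ('From: "Branch Director, Influenza Immunisation Coordination" '
                   "<flu@example-gov.com>\nSubject: Flu shots\n\n$10 voucher!"),
    "newsletter": "From: Vendor News <news@vendor.example>\nSubject: Hi\n\nHello.",
}

if __name__ == "__main__":
    print(flagged(SAMPLES))  # ['simulation']
```

A real gateway would also consult SPF/DKIM/DMARC results rather than the header alone, but the point stands: a mismatch this obvious is something the environment can catch before it ever reaches a busy employee.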

So maybe there is such a thing as a simulated phishing email which is just too good to show your organisation's vulnerabilities, or maybe you are just looking for vulnerabilities in the wrong place.

Relevant image created by AI