Caught by Your Own Phish

We often talk about the “human firewall” in cybersecurity. But sometimes, that firewall has a few open ports due to distraction.
This story comes from a security team I worked with. One team member was deeply involved in designing the quarterly internal phishing simulation. He spent days brainstorming with the team, debating the best subject lines, and fine-tuning the fake login page to make it look just authentic enough to fool the unwary.
He knew every detail of the campaign because he helped design it.
A few hours after the launch, deep in the weeds of another task, his inbox pinged. He saw a subject line: “IT Security: Your password expires in 24h.”
Without thinking, driven purely by the muscle memory of clearing unread notifications and the stress of a busy day, he clicked.
He didn’t realize what he’d done until the “You’ve been phished!” training page popped up… the very page he had argued for in the planning meetings.
The security dashboard lit up with its first victim: the co-architect of the campaign himself.
It was a humbling reminder that no one is immune to social engineering, especially when fatigue or distraction sets in. Not even the people who built the trap.
We had a good laugh about it (once the embarrassment faded), but it proved that absolutely no one is 100% immune.