THE MEMO

DAKOTA CREDIT UNION ASSOCIATION

Confessions of a Cybersecurity Pro Who Failed a Phishing Test

1/8/2026

 
Even cybersecurity pros can get phished. This candid story shows why slowing down and questioning every email is critical.
By Julia Miller, SBS Cybersecurity
 
I considered agreeing to a post-phish interview only if the lights were dim, my voice was gravelly, and my silhouette appeared in profile, like an anonymous source in a documentary about international espionage. Picture it: The camera pans across the darkened room, my identity shrouded in mystery as I confess, "Yes, it's true. I clicked on a phishing email. I did the thing. Please, never show my face to the IT department again." All that was missing was dramatic background music and an on-screen subtitle: "Phishing Victim, Security Professional."
 
But there's power in stepping out of the shadows and owning these moments, no matter how mortifying. We build resilience not by pretending mistakes don't happen but by recognizing they can happen to anyone, at any time. It's through sharing our stories, stripped of anonymity and shame, that we foster understanding and collective vigilance.
 
The Value of Regular Phishing Assessments
Before I recount the moment I fell for the bait, it's worth reflecting on why companies conduct phishing assessments in the first place. No amount of training alone can guarantee immunity, as hackers are always adapting. That's why organizations, mine included, have made regular phishing simulations a cornerstone of their security strategy.
 
These tests aren't meant to embarrass or punish. Instead, they serve as real-world reality checks, revealing subtle vulnerabilities that creep in when we least expect them. Routine phishing tests help employees practice vigilance safely, sharpening instincts and keeping everyone alert to the latest tactics. Every misstep becomes a learning moment, cultivating a culture where cybersecurity is everyone's responsibility.
 
The Email That Got Me
It was a Tuesday morning like any other, with coffee in hand, to-do list ready, and a fresh batch of emails to sort through. As a long-time cybersecurity professional, I like to think I'm savvy about spotting suspicious messages. I've written about phishing, warned others, passed dozens of phishing tests, completed security awareness training, and even helped design campaigns.
 
But that morning? That morning, I clicked.
 
It wasn't flashy. No Nigerian prince. No lottery winnings. Just a simple, well-crafted email with the subject line: "Executive/HR Meeting Report."

The message contained a link to review a document from my manager — a typical red flag. However, I had just completed my annual review, and my manager was going to send compensation notes along with a final document to sign. I was eagerly awaiting that email.
 
Timing couldn't have been better — or worse. In my haste, I didn't scrutinize as closely as I should have. The sense of importance, paired with familiarity, made it feel legitimate.
 
Click.
 
Bam! A splash screen: "Oops! You clicked on a simulated phishing test!"
 
Cue the facepalm.
 
The Aftermath
I shook my head. I groaned. I may have said, "Well played, security team." Mostly, I was just surprised. How did I fall for that?
 
The answer is simple: I was moving too fast and didn't follow The Golden Rule of Email — treat every email as if it's a phishing attempt.
 
The Golden Rule in Action
Phishing isn't always obvious anymore. Today's attacks are subtle, familiar, and timed to catch you off guard.
 
This email looked like it came from my manager. It referred to a document I was expecting. It had just enough familiarity to override my better judgment.
 
The Golden Rule encourages us to slow down and ask:
  • Who is this really from?
  • What are they asking me to do?
  • Why am I getting this now?
  • Does this make sense?
 
If I had paused to hover over the link or double-check the sender, I'd have seen the red flags. But I didn't.
 
Here's the breakdown of this scenario:
  • Who is this really from? The sender's address didn't exactly match my manager's or HR department's usual address.
  • What are they asking me to do? They wanted me to open and review a document. I was expecting one, just not in this delivery method.
  • Why am I getting this now? I was expecting a document at the time the phishing email was sent, which made it feel legitimate.
  • Does this make sense? This is where I tripped up. I should have put the first two red flags together and realized that, while I was expecting a document, it wouldn't be sent in this format.
 
Even the tiniest lapse — a split second of inattention — could spell major trouble. One careless click could expose sensitive data, trigger a costly breach, and affect everyone relying on our systems.
 
I'm genuinely grateful this was a test, not a real attack. It's a wake-up call and a timely reminder that vigilance isn't optional. It's essential.
 
What to Do If You Click on a Phishing Link
Even experienced employees can accidentally click on a phishing email, but what matters most is how you respond. Whether it's a test or a real attack, here's what to do if you click on a phishing link.
 
If you've clicked on a phishing test, take a breath — it's a learning opportunity, not a failure.
  • Don't panic. These tests exist to help you recognize patterns and improve.
  • Take a moment to review what made the email convincing.
  • Report the training email to your IT or security team just as you would a real phishing email. Building that habit now helps you react quickly when it really counts.
  • Apply what you learned so you're ready if a real phishing attempt lands in your inbox.
 
If you realize you've clicked on a real phishing email, speed matters.
  • Disconnect from the network if possible.
  • Alert your IT or security team immediately so they can contain potential risks.
  • Change any passwords you entered or that might have been exposed.
  • Keep an eye on your accounts for unusual activity or login attempts.
  • Follow any additional steps your IT team recommends for incident response.
 
By responding quickly — and honestly — you help protect your organization and turn a stressful moment into a valuable lesson.
 
SBS CyberSecurity, LLC (SBS) is a top-rated consulting and audit firm. With over 20 years in the cybersecurity industry, SBS has provided solutions to thousands of regulated organizations across the United States and abroad. They offer dynamic solutions to help you build a proactive risk management program capable of withstanding the daily threats your organization faces. Their services are designed to assist you in making informed cybersecurity decisions to better protect your business. For more information, please contact George McDonald, DakCU Interim President/CEO.


    The Memo

    The Memo is DakCU's newsletter that keeps credit union professionals updated on current news and information.

Copyright Dakota Credit Union Association.  All Rights Reserved.
2005 N Kavaney Dr - Suite 201 | Bismarck, North Dakota 58501
Phone: 800-279-6328 | [email protected]