Googler calls for fire drill-like overhaul of phishing tests • The Register

<!doctype html> <html lang="en"> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <title>Googler calls for fire drill-like overhaul of phishing tests • The Register</title> <meta name="robots" content="max-snippet:-1, max-image-preview:standard, max-video-preview:0"> <meta name="viewport" content="initial-scale=1.0, width=device-width"/> <meta property="og:image" content="https://regmedia.co.uk/2020/10/29/phishing.jpg"/> <meta property="og:type" content="article" /> <meta property="og:url" content="https://www.theregister.com/2024/05/23/google_phishing_tests/" /> <meta property="og:title" content="Googler calls for fire drill-like overhaul of phishing tests" /> <meta property="og:description" content="Current approaches aren't working and demonize security teams" /> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:site" content="@TheRegister"> <script type="application/ld+json"> { "@context":"http://schema.org", "@type":"NewsArticle", "mainEntityOfPage":{"@type":"WebPage","@id":"https://www.theregister.com/2024/05/23/google_phishing_tests/"}, "headline":"Google guru roasts useless phishing tests, calls for fire drill-style overhaul", "datePublished":"2024-05-23T19:01:12Z", "dateModified":"2024-05-23T19:06:08Z", "image":{"@type":"ImageObject","url":"https://regmedia.co.uk/2020/10/29/phishing.jpg","width":"1000","height":"667"}, "author":{"@type":"Person","name":"Connor Jones"}, "publisher":{"@type":"Organization","name":"The Register","url":"https://www.theregister.com/","logo":{"@type":"ImageObject","url":"https://www.theregister.com/design_picker/1fea2ae01c5036112a295123c3cc9c56eb28836a/graphics/std/red_logo_sans_strapline.png","width":330,"height":55}} } </script> <script> var RegZoot = { }; var RegCC = [ ]; var RegPageType = 'Story'; var RegTruePageType = 'www story'; </script> <link rel="canonical" href="https://www.theregister.com/2024/05/23/google_phishing_tests/"> <link rel="amphtml" href="https://www.theregister.com/AMP/2024/05/23/google_phishing_tests/"> <script src="/Design/javascript/html5shiv.min.js"></script> <script> // IE8 only polyfilly for eventListener // source: https://developer.mozilla.org/en-US/docs/Web/API/EventTarget/addEventListener#Compatibility !function(){if(Event.prototype.preventDefault||(Event.prototype.preventDefault=function(){this.returnValue=!1}),Event.prototype.stopPropagation||(Event.prototype.stopPropagation=function(){this.cancelBubble=!0}),!Element.prototype.addEventListener){var e=[],t=function(t,n){var o=this,r=function(e){e.target=e.srcElement,e.currentTarget=o,void 0!==n.handleEvent?n.handleEvent(e):n.call(o,e)};if("DOMContentLoaded"==t){var a=function(e){"complete"==document.readyState&&r(e)};if(document.attachEvent("onreadystatechange",a),e.push({object:this,type:t,listener:n,wrapper:a}),"complete"==document.readyState){var p=new Event;p.srcElement=window,a(p)}}else this.attachEvent("on"+t,r),e.push({object:this,type:t,listener:n,wrapper:r})},n=function(t,n){for(var o=0;o<e.length;){var r=e[o];if(r.object==this&&r.type==t&&r.listener==n){"DOMContentLoaded"==t?this.detachEvent("onreadystatechange",r.wrapper):this.detachEvent("on"+t,r.wrapper),e.splice(o,1);break}++o}};Element.prototype.addEventListener=t,Element.prototype.removeEventListener=n,HTMLDocument&&(HTMLDocument.prototype.addEventListener=t,HTMLDocument.prototype.removeEventListener=n),Window&&(Window.prototype.addEventListener=t,Window.prototype.removeEventListener=n)}}(); document.attachEvent("onreadystatechange", function() { if (document.readyState === "complete") { // list of icons we want <= IE8 to replace with their png equivalents var svg_icons_png_equiv = [ // masthead icons (twitter + facebook are also shared for footer): 'reg_logo.svg', 'twitter.svg', 'facebook.svg', 'linkedin.svg', // navigation bar icons: 'vulture.svg', 'vulture_white.svg', 'search.svg', 'search_white.svg', // footer icons: 'sitpub_footer.svg', 'linkedin_white.svg', 'rss.svg', // lectures section icons: 'reglecture_logo.svg', // story template icons: 'reddit.svg', 'linkedin_alt.svg', 'linkedin.svg', 'calendar.svg', 'location.svg', 'rect_comment_bubble_white.svg', 'rect_comment_bubble_black.svg', 'envelope.svg', 'polls_unit_arrow.svg' ]; for (i = 0; i <= svg_icons_png_equiv.length - 1; i++) { var svg_icon = svg_icons_png_equiv[i]; var img_svg_icons = $('img[src$="' + svg_icon + '"]'); img_svg_icons.each(function() { $(this).attr('src', $(this).attr('src').replace('.svg','.png')); }); } var ad_params = { src: 'https://regmedia.co.uk/2018/06/15/gg2b_book.png', href: 'https://forms.theregister.com/gg2b/?td=iaomwtkie78' }; bird_alternative('ad_wp_top', ad_params); } }); </script> <script> var RegArticle={id:234203,pf:0,af:0,bms:0,sec:'security',cat:'update_me',ec:[],kw:[["cybersecurity",'Cybersecurity'],["google",'Google'],["phishing",'Phishing']],kwp:[["alphabet",'Alphabet'],["search engine",'Search Engine'],["security",'Security']],short_url:'https://reg.cx/4cXA',cp:0,noads:[],author:'Connor Jones'} </script> <link rel=stylesheet type="text/css" href="/css/e5c206ed408f082870465a2c478e657ff0db3937/scaffolding.css"> <link rel=stylesheet type="text/css" href="/css/e5c206ed408f082870465a2c478e657ff0db3937/design.css"> <style> #nav-security, #nav-security-all { text-decoration: underline !important; } </style> <link rel='stylesheet' type='text/css' href='/css/e5c206ed408f082870465a2c478e657ff0db3937/story_only.css'> <link rel=stylesheet type="text/css" href="/css/e5c206ed408f082870465a2c478e657ff0db3937/rows_basic.css"> <link rel=alternate type="application/atom+xml" href="/headlines.atom" title="The Register: whole site"> <link rel=alternate type="application/atom+xml" href="/security/headlines.atom" title="The Register: Security section"> <script> var RegCR = false; </script> <script src="/design_picker/14513432720673f1c1ee02761ba265b674b7bee1/javascript/_.js"></script> <script> RegGPT('reg_security/front','0df13fad2ea597c71ae99fa84c3f976d','0df13fad2ea597c71ae99fa84c3f976d'); </script> <script async src="https://www.googletagmanager.com/gtag/js"></script> <link rel=search href="https://search.theregister.com/"> <link rel=search type="application/opensearchdescription+xml" title="El Reg Search" href="/Design/page/search.osd"> <link rel="icon" href="/design_picker/13249a2e80709c7ff2e57dd3d49801cd534f2094/graphics/favicons/favicon.ico" sizes="any"> <link rel="icon" href="/design_picker/13249a2e80709c7ff2e57dd3d49801cd534f2094/graphics/favicons/favicon.svg" type="image/svg+xml"> <link rel="apple-touch-icon" href="/design_picker/13249a2e80709c7ff2e57dd3d49801cd534f2094/graphics/favicons/apple-touch-icon.png"> <link rel="manifest" href="/design_picker/13249a2e80709c7ff2e57dd3d49801cd534f2094/graphics/favicons/site.webmanifest"> <meta name="msapplication-TileColor" content="#ff0000"> <meta name="msapplication-config" content="/design_picker/13249a2e80709c7ff2e57dd3d49801cd534f2094/graphics/favicons/browserconfig.xml"> <meta name="theme-color" content="#ff0000"> <script src="/Design/javascript/respond.min.js"></script> </head> <body class="fullwidth" data-pagetype='Story' data-iebrowser='7' data-pagenum="0"> <div id="page"> <div data-oop="1" data-pos="top" data-raptor="kite" aria-hidden="true" class="adun"></div> <div id="masthead"> <div class="los_amigos"> <div class="left_nav"> <a id="mob_user_link" href="https://account.theregister.com/register/" aria-label="Your Account"> <img class="account_icon" width="16" height="16" src="/design_picker/ae01b183a707a7db8cd5f2c947715ed56d335138/graphics/std/user_icon_white_extents_16x16.png" srcset="/design_picker/ae01b183a707a7db8cd5f2c947715ed56d335138/graphics/std/user_icon_white_extents.svg" alt=""> <img class="filled_icon" width="16" height="16" src="/design_picker/ae01b183a707a7db8cd5f2c947715ed56d335138/graphics/std/user_icon_white_filled_extents_16x16.png" srcset="/design_picker/ae01b183a707a7db8cd5f2c947715ed56d335138/graphics/std/user_icon_filled_white_extents.svg" alt=""> <span id="mob_user_text"><span>Sign in / up</span></span> </a> </div> <div class="center_nav"> <a href="https://www.theregister.com/" id="logo"> <img src="/design_picker/fa16d26efb42e6ba1052f1d387470f643c5aa18d/graphics/std/reg_logo_no_strapline.png" srcset="/design_picker/fa16d26efb42e6ba1052f1d387470f643c5aa18d/graphics/std/reg_logo_no_strapline.svg" width="190" height="35" alt="The Register® — Biting the hand that feeds IT"> </a> </div> <div class="right_nav"> <a href="https://search.theregister.com/" class="nav_search topnav_elem" data-name="Search" aria-label="Search"> <img width="16" height="16" src="/design_picker/ae01b183a707a7db8cd5f2c947715ed56d335138/graphics/std/magnifying_glass_white_extents_16x16.png" srcset="/design_picker/ae01b183a707a7db8cd5f2c947715ed56d335138/graphics/std/magnifying_glass_white_extents.svg" alt=""> </a> <div id="site_nav_mobile"> <noscript><div id="site_nav_mobile_hiding_stamp"></div></noscript> <button id="mobile_menu_toggle" aria-label="Open menu" type="button"> <img width="16" height="16" src="/design_picker/ae01b183a707a7db8cd5f2c947715ed56d335138/graphics/icon/burger_menu_white_16x16.png" srcset="/design_picker/ae01b183a707a7db8cd5f2c947715ed56d335138/graphics/icon/burger_menu_white_extents.svg" alt=""> <img width="16" height="16" src="/design_picker/ae01b183a707a7db8cd5f2c947715ed56d335138/graphics/icon/burger_menu_white_close_16x16.png" srcset="/design_picker/ae01b183a707a7db8cd5f2c947715ed56d335138/graphics/icon/burger_menu_white_close_extents.svg" alt=""> </button> </div> </div> </div> <div id="top_panel_wrapper"> <div id="top_panel"> <div class="block_section nav"> <div class="nav_col first_col"> <div class="nav_top_group"> <div class="nav_topics"> <div class="nav_head_bk"> <h2 class="main_head">Topics</h2> </div> <div> <nav> <div class="nav_elem"> <div class="cat_header"> <div id="nav-security"> <a href="#subnav-box-nav-security" data-toggle-for="subnav-box-nav-security" class="topnav_elem mob_only">Security</a> <h2 class="desk_only section_nav-security"> <a href="#subnav-box-nav-security" data-toggle-for="subnav-box-nav-security" class="topnav_elem desk_only">Security</a> </h2> </div> </div><div id="subnav-box-nav-security" class="subnav_box"><a href="https://www.theregister.com/security/" class="subnav_elem" id="nav-security-all"><span class="prefix_all">All </span>Security</a><a href="https://www.theregister.com/security/cyber_crime/" class="subnav_elem" id="nav-security-cyber_crime">Cyber-crime</a><a href="https://www.theregister.com/security/patches/" class="subnav_elem" id="nav-security-patches">Patches</a><a href="https://www.theregister.com/security/research/" class="subnav_elem" id="nav-security-research">Research</a><a href="https://www.theregister.com/security/cso/" class="subnav_elem" id="nav-security-cso">CSO</a> <noscript><a href="#masthead" class="subnav_elem close_box" aria-label="Top navigation">(X)</a></noscript> </div> </div><div class="nav_elem"> <div class="cat_header"> <div id="nav-off_prem"> <a href="#subnav-box-nav-off_prem" data-toggle-for="subnav-box-nav-off_prem" class="topnav_elem mob_only">Off-Prem</a> <h2 class="desk_only section_nav-off_prem"> <a href="#subnav-box-nav-off_prem" data-toggle-for="subnav-box-nav-off_prem" class="topnav_elem desk_only">Off-Prem</a> </h2> </div> </div><div id="subnav-box-nav-off_prem" class="subnav_box"><a href="https://www.theregister.com/off_prem/" class="subnav_elem" id="nav-off_prem-all"><span class="prefix_all">All </span>Off-Prem</a><a href="https://www.theregister.com/off_prem/edge_iot/" class="subnav_elem" id="nav-off_prem-edge_iot">Edge + IoT</a><a href="https://www.theregister.com/off_prem/channel/" class="subnav_elem" id="nav-off_prem-channel">Channel</a><a href="https://www.theregister.com/off_prem/paas_iaas/" class="subnav_elem" id="nav-off_prem-paas_iaas">PaaS + IaaS</a><a href="https://www.theregister.com/off_prem/saas/" class="subnav_elem" id="nav-off_prem-saas">SaaS</a> <noscript><a href="#masthead" class="subnav_elem close_box" aria-label="Top navigation">(X)</a></noscript> </div> </div><div class="nav_elem"> <div class="cat_header"> <div id="nav-on_prem"> <a href="#subnav-box-nav-on_prem" data-toggle-for="subnav-box-nav-on_prem" class="topnav_elem mob_only">On-Prem</a> <h2 class="desk_only section_nav-on_prem"> <a href="#subnav-box-nav-on_prem" data-toggle-for="subnav-box-nav-on_prem" class="topnav_elem desk_only">On-Prem</a> </h2> </div> </div><div id="subnav-box-nav-on_prem" class="subnav_box"><a href="https://www.theregister.com/on_prem/" class="subnav_elem" id="nav-on_prem-all"><span class="prefix_all">All </span>On-Prem</a><a href="https://www.theregister.com/on_prem/systems/" class="subnav_elem" id="nav-on_prem-systems">Systems</a><a href="https://www.theregister.com/on_prem/storage/" class="subnav_elem" id="nav-on_prem-storage">Storage</a><a href="https://www.theregister.com/on_prem/networks/" class="subnav_elem" id="nav-on_prem-networks">Networks</a><a href="https://www.theregister.com/on_prem/hpc/" class="subnav_elem" id="nav-on_prem-hpc">HPC</a><a href="https://www.theregister.com/on_prem/personal_tech/" class="subnav_elem" id="nav-on_prem-personal_tech">Personal Tech</a><a href="https://www.theregister.com/on_prem/cxo/" class="subnav_elem" id="nav-on_prem-cxo">CxO</a><a href="https://www.theregister.com/on_prem/public_sector/" class="subnav_elem" id="nav-on_prem-public_sector">Public Sector</a> <noscript><a href="#masthead" class="subnav_elem close_box" aria-label="Top navigation">(X)</a></noscript> </div> </div><div class="nav_elem"> <div class="cat_header"> <div id="nav-software"> <a href="#subnav-box-nav-software" data-toggle-for="subnav-box-nav-software" class="topnav_elem mob_only">Software</a> <h2 class="desk_only section_nav-software"> <a href="#subnav-box-nav-software" data-toggle-for="subnav-box-nav-software" class="topnav_elem desk_only">Software</a> </h2> </div> </div><div id="subnav-box-nav-software" class="subnav_box"><a href="https://www.theregister.com/software/" class="subnav_elem" id="nav-software-all"><span class="prefix_all">All </span>Software</a><a href="https://www.theregister.com/software/ai_ml/" class="subnav_elem" id="nav-software-ai_ml">AI + ML</a><a href="https://www.theregister.com/software/applications/" class="subnav_elem" id="nav-software-applications">Applications</a><a href="https://www.theregister.com/software/databases/" class="subnav_elem" id="nav-software-databases">Databases</a><a href="https://www.theregister.com/software/devops/" class="subnav_elem" id="nav-software-devops">DevOps</a><a href="https://www.theregister.com/software/oses/" class="subnav_elem" id="nav-software-oses">OSes</a><a href="https://www.theregister.com/software/virtualization/" class="subnav_elem" id="nav-software-virtualization">Virtualization</a> <noscript><a href="#masthead" class="subnav_elem close_box" aria-label="Top navigation">(X)</a></noscript> </div> </div><div class="nav_elem"> <div class="cat_header"> <div id="nav-offbeat"> <a href="#subnav-box-nav-offbeat" data-toggle-for="subnav-box-nav-offbeat" class="topnav_elem mob_only">Offbeat</a> <h2 class="desk_only section_nav-offbeat"> <a href="#subnav-box-nav-offbeat" data-toggle-for="subnav-box-nav-offbeat" class="topnav_elem desk_only">Offbeat</a> </h2> </div> </div><div id="subnav-box-nav-offbeat" class="subnav_box"><a href="https://www.theregister.com/offbeat/" class="subnav_elem" id="nav-offbeat-all"><span class="prefix_all">All </span>Offbeat</a><a href="https://www.theregister.com/Debates/" class="subnav_elem" id="nav-offbeat-debates">Debates</a><a href="https://www.theregister.com/offbeat/columnists/" class="subnav_elem" id="nav-offbeat-columnists">Columnists</a><a href="https://www.theregister.com/offbeat/science/" class="subnav_elem" id="nav-offbeat-science">Science</a><a href="https://www.theregister.com/offbeat/geeks_guide/" class="subnav_elem" id="nav-offbeat-geeks_guide">Geek's Guide</a><a href="https://www.theregister.com/offbeat/bofh/" class="subnav_elem" id="nav-offbeat-bofh">BOFH</a><a href="https://www.theregister.com/offbeat/legal/" class="subnav_elem" id="nav-offbeat-legal">Legal</a><a href="https://www.theregister.com/offbeat/bootnotes/" class="subnav_elem" id="nav-offbeat-bootnotes">Bootnotes</a><a href="https://www.theregister.com/offbeat/site_news/" class="subnav_elem" id="nav-offbeat-site_news">Site News</a><a href="https://www.theregister.com/offbeat/about_us/" class="subnav_elem" id="nav-offbeat-about_us">About Us</a> <noscript><a href="#masthead" class="subnav_elem close_box" aria-label="Top navigation">(X)</a></noscript> </div> </div> </nav> </div> </div> </div> <div class="nav_bottom_group"> <div class="nav_bottom_section nav_special_features"> <div class="nav_head_bk"> <a href="#subnav-box-nav-special_features" data-toggle-for="subnav-box-nav-special_features" id="nav-special_features" class="topnav_elem mob_only">Special Features</a> <h2 class="main_head"> <span class="topnav_elem desk_only">Special Features</span> </h2> </div> <nav> <div class="nav_elem"> <div id="subnav-box-nav-special_features" class="subnav_box"> <a href="https://www.theregister.com/special_features">All Special Features</a> <a href="https://www.theregister.com/special_features/cybersecurity_month">Cybersecurity Month</a> <a href="https://www.theregister.com/special_features/vmware_explore">VMware Explore</a> <a href="https://www.theregister.com/special_features/blackhat_and_defcon">Blackhat and DEF CON</a> <a href="https://www.theregister.com/special_features/cloud_infrastructure_month">Cloud Infrastructure Month</a> <a href="https://www.theregister.com/special_features/malware_month">Malware Month</a> <a href="https://www.theregister.com/special_features/the_reg_in_space">The Reg in Space</a> <a href="https://www.theregister.com/special_features/spotlight_on_rsa">Spotlight on RSA</a> </div> </div> </nav> </div> <div class="nav_bottom_section nav_elem nav_vendor_voice"> <div class="nav_head_bk"> <h2 class="main_head"> <span class="topnav_elem desk_only">Vendor Voice</span> </h2> </div> <nav> <div class="nav_elem"> <div class="cat_header"> <div id="nav-tag-vendor-voice"> <a href="#subnav-box-nav-tag-vendor-voice" data-toggle-for="subnav-box-nav-tag-vendor-voice" class="topnav_elem mob_only">Vendor Voice</a> <h2 class="desk_only section_nav-tag-vendor-voice"> <a href="#subnav-box-nav-tag-vendor-voice" data-toggle-for="subnav-box-nav-tag-vendor-voice" class="topnav_elem desk_only">Vendor Voice</a> </h2> </div> </div> <div id="subnav-box-nav-tag-vendor-voice" class="subnav_box"> <a href="https://www.theregister.com/VendorVoice/" class="subnav_elem" id="nav-tag-vendor-voice-all"> <span class="prefix_all">All </span>Vendor Voice </a> <a href="https://www.theregister.com/VendorVoice/aws_here/" class="subnav_elem" id="nav-tag-vendor-voice-vv_aws_here"> HERE and AWS </a> <a href="https://www.theregister.com/VendorVoice/aws_vonage/" class="subnav_elem" id="nav-tag-vendor-voice-vv_aws_vonage"> Vonage </a> <a href="https://www.theregister.com/VendorVoice/aws_amdocs/" class="subnav_elem" id="nav-tag-vendor-voice-vv_aws_amdocs"> Amdocs </a> <a href="https://www.theregister.com/VendorVoice/aws_ge_vernova_manufacturing/" class="subnav_elem" id="nav-tag-vendor-voice-vv_aws_ge_vernova_manufacturing"> GE Vernova with AWS </a> <a href="https://www.theregister.com/VendorVoice/aws_ge_vernova/" class="subnav_elem" id="nav-tag-vendor-voice-vv_aws_ge_vernova"> GE Vernova with AWS </a> <a href="https://www.theregister.com/VendorVoice/siemens_aws/" class="subnav_elem" id="nav-tag-vendor-voice-vv_siemens_aws"> Siemens and AWS Gen AI </a> <a href="https://www.theregister.com/VendorVoice/siemens_aws_itot/" class="subnav_elem" id="nav-tag-vendor-voice-vv_siemens_aws_itot"> Siemens and AWS IT/OT </a> <a href="https://www.theregister.com/VendorVoice/aws_new_horizon_solutions/" class="subnav_elem" id="nav-tag-vendor-voice-vv_aws_new_horizon_solutions"> Amazon Web Services (AWS) New Horizon in Cloud Computing </a> <a href="https://www.theregister.com/VendorVoice/ddn/" class="subnav_elem" id="nav-tag-vendor-voice-vv_ddn"> DDN </a> <a href="https://www.theregister.com/VendorVoice/google_cloud_data_transformation/" class="subnav_elem" id="nav-tag-vendor-voice-vv_google_cloud_data_transformation"> Google Cloud Data Transformation </a> <a href="https://www.theregister.com/VendorVoice/google_gemini/" class="subnav_elem" id="nav-tag-vendor-voice-vv_google_gemini"> Google Gemini </a> <a href="https://www.theregister.com/VendorVoice/hpe_greenlake/" class="subnav_elem" id="nav-tag-vendor-voice-vv_hpe_greenlake"> Hewlett Packard Enterprise: Edge-to-Cloud Platform </a> <a href="https://www.theregister.com/VendorVoice/intelvpro/" class="subnav_elem" id="nav-tag-vendor-voice-vv_intelvpro"> Intel vPro </a> <a href="https://www.theregister.com/VendorVoice/vmware/" class="subnav_elem" id="nav-tag-vendor-voice-vv_vmware"> VMware </a> <noscript> <a href="#masthead" class="subnav_elem close_box" aria-label="Top navigation">(X)</a> </noscript> </div> </div> </nav> </div> <div class="nav_bottom_section nav_resources"> <div class="nav_head_bk"> <a href="#subnav-box-nav-resources" data-toggle-for="subnav-box-nav-resources" id="nav-resources" class="topnav_elem mob_only">Resources</a> <h2 class="main_head"> <span class="topnav_elem desk_only">Resources</span> </h2> </div> <nav id="top_nav"> <div class="nav_elem"> <div id="subnav-box-nav-resources" class="subnav_box"> <a href="https://whitepapers.theregister.com/">Whitepapers</a> <a href="https://whitepapers.theregister.com/events/list/">Webinars & Events</a> <a href="https://account.theregister.com/edit/newsletter/">Newsletters</a> </div> </div> </nav> </div> </div> </div> </div> </div> </div> </div> <div aria-hidden="true" class="adun" data-pos="top" data-raptor="condor" data-xmd=",fluid,leaderboard," data-lg=",fluid,leaderboard," data-xlg=",fluid,superleaderboard,billboard,leaderboard," data-xxlg=",fluid,superleaderboard,billboard,brandwidth,leaderboard,"> <noscript> <a href="https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0" target="_blank"> <img src="https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0" alt=""> </a> </noscript> </div> <article> <div id=top-col-story> <div class="header_left"> <div class="cat_header"> <h4 class="dcl"> <a href="/security/" aria-label="Security">Security</a> </h4> </div> <div class="comments_wrap mobile_only"> <a class="comment_count" aria-label="Read comments on this article, currently there are 57 comments" title="View comments on this article" href="https://forums.theregister.com/forum/all/2024/05/23/google_phishing_tests/"> <strong aria-hidden="true">57</strong> <img aria-hidden="true" width="18" height="16" alt="comment bubble on white" src="/design_picker/f5daacc84b9722c1e31ba85f836c37e4ad993fc4/graphics/icons/bubble_comment_white.png" srcset="/design_picker/f5daacc84b9722c1e31ba85f836c37e4ad993fc4/graphics/icons/bubble_comment_white.svg"> </a> </div> </div> <div class="header_right"> <h1>Google guru roasts useless phishing tests, calls for fire drill-style overhaul</h1> </div> <div class="header_left"> <div class="comments_wrap desktop_only"> <a class="comment_count" aria-label="Read comments on this article, currently there are 57 comments" title="View comments on this article" href="https://forums.theregister.com/forum/all/2024/05/23/google_phishing_tests/"> <strong aria-hidden="true">57</strong> <img aria-hidden="true" width="18" height="16" alt="comment bubble on white" src="/design_picker/f5daacc84b9722c1e31ba85f836c37e4ad993fc4/graphics/icons/bubble_comment_white.png" srcset="/design_picker/f5daacc84b9722c1e31ba85f836c37e4ad993fc4/graphics/icons/bubble_comment_white.svg"> </a> </div> </div> <div class="header_right"> <h2>Current approaches aren't working and demonize security teams</h2> <div class="byline_and_dateline_and_share_and_comments"> <div class="byline_wrap"> <img class="vulture_icon" src="/design_picker/d518b499f8a6e2c65d4d8c49aca8299d54b03012/graphics/icon/vulture_red.svg" alt="icon"> <a class="byline" href="/Author/Connor-Jones" title="Read more by this author"> Connor Jones </a> </div> <div class="dateline_wrap"> <span class="dateline"> Thu 23 May 2024 <span class="slashes"> // </span> 19:01 UTC </span> </div> </div> </div> </div> <div id=main-col> <div id="article-wrapper" class="article_wrap"> <div class="left_col"> <div class="floating_bar"> <div class="sharing_widget_story_desktop uses_overlay"> <button class="top_blob" aria-label="Share this story" title="Share this story"> <img width="25" height="25" src="/design_picker/d2e337b97204af4aa34dda04c4e5d56d954b216f/graphics/icons/social_share_icon.svg" alt=""> </button> <div class="sharing_widget_overlay" id="sharing_widget_overlay_2"> <div class="sharing_box"> <a data-social="reddit" href="https://www.reddit.com/submit?url=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Google%20guru%20roasts%20useless%20phishing%20tests%2c%20calls%20for%20fire%20drill-style%20overhaul" target="_blank"> </a> <a data-social="twitter" class="twit" href="https://twitter.com/intent/tweet?text=Google%20guru%20roasts%20useless%20phishing%20tests%2c%20calls%20for%20fire%20drill-style%20overhaul&url=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister" target="_blank"> </a> <a data-social="facebook" class="faceb_dialog" href="https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook" target="_blank"> </a> <br class="hide_after_sm"> <a data-social="linkedin" class="linkedin_social" href="https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Google%20guru%20roasts%20useless%20phishing%20tests%2c%20calls%20for%20fire%20drill-style%20overhaul&summary=Current%20approaches%20aren%27t%20working%20and%20demonize%20security%20teams" target="_blank"> </a> <a data-social="whatsapp" href="https://api.whatsapp.com/send?text=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp" target="_blank"> </a> </div> </div> </div> </div> <div class="promo_advert"> </div> </div> <div class="centre_col"> <div id="article"> <div id="body"> <p>A Google security bigwig has had enough of federally mandated phishing tests, saying they make colleagues hate IT teams for no added benefit.</p> <p>Matt Linton leads Google's security response and incident management division. Tasked with rolling out phishing exercises every year, he believes tests should be replaced by the cybersecurity equivalent of a fire drill.</p> <p>Today's phishing tests more closely resemble the fire drills of the early days, which were more like fire evacuation drills – sprung upon a building's residents with no warning and later blaming them as individuals for their failures.</p> <div aria-hidden="true" class="adun" data-pos="top" data-raptor="condor" data-xsm=",fluid,mpu," data-sm=",fluid,mpu," data-md=",fluid,mpu,"> <noscript> <a href="https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0" target="_blank"> <img src="https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0" alt=""> </a> </noscript> </div> <p>Since then, more security features have been fitted to buildings. Linton cited wider doors and their push-bar exit designs, as well as fire sprinklers as examples of innovations that improved a building's fire safety. None of these were implemented to improve individual residents' response to drills, but together they increased survival rates and now fire drills are better planned, well-announced procedures.</p> <div aria-hidden="true" class="adun" data-pos="top" data-raptor="falcon" data-xmd=",fluid,mpu,leaderboard," data-lg=",fluid,mpu,leaderboard," data-xlg=",fluid,billboard,superleaderboard,mpu,leaderboard," data-xxlg=",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,"> <noscript> <a href="https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0" target="_blank"> <img src="https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0" alt=""> </a> </noscript> </div> <div class="adun_eagle_desktop_story_wrapper"> <div aria-hidden="true" class="adun" data-pos="mid" data-raptor="eagle" data-xxlg=",mpu,dmpu,"> <noscript> <a href="https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0" target="_blank"> <img src="https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0" alt=""> </a> </noscript> </div> </div> <p>Readers, you can probably see where he's going with this. Parallels between these early fire tests and modern-day phishing exercises are clear – in both cases the burden of responsibility is applied more to the individual rather than the infrastructure around them.</p> <div class="promo_article no_img"> <h2 title="'Chaos specialist' Linton's e-quip backfires">Google Spectre whiz kicked out of DEF CON hotel over misunderstood tweet</h2> <a href="https://www.theregister.com/2018/08/10/google_matt_linton_caesars_def_con/"><span>FROM 2018</span></a></div> <p>Despite anti-phishing controls being baked into security products and email clients, research points to phishing attacks increasing. Zscaler's latest annual <a target="_blank" href="https://www.zscaler.com/blogs/security-research/phishing-attacks-rise-58-year-ai-threatlabz-2024-phishing-report" rel="nofollow">phishing report</a> found the past 12 months saw a 58 percent increase in phishing, and the <a target="_blank" href="https://www.theregister.com/2023/01/11/gpt3_phishing_emails/">wider adoption of AI by cybercriminals</a> has driven that surge.</p> <p>The Federal Risk and Authorization Management Program (FedRAMP) is one of the US organizations that promotes cybersecurity standards. Google maintains FedRAMP compliance and does so, in part, by running phishing tests that follow its guidance, which still claims users "are the last line of defense and should be tested."</p> <p>Linton argues that there is value in providing staff phishing training, but achieving a 100 percent success rate "is a likely impossible task."</p> <div aria-hidden="true" class="adun" data-pos="top" data-raptor="falcon" data-xsm=",fluid,mpu," data-sm=",fluid,mpu," data-md=",fluid,mpu,"> <noscript> <a href="https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0" target="_blank"> <img src="https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0" alt=""> </a> </noscript> </div> <p>"Phishing and Social Engineering aren't going away as attack techniques," he <a target="_blank" href="https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html" rel="nofollow">blogged</a>. "As long as humans are fallible and social creatures, attackers will have ways to manipulate the human factor. </p> <p>"The more effective approach to both risks is a focused pursuit of secure-by-default systems in the long term, and a focus on investment in engineering defenses such as unphishable credentials – like <a target="_blank" href="https://www.theregister.com/2024/05/02/microsoft_google_passkeys/">passkeys</a> – and implementing multi-party approval for sensitive security contexts throughout production systems. It's because of investments in architectural defenses like these that, we're told, Google hasn't had to seriously worry about <a target="_blank" href="https://www.theregister.com/2024/04/29/uk_lays_password_legislation/">password</a> phishing in nearly a decade."</p> <h3 class="crosshead">The problem with current tests, and possible alternatives</h3> <p>The main argument against current phishing tests is "there is no evidence that the tests result in fewer incidences of successful phishing campaigns," said Linton.</p> <p>Some tests like those mandated by FedRAMP require organizations to reduce or eliminate existing controls to maximize the perceived impact of a failed test. This opens up a litany of issues, such as giving test subjects a false sense of the real risks and the allowlists implemented during exercises not being removed after, leaving them open for abuse by attackers.</p> <p>There's also the increased load placed on incident responders and those tasked with triaging reports sent to threat detection teams, all while staff are left feeling unnecessarily deceived, Linton said, and he's not alone.</p> <div aria-hidden="true" class="adun" id="story_eagle_xsm_sm_md_xmd_lg_xlg" data-pos="mid" data-raptor="eagle" data-xsm=",mpu,dmpu," data-sm=",mpu,dmpu," data-md=",mpu,dmpu," data-xmd=",mpu,dmpu," data-lg=",mpu,dmpu," data-xlg=",mpu,dmpu,"> <noscript> <a href="https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0" target="_blank"> <img src="https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0" alt=""> </a> </noscript> </div> <p>The <a target="_blank" href="https://www.ncsc.gov.uk/guidance/phishing" rel="nofollow">guidance</a> from the UK's NCSC, for example, concurs with many of the points raised by the Googler, saying they erode trust between staff and security teams, and that there are a host of reasons why a user may click on a link in a phishing test.</p> <ul class="listinks"> <li><a href="https://www.theregister.com/2024/05/23/china_hacking_group/">'China-aligned' spyware slingers operating since 2018 unmasked at last</a></li> <li><a href="https://www.theregister.com/2024/05/21/with_ransomware_whales_becoming_so/">With ransomware whales becoming so dominant, would-be challengers ask 'what's the point?'</a></li> <li><a href="https://www.theregister.com/2024/05/16/microsoft_quick_assist_crime/">Crims abusing Microsoft Quick Assist to deploy Black Basta ransomware</a></li> <li><a href="https://www.theregister.com/2024/05/13/cisa_ascension_ransomware/">Uncle Sam urges action after Black Basta ransomware infects Ascension</a></li> </ul> <p>Factors such as certain personality traits of a given individual may compel them to click a link and situational variables including a particularly stressful workload being managed at the time a test is issued may unfavorably skew results.</p> <p>"Employees should instead create a positive cybersecurity culture so employees feel comfortable reporting <a target="_blank" href="https://www.theregister.com/2024/04/10/x_fixes_url_blunder/">phishing</a> incidents, and in this sense, they can be a valuable early warning system," the NCSC says.</p> <p>Linton's idea of how these tests could be improved goes back to the notion of fire drills evolving into what they are today.</p> <p>Rather than them being delivered with deception, the fact they're a test should be clear as day, in the same way that apartment and office blocks have posters plastered around every corner weeks before a test is carried out. They should point to a test and inform the recipient of the benefits.</p> <p>Linton's idea of a possible alternative is considerably different compared to the tests office workers have become accustomed to over the years.</p> <div class="blockextract"> <p>Hello! I am a Phishing Email. </p> <p>This is a drill - this is only a drill!</p> <p>If I were an actual phishing email, I might ask you to log into a malicious site with your actual username or password, or I might ask you to run a suspicious command.</p> <p>You can learn more about recognizing phishing emails at and even <a target="_blank" href="https://phishingquiz.withgoogle.com/" rel="nofollow">test yourself to see how good you are at spotting them</a>. Regardless of the form a phishing email takes, you can quickly report them to the security team when you notice they're not what they seem.</p> <p>To complete the annual phishing drill, please report me.</p> <p>Thanks for doing your part to keep</p> <p>A. Tricky. Phish, Ph.D</p> </div> <p>In addition, the NCSC says a multi-layered approach should be taken to mitigating phishing attacks in a workplace:</p> <ol> <li> <p>Make it difficult for attackers to reach your users</p> </li> <li> <p>Help users identify and report suspected phishing emails</p> </li> <li> <p>Protect your organization from the effects of 'successful' phishing emails</p> </li> <li> <p>Respond quickly to incidents</p> </li> </ol> <p>"Educating employees about alerting security teams of attacks in progress remains a valuable and essential addition to a holistic security posture," Linton said. "However, there's no need to make this adversarial, and we don't gain anything by 'catching' people 'failing' at the task. </p> <p>"Let's stop engaging in the same old failed protections and follow the lead of more mature industries, such as fire protection, which has faced these problems before and already settled on a balanced approach." ®</p> <div class="wptl btm"> <noscript><strong>Get our</strong> <a href="https://whitepapers.theregister.com/" style="text-transform:uppercase">Tech Resources</a></noscript> </div> </div> <div class="article_body_btm mobile_only"> <div class="sharing_widget_story_desktop uses_overlay"> <button class="top_blob" aria-label="Share this story" title="Share this story"> <img width="25" height="25" src="/design_picker/d2e337b97204af4aa34dda04c4e5d56d954b216f/graphics/icons/social_share_icon.svg" alt=""> <span>Share</span> </button> <div class="sharing_widget_overlay" id="sharing_widget_overlay_3"> <div class="sharing_box"> <a data-social="reddit" href="https://www.reddit.com/submit?url=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Google%20guru%20roasts%20useless%20phishing%20tests%2c%20calls%20for%20fire%20drill-style%20overhaul" target="_blank"> </a> <a data-social="twitter" class="twit" href="https://twitter.com/intent/tweet?text=Google%20guru%20roasts%20useless%20phishing%20tests%2c%20calls%20for%20fire%20drill-style%20overhaul&url=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister" target="_blank"> </a> <a data-social="facebook" class="faceb_dialog" href="https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook" target="_blank"> </a> <br class="hide_after_sm"> <a data-social="linkedin" class="linkedin_social" href="https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Google%20guru%20roasts%20useless%20phishing%20tests%2c%20calls%20for%20fire%20drill-style%20overhaul&summary=Current%20approaches%20aren%27t%20working%20and%20demonize%20security%20teams" target="_blank"> </a> <a data-social="whatsapp" href="https://api.whatsapp.com/send?text=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp" target="_blank"> </a> </div> </div> </div> </div> </div> </div> <div class="right_col desktop_only"> <div class="similar_topics"> <div class="similar_topics"> <h4>More about</h4> <ul class="keywords"> <li> <a href="/Tag/Cybersecurity/" > <span class="keyword_name"> Cybersecurity </span> </a> </li> <li> <a href="/Tag/Google/" > <span class="keyword_name"> Google </span> </a> </li> <li> <a href="/Tag/Phishing/" > <span class="keyword_name"> Phishing </span> </a> </li> </ul> </div> <div class="keyword_wrap" style="display: none;"> <div class="keyword_trigger">More like these</div> </div> <div class="lightbox_overlay"> <div class="keyword_popup more_topics"> <div class="close">×</div> <div class="keyword_group similar_topics"> <h3>More about</h3> <ul class="keywords"> <li> <a href="/Tag/Cybersecurity/" > <span class="keyword_name"> Cybersecurity </span> </a> </li> <li> <a href="/Tag/Google/" > <span class="keyword_name"> Google </span> </a> </li> <li> <a href="/Tag/Phishing/" > <span class="keyword_name"> Phishing </span> </a> </li> </ul> </div> <div class="keyword_group child_topics"> <h3>Narrower topics</h3> <ul class="keywords"> <li> <a href="/Tag/Android/" > <span class="keyword_name"> Android </span> </a> </li> <li> <a href="/Tag/App%20stores/" > <span class="keyword_name"> App stores </span> </a> </li> <li> <a href="/Tag/Chrome/" > <span class="keyword_name"> Chrome </span> </a> </li> <li> <a href="/Tag/Chromium/Web%20Browser/" title="Disambiguation: Web Browser" > <span class="keyword_name"> Chromium </span> </a> </li> <li> <a href="/Tag/Gemini/" > <span class="keyword_name"> Gemini </span> </a> </li> <li> <a href="/Tag/Google%20AI/" > <span class="keyword_name"> Google AI </span> </a> </li> <li> <a href="/Tag/Google%20Cloud%20Platform/" > <span class="keyword_name"> Google Cloud Platform </span> </a> </li> <li> <a href="/Tag/Google%20I%2FO/" > <span class="keyword_name"> Google I/O </span> </a> </li> <li> <a href="/Tag/Google%20Nest/" > <span class="keyword_name"> Google Nest </span> </a> </li> <li> <a href="/Tag/G%20Suite/" > <span class="keyword_name"> G Suite </span> </a> </li> <li> <a href="/Tag/Kubernetes/" > <span class="keyword_name"> Kubernetes </span> </a> </li> <li> <a href="/Tag/Pixel/" > <span class="keyword_name"> Pixel </span> </a> </li> <li> <a href="/Tag/Privacy%20Sandbox/" > <span class="keyword_name"> Privacy Sandbox </span> </a> </li> <li> <a href="/Tag/RSA%20Conference/" > <span class="keyword_name"> RSA Conference </span> </a> </li> <li> <a href="/Tag/Tavis%20Ormandy/" > <span class="keyword_name"> Tavis Ormandy </span> </a> </li> </ul> </div> <div class="keyword_group parent_topics"> <h3>Broader topics</h3> <ul class="keywords"> <li> <a href="/Tag/Alphabet/" > <span class="keyword_name"> Alphabet </span> </a> </li> <li> <a href="/Tag/Search%20Engine/" > <span class="keyword_name"> Search Engine </span> </a> </li> <li> <a href="/Tag/Security/" > <span class="keyword_name"> Security </span> </a> </li> </ul> </div> </div> </div> </div> </div> <div class="right_col mobile_only"> <div class="similar_topics"> <h4>More about</h4> </div> </div> <div class="left_col main_content"> <div class="sharing_block"> <div class=article_body_btm> <div class="sharing_widget_story_desktop uses_overlay"> <button class="top_blob" aria-label="Share this story" title="Share this story"> <img width="25" height="25" src="/design_picker/d2e337b97204af4aa34dda04c4e5d56d954b216f/graphics/icons/social_share_icon.svg" alt=""> <span>Share</span> </button> <div class="sharing_widget_overlay" id="sharing_widget_overlay_4"> <div class="sharing_box"> <a data-social="reddit" href="https://www.reddit.com/submit?url=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Google%20guru%20roasts%20useless%20phishing%20tests%2c%20calls%20for%20fire%20drill-style%20overhaul" target="_blank"> </a> <a data-social="twitter" class="twit" href="https://twitter.com/intent/tweet?text=Google%20guru%20roasts%20useless%20phishing%20tests%2c%20calls%20for%20fire%20drill-style%20overhaul&url=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister" target="_blank"> </a> <a data-social="facebook" class="faceb_dialog" href="https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook" target="_blank"> </a> <br class="hide_after_sm"> <a data-social="linkedin" class="linkedin_social" href="https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Google%20guru%20roasts%20useless%20phishing%20tests%2c%20calls%20for%20fire%20drill-style%20overhaul&summary=Current%20approaches%20aren%27t%20working%20and%20demonize%20security%20teams" target="_blank"> </a> <a data-social="whatsapp" href="https://api.whatsapp.com/send?text=https://www.theregister.com/2024/05/23/google_phishing_tests/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp" target="_blank"> </a> </div> </div> </div> </div> </div> </div> <div class="centre_col main_content"> <div class="comments "> <a class="comment_count" aria-label="Read comments on this article, currently there are 57 comments" title="View comments on this article" href="https://forums.theregister.com/forum/all/2024/05/23/google_phishing_tests/"> <strong aria-hidden="true">57</strong> <img aria-hidden="true" width="18" height="16" alt="comment bubble on white" src="/design_picker/f5daacc84b9722c1e31ba85f836c37e4ad993fc4/graphics/icons/bubble_comment_white.png" srcset="/design_picker/f5daacc84b9722c1e31ba85f836c37e4ad993fc4/graphics/icons/bubble_comment_white.svg"> COMMENTS </a> </div> </div> <div class="hidden_col mobile_only"> <div class="similar_topics"> <h4>More about</h4> <ul class="keywords"> <li> <a href="/Tag/Cybersecurity/" > <span class="keyword_name"> Cybersecurity </span> </a> </li> <li> <a href="/Tag/Google/" > <span class="keyword_name"> Google </span> </a> </li> <li> <a href="/Tag/Phishing/" > <span class="keyword_name"> Phishing </span> </a> </li> </ul> </div> <div class="keyword_wrap" style="display: none;"> <div class="keyword_trigger">More like these</div> </div> <div class="lightbox_overlay"> <div class="keyword_popup more_topics"> <div class="close">×</div> <div class="keyword_group similar_topics"> <h3>More about</h3> <ul class="keywords"> <li> <a href="/Tag/Cybersecurity/" > <span class="keyword_name"> Cybersecurity </span> </a> </li> <li> <a href="/Tag/Google/" > <span class="keyword_name"> Google </span> </a> </li> <li> <a href="/Tag/Phishing/" > <span class="keyword_name"> Phishing </span> </a> </li> </ul> </div> <div class="keyword_group child_topics"> <h3>Narrower topics</h3> <ul class="keywords"> <li> <a href="/Tag/Android/" > <span class="keyword_name"> Android </span> </a> </li> <li> <a href="/Tag/App%20stores/" > <span class="keyword_name"> App stores </span> </a> </li> <li> <a href="/Tag/Chrome/" > <span class="keyword_name"> Chrome </span> </a> </li> <li> <a href="/Tag/Chromium/Web%20Browser/" title="Disambiguation: Web Browser" > <span class="keyword_name"> Chromium </span> </a> </li> <li> <a href="/Tag/Gemini/" > <span class="keyword_name"> Gemini </span> </a> </li> <li> <a href="/Tag/Google%20AI/" > <span class="keyword_name"> Google AI </span> </a> </li> <li> <a href="/Tag/Google%20Cloud%20Platform/" > <span class="keyword_name"> Google Cloud Platform </span> </a> </li> <li> <a href="/Tag/Google%20I%2FO/" > <span class="keyword_name"> Google I/O </span> </a> </li> <li> <a href="/Tag/Google%20Nest/" > <span class="keyword_name"> Google Nest </span> </a> </li> <li> <a href="/Tag/G%20Suite/" > <span class="keyword_name"> G Suite </span> </a> </li> <li> <a href="/Tag/Kubernetes/" > <span class="keyword_name"> Kubernetes </span> </a> </li> <li> <a href="/Tag/Pixel/" > <span class="keyword_name"> Pixel </span> </a> </li> <li> <a href="/Tag/Privacy%20Sandbox/" > <span class="keyword_name"> Privacy Sandbox </span> </a> </li> <li> <a href="/Tag/RSA%20Conference/" > <span class="keyword_name"> RSA Conference </span> </a> </li> <li> <a href="/Tag/Tavis%20Ormandy/" > <span class="keyword_name"> Tavis Ormandy </span> </a> </li> </ul> </div> <div class="keyword_group parent_topics"> <h3>Broader topics</h3> <ul class="keywords"> <li> <a href="/Tag/Alphabet/" > <span class="keyword_name"> Alphabet </span> </a> </li> <li> <a href="/Tag/Search%20Engine/" > <span class="keyword_name"> Search Engine </span> </a> </li> <li> <a href="/Tag/Security/" > <span class="keyword_name"> Security </span> </a> </li> </ul> </div> </div> </div> </div> <div class="right_col main_content"> <div class="tip_off_widget"> <h4>TIP US OFF</h4> <p><a href="https://www.theregister.com/Profile/contact/" target="_blank">Send us news</a></p> </div> </div> </div> </div> </article> <hr id=story_section_break> <div id=story-bot-col> <h3 style="position:absolute;color:transparent;z-index:-1;">Other stories you might like</h3> <div id="aua" data-unit-type="aua" class="keepreading"> <div class=headlines> <div class="img_lite_srow img_lite_rt-1b"> <article> <a href="/2024/11/23/opinion_google_chrome/?td=keepreading" class=story_link> <div class="article_text_elements"> <h4>Why Google's Chrome monopoly won't crack anytime soon</h4> <div class=standfirst> <span class="label">Opinion</span> Haven't we heard this story before?</div> <div class=time_comments> <span class="section_name">Columnists</span><span class="time_stamp" title="23 Nov 2024 12:35" data-epoch="1732365312">23 Nov 2024</span> | <span class="comment light_bg_comments">36</span></div> </div> </a> </article> <article> <a href="/2024/11/21/usa_vs_google_full_filing/?td=keepreading" class=story_link> <div class="article_text_elements"> <h4>DoJ wants Google to sell off Chrome and ban it from paying to be search default</h4> <div class=standfirst> <span class="label">Updated</span> Filing also suggests it flogging off Android, stops scraping content for AI without opt-out</div> <div class=time_comments> <span class="section_name">Applications</span><span class="time_stamp" title="21 Nov 2024 12:40" data-epoch="1732192813">21 Nov 2024</span> | <span class="comment light_bg_comments">59</span></div> </div> </a> </article> <article> <a href="/2024/11/07/fake_copyright_email_malware/?td=keepreading" class=story_link> <div class="article_text_elements"> <h4>Don't open that 'copyright infringement' email attachment – it's an infostealer</h4> <div class=standfirst>Curiosity gives crims access to wallets and passwords</div> <div class=time_comments> <span class="section_name">Research</span><span class="time_stamp" title="7 Nov 2024 22:18" data-epoch="1731017895">7 Nov 2024</span> | <span class="comment light_bg_comments">21</span></div> </div> </a> </article> <article> <a href="/2024/10/29/why_ai_builds_best_on/?td=keepreading" class=story_link> <div class="article_text_elements"> <h4>Why AI builds best on private clouds</h4> <div class=standfirst>AI projects under pressure to show real value in the tightest of timeframes might be worth keeping on-premises</div> <div class=time_comments><span class="section_name">Sponsored Feature</span></div> </div> </a> </article> </div> <div aria-hidden="true" class="adun" data-pos="btm" data-raptor="hawk" data-xsm=",fluid,mpu," data-sm=",fluid,mpu," data-md=",fluid,mpu," data-xmd=",fluid,leaderboard,mpu," data-lg=",fluid,mpu,leaderboard," data-xlg=",fluid,billboard,superleaderboard,mpu,leaderboard," data-xxlg=",fluid,billboard,superleaderboard,brandwidth,brandimpact,mpu,leaderboard,"> <noscript> <a href="https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=6&c=66Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D6%26raptor%3Dhawk%26pos%3Dbtm%26test%3D0" target="_blank"> <img src="https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=6&c=66Z0MAykx1tDYrMVKhYc7d7AAAAQg&t=ct%3Dns%26unitnum%3D6%26raptor%3Dhawk%26pos%3Dbtm%26test%3D0" alt=""> </a> </noscript> </div> <div class="img_lite_srow img_lite_rt-1b"> <article> <a href="/2024/11/19/us_drinking_water_systems_cybersecurity/?td=keepreading" class=story_link> <div class="article_text_elements"> <h4>America's drinking water systems have a hard-to-swallow cybersecurity problem</h4> <div class=standfirst>More than 100M rely on gear rife with vulnerabilities, says EPA OIG</div> <div class=time_comments> <span class="section_name">Public Sector</span><span class="time_stamp" title="19 Nov 2024 19:59" data-epoch="1732046345">19 Nov 2024</span> | <span class="comment light_bg_comments">18</span></div> </div> </a> </article> <article> <a href="/2024/11/20/android_16_new_release_cycle/?td=keepreading" class=story_link> <div class="article_text_elements"> <h4>Google changes Android release cycle so new versions arrive in Q2</h4> <div class=standfirst>Version 16 developer preview starts the new cycle, with warnings for devs to test sooner rather than later</div> <div class=time_comments> <span class="section_name">OSes</span><span class="time_stamp" title="20 Nov 2024 3:30" data-epoch="1732073414">20 Nov 2024</span> | <span class="comment light_bg_comments">10</span></div> </div> </a> </article> <article> <a href="/2024/11/18/teenage_serial_swatterforhire_busted/?td=keepreading" class=story_link> <div class="article_text_elements"> <h4>Teen serial swatter-for-hire busted, pleads guilty, could face 20 years</h4> <div class=standfirst> <span class="label">Infosec in brief</span> PLUS: Cost of Halliburton hack disclosed; Time to dump old D-Link NAS; More UN cybercrime convention concerns; and more</div> <div class=time_comments> <span class="section_name">Security</span><span class="time_stamp" title="18 Nov 2024 0:31" data-epoch="1731889867">18 Nov 2024</span> | <span class="comment light_bg_comments">23</span></div> </div> </a> </article> <article> <a href="/2024/11/15/google_gemini_prompt_bad_response/?td=keepreading" class=story_link> <div class="article_text_elements"> <h4>Google Gemini tells grad student to 'please die' while helping with his homework</h4> <div class=standfirst>First true sign of AGI – blowing a fuse with a frustrating user?</div> <div class=time_comments> <span class="section_name">AI + ML</span><span class="time_stamp" title="15 Nov 2024 18:31" data-epoch="1731695467">15 Nov 2024</span> | <span class="comment light_bg_comments">67</span></div> </div> </a> </article> </div> <div class="img_lite_srow img_lite_rt-1b"> <article> <a href="/2024/11/20/google_ossfuzz/?td=keepreading" class=story_link> <div class="article_text_elements"> <h4>Google's AI bug hunters sniff out two dozen-plus code gremlins that humans missed</h4> <div class=standfirst>OSS-Fuzz is making a strong argument for LLMs in security research</div> <div class=time_comments> <span class="section_name">AI + ML</span><span class="time_stamp" title="20 Nov 2024 17:1" data-epoch="1732122087">20 Nov 2024</span> | <span class="comment light_bg_comments">9</span></div> </div> </a> </article> <article> <a href="/2024/11/05/google_cloud_says_all_customers/?td=keepreading" class=story_link> <div class="article_text_elements"> <h4>Don't have MFA on a Google Cloud account? You'll have to from Jan</h4> <div class=standfirst>Lock it up. Lock it up</div> <div class=time_comments> <span class="section_name">PaaS + IaaS</span><span class="time_stamp" title="5 Nov 2024 19:17" data-epoch="1730834230">5 Nov 2024</span> | <span class="comment light_bg_comments">6</span></div> </div> </a> </article> <article> <a href="/2024/11/19/ilearningengines_bec_scam/?td=keepreading" class=story_link> <div class="article_text_elements"> <h4>Crook breaks into AI biz, points $250K wire payment at their own account</h4> <div class=standfirst>Fastidious attacker then tidied up email trail behind them</div> <div class=time_comments> <span class="section_name">Cyber-crime</span><span class="time_stamp" title="19 Nov 2024 12:31" data-epoch="1732019473">19 Nov 2024</span> | <span class="comment light_bg_comments">12</span></div> </div> </a> </article> <article> <a href="/2024/11/15/google_stops_eu_political_ads/?td=keepreading" class=story_link> <div class="article_text_elements"> <h4>Google decides Europe's political ad rules are too hard to implement at scale</h4> <div class=standfirst>Will stop accepting ads instead before TTPA comes into force</div> <div class=time_comments> <span class="section_name">Public Sector</span><span class="time_stamp" title="15 Nov 2024 5:31" data-epoch="1731648666">15 Nov 2024</span> | <span class="comment light_bg_comments">26</span></div> </div> </a> </article> </div> </div> <div aria-hidden="true" class="adun" data-pos="btm" data-raptor="owl" data-xsm=",fluid,mpu,dmpu," data-sm=",fluid,mpu,dmpu," data-md=",fluid,mpu,dmpu," data-xmd=",fluid,leaderboard,mpu," data-lg=",fluid,mpu,leaderboard," data-xlg=",fluid,billboard,superleaderboard,mpu,leaderboard," data-xxlg=",fluid,billboard,superleaderboard,brandwidth,brandimpact,mpu,leaderboard,"></div> </div> </div><div id=footer> <div class="footer_slogan"> <div class="footer_wrapper"> <p>The Register <img class="vulture_icon" src="/design_picker/d518b499f8a6e2c65d4d8c49aca8299d54b03012/graphics/icon/vulture_white.png" alt="icon"> Biting the hand that feeds IT</p> </div> </div> <div class="footer_wrapper"> <div class=foot_wrapper> <div class="left_block"> <div class="foot_list"> <h4>About Us<img loading="lazy" width="7" height="11" alt="" src="/design_picker/d2e337b97204af4aa34dda04c4e5d56d954b216f/graphics/icon/footer_mob_nav_arrow_black.svg" class="expand_arrow"></h4> <ul> <li><a href="https://www.theregister.com/Profile/contact/">Contact us</a></li> <li><a target=_blank rel=noopener href="https://www.theregister.com/AdvertiseWithUs/">Advertise with us</a></li> <li><a href="https://www.theregister.com/Profile/about_the_register/">Who we are</a></li> </ul> </div> <div class="foot_list more_us"> <h4>Our Websites<img loading="lazy" width="7" height="11" alt="" src="/design_picker/d2e337b97204af4aa34dda04c4e5d56d954b216f/graphics/icon/footer_mob_nav_arrow_black.svg" class="expand_arrow"></h4> <ul> <li><a href="https://www.nextplatform.com/">The Next Platform</a></li> <li><a href="https://devclass.com/">DevClass</a></li> <li><a href="https://blocksandfiles.com/">Blocks and Files</a></li> </ul> </div> <div class="foot_list privacy"> <h4>Your Privacy<img loading="lazy" width="7" height="11" alt="" src="/design_picker/d2e337b97204af4aa34dda04c4e5d56d954b216f/graphics/icon/footer_mob_nav_arrow_black.svg" class="expand_arrow"></h4> <ul> <li><a href="https://www.theregister.com/Profile/cookies/">Cookies Policy</a></li> <li><a href="https://www.theregister.com/Profile/privacy/">Privacy Policy</a></li> <li><a href="https://www.theregister.com/Profile/terms_and_conditions_of_use/">Ts & Cs</a></li> </ul> </div> </div> <div class="right_block"> <div class="foot_list"> <a href="https://situationpublishing.com/" id="sitpub_logo"> <img loading="lazy" width="250" alt="Situation Publishing" src="/design_picker/d2e337b97204af4aa34dda04c4e5d56d954b216f/graphics/std/sitpublogo_2022.png"> </a> <p> Copyright. All rights reserved © 1998–2024 </p> </div> </div> <noscript><img width="1" height="1" src="/Design/graphics/std/transparent_pixel.png" alt="no-js"></noscript> </div> </div> </div> <div id=end_scripts> <script> if (typeof(ElReg.Ga.sendPageView) === 'function') { ElReg.Ga.sendPageView('reg_security/front','0df13fad2ea597c71ae99fa84c3f976d','0df13fad2ea597c71ae99fa84c3f976d'); } </script> <script> $(function() { RegUtils.set_bucket_group(973) }); </script> </div> </div> </body> </html>

CINXE.COM

Googler calls for fire drill-like overhaul of phishing tests • The Register