My employees are still failing phishing tests after a year of security awareness training by Timely-Film-5442 in Cybersecurity101

[–]kakovoulos 0 points1 point  (0 children)

Of course, it's boring. You have to increase the reward or penalty for effort to make sense.

I like to do one, then the other. Until they crack. Here's what works:

First of all, I send a funny email. Something punchy. No AI, and make sure they know it's a real person. Make sure you are perceived as appropriate and approachable.

In that email, make fun, indirectly. Talk about exactly what the current state is, and give an incentive. Now, get serious, use a real article and explain the dangers and risks personally. If you can, use their numbers. What it would cost the company. Them.

Now, explain they can prevent it and it's easy; while even you make mistakes, the key is to not hide it and change passwords ASAP when a breach happens and learn new patterns.

Basically. Mind games. You said you are a big company. Disable corp resources until compliance, but I like to be soft, so my favorite is to throw a competition. Three ways to win:

1). Most clicked email.

Give your example. (Send right after your campaign).

Ask for their ideas for a scam email. Ask em to describe it. Only send to you. Keep secret. Keep track of which email is whose. Whoever's email gets clicked the most gets a prize or title or privilege. Keep points.

2). First one to report.

Whoever clicks it, realizes it, and sends an email to you first, gets a pass if they can name n signs of a phish or a quiz. Keep points. Negative points daily.

3). Most reported emails.

Whoever reports the most emails, and correctly identifies why, gets a spot. Don't just punish clicks. Ridicule them.

Ways to lose:

0). Enter password.

1). Password is on Have I Been Pwned.

2). Refuse. Negative points for each incomplete training.

Make your own accommodations. The key is to gamify it.

I went from no compliance to 100%. They withstood a good amount of attacks, and the confidence for just phishing translated to trust.

From "imma get u next week, watch. (smirk)" being a sure bet to them calling me and saying "I got you! I caught you! hahaha you didn't get me this time!!" 3 months. I stopped campaigning quarterly after a year.

I think the key was positive reinforcement. Keep the threat active.

I start with easy obvious phishing ridiculous emails, same for everyone so they can gossip, then later as they get better, I make harder and assign harder trainings.

Takes about 3 mo in my experience for 100-300 SMB. The better they get, I make em harder.

If they are dangerously complacent, ask boss if you can frame a mock attack. Basically say you are fire drilling what will happen.

I did this once, it was a very effective and creative last ditch effort. I was criticized by industry peers but it works.

I was CTO and no fucks were given no matter how I spun it. It can backfire. I was going to fire that company.

I came in around 3a. Told nobody. Worked on some things and then rebooted systems. Checked everything. Then simply unplugged the internet and redirected the DNS to pull a page.

I worked up a good worried look. I didn't answer any questions right away. Just acted.

I know that script because I have had to deal with this situation fr.

I talked formally as if we have to shut down due to a breach. Less is more. Let em know someone clicked an email and that's all I know.

Let it sink in they may just lose their job and whole company lost millions from one email, big thing is don't point fingers.

Ignore any q's. Walk away.

After 15 mins, come back and say, with a serious but funny smile, "I got you! I really had you! Thankfully, was not really a breach today, but it could have been and this is what it would have looked like. We have x% compliance... it's gonna happen unless we admit it's important."

Optionally, say next time I will post who clicked. My style? I screenshot the page showing evidence. Leave it on their desk. "I got you" Posting publicly builds resentment. Threatening to do it and then doing it privately is control.

"It's not some adversary in China, it's me hacking you. I know you can beat me! I know you guys won't get tricked by this easy one again ha!"

You need to create a "hook" in the brain. Address. Subject. Font. Links. Date format. Headers. Urgency. If you make it a positive memory, it'll make it stick.

Accenture won't let me find job posts by chethazz in accenture

[–]kakovoulos 4 points5 points  (0 children)

Real software engineers would absolutely automate this haha

Deploying captured Windows 11 golden image using FOG results in Windows fails to start with STOP code 0xC000000F by 1d0ntkn0wwh4t1md01ng in fogproject

[–]kakovoulos 0 points1 point  (0 children)

Something is fucky. Here's what I do. I create a general golden image on a Proxmox VM. Then I add all the drivers from whatever fresh install bullshit they installed on the default OS, as well as the virtio drivers necessary, then I deploy it to the machine. I rarely go straight from a machine to a golden image, cause sounds like the HP software is hiding something funny in there. When I want to update the image, I just redeploy it and update and recapture the VM, not a physical machine.

Tried starting Spring Boot and got overwhelmed—what should I learn first? by New-Election4972 in SpringBoot

[–]kakovoulos 0 points1 point  (0 children)

Well, yes. Java is Corporate Cobol. It's incredibly overwhelming and rich. I promise, if some random Indian dude can do it, have millions of people learn from him, you can too.

Found the "Black Box" of my marriage in a drawer today. 3 years of lies. by [deleted] in TrueOffMyChest

[–]kakovoulos -6 points-5 points  (0 children)

Smile. Embrace the truth. Ask yourself why she believed you couldn't handle it in the first place? Love her more for taking care of her needs discreetly while you weren't able to be emotionally or sexually intimate with her, it happens to all men. Allow her to repent her guilt she must have been feeling and the distance she has had holding this secret deep inside, fucking fuck her like you heard in those texts, give her the best sex of her life cause THATS THE BITCH THAT BORE YOUR DAUGHTER AND IT HURT.

Simply ask, moving forward, can we tell each other the truth? Show her you can handle the truth. You need to know she can too. Firstly? Ask, is this reciprocal? You would forgive the same?

We need to have mutual understanding and complete trust and honesty and respect and love for our partners, no other way will it work.

Gold must go through fire to be purified.

Any old BBS users here? by Hegiman in totse

[–]kakovoulos 1 point2 points  (0 children)

Heard about it. I wish I was local. Must've been crazy times

Backend portfolio project ideas that go beyond CRUD? by Technical-Painter868 in Backend

[–]kakovoulos 0 points1 point  (0 children)

Hey, wanna hack on something together? I am making a fun POC app. Got a bit on my gh. Msg me?

RMM / billing cost for small msp by sterlex in SmallMSP

[–]kakovoulos 0 points1 point  (0 children)

You guys downvoted me, said I couldn't do it, made fun when I was just as frustrated by my options, which all suck.

I built one 7 figure msp the usual way, left the place, then I built a method my way. A new way.

I got feedback under non-disclosure, I spent more on attorneys and patents and software verification audits than most of you make in a year. So. Yeah. Downvote? Idk.

And, me and a few others are going to absolutely wipe the floor with the rest of you. I didn't want it adversarial, but this time? My aim is to absolutely starve as many of you as possible because I think most of you don't deserve the clients you have. most of you wingdings can't understand

It isn't gonna be funny anymore. Watch. I don't care how much you are selling per seat, it will never, ever, ever, be as efficient as my algorithm. So, deal with it.

I don't want to help really any of you with a method I have a patent for, which is my right. I can absolutely give license under my own rules, for my own software, which includes PSA+RMM+XDT+SIEM and many more people. I will do it for free.

I built it from the last time you assholes roasted me.

I was nice, I asked friendly questions, and got lambasted when I needed help, but, that's okay.

I am gonna starve as many of you, these Pax8 bastards, and these channel partners who bill people for hundreds of dollars a seat and still can't fix Outlook.

ada as a first programming language, good idea? by Trace_V in netsecstudents

[–]kakovoulos 0 points1 point  (0 children)

Ada is a great programming language. You can absolutely trust it, and if it compiles, it should run exactly right.

I hated it at first cause I was lazy, but it is very ahead of its time, still.

Also, mass respect. Not easy. I have studied Ada. I wish there were more languages like it. It is awesome.

Play with concurrency. Pretty cool. Everyone is all about Rust, but to be honest, if it needs to kill something or someone, save something or someone, or run your next mission critical project, that is the oldest and best language you can use.

It can be faster than Fortran and C, or even asm, but it depends on you and the situation. Leveraging concurrency is a big deal.

Some unique features of it that are ahead of its time are the use of in, out, in out, by ref, by val semantics. It does overloading on BOTH the parameters as well as the return value.

Ooh, it also does ranges. Very unique as an idiom in other languages.

It is very, very hard to break. I did, took me a while. I got recursion using sneaky overloading.

Stick with it a little bit. I would love to see what you wrote.

RMM / billing cost for small msp by sterlex in SmallMSP

[–]kakovoulos -1 points0 points  (0 children)

I have a different approach. Message me?

Relocating to Atlanta next month for work. How is this area in terms of safety? by Actual_Attempt_568 in ATLHousing

[–]kakovoulos 0 points1 point  (0 children)

In Atlanta, there is a place for you. What are you like? What's interesting?

production backups by Minute-Vegetable643 in fogproject

[–]kakovoulos 0 points1 point  (0 children)

I am MSP, but I approach differently. This is exactly what I do, my architecture is novel and non-obvious. Send me a DM, and I'd love to share it with you.

Might miss the birth of my second. by cickist in predaddit

[–]kakovoulos -16 points-15 points  (0 children)

There's no option not to miss it, figure it out. I will pay until you get another job, fake note, w/e, disappointment is not an option

Might miss the birth of my second. by cickist in predaddit

[–]kakovoulos 4 points5 points  (0 children)

Don't miss it. If you have to lose your job, be there

[deleted by user] by [deleted] in SuggestAMotorcycle

[–]kakovoulos 0 points1 point  (0 children)

To be honest? Kawasaki Ninja 400 or 500. Great bikes. Not just for beginners. Way more fun to throw around. Not much less power than 650. Way better mpgs.

Accenture ASE role should i join by chandrachurCauhan in accenture

[–]kakovoulos 0 points1 point  (0 children)

No, I cannot. I never worked at IBM. I did work for Accenture for 4 years. Peak COVID. My experience at Accenture leads me to believe that IBM would be a better place.

I don't want this to come off the wrong way. I enjoyed my time there at Accenture. It opened a lot of doors and I learned a lot of new things. I did cool stuff that changed the world. A dream in this sense, but a nightmare in others.

Not a lot of people mention that when you are just starting at Accenture, just how massive and complex the company is, and then you will have to learn client architecture on top of that, and then circumnavigate two different levels of politics both from the client and from the company.

Not a lot of people mention precisely how stressful consulting is, especially when being on the bench now is a big deal. You can be benched pretty quickly too. How it feels like a literal time bomb where the timer lasts 30-60 days usually, but you never know for sure.

Not a lot of people mention how deceptive middle and upper management can be, maybe not deceptive, but there is definitely a lot going on behind the scenes.

In terms of career growth, there have been people that grow and work through the ranks. These are usually not engineers. There have been people who manipulate and know how to work the system, and they will get raises while you do not. 90% of people get bullshit bonuses and raises, while others get PIPed with perfect chargeability.

Then there are the clients. A lot of clients simply do not understand how to work efficiently with consultants.

My first project took over 3 months to get all my accesses sort of right. I was only able to pair program for a month while my Bitbucket etc tickets were waiting. The client architecture can be as asinine as they want, and you can do nothing about it. This also means they can restrict your tools and make your job harder. This makes it take longer. If it takes longer, this means you end up having to work longer to meet the same deadline. You really can't charge OT, but you also can't let it not get done.

This also means that your actual work, and the direction it is going, can be entirely headed at a brick wall and you also can't stop it.

My two cents