
Click Happens: The Case for Realistic Govt. Phishing Drills

With AI-generated scams evolving, state security and technology officers said now is not the time to soften training — even if it stings. Realism may draw criticism, but it can also drive engagement.

As phishing attacks grow more sophisticated with AI-generated lures, social engineering tactics and evolving delivery methods, state cybersecurity leaders are facing a new challenge: designing realistic simulations that actually prepare staff without crossing a line.

While some employees push back on what they see as too realistic or deceptive training exercises, state security leaders say there’s no room for sugarcoating when one click can bring down an entire system.

“In the commonwealth, we’re not seeing those classic poorly worded phishing attempts anymore,” Jason Snyder, Massachusetts CIO, said. “So, we’ve implemented mandatory training every year for every employee, and we send monthly phishing exercises that look and feel real — because that’s what attackers are doing.”

A recent Massachusetts simulation disguised itself as a promotional offer from a major chain, complete with a QR code and a clickable link. The bait? A free cup of coffee for state employees.

“We try to time these simulations with the calendar — you’ll see winter things, fall things — all designed to look real and accurate,” Snyder said. “Only about 3 percent clicked or scanned the QR code — but even one is too many. Our goal is zero, but we’ve had as high as 14 percent in other simulations.”

That realism occasionally draws criticism, the CIO acknowledged, but it also drives engagement.

“We do get some complaints — people say the simulations feel too real, or they ask why we’re doing them at all,” he said. “In those cases, we take the time to explain the purpose behind it, and usually that clears things up. Occasionally, people are just frustrated about getting another message in their inbox.”

However, there is also positive feedback, which is due in part to the state’s unique approach to simulations.

“We’ve gamified it in a way,” he said. “People want to be the first to spot a fake.”

Indiana’s approach echoes some of the same strategies — monthly training, realistic simulations and targeting staff across the employment life cycle — with a focus during onboarding and offboarding.

“We’ve tried to embed training across the life cycle, starting with new hire training, because those who are relatively newer to the organization are more at risk,” Indiana’s Chief Information Security Officer Hemant Jain said. “When you’re newer, you’re trying to be responsive as much as possible to please your team or your boss. Sometimes, they may not be fully aware as to what’s legitimate or not and don't understand the context of what they’re seeing.”

Their training programs aren’t about punishment, both leaders emphasized — they’re about awareness.

“This is a learning exercise, and we continue to get better by really understanding what's driving employees to click on an email or open up a link or an attachment,” Jain said.

Cybersecurity expert and former CISO Dan Lohrmann agreed.

“Practice makes perfect, and phishing simulations offer the opportunity to practice responding to a variety of different scenarios,” Lohrmann said. “In recent years, I have seen orgs test more than just email, adding vishing [voice phishing] as well as text phishing and other new twists.”

Lohrmann, who writes weekly on cybersecurity for Government Technology, said agencies are moving in the right direction by imitating what people see in real life and testing against that. But when exercises feel too real, employees can feel blindsided or embarrassed, so the simulations become not just a technical challenge but a human one.

“Phishing is a human-targeted attack,” Jain said. “It's about emotions. It's about urgency. It's about fear. It's about curiosity. So, we’ve had to redesign the training to mimic or mirror that human element.”

By focusing on psychological triggers, Indiana’s program aims to build resilience, not resentment. That means explaining the ‘why’ behind each simulation, framing failures as learning opportunities and promoting a sense of shared responsibility, not shame. That human-centered approach has been particularly effective as phishing threats begin to hit closer to home.

“We are seeing this happening, smishing about unpaid tolls, etc.,” Jain said. “I was talking to somebody last week and they said, ‘This thing showed up and my daughter got this, and my son got that.’ So once it starts hitting personal life, that awareness is much stronger.”

Fortunately, the state CISO said, skepticism about simulations fades as phishing becomes more personal.

“Now you are starting to have a lot of folks understand the value of what we’re doing and how we’re doing it. And for some of the feedback, it’s been that we need to phish more. We need to test more,” Jain said. “This is not a gotcha exercise. This is really about, let’s be aware of the fact that everyone’s a target, and it’s not personal.”

It’s a tough balance, Lohrmann said, but security leaders need to know their culture and know how hard to push: “Make it relevant for different audiences at different times of the year and change it up regularly. You can’t keep doing the same thing and expect a different result.”

He also recommended choosing the right response when someone fails a test. Praising in public and disciplining in private, he said, is a good rule of thumb. And while some agencies assign extra training to “repeat offenders,” he warned this can backfire if overused.

He also emphasized that strong training needs the right infrastructure. Mandating multifactor authentication and restricting external messaging in collaboration tools, he said, are good practices, along with combining policy, people and technology to be effective.

As phishing tactics continue to evolve, technical defenses alone aren’t enough. What makes the biggest difference, leaders said, is creating a culture where awareness is everyone’s job — and where empathy and education go hand-in-hand with realism.

“There’s no technical vulnerability that’s being exploited here,” Jain said. “It’s the human element.”

Ashley Silver is a staff writer for Government Technology. She holds an undergraduate degree in journalism from the University of Montevallo and a graduate degree in public relations from Kent State University. Silver is also a published author with a wide range of experience in editing, communications and public relations.