Taking the Pressure Off Employees When Protecting the Organization from Phishing Campaigns
Published 05/23/2025
Written by David Balaban.
At this point, it’s hardly news that the vast majority of cybersecurity breaches start with social engineering campaigns, most commonly phishing attacks. It’s not just breaches, either: according to some estimates, a whopping 45% of ransomware attacks begin with phishing campaigns, for example. Disrupting such cyberattacks early, at the social engineering stage, is an effective way to protect your organization from the oft-costly and damaging consequences of a breach.
There is a way to mitigate the risks of today’s highly effective, often LLM-assisted phishing attacks. A tailored phishing campaign runs on personal information: the more the attacker knows about their target, the more effective their phishing messages will be. Taking employees’ personal information out of circulation deprives attackers of their most valuable resource.
But first, let’s look at the two main types of phishing attacks and the most effective ways to protect organizations against them.
Spray N’ Pray Phishing Campaigns
The first kind of phishing attempt is the one most employees are familiar with. It involves bad actors who have little more than a list of email addresses, fishing for information they can use to craft more targeted attacks or, if they get very lucky, for login credentials that could give them network access or access to useful sources of information.
Since these phishing messages (typically emails) can’t be prepared with any specific employee in mind, they end up being notably generic. These are the typical ‘don’t get scammed’ messages that staff are warned about through routine cybersecurity training sessions. The following usual practices apply and work well.
Cybersecurity Education
Teaching employees to be cautious when opening attachments, following links, and responding to messages is crucial. Just as important, although more difficult, is teaching the team to analyze unexpected emails for signs of spoofing. These measures reduce the likelihood of people falling for generic emails and other messages, but do little to stop them from interacting with carefully crafted messages that seem to be coming from trusted colleagues, for example.
Phishing Simulations
Realistic simulations, when coupled with education, are the gold standard when it comes to hardening organizations against phishing attacks. Simulated phishing campaigns can show employees just how convincing phishing emails and other messages can be. They also give employees the opportunity to put into practice the skills they learn during cybersecurity training sessions. Finally, simulations can raise employees’ levels of awareness, keeping them more alert to anything that looks off and normalizing taking action when things don’t quite add up.
Technical Measures
Not all anti-phishing measures depend on conditioning workers to react correctly once a phishing message is in front of them. Some stop messages from reaching employees even after they have made it as far as the organization’s mail servers; others limit the consequences once a person has fallen for a phishing attempt and executed malicious code, followed a malicious link, or shared credentials.
Spam filtering provides guardrails against generic phishing emails, which, being unsolicited bulk mail, are spam by definition. Monitoring systems can identify suspicious network activity and alert IT staff when anything deviates from the norm. Access controls such as enforcing MFA on all accounts limit the damage that shared credentials can do, since a password alone is no longer enough to log in.
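The spoofing signs that training asks employees to look for (a Reply-To or bounce address that does not match the visible sender, a familiar colleague’s name on an outside address, an internal domain that fails DMARC) can also be checked mechanically at the mail gateway. The following is an added example written for this article, not code from the author or from any product it mentions. The organization’s domain (example.com), the staff names worth protecting, and the three sample messages are all constructed assumptions for illustration.

```python
import email
import re
from email.utils import parseaddr

# Assumptions for this example (not from the article): the organization's own
# mail domain and a few display names an attacker would be likely to imitate.
INTERNAL_DOMAIN = "example.com"
KNOWN_STAFF = {"dana lopez", "it helpdesk"}


def _domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_verdicts(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", hdr, re.IGNORECASE):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def spoof_indicators(raw_message):
    """Return a list of short finding codes for an RFC 5322 message string.

    An empty list means none of the checks fired; it does not prove the
    message is genuine (a well-resourced attacker can pass every check).
    """
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    return_dom = _domain(msg.get("Return-Path"))
    verdicts = auth_verdicts(msg)

    # Replies or bounces routed to a domain other than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    if return_dom and return_dom != from_dom:
        findings.append("return-path-mismatch")

    # Mail claiming our own domain in From: should always carry a DMARC pass.
    if from_dom == INTERNAL_DOMAIN and verdicts.get("dmarc") != "pass":
        findings.append("internal-domain-without-dmarc-pass")

    for mech in ("spf", "dkim"):
        if verdicts.get(mech) in ("fail", "softfail", "permerror"):
            findings.append(f"{mech}-{verdicts[mech]}")

    # A known colleague's name on an external address: the classic targeted lure.
    if display_name.strip().lower() in KNOWN_STAFF and from_dom != INTERNAL_DOMAIN:
        findings.append("display-name-impersonation")

    return findings


# Constructed sample messages for the example (not real mail).
LEGITIMATE = "\n".join([
    "Return-Path: <dana.lopez@example.com>",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com",
    'From: "Dana Lopez" <dana.lopez@example.com>',
    "To: sam@example.com",
    "Subject: Q3 budget sheet",
    "",
    "Sam, the updated sheet is on the shared drive.",
])

LOOKALIKE = "\n".join([
    "Return-Path: <bounce@bulk-sender.example>",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=none",
    'From: "Dana Lopez" <dana.lopez@example-com.co>',
    "Reply-To: <dana.lopez@mail-secure.net>",
    "To: sam@example.com",
    "Subject: Urgent wire for the vendor",
    "",
    "Sam, I need this paid before noon. Details attached.",
])

DIRECT_SPOOF = "\n".join([
    "Return-Path: <x@attacker.example>",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail header.from=example.com",
    'From: "IT Helpdesk" <helpdesk@example.com>',
    "To: sam@example.com",
    "Subject: Password expiry",
    "",
    "Reset your password here.",
])

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE), ("lookalike", LOOKALIKE),
                          ("direct spoof", DIRECT_SPOOF)):
        print(f"{label}: {spoof_indicators(sample) or 'no indicators'}")
```

The lookalike message is the one that training alone tends to miss: it passes SPF for the domain it was actually sent from, so only the Reply-To, Return-Path, and display-name checks fire. Treat the output as a score to route mail for quarantine or a warning banner, not as a verdict; a targeted attacker who controls a plausible domain with valid SPF and DKIM will produce an empty list here, which is exactly why the rest of the article argues for removing the information that makes such messages convincing in the first place.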
Targeted Phishing Attacks
Targeted phishing messages, though, are a different beast altogether. An employee may well check for signs of spoofing when confronted with a generic email from an unknown or ostensibly automated sender, but they’re much less likely to do so if the email seems to have come from a particular, known IT staff member, a trusted colleague, or even a superior.
Such emails don’t just have the right address in the “from:” field or the right graphics in the signature. They read as though they were written by the right sender: the tone, vocabulary, use of punctuation, and turns of phrase all fit. More than that, they may refer to information the recipient assumes to be confidential, known only to the genuine sender or the organization’s HR department.
These phishing messages are so carefully crafted that they can induce even high-ranking members of an organization to authorize the transfer of funds right there on the spot. Anti-phishing training really only comes into play once something seems off to an employee. Given enough information, an attacker can concoct a message such that the recipient legitimately sees none of the red flags that would normally prompt them to ask questions, dig deeper, or consult with their colleagues.
In other words, once this kind of message reaches the recipient, the odds of the attack being successful are all too high. Technical countermeasures like those described above might stop some attempts from getting through and might limit some of the potential damage, but, as the old adage goes, the bad actors only have to succeed once.
All of the countermeasures that work so well for generic, spray n’ pray phishing campaigns only come into effect after a phishing message has been created and sent. Many of them also fail in the face of messages that raise no red flags at all. When it comes to targeted phishing campaigns, the most impact an organization can have is at the stages before the message is drafted.
Before an attacker can tailor a message targeting a particular employee, they need some information on their target. The more information they have, the more convincing the message they can create.
Among the most likely sources of information for such an attacker are people search sites. Also known as people finder sites, these are a subset of data brokers: companies that generate revenue from the collection, sorting, analysis, and dissemination of personal information.
Removing employees’ data, or rather their data profiles – comprehensive collections of personal information compiled and sold by data brokers without their holders’ knowledge or consent – from the databases of these brokers can stop phishing attacks before they even get off the ground.
Employees’ names can still be found online, and their work emails can also be either found or deduced. But without the kinds of in-depth personal information on employees and their professional, familial, and social networks that data brokers provide, any phishing attempts will fall firmly within the spray n’ pray category.
Personal information removal services help organizations get their employees’ data removed from, and kept off, data brokers’ databases, depriving bad actors of the information they need to single out employees and tailor messages to them. It is a different approach to threat mitigation, and one that doesn’t rely on employees maintaining unrealistically high levels of alertness and diligence during the most mundane daily interactions.