Author: Fabrizio Di Carlo – CISO @ CyberMonks (Guest Article)
The Familiar CISO Conversation
There is a recurring conversation I have with other CISOs. It almost always starts the same way. They describe years of security awareness training, strong phishing simulations, tight email security, enforced MFA, and modern detection pipelines. Then, predictably, the sentence ends the same way. And phishing still works.
This is not about incompetence, laziness, or immaturity. It reflects a simple truth. Phishing evolved as we built defenses. We matured training, and attackers industrialized operations. They automated personalization. They scaled phishing. They adapted faster than we could educate. We built strategies that assumed human awareness could permanently compensate for adversaries who are constantly evolving.
Awareness Reached Its Limits
Awareness has absolutely helped. It has reduced risk, improved culture, and given employees the instinct to pause before clicking. But over the past few years, a plateau has become visible. Training fatigue has crept in and the novelty has worn off. At the same time, phishing has expanded far beyond naive emails. It now hides behind legitimate cloud services, QR codes, MFA fatigue prompts, OAuth consent tricks, convincing language models, voice deepfakes, and tailored social cues. This is not a 2015 problem being poorly managed. It is a 2026 problem being faced with 2015 assumptions.
The problem is now structural, not educational. Phishing succeeds not because users are careless, but because attackers have favorable economics. Campaigns are cheap to launch, easy to scale, and simple to iterate. Attackers can fail thousands of times at little cost, while defenders pay with time, attention, and incident impact. We react, they experiment. We detect, they optimize. Defense has remained largely passive.
Reverse-Phishing as a Shift in Strategy
If phishing has become industrialized, defense strategies cannot remain purely educational or preventative. This is where reverse-phishing comes in. Reverse-phishing is the deliberate use of deception within your own environment. Organizations introduce believable but safe identities, decoy mailboxes, and controlled credential environments. Attackers interact with something that looks real but exists to waste their time, expose their infrastructure, reveal their behavior, and generate intelligence that strengthens the rest of the security stack.
This is not hacking back or retaliation. It is legally sound defensive deception that shifts the power dynamic. Attackers are no longer operating against a silent victim. Their campaigns take longer. Their infrastructure becomes visible. Their patterns become observable. Every attempt produces data and every failure creates friction.
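As an added illustration (not the author's code, nor any CyberMonks tooling), here is a small Python sketch of the "generate intelligence" step described above: decoy identities seeded into a controlled credential environment are matched against authentication events, and every touch is folded into one profile per attacking source rather than one alert per attempt. The decoy addresses, the JSON-lines log shape (ts/user/src/ua/result) and the sample events are all constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

# Decoy identities seeded into a controlled credential environment (constructed
# for this example; no real mailbox or account is behind them).
DECOY_IDENTITIES = {
    "finance-ap@example.com": "decoy-mailbox-finance",
    "svc-backup@example.com": "decoy-service-account",
}

# Constructed authentication events (JSON lines), in the shape an identity
# provider or mail gateway might emit. One is a real user; three touch decoys.
SAMPLE_LOG = """\
{"ts":"2026-01-14T08:02:11Z","user":"alice@example.com","src":"203.0.113.7","ua":"Outlook/16.0","result":"success"}
{"ts":"2026-01-14T08:03:40Z","user":"finance-ap@example.com","src":"198.51.100.23","ua":"python-requests/2.31","result":"failure"}
{"ts":"2026-01-14T08:03:42Z","user":"svc-backup@example.com","src":"198.51.100.23","ua":"python-requests/2.31","result":"failure"}
{"ts":"2026-01-14T09:15:05Z","user":"finance-ap@example.com","src":"192.0.2.55","ua":"Mozilla/5.0","result":"success"}
"""

def decoy_hits(log_text):
    """One structured record per event that used a decoy identity. Nothing
    legitimate knows these identities, so every hit is a true positive."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        ev = json.loads(line)
        tag = DECOY_IDENTITIES.get(ev["user"])
        if tag is None:
            continue  # ordinary traffic, not decoy-related
        hits.append({
            "seen_at": datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")),
            "decoy": tag, "identity": ev["user"], "source_ip": ev["src"],
            "user_agent": ev["ua"], "result": ev["result"],
        })
    return hits

def attacker_profile(hits):
    """Fold decoy hits into one intelligence record per source IP (which decoys
    it probed, which tooling it used, when) instead of one alert per attempt."""
    by_src = defaultdict(lambda: {"decoys": set(), "user_agents": set(),
                                  "attempts": 0, "first": None, "last": None})
    for h in hits:
        p = by_src[h["source_ip"]]
        p["decoys"].add(h["decoy"])
        p["user_agents"].add(h["user_agent"])
        p["attempts"] += 1
        p["first"] = h["seen_at"] if p["first"] is None else min(p["first"], h["seen_at"])
        p["last"] = h["seen_at"] if p["last"] is None else max(p["last"], h["seen_at"])
    return dict(by_src)
```

The profile is the structured output the article contrasts with "endless alerts": one record per source, carrying the decoys it probed, the client tooling it used and the time window, ready to feed blocking and detection rules elsewhere in the stack.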
From Fixing Users to Engineering Resilience
This approach reframes the CISO conversation. Instead of endlessly trying to fix users, organizations focus on engineering resilience into the environment. Mature security programs already accept that prevention is imperfect, so systems are built to absorb, misdirect, and reduce impact. Reverse-phishing applies this same resilient mindset to the human layer of security.
Yes, concerns remain around legality and complexity. But deception inside your own infrastructure is fundamentally different from retaliation, and a well-designed reverse-phishing environment often reduces noise, because it produces structured intelligence instead of endless alerts.
Why This Matters Now
Phishing is not leaving. It is too effective, too cheap, and too psychological to disappear. We cannot train our way out of a problem that keeps reinventing itself. If attackers treat phishing as an industry, defenders must evolve to confront that industry. That means moving beyond protecting users alone and starting to influence attacker behavior. Organizations that recognize this shift early will stop merely surviving phishing and start actively shaping how it affects them.