Majority of Cyber Leaders Consider Dismissing Phishing Victims, Despite Admitting Their Own Mistakes
21 October 2025

According to the latest research from Arctic Wolf, a surprising 77% of IT and security leaders say they either have or would dismiss employees for falling for phishing or social engineering scams—despite many leaders admitting to similar lapses themselves. This marks an 11% increase from 2024 and reflects what the report calls a “hardening of attitudes” in cybersecurity leadership.
Phishing Still Rampant, Mistakes Widespread
Despite growing awareness and technological safeguards, phishing attacks remain a top security concern. Of the 1,700 leaders and users surveyed, 68% said their organisations experienced at least one breach in the past year. Alarmingly, only just over half have implemented multi-factor authentication across all user accounts—still considered a basic defence.
Education vs. Termination
Interestingly, the same report found that organisations focusing on education over punishment saw a notable 88% drop in long-term human risk. Arctic Wolf’s CISO, Adam Marrè, warns that firing staff might seem like a quick fix but fails to address the deeper issue. “Training and culture change are far more effective at reducing risk than disciplinary actions,” he said.
The Executive Double Standard
The report reveals a stark contradiction: while many leaders expect perfection from their teams, they often admit to their own missteps. Nearly two-thirds of those surveyed had clicked on phishing links themselves, and a fifth didn’t report it. Even more telling, 51% admitted to bypassing or disabling security protocols because they found them inconvenient.
Constructive Action Preferred
Although dismissal was considered by many, 60% of leaders said they opted for milder measures like restricting access or adjusting privileges instead of termination. Arctic Wolf sees this as a more realistic and positive step in addressing human error constructively.
Executives: The Primary Targets
Executives are increasingly in the crosshairs of cyber attackers. Arctic Wolf’s data indicates that 39% of executive teams were targeted by phishing, and 35% experienced malware infections, making them some of the most valuable targets due to their high-level access and decision-making authority.
Gaps Between Confidence and Capability
The report illustrates a widening divide between what leaders think and what actually happens. While most believe their organisations are phishing-proof, the statistics say otherwise—highlighting a disconnect between policy and real-world behaviour.
New Employees Most At Risk
A separate mid-2025 study by Keepnet found that 71% of new hires clicked on phishing links within their first three months, making them 44% more susceptible than long-tenured employees. Causes included unfamiliar systems and inconsistent onboarding training.
Why Retail Is A Hotbed for Attacks
Retail has been hit particularly hard, especially in the UK and Ireland. Factors include legacy systems, seasonal sales pressures, and large volumes of customer data—all of which make it an appealing target for scalable phishing campaigns.
Can Employers Legally Fire Phishing Victims?
In the UK, dismissal for clicking on a phishing email is technically possible but legally complex. Employers must demonstrate a valid reason—such as gross negligence—and follow fair procedures under the Acas Code. Without evidence of willful misconduct, such terminations could be challenged as unfair dismissal.
Silence Breeds Risk
The fear of punishment often leads to underreporting. One in five security leaders who fell for phishing admitted they never disclosed it—creating a dangerous blind spot. The UK’s National Cyber Security Centre promotes a no-blame culture to encourage immediate reporting and early mitigation.
Culture and Communication Matter
Experts say consistent leadership behaviour and open dialogue around mistakes help build resilient defences. Marrè argues, “Risk is shared across the business, and progress happens when staff feel safe to admit mistakes and learn from them.”
AI Elevates Phishing Threat
Phishing has also evolved. Microsoft’s 2025 Digital Defence Report highlights that AI-generated phishing emails now have a 54% click rate—over four times that of traditional scams. AI is being used to clone websites, craft targeted messages in local languages, and even replicate voices or deepfake communications, making attacks more convincing than ever.
Phishing Still Leads the Way in Cybercrime
Data from Verizon shows phishing is responsible for 73% of initial compromises, far ahead of other methods. Business email compromise, ransomware, and credential theft all frequently stem from simple human error—often by well-meaning users deceived by convincing lures.
The Path Forward
Arctic Wolf’s closing advice? Focus on leadership behaviour, continuous education, and transparency. The best defence isn’t zero tolerance—it’s zero shame. Organisations that foster openness, simulate real-world threats, and lead by example recover faster and face fewer incidents.
What Should Your Business Take Away?
This research presents a critical takeaway: punishing staff for falling victim to phishing attacks may feel assertive but can backfire. It erodes morale, suppresses reporting, and even invites legal trouble. Instead, investing in training and building a supportive culture yields better outcomes, both in resilience and reputation.
Ultimately, cyber security isn’t just about firewalls and filters. It’s about people. And the organisations that remember that are the ones best positioned to thrive in an ever-changing threat landscape.