Accepted Paper
Paper short abstract
Simulated phishing emails are cuckoo workflows that cause disruption to daily work. We observe that employees create loopholes, such as inbox rules, to detect and dismiss them automatically. These evasions keep work running smoothly while still producing metrics that appear compliant.
Paper long abstract
Simulated phishing attacks are a common method for teaching employees how to recognize and react to phishing emails. These simulated phishing emails insert themselves into everyday work email much like a cuckoo, an imposter demanding time and attention from workers. To create the cuckoo, security staff must bypass the organization's own spam filters and craft messages that use the same social engineering techniques used by criminal networks.
Drawing on interviews and observation with IT professionals, we explore how employees develop a range of loopholes to tame the cuckoo. Some use simple inbox rules to filter out unwanted messages. Others use the technical header information in emails to automate the workflow of phishing training, exploiting the same mechanisms that make the training possible. By automating the response to phishing training, employees avoid the disruption caused by remedial training and maintain the smoothness of everyday work.
The work of managing the cuckoo goes largely undetected. Dashboards used to monitor phishing training cannot differentiate between engagement and evasion. Whether an employee spots the phishing attempt in earnest or catches it through a loophole, both behaviors still produce metrics that assure compliance with cybersecurity obligations.
We argue that these loopholes are not failures of security culture but mundane techniques for stabilizing everyday work under the pressures of compliance. By tracing the interplay between cuckoo workflows and employee‑led evasions, we show how loopholes sustain organizational order even as they subtly undermine the interventions meant to reshape it.
Loopholes
Session 3