The shame following a phishing attack is unjustified

About
Hulpartikel
identify
The shame following a phishing attack is unjustified
Every year, budgets are allocated for phishing training. Employees click on a fake email, receive a notification that they have "fallen for it," and are told to do better next time.
Rick Swinkels
Commercial Lead
Hulpartikel
identify
The shame following a phishing attack is unjustified
Every year, budgets are allocated for phishing training. Employees click on a fake email, receive a notification that they have "fallen for it," and are told to do better next time.
Rick Swinkels
Commercial Lead

Start making vulnerable passwords impossible today

Thank you for your request! We will contact you within 1 business day.
Please fill in all fields before submitting the form

Statistics improve slightly, the CISO reports progress to the board, and meanwhile, phishing remains the primary entry point for cyberattacks worldwide. The approach feels productive, but the numbers tell a different story.

According to the Microsoft Digital Defense Report 2025, identity-based attacks rose by 32 percent in the first half of 2025, with more than 97 percent of those attacks consisting of large-scale password attacks. AI has made phishing so convincing that click-through rates are now 4.5 times higher than with traditional phishing. The threat is growing, while the security industry continues to sell the same solution year after year.

Wij houden ons de hele dag bezig met inloggen. Daardoor zien we hoe vaak er spraakverwarring is: we gebruiken dezelfde termen, maar bedoelen iets anders. In een serie artikelen behandel ik daarom de basis.

Lees ook de andere artikelen in deze serie:

Four big names, millions of victims, (likely) the same cause

The past few months have shown what is at stake. At Odido, the personal data of more than 6 million accounts was compromised, presumably through unauthorized access to their Salesforce environment. At Booking.com, attackers gained access to customer reservation data by first deceiving hotel staff with a convincing phishing campaign, after which stolen credentials opened the door to the partner platform. In April 2026, Basic-Fit and Rituals followed, with each experiencing unauthorized access to customer data. Four big names, in a short time, resulting in millions of affected customers.

What these incidents have in common is not primarily a technical flaw in code or infrastructure, but a chain where access was gained through the human factor and compromised identities. Yet, the industry's response is almost always identical: the affected organizations advise customers to be alert to phishing and not to share sensitive information. In other words, the responsibility is shifted back to the people who have already become victims.

Responsibility is being placed in the wrong hands

Awareness training is based on the assumption that people are capable of distinguishing fake from real. That assumption is fundamentally flawed because attacks are now so sophisticated that it is objectively impossible to tell the difference. AI generates phishing messages that are flawless, context-rich, and personalized, compiled using publicly available information. 

If a security expert can no longer distinguish a fake message from a real one, it is unreasonable to expect an employee under work pressure to do so. Once you acknowledge that, the logical conclusion becomes inevitable: training that teaches people to recognize fake from real is solving a problem that cannot be solved technically through human discernment.

Yet we continue to invest in the same model. Employees are trained, simulated-attacked, assessed, and retrained. When things go wrong, the conclusion is quickly that someone wasn't paying enough attention. This shifts the responsibility for a structural technical problem onto the individual who happened to lose focus for a moment. That is not only unfair, it also solves nothing.

The technical solution already exists, but most organizations don't know it yet

What sets MindYourPass apart from other password managers is its methodology. Instead of storing a password and filling it in wherever requested, MindYourPass generates a unique password for every website that is inextricably linked to the exact URL of that site. That password is calculated based on three factors: the URL, the account, and a personal password for MindYourPass. If one of those factors changes, the generated password changes automatically.

That is exactly what happens during credential phishing. The URL of a phishing site always differs from the real site, no matter how small the difference. As a result, MindYourPass generates a different password on the phishing site than it does on the legitimate site. The attacker receives a password, but that password doesn't work anywhere. The damage that usually follows a moment of inattention is avoided.

Most password managers work differently: they check if a website is known to be malicious and warn the user before the password is filled in. This works reasonably well for known phishing sites, but new domains, cleverly disguised URLs, and attacks not yet in a database simply slip through. Furthermore, people often ignore warnings, especially when they are under time pressure or the situation feels familiar. In such cases, the password manager has done its job, but the attacker still gets the password. MindYourPass bypasses this problem entirely because its protection does not rely on retrospective detection, but is built into the way the password is generated.

The premise the industry refuses to address

As long as phishing sites yield usable passwords, phishing will continue to work. This is not news, but it is a conclusion the industry needs to act upon. If awareness training hasn't structurally improved the numbers for years, and attacks are only becoming more sophisticated due to AI, then the answer is not more of the same. The logical next question is not how to technically eliminate the damage of human error, but how to prevent the human error itself. Not by training people better, but by building a system where a mistake has no consequences because the stolen password simply doesn't work anywhere.

The solution exists on two levels, and that distinction is important. The first level is the email infrastructure: ensuring that phishing emails do not reach the user at all. Technologies such as DMARC, DKIM, and SPF, supplemented by AI-driven filtering, make it possible to intercept a large portion of attacks at the gate.

The second level applies to cases where that fails, because those cases will always exist. There, the question is not how to make the user more alert, but how to ensure that a phished password causes no damage. The user is caught between these two layers, and that is exactly where the industry has left them to fend for themselves for years. By taking both layers seriously, you provide structural relief to the user, instead of training them year after year on a problem that is technically solvable.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

“Juist de collega’s die in het begin sceptisch waren, werden later de grootste ambassadeurs,”- addsadasd

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

Get in touch with us.

Let MindYourPass make your organization safe.

Thank you for your request! We will contact you within 1 business day.
Please fill in all fields before submitting the form
Want to read more?
See other articles
More articles
The MindYourPass Solution

Log in securely with ease.
At home and at work.

Triple-i™ improvement method

Wachtwoordveiligheid meten om doelgericht te verbeteren

Elke verandering begint met het verkrijgen van volledig inzicht in de huidige situatie. Om vanuit daar met behulp van een concreet en praktisch plan toe te werken naar de gewenste situatie: het gebruik van kwetsbare wachtwoorden binnen jouw organisatie onmogelijk maken.

Learn more about Triple-i™

Learn more about cybersecurity

See all articles
Resource
Does a domain-bound password also protect against phishing and AiTM?
Hulpartikel
"We hebben SSO voor alle applicaties." Dit is waarom dat in praktijk zelden klopt.
Hulpartikel
Eigen digitale hygiëne een worsteling, zelfs voor security-professionals
Resource
MindYourPass launches updated dashboard with real-time insight into identity risks