
Why Cybercriminals Are Like Trout

  • Writer: John R Childress
  • Apr 16
  • 5 min read

Four lessons every business leader and CISO should learn from fly fishing

"Why push on a locked door when there's an open window?"

Any seasoned fly angler will tell you that trout are highly selective, continuous feeders. Their entire survival strategy centers on conserving energy, staying close to a safe holding place, and getting the maximum protein intake for the minimum movement. To fool a wily trout, the angler "matches the hatch," presenting an artificial fly that resembles whatever the trout are currently feeding on, drifted right past the fish's nose.

Cybercriminals behave exactly the same way.

They rarely waste time and resources hammering a company's firewall. As cybercrime has become more and more professionalized, controlled by criminal gangs and nation states, it has become highly targeted. The modern attacker looks for the easiest and quickest way through your defenses, and that path almost always runs through a human being.


  • 88% of cyber breaches are caused by human error, poor cyber hygiene, mismanagement or insider actions.

  • 2% is the share of most cybersecurity budgets spent on the employees who are the actual attack surface.

  • 10x is the total cost of a breach, in downtime, lost revenue and reputation damage, compared to the ransom itself.

Here are four parallels between the river and the boardroom that every leader should understand.

1. Trout and Hackers Both Conserve Energy

Attacking firewalls wastes time and energy

Trout hold in slow water behind rocks, waiting for food to drift to them. They do not chase. They do not waste calories. Cybercriminals operate on the same logic. Rarely do they waste time, energy, and resources bombarding a company's firewall. Cybercriminals today look for the easiest and quickest way through a company's security defenses, often focusing on individual employees using an approach called social engineering.


The implication for business leaders is uncomfortable: the most expensive part of your security stack is probably not where the attack will land. The attack will land in an inbox, on a phone, or in a hurried conversation with a deepfake pretending to be the CFO.

2. They Both Match the Hatch


Generic phishing fails. Tailored phishing succeeds.

A good fly angler studies the insect life on a specific stretch of river, the feeding times, the water temperature, and even talks to local guides before tying on a fly. Cybercriminals do their homework in exactly the same way.


A cybercriminal spends a great amount of time researching the company they are targeting. They scour LinkedIn profiles, search company websites for the names and titles of employees, gather information about employees on Facebook, Tinder, Instagram, Snapchat and other social media platforms. In many cases, employee emails and other confidential information can be easily and cheaply purchased from other criminal groups on the Dark Net.


They then impersonate a senior executive and demand that a lower-level employee (often in finance) wire money immediately to a fake client account. All too often, when the "urgent" email from a named senior executive hits the inbox, the employee complies. The fly looked real enough.
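The pattern described above (an executive's name on the From line, a reply path that quietly leads elsewhere, and pressure to move money now) is exactly what a mail-screening rule in a finance team's inbox can look for before a human has to decide. The following is an added example, not code from the original post or from the author's company; the company domain, the executive directory and the two messages are constructed for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed directory data for the illustration; replace with your own.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {                              # display name (lower-cased) -> real address
    "jane doe": "jane.doe@example.com",     # hypothetical CFO
    "sam patel": "sam.patel@example.com",   # hypothetical CEO
}
URGENCY_TERMS = ("urgent", "immediately", "right away", "wire",
                 "transfer", "confidential")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between domains means a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_message(raw: str) -> dict:
    """Score one plain-text RFC 822 message; returns its findings and a verdict."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []

    # 1. Display name matches an executive, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        dom = domain_of(from_addr)
        if dom == COMPANY_DOMAIN:
            findings.append("executive display name on a different internal address")
        elif edit_distance(dom, COMPANY_DOMAIN) <= 2:
            findings.append(f"look-alike sender domain {dom!r}")
        else:
            findings.append(f"executive display name on external domain {dom!r}")

    # 2. Reply-To silently diverts the conversation to another domain.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"reply-to diverts to {domain_of(reply_addr)!r}")

    # 3. Pressure language typical of payment-fraud requests.
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        findings.append("urgency/payment language: " + ", ".join(hits))

    impersonation = any(f.startswith(("look-alike", "executive")) for f in findings)
    verdict = "hold" if impersonation or len(findings) >= 2 else "pass"
    return {"from": from_addr, "findings": findings, "verdict": verdict}


# Constructed sample messages (not real traffic).
SUSPECT_MSG = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <jane.doe.cfo@mail-relay.invalid>
To: ap@example.com
Subject: Urgent wire transfer

I need you to wire $48,000 to the new vendor account immediately.
This is urgent and confidential; please handle it right away and do not
discuss it with anyone until I am out of my meeting.
"""

LEGIT_MSG = """\
From: "Jane Doe" <jane.doe@example.com>
To: ap@example.com
Subject: Q3 board pack

Please find the Q3 board pack attached for review before Thursday.
"""


def run_demo() -> dict:
    """Screen both samples and return label -> verdict."""
    return {"suspect": screen_message(SUSPECT_MSG)["verdict"],
            "legit": screen_message(LEGIT_MSG)["verdict"]}


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MSG), ("legit", LEGIT_MSG)):
        result = screen_message(raw)
        print(label, result["verdict"], result["findings"])
```

The three checks are deliberately independent: a look-alike domain alone is enough to hold a message, while a diverted Reply-To or pressure language only counts when it coincides with another signal, which keeps a genuine "please pay this by Friday" from the real CFO out of the quarantine. In production the directory lookup would come from the identity system rather than a dictionary, and a held message should be routed to someone who can phone the named executive on a known number.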

3. They Both Target the Most Eager


New hires are easy prey. Peer learning is the best defense.

Experienced trout have seen dozens of artificial flies and learned to be wary. Less-fished or actively feeding trout are much easier to fool.


Cybercriminals know that new employees are easier to fool as well. This is especially true when cybersecurity training is minimal, and there is little peer-to-peer education about what to watch out for when it comes to email phishing and social engineering.


Remote and hybrid work has made this harder. When new hires cannot lean across a desk and ask a colleague, "Does this look legit to you?", the informal peer-to-peer learning that catches most phishing attempts simply does not happen. And in formal training classes, few employees want to be the one asking the "naïve" question.

4. They Both Hunt in Murky Water


Silence protects attackers. Transparency exposes them.

Trout in crystal-clear water are wary. They can see unnatural-looking flies coming and are harder to fool. In murky water, they lose that advantage. The same is true in your organization.


Clarity of water in a trout stream is easily equated with openness, transparency, and cross-functional communication in the corporate world. Learning from others and ongoing communication about attempted cyberattacks and successful breaches allow everyone to learn quickly and become more aware and accountable.


Yet 61% of cyber victims never report the incident. Shame, fear of blame, and opaque reporting processes keep the water murky, which is exactly the condition attackers need to keep exploiting undisturbed.

The Bottom Line: Build a Strong Human Firewall


98% of the cybersecurity budget goes to technology. 88% of breaches are caused by humans.

The math is not working. Technology is necessary but not sufficient. If cybercriminals act like trout, leaders need to think like savvy river guides: know the vulnerabilities and teach the next generation how to spot the difference between a real email or video and a fake one.


It's time senior leaders begin to prioritize the human firewall. Otherwise, cybercrime will continue to grow and pose an ever-growing threat to our global economy and way of life.

About the Author


John R. Childress is a leadership advisor, corporate culture consultant, and author with four decades of experience advising boards and executive teams across Fortune 500 and FTSE 250 organizations. He is co-founder of Senn-Delaney Leadership Consulting Group and Chairman of Pyxis Culture Technologies, whose data-driven platform helps organizations identify, map, and mitigate hidden risks in cybersecurity, safety, and conduct. He is also the author of Culture 4.0: The Future of Corporate Culture (LID Publishing, 2026) and co-author of Fly Fishing for Leadership (www.flyfishingforleadership.com).


Where is the murky water in your organization right now? The places where incidents go unreported and new hires are swimming without cover? I'd welcome your thoughts in the comments.

To see how Pyxis maps the hidden drivers of cybersecurity culture and turns them into measurable action, visit www.pyxisculture.com.

About PYXIS Culture Technologies

PYXIS Culture Technologies helps organisations understand and improve the drivers of performance, safety, and cyber resilience.

By combining deep research, operational experience, and advanced culture analytics, we help organisations close the gap between strategy and everyday behaviour.

Our approach is effective:

  • We treat culture as a systemic business issue, not an HR initiative.

  • We identify key internal business practices that create performance and risk challenges and provide effective solutions you can immediately implement.

  • We link organisational culture to business and financial metrics, showing a clear ROI for strengthening alignment and performance.

Connecting the dots

See how PYXIS helps organisations identify the conditions that weaken secure behaviour, encourage workarounds, and leave training carrying too much of the load.


Let's connect the dots

See how PYXIS models What-If scenarios to prioritise the fixes that move your numbers.
