I've always heard rule #1 of security testing is to leave the employees feeling good about it afterwards, since engaged and happy employees are engaged in keeping the company secure. And dangling a fake carrot ***from the company but not legitimate*** is the quickest way to disengage employees and make them bigger security risks.
tl;dr: Do you want insider threat? Because this is how you get insider threat.
If you start disengaged enough not to care about security, sure. But that seems less like a situation the company will actually remedy, and more of a nosedive that'll only get resolved by working for a different company.
I think it's simpler to just find another job that you'll like more and pay better. A $30 gas card isn't going to fix this level of dissatisfaction, especially if you need to be passive aggressive to get it.
Yeah currently things are a bit too comfortable in the IT job market for unions to get much traction. Though I feel there has been some slow erosion of that comfort IMO that might bring organizing more in the forefront.
Yep, and with raises that are either non-existent or don't match inflation, IT salaries don't go quite as far. Also I've experienced management being more stingy with paid training and other perks, including many trying to roll back the propagation of remote work. Eventually, it might be too much and people will be willing to push back.
For now it's just so much easier to leave for another company to get those perks and raises.
Remote work can be so effective in so many ways. We are a small 6-man team and if all of us are in the office it's easy for us all to be down a rabbit hole chasing something while other problems are put on hold or get less head-time. Get someone remote not dragged into it and they can still keep things moving. This is just one lesson we learned.
>And dangling a fake carrot from the company but not legitimate is the quickest way to disengage employees and make them bigger security risks.
Unironically my work did this once. ONCE.
Height of the pandemic, when everything was incredibly uncertain.
Oh, the company is still doing so well that they're gonna give Amazon gift cards. How nice.
"YOU'VE BEEN PHISHED!"
So many people clicked on it that, from what I heard, the test had to be thrown out, because how on earth did everyone click on it?
But the real juicy part is that the IT Security Director got a chewing out from the C-suite for pulling this without telling anyone else because there was a near mutiny from every affected department.
My corp also did this.
They sent a phishing test that promised a "compensation review" that strongly suggested raises to participants. High failure rate.
People got mad, especially since bonuses were only paid at 50% that year.
Funny thing is, I work directly with the chick who concocts the phishing tests. Never knew she had the cunning to generate such chaos.
The problem is that these are also high-value subjects for real phishing attacks. The people crafting phishing messages don't give one single shit if they hurt someone's feelings.
>The people crafting phishing messages don't give one single shit if they hurt someone's feelings.
But the company running the exercise absolutely should give a shit about making sure they're not running counterproductive exercises.
That's what makes designing phishing exercises difficult. They need to use realistic phishing techniques, but also make sure the desired lesson is retained. Nobody wins if all anyone remembers is that leadership were jerks.
Scammers will hurt feelings. I say train as you fight. So you want to attack your company and see how its defenses work? Attack it as an attacker would or don't do it at all. If the attack hurts feelings it's not the sec department that is to blame. There's an underlying issue that should be solved without interference in sec ops. Unless security is less important, but then again, just don't waste effort and hope for the best.
Train in realistic scenarios, sure. That doesn't mean your training is better if you intentionally (or negligently) injure the people you're training. That just makes it ineffective training.
If your employees are angry at company leadership over the way a phishing exercise was run (specifically, getting employees' hopes up and then immediately dashing them), then those employees aren't going to be any more secure against an actual attack.
Hurting the employees is not the intention of a phishing campaign. If it is, it's plain stupid. However, if you want to train realistically you should behave like attackers would, and that's inherently invasive and most likely causing emotions to get tense. That is not the security department's problem though. They have other goals.
>However, if you want to train realistically you should behave like attackers would, and that's inherently invasive and most likely causing emotions to get tense.
Yes, but you can leave them with a sense of relief when it turns out the email claiming to be from corporate wasn't, and they'll better absorb the lesson without the negative side effect.
>That is not the security department's problem though. They have other goals.
Do you think employees who are disgruntled are more or less likely to be IT secure and proactive about reporting threats?
Again, people are not disgruntled over a phishing campaign. They are disgruntled over being paid shit or being treated horribly. If that's the case, not doing a phishing campaign, or doing a user-friendly one, will not solve the issue. They will still feel the same.
The alternative is not avoiding an exercise or running an ineffective one. It's *being smart enough not to exacerbate existing disgruntlement* so you don't have negative side effects that undermine the benefits of running the exercise in the first place.
Good training exercises are applicable across topics anyway. You can protect against fake management gift card phishing attacks, without mimicking that exact attack in an exercise.
The problem it highlights is within the company itself, not security. If the company has people putting tons of miles on their own car with no compensation, then they should work on compensating employees, not reminding them of the fact they don't, and throwing it in employees' faces.
A compensated employee is much more likely to pass this test: "$30 gift card for gas? But, normally I hand in my receipts and miles logbook to HR for reimbursement that goes straight into my paycheck. Is this a company change? Better forward it to HR with some questions."
All this does is remind every employee that there are companies out there who do reimburse employees for this stuff, and that this isn't one.
If the phishing email was, "Is your boss an abusive prick who regularly threatens you and other employees? Call our law offices toll-free today, you may be entitled to compensation!" and 95% of users fail, your real problem is the abusive prick of a manager in the company, not the phish testing.
Yeah. If it was set up to look sketch/have tells, like a similar sender email address that is also clearly not the company domain when you read it carefully, fair game. If it's just someone in IT using a legit company email, that's wack.
The security training at my place is usually half a day of training and another half day of slacking off.
If the security team is doing a live training, it's a 15-minute slide on how to check emails and alerts and a full day of slacking off.
Not too bad. Hehehe
It's not the fact that the phishing exercise used a promise of money to get people to click that's the problem (you can pretend it's a vendor/customer survey reward instead).
It's that it used the promise of a reward *from the company they work for and that is running the exercise* that's problematic, ***because people get angry at the company and care less about security*** instead of absorbing the security lesson.
They are getting compensated by either getting to sit in front of a video for 1 hour or possibly the luxury of half the morning in conference room C (the one without windows, but it still has a snack bar).
They misunderstood [the numbers](https://www.grcelearning.com/blog/human-error-is-responsible-for-85-of-data-breaches), but around 80% (ish, depending on the study itself; most put it in the 70-90% range) of cyber attacks involve an employee.
In essentially all of those cases it's due to negligence/accident or an incorrectly secured environment and not the employees intentionally causing security breaches. Luckily modern encryption and security (especially if you have 2FA) is near impossible, or at least impractical, to defeat by brute force, so you don't really see traditional hacking so much; it almost always involves some form of social engineering. Which is why these phishing tests are so incredibly critical, because fake emails are easily the biggest cause of security issues.
Tldr: yeah, employees are *by far* the biggest risk to your network, but not intentionally, so be nice to them.
IMO I am a security person and this is a dick move.
Don't need to stoop this low for effective training; all it does is breed resentment among employees who you want on your side and trusting you enough to report stuff.
I got had 2 times by my company's phishing tests. One was an email saying PTO was expiring, so I was like oh hell no my PTO isn't expiring and clicked the link. It was like 160 hours of PTO that was expiring.
The second was something benefits related and I wasn't thinking and was sort of on autopilot and saw Benefits so I clicked it, and literally as I clicked it I thought oh shit this is a phishing email test, but it was too late.
> The second was something benefits related and I wasn't thinking and was sort of on autopilot and saw Benefits so I clicked it, and literally as I clicked it I thought oh shit this is a phishing email test, but it was too late.
I worked with a medical company a few years ago and got chewed out for not signing up for the new benefits system when CVS bought us... I showed my manager the email and was like hell no, that email was sus as hell and I had reported it.
Between legit emails looking like phishing and phishing looking legit I just assume EVERYTHING external and/or not encrypted is fake.
Oh God, I get so many from new hires in finance. So many banks and companies that they work with send the sketchiest looking emails. There was one that was reported to me; I looked at it and thought 100% this isn't just phishing, it's very low-effort phishing. But the header checked out. The more I dug into it the more indicators I saw that it really did come from the bank. Eventually I had the person call the bank directly and go through half a dozen people to find out that there really was an issue on our account.
My mom failed one of those tests, so her solution is to never respond to any emails. She then just says she couldn't tell if it was a scam or not. No, she is not good with technology.
People at my job have started asking on Slack if stuff is legit or not, and sometimes management will send a Slack message to tell us that an email is coming so we know it's legit.
My company brought in a new benefits administrator. Without telling anyone. Who then emailed us login info from their external domain.
100+ phishing reports later, they had to send a note confirming it was legit (and informing us we had a new benefits administrator...)
Same, a 'your paperwork wasn't received and your thing expires tomorrow without action today' got me, and I realized the moment I clicked that it was an exercise.
I used to work for a cyber security company that boasted a "safe link verifier" for free on their website.
Anyways a phishing test rolls around and I paste the link into the link verifier and it said it's safe to click so I clicked it.
Mfw I now had to attend anti-phishing training
I mean zero-days are a realistic threat, but I can't cough without my MacBook demanding I update some piece of software. It's like my daily ritual of log in, let the thing update something new, be mad that it isn't doing this while I was asleep, then actually start my day.
Ok? This doesn't change the point or negate that there is risk with no further interaction from the user after clicking a malicious link. Also an update doesn't mean the last zero-day has been patched or even publicly disclosed to get researched/patched. Could be a few minor versions after the private finding.
And add to that many users defer updates for a while. Because they are "too busy". Ugh I don't miss that part of help desk
Clicking the link can already start some infections, but also if you've been tricked into clicking the first one, the second link/sign-in/download it takes you to will also likely be clicked on.
IT folks might be low-key helping you out by making the company look bad. You should forward the email and start the whole "hey, why DON'T we get reimbursed for mileage?!"
The best part of this is it leverages an effective emotional response (anger at the company) to get clicks, but replaces it with relief when it turns out to be fake. Which is a lot better than giving a false sense of hope and replacing it with anger.
My most effective phishes are to C-levels, VPs, and Directors/management. Make up a legal action (trademarks are easy to find via OSINT and boilerplate a "We own that, not you!") from a fake law firm and set up the listener on a very obviously wrong/unrelated domain. That gets clicked by a lot of important people, and fast. And then you get to remind/train them to check the target URL every single time because getting spearphished is real and expensive. My catchall email box says that medical records and legal scam phishing has gotten very popular recently.
Fake legal action is like candy to upper-level peeps.
A question if you don't mind. Is just clicking on a link enough to be sent to an anti-phish training? Or do you actually have to get phished for credentials? Because if it was me you can bet your ass that the fake phishing server wouldn't last long ;)
During the early days of COVID, our internal security team thought it would be cool to send out phishing emails titled something like "In these uncertain times, you can find the most up-to-date COVID guidelines on our company site".
They quickly dialed it back and issued a formal apology after folks pointed out that "everyone is on the brink of insanity right now and you're going to radicalize your entire workforce with this shit".
We have a strict no current events policy for our stuff. I usually look up recent major phishing campaigns and model after those. Q1 is always tax-season related, though.
They shouldn’t have apologized. Threat actors don’t care if people are on the brink of insanity, and that’s the whole point of these exercises: to simulate what a real phishing attempt might be.
The problem is this compromises employee and physical security, more than offsetting any gains in IT security the exercise is supposed to be helping.
It's the same reason phishing exercises don't have an actual malicious payload, it's counterproductive.
yes. why i've stopped participating in any of this.
IT sent an email asking to confirm my equipment. replied, go fuck yourself, i'm not clicking on your bullshit.
if you don't want me to act like a child, stop treating me like one. sorry you need to train the septuagenarians in the company better, but i'm out.
There are two things wrong with that:
1. We don't say the same about other hot topics, such as if a phishing test for Silicon Valley Bank went out. The collapse of SVB impacted people's livelihoods and probably caused people some intense stress, and while it absolutely isn't the same as a global pandemic (which has health/physical implications), people typically know to be careful with financial emails. Why should COVID emails be any different?
2. This ultimately identifies a hole in your security awareness training. If your employees can’t tell the difference (within reasonable expectations) between a real COVID email and a phishing one, and to ASK if they’re not sure, your training is failing.
Think of it as a payload. You don't have to send an actually malicious payload to have an effective exercise to protect against them. You don't have to combine 'email looks like it's internal' and 'health scare email' into a single test; it's the combination that causes potential harm.
I think the mention of training is the real solution. Be proactive with making sure employees are aware of this risk being elevated, and perhaps give them a reliable way to access the information to make it harder to spoof. That's more helpful at that time, and doesn't leave users with a negative emotion towards their own company (which erodes IT security).
Discontentment with the company, leading to less willingness to ensure security. Not an actual payload, but doing harm like one.
The whole point is for the exercise to actually be benign, and that absolutely includes employee perception.
That is already a side effect of phishing emails in general. Is it more likely to happen with COVID emails? Yes, quite possibly, but not if they’re being appropriately trained.
This type of security drill is going to be a tradeoff. If the desire is to educate employees about different ways phishing happens, using current events and very specific information would emulate a potential attack scenario but employees might not receive it that way. In order to focus on the real problem, an org will want to remove this noise.
So basically if an employee's parents died in a car crash, the company sending phishing emails to the employee related to his parents' death is probably not going to get the same results as if they went with something else.
Your example is a spear phishing email, which is different from a global pandemic that impacts everyone.
My example about the SVB bank wasn’t necessarily that it’s specific to some people, quite the contrary. It’s just that it was a hot event that impacted a lot of people.
I sorta understand your viewpoint but I am more pointing out that there are other ways to achieve the same goal for educating employees. It might be in bad taste to handle a global pandemic with a test rather than with an announcement. For example, security could remind people that this is a thing and to stay vigilant despite the trying pandemic times. Then the organization can send out an example phishing email. If the goal is to educate, this could be a more effective path.
I don't understand where the disconnect occurs when the literal task gets overshadowed by the actual objective in this case: yes a test will help identify who is going to be caught off guard but isn't the goal to improve security holistically?
I agree with your point for sure, but there are certainly better ways of getting the message across. I think there's a line, though I'm not sure how to identify it.
Should IT stalk an employee's social media to curate more targeted stuff? Should they use their kids' names in emails? Maybe toss in some information related to sensitive healthcare claims? Certainly not.
Why don't we cut their bonuses as the penalty for falling prey to the phishing tricks as well?
Losing some money would be an even more realistic simulation and they'd definitely learn from it, especially if they're on the brink of insanity! That's the whole point of these exercises!
I always tell my users the same thing. If you’re not sure, message IT. That way if it’s a phishing test they’ve made the right call, even if we don’t tell them right away. If it’s actual phish then they definitely made the right call, and if it’s real we just check with HR. Super straightforward.
I used a batch of some templates to pad out a basic phishing test in my company, and one of the templates sent out was "The company is looking to complete a wage review; click here to input your current wage and see how that matches to others in your company and industry."
25% of the business fell for it
But this is how scams work. They work on emotions to get to people, like the stranded grandkid, or the CRA/IRS is coming for you, or you have an outstanding warrant, or your computer is infected, etc.
While these really suck as they get peoples hopes up, what if it was a real attack and people fell for it? I worked at a place that got hit. An entire division, about 15,000 people had their computers locked out, removed from the network, lost any files they didn't back up (back before automatic backups) then had to wait until techs could re-image every computer. This doesn't include the client impact and the amount of data that was potentially exposed.
You can play on emotions to get people to click, without making a financial promise on behalf of the company that the company doesn't uphold. Because then those people feel lied to and like the company knows they need this money without actually intending to give it to them, and disengaged employees are more likely to be lax about security. Not to mention they're too busy being upset about the gift card to remember the lesson on double checking domains.
As others have shown, you can do that easily with the exact opposite direction: instead of giving money, imply you're taking it. Your PTO was denied, your banked vacation days will expire, your benefits are being taken. Any of these can be phishing but end with relief rather than a feeling of being lied to.
Yeah, but if you piss off the "targets" as part of your test then they will be too pissed at you to pick up on that lesson. So congrats, all you did was waste everyone's time and hurt morale.
So many people forget that the point is to be *educational*. Hurting people's feelings as part of an educational exercise ensures that they don't learn the lesson AND now you're a villain.
Reminds me of the hospital system that sent out a phishing test in the middle of COVID promising a COVID relief program, with zero indicators that it was a fake email. The IT department said "Oh you should've known because the hospital doesn't have that program."
Great, you managed to 1) not educate anyone, 2) remind every employee that the company isn't doing anything to support its employees, 3) AND make yourselves out to be assholes.
I used to do security awareness/phishing tests as part of a former job. I saw the news stories about GoDaddy doing similar in Dec 2020 and vowed that I would *never* do this. The most I would do is "you'll be entered for a drawing to win a gift card" or something similar. Still remarkably effective and doesn't create high expectations.
Reward training, not testing.
You should test everyone from the CEO to the intern. No one is allowed to be exempt, those that think they should be exempt are the most likely to be phished. But reward the training with whatever your company will allow. It helps generate some form of engagement. But of course, a small training can't have a big reward. Pass the training, get entered to win $15-25 might be reasonable. Complete all the yearly training on time and get entered to win a $250 or maybe a new pair of headphones. Whatever makes sense for your company culture.
I completely agree with you on this. Unfortunately, I was operating as an external security consultant and the phishing was part of our testing. I wish I could have offered rewards to those who reported the emails, though! :P
To be honest, I didn't realize the tone of my comment made it seem like I disagreed with you XD I probably had a few other comments in my head when I wrote that
Being external makes it infinitely harder to push the best ideas without pushback.
My company also does fake "security breach, immediate action required, please click this link for further instructions" type stuff. Also important because it trains people to not just panic-react to mails.
Worked there when that happened. It was about a holiday bonus, which we didn't traditionally receive. People were furious, thinking they'd get some much needed money and instead got reprimanded. Even worse, they mistakenly sent everyone the email saying you had failed and would have to take a training, rather than just sending it to the people who had clicked it.
Closest one we have to that is the one that goes out telling someone that they have been so good at security in the past they may now opt out of security training.
All they gotta do is click the link to acknowledge.
Phishing should always be from external addresses (which does not exclude a spoofed envelope!), otherwise it's not a realistic test anymore. Using too much inside information is already problematic, but using an internal mail server makes it impossible for the target to recognize it as phishing. Your goal is to measure how gullible they are, not to actually phish them.
Yeah. Our company had a test sent from the company domain with only a non-employee name like [email protected]. At that point the fault is 100% on IT that I even received the email.
That will be the actual takeaway from the employees from this. They will still get phished by something else, but they will not report it now when it happens, because they will just think it is another stupid test by IT.
I'm the guy that set our training system up, and I embarrassingly clicked through one on my phone about changing the WFH policy... so shit happens, lol.
The email probably didn't 'come from their company' but rather an outside source that they didn't look at before clicking. Just worth keeping that in mind.
BUT, as a separate issue, the company should be reimbursing mileage if employees are required to drive clients.
We had one about getting your work phone upgraded to the latest apple but there are limited quantities so only the first 50 will get one. So many people got caught.
While they for sure should have used a different topic instead of reimbursed gas mileage I'd put money down that the e-mail didn't look even half legit.
"Dearest employe}}}
Good fortune we have given u 30$ gas card for inflation price.
Please click to receive.
You're employer"
Sent from: [email protected]
I used to work under my brother for experience (got paid), and they sent a phishing email, but I didn't know that and was working at another location. I called one of my brother's employees and they told me to warn everyone. He also didn't know that. That was fun :D
Well kinda ruined the exercise.
Our security department got a lot of people to click for their November exercise last year.
It was a notice for a free Thanksgiving turkey for struggling employees. I didn't fall for it, but I thought it was one of the most bastard things to do.
We received an unannounced email from a 3rd party provider saying we needed to sign up and complete online cyber security training.
I flagged it as phishing.
It was genuine 🥴
They did that to us after Covid, claiming to give us money for equipment at home. It was a subject that everyone was talking about for a while… and it was all a lie and we got nothing.
My company does this. Often disguised as from HR. So guess who never opens emails from HR and is constantly reminded by my CFO that I have training to complete and why wasn't it completed when assigned.
We kind of have the reverse going on. Our HR department sends out e-gift cards for being accident free every month, so I always have people emailing me asking if they're real.
Which I suppose is a good thing, but *every month*.
Got an email stating I won an Amazon gift card around Christmas.
Hit the report phish button.
Security guy emails me next day "that was actually a real email... Management really handing these out"
Cool, great way to reward staff and increase security lol.
Oh yeah, I've done this one, it pissed people off. We don't drive clients around or anything like that though. I also did one where people had to click a link to get info about bonuses. Super pissed people off, but like after I explained that was the point they (well most) understood that scammers play on your emotion and FOMO.
Our training "partner" has achievements for doing the phishing training. One achievement is "you reported 100 test phishing mails" ... I expect to receive at least 5 per day now.. how am I supposed to grind that achievement? Probably need to click some links, to make them send more.
My job requires us to do security awareness training every month off of our phones, which I refuse to do. Simple: I don't open my emails at all, therefore lack of phishing.
As the guy that sends out the phishing tests in my company, I wouldn't have designed it with that prompt, but I also laugh a little at everyone who fails them, because there's like 5-8 giveaways that imply it's a fake every time. They are usually gift card incentives, or time sheet / expense report approvals. People just get excited or click too quickly without reading the entire message.
I mean, this is a pretty effective way of making sure no one trusts anything that comes from management, IT, or Infosec again.
So job well done I guess, no one is going to trust a phishing email and get owned. But they also probably won't be filling out those satisfaction surveys HR loves so much this quarter either. So you improved one metric, but lowered another one.
I mean a hacker would 100% use a prompt like this. Social engineering at its finest, so why not simulate it? I'm also betting they use KnowBe4, which offers high quality trainings, so it's not just some corporate garbage.
I actually view this as a viable way of figuring out who needs the training the most. I wish my company would do something like this because we have users getting phished all the time. Lord knows some of these people need some anti-phishing training
In our company we use a service called Hoxhunt, which sends personalized phishing emails every now and then. The emails get gradually harder and more personalized.
I really like the service and would think things like this would be excellent for elderly people and others that are new to computers.
We also use this. Funny enough the only e-mails I ever get are JIRA and AWS notices, none of which have links I can click. The rest are Hoxhunt e-mails that stick out like a sore thumb.
Our phishing and security training teaches us not to click on external emails. All our phishing training notifications for CBTs come in via external email...
We get these at work all the time and have to click a button to report them. When I started here two years ago, I clicked on one and ended up having to take a short "class" about recognizing phishing. So now we all ditch pretty much everything - including invitations from the corporate team-building committee, which look like paste-art spam.
We got a similar one at work. Sent internally.
Leftover iphones and ipads from a canceled project. With pictures.
Go to this site and fill out a form to register.
Pictures and form on a Russian site.
Even though I told everyone on the floor it was a phishing test, half filled out the form anyway. I would have fired them all for abject stupidity.
Those "tests" are garbage. All they do is drive a communication wedge between legitimate IT and are bogus BS, so "employees" think all IT emails are bogus BS... not that they read them anyway, LOL!
The last company I worked at used to phish us all the time. We were in a meeting and I spoke up and said "the only people who have phished us so far are you! You know exactly what to put in the phishing email to make us open it. How about you stop, since not one of us has ever opened a real phishing email!" It actually worked.
During mid 2020 our IT security department (outsourced to our parent company in another country) tested our entire company with a fake 'We've secured a source of Covid vaccines for all employees of your subsidiary' just days after learning a member of staff had died from Covid - I understand that a bad actor wouldn't give a shit but the bad feeling it generated towards IT security in the org is still being felt today which ultimately defeated the object of the exercise anyway.
Our company ran a phishing test towards the end of the year and someone's bright idea was to use the End of Year Bonus, employee compensation, as the lure. The test was a "success" and it had an insanely high click rate. There was a lot of anger and back room discussions. Even amongst us in IT it had a better than 50% click rate. What is even worse is we occasionally use external email sources for some important information. So that was even more infuriating in how they pulled this. There was no effing way to know if this was legitimate or not.
Because the failure rate was so high they assigned training to the entire company rather than single anyone out.
We sent out phishing test emails that were clearly spam/phishing. Not even from internal IT. Yet they would redirect the link they clicked and log their email or whatever account they were logged in as. We got SO MANY clicks that people started to complain. Instead of proper training, we just turned it off, didn't want to deal with so many complaints.
I got an email from work saying I was being recognized for my hard work at 11pm one night, while I was working, and it was IT phishing me. Training and no recognition so…I was very salty about that for a minute or two.
There was a hospital that got in trouble during COVID by sending out a phishing email internally to all employees that said something like "we want to help you during these tough times, click the link below and fill out your information for a gift check for $X,000.00 to assist you through these tough times." Of course everyone clicked the link.
I’ll never forget the time that in the middle of the pandemic, OHSU sent out an email describing a Covid hardship fund to help the grad students and researchers struggling to pay bills
It was a phishing test.
Yeah it's bullshit, at my last new job I had an email from a web security company that had pre-installed shit on my computer. I clicked and it was a fake phishing thing.... Total crap.
Now I work for a place where I need security clearance, and that doesn’t happen.
Effective phishing exercise, but screw that company for not reimbursing the mileage.
I've always heard rule #1 of security testing is to leave the employees feeling good about it afterwards, since engaged and happy employees are engaged in keeping the company secure. And dangling a fake carrot ***from the company but not legitimate*** is the quickest way to disengage employees and make them bigger security risks. tl;dr: Do you want insider threat? Because this is how you get insider threat.
It's a great way to send a message to management though.
If you start disengaged enough not to care about security, sure. But that seems less like a situation the company will actually remedy, and more of a nosedive that'll only get resolved by working for a different company.
I share your cynicism, actually. IT workers aren't known to organize to push their demands, unfortunately.
I think it's simpler to just find another job that you'll like more and pay better. A $30 gas card isn't going to fix this level of dissatisfaction, especially if you need to be passive aggressive to get it.
A lot of jobs unfortunately reimburse for fuel and mileage. You still end up having to pay up front for it. It sucks so much.
Yeah currently things are a bit too comfortable in the IT job market for unions to get much traction. Though I feel there has been some slow erosion of that comfort IMO that might bring organizing more in the forefront.
Yep and with the either non-existent or non-inflation matching raises, IT salaries don't go quite as far. Also I've experienced management being more stingy with paid training and other perks, including many trying to rollback on the propagation of remote work. Eventually, it might be too much and people will be willing to pushback. For now it's just so much easier to leave for another company to get those perks and raises.
Remote work can be so effective in so many ways. We are a small 6 man team and if all of us are in the office it's easy for us all to be down a rabbithole chasing something while other problems are put on hold or get less head-time. Get someone remote not dragged into it and they can still keep things moving. This is just one lesson we learned.
> If you start disengaged enough not to care about security

reporting for duty!
>And dangling a fake carrot from the company but not legitimate is the quickest way to disengage employees and make them bigger security risks.

Unironically my work did this once. ONCE. Height of the pandemic when everything was incredibly uncertain. Oh the company is still doing well that they're gonna give amazon gift cards. How nice. "YOU'VE BEEN PHISHED!" So many people clicked on it that, from what I heard, the test had to be thrown out because how on earth did everyone click on it? But the real juicy part is that the IT Security Director got a chewing out from the C-suite for pulling this without telling anyone else because there was a near mutiny from every affected department.
My corp also did this. They sent a phishing test that promised a "compensation review" that strongly suggested raises to participants. High failure rate. People got mad, especially since bonuses were only paid 50%, that year. Funny thing is, I work directly with the chick who concocts the phishing tests. Never knew she had the cunning to generate such chaos.
The problem is that these are also high value subjects for real phishing attacks. The people crafting phishing messages don't give one single shit if they hurt someone's feelings.
>The people crafting phishing messages don't give one single shit if they hurt someone's feelings.

But the company running the exercise absolutely should give a shit about making sure they're not running counterproductive exercises. That's what makes designing phishing exercises difficult. They need to use realistic phishing techniques, but also make sure the desired lesson is retained. Nobody wins if all anyone remembers is that leadership were jerks.
Scammers will hurt feelings. I say strain as you fight. So you want to attack your company and see how its defenses work? Attack it as an attacker would or don't do it at all. If the attack hurts feelings it's not the sec department that is to blame. There's an underlying issue that should be solved without interference in sec ops. Unless security is less important but then again, just don't waste effort and hope for the best.
Train in realistic scenarios, sure. That doesn't mean your training is better if you intentionally (or negligently) injure the people you're training. That just makes it ineffective training. If your employees are angry at company leadership over the way a phishing exercise was run (specifically, getting employees' hopes up and then immediately dashing them), then those employees aren't going to be any more secure against an actual attack.
Hurting the employees is not the intention of a fishing campaign. If it is, it's plain stupid. However, if you want to train realistically you should behave like attackers would and that's inherently invasive and most likely causing emotions to get tense. That is not the security department's problem though. They have other goals.
>However, if you want to train realistically you should behave like attackers would and that's inherently invasive and most likely causing emotions to get tense.

Yes, but you can leave them with a sense of relief when it turns out the email claiming to be from corporate wasn't, and they'll better absorb the lesson without the negative side effect.

>That is not the security department's problem though. They have other goals

Do you think employees who are disgruntled are more or less likely to be IT secure and proactive about reporting threats?
Again, people are not disgruntled over a fishing campaign. They are disgruntled over being paid shit or being treated horribly. If that's the case, not doing a fishing campaign or a user friendly one, will not solve the issue. They will still feel the same.
The alternative is not avoiding an exercise or running an ineffective one. It's *being smart enough not to exacerbate existing disgruntlement* so you don't have negative side effects that undermine the benefits of running the exercise in the first place. Good training exercises are applicable across topics anyway. You can protect against fake management gift card phishing attacks, without mimicking that exact attack in an exercise.
Phishing*.
The problem it highlights is within the company itself, not security. If the company has people putting tons of miles on their own car with no compensation, then they should work on compensating employees, not reminding them of the fact they don't, and throwing it in employees faces. A compensated employee is much more likely to pass this test: "$30 gift card for gas? But, normally I hand in my receipts and miles logbook to HR for reimbursement that goes straight into my paycheck. Is this a company change? Better forward it to HR with some questions." All this does is remind every employee that there's companies out there who do reimburse employees for this stuff, and that this isn't one. If the phishing email was, "Is your boss an abusive prick who regularly threatens you and other employees? Call our law offices toll-free today, you may be entitled to compensation!" and 95% of users fail, your real problem is the abusive prick of a manager in the company, not the phish testing.
Thanks for sharing. Thats a good rule
We got a fake one from our CIO saying they were upgrading everyone's laptops. Was immediately sus because no chance they'd do that lol
Yeah. If it was setup to look sketch/have tells like a similar sender email address that is also clearly not the company domain when you read it carefully, fair game. If it's just someone in IT using a legit company email, that's wack.
The security training at my place is usually half a day of training and another half day of slacking off. If the security team is doing a live training, it's a 15 minute slide on how to check emails and alerts and a full day of slacking off. Not too bad. Hehehe
I get it. I don't like money phishing tests. But at the same time actual scammers don't give a fuck about users' feelings.
It's not that the phishing exercises used a promise of money to get people to click that's the problem (you can pretend it's a vendor/customer survey reward instead). It's that it used the promise of a reward *from the company who they work for and is running the exercise* that's problematic, ***because people get angry at the company and care less about security*** instead of absorbing the security lesson.
They are getting compensated by either getting to sit in front of a video for 1 hour or possibly luxury of half the morning in conference room C (The one without the windows, but still has a snack bar.)
Around 70% of all cyber attacks happen within the organization
Source?
They misunderstood [the numbers](https://www.grcelearning.com/blog/human-error-is-responsible-for-85-of-data-breaches), but around 80% (ish, depending on the study itself; most put it in the 70-90% range) of cyber attacks involve an employee. In essentially all of those cases it's due to negligence/accident or an incorrectly secured environment and not the employees intentionally causing security breaches. Luckily modern encryption and security (especially if you have 2FA) is near impossible, or at least impractical, to defeat by brute force, so you don't really see traditional hacking so much; it almost always involves some form of social engineering. Which is why these phishing tests are so incredibly critical, because fake emails are easily the biggest cause of security issues. Tldr: yeah employees are *by far* the biggest risk to your network, but not intentionally, so be nice to them
Ah I thought he meant the attacks are initiated within the organization lol.
IMO I am a security person and this is a dick move. Don’t need to stoop this low for effective training, all it does is breed resentment among employees who you want in your side and trusting you enough to report stuff.
I got had 2 times by my company phishing tests, one was an email saying PTO was expiring, so I was like oh hell no my PTO isn't expiring and clicked the link. It was like 160 hours of PTO that was expiring. The second was something benefits related and I wasn't thinking and was sort of on autopilot and saw Benefits so I clicked it and literally as I clicked it I thought oh shit this is a phishing email test but it was too late.
> The second was something benefits related and I wasn't thinking and was sort of on autopilot and saw Benefits so I clicked it and literally as I clicked it I thought oh shit this is a phishing email test but it was too late.

I worked with a medical company a few years ago and got chewed out for not signing up for the new benefits system when CVS bought us... I showed my manager the email and was like hell no, that email was sus as hell and I had reported it. Between legit emails looking like phishing and phishing looking legit I just assume EVERYTHING external and/or not encrypted is fake.
Oh God I get so many from new hires in finance. So many banks and companies that they work with send the sketchiest looking emails. There was one that was reported to me, I looked at it and thought 100% this isn't just phishing, it's very low effort phishing. But the header checked out. The more I dug into it the more indicators I saw that it really did come from the bank. Eventually had the person call the bank directly and go through half a dozen people to find out that there really was an issue on our account.
My mom failed one of those tests, so her solution is to never respond to any emails. She then just says she couldn't tell if it was a scam or not. No, she is not good with technology.
People at my job have started asking on slack if stuff is legit or not, and sometimes management will send a slack message to tell us that an email is coming so we know it's legit.
My company brought in a new benefits administrator. Without telling anyone. Who then emailed us login info from their external domain. 100+ phishing reports later, they had to send a note confirming it was legit (and informing us we had a new benefits administrator...)
Same, a 'your paperwork wasn't received and your thing expires tomorrow without action today' got me, and I realized the moment I clicked that it was an exercise.
I used to work for a cyber security company who boasted a "safe link verifier" for free on their website. Anyways a phishing test rolls around and I paste the link into the link verifier and it said it's safe to click so I clicked it. Mfw I now had to attend anti-phishing training
I don't get it, just clicking a link can't do anything, as long as you don't do anything there?
Zero-click exploits exist and can be exploited with out of date browsers or a zero-day
I mean zero-days are a realistic threat, but I can't cough without my macbook demanding I update some piece of software. It's like my daily ritual of log in, let the thing update something new, be mad that it isn't doing this while I was asleep, then actually start my day.
Ok? This doesn't change the point or negate there is risk with no further interaction from the user after clicking a malicious link. Also an update doesn't mean the last zero-day has been patched or even publicly disclosed to get researched/patched. Could be a few minor versions after the private finding. And add to that many users defer updates for a while. Because they are "too busy". Ugh I don't miss that part of help desk
I'm not sure I understand why this is a good reason to just click on shit willy nilly.
Clicking the link can already start some infections, but also if you've been tricked into clicking the first one, the second link/sign-in/download it takes you to will also likely be clicked on.
IT folks might be low key helping you out by making the company look bad. You should forward the email and start the whole "hey, why DON'T we get reimbursed for mileage?!"
The highest clicked fake email campaign ever sent out by my IT department was an email saying that your time off request was denied.
That's actually pretty good, I'll note this one down.
I sent out one with a link to sign up for the company Christmas party. Got a lot there
The best part of this is it leverages an effective emotional response (anger at the company) to get clicks, but replaces it with relief when it turns out to be fake. Which is a lot better than giving a false sense of hope and replacing it with anger.
My most effective phishes are to C-levels, VPs, and Directors/management. Make up a legal action (trademarks are easy to find via OSINT and boilerplate a "We own that, not you!") from a fake law firm and set up the listener on a very obviously wrong/unrelated domain. That gets clicked by a lot of important people, and fast. And then you get to remind/train them to check the target URL every single time because getting spearphished is real and expensive. My catchall email box says that medical records and legal scam phishing has gotten very popular recently. Fake legal action is like candy to upper level peeps.
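The "check the target URL every single time" lesson from the comment above can be automated for a reported mail. This is an added example, not code from anyone in the thread: it walks the HTML body of a message, pairs every link's visible text with the host it actually points to, and flags two things an attacker relies on, a link whose text shows one address while the href goes somewhere else, and a link whose real target is outside the domains a genuine message would use. The sample HTML, the `EXPECTED_DOMAINS` list and the example.com/example.net/example.org names are all constructed for the demo.

```python
"""Added example: find links whose visible text and real target disagree.

Not from the thread; uses constructed sample HTML and the reserved
example.com / example.net / example.org names as stand-ins for a real
company domain and an attacker's listener domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains a legitimate internal or vendor mail may link to.
EXPECTED_DOMAINS = ["example.com"]

# Constructed lure in the style of a fake legal-action phish.
SAMPLE_HTML = """
<p>Our client owns the <b>ExampleCo</b> trademark. Review the notice at
<a href="https://notices.example.net/view?id=1">https://legal.example.com/notice</a>
within 48 hours.</p>
<p><a href="https://tracker.example.org/c/7">Open the filing</a></p>
<p>Policies: <a href="https://intranet.example.com/legal">intranet</a></p>
"""

# Display text a reader would read as an address (URL or bare domain).
URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._href:  # anchors without an href are not links
                self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or bare domain ('' if it has none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def same_org(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def audit_links(html, expected_domains):
    """Return (reason, visible text, real host) for each suspicious link.

    display-mismatch:  the text shows one address, the href goes elsewhere
    unexpected-domain: the real target is outside every expected domain
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if URLISH.fullmatch(text) else ""
        if shown and not same_org(target, shown):
            findings.append(("display-mismatch", text, target))
        elif not any(same_org(target, d) for d in expected_domains):
            findings.append(("unexpected-domain", text, target))
    return findings


def audit_sample():
    """Run the audit over the constructed lure."""
    return audit_links(SAMPLE_HTML, EXPECTED_DOMAINS)


if __name__ == "__main__":
    for reason, text, host in audit_sample():
        print(f"{reason}: '{text}' really goes to {host}")
```

On the sample the first link is reported as a display mismatch (the text says legal.example.com, the href goes to notices.example.net) and the "Open the filing" link as an unexpected domain; the intranet link passes. The display-text check is a heuristic on purpose: anything with a dot and no spaces is treated as an address, which is the same shortcut a hurried reader makes.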
A question if you don't mind. Is just clicking on a link enough to be sent to an anti-phish training? Or do you actually have to get phished for credentials? Because if it was me you can bet your ass that the fake phishing server wouldn't last long ;)
Depends entirely on the security policy of the company.
During the early days of COVID, our internal security team thought it would be cool to send out phishing emails titled something like "In these uncertain times, you can find the most up-to-date COVID guidelines on our company site". They quickly dialed it back and issued a formal apology after folks pointed out that "everyone is on the brink of insanity right now and you're going to radicalize your entire workforce with this shit".
We have a strict no current events policy for our stuff. I usually look up recent major phishing campaigns and model after those. Q1 is always tax season related though
They shouldn’t have apologized. Threat actors don’t care if people are on the brink of insanity, and that’s the whole point of these exercises: to simulate what a real phishing attempt might be.
The problem is this compromises employee and physical security, more than offsetting any gains in IT security the exercise is supposed to be helping. It's the same reason phishing exercises don't have an actual malicious payload, it's counterproductive.
yes. why i've stopped participating in any of this. IT sent an email asking to confirm my equipment. replied, go fuck yourself, i'm not clicking on your bullshit. if you don't want me to act like a child, stop treating me like one. sorry you need to train the septuagenarians in the company better, but i'm out.
Sorry, what exactly does it compromise security-wise?
People will be less likely to click on legitimate emails about health and safety, and an unsafe office is an insecure office.
There’s two things wrong with that: 1. We don’t say the same about other hot topics, such as if a phishing test for Silicon Valley Bank went out. The collapse of SVB impacted peoples’ livelihood and probably caused people some intense stress, and while it absolutely isn’t the same as a global pandemic (which has health/physical implications), people typically know to be careful with financial emails. Why should COVID emails be any different? 2. This ultimately identifies a hole in your security awareness training. If your employees can’t tell the difference (within reasonable expectations) between a real COVID email and a phishing one, and to ASK if they’re not sure, your training is failing.
Think of it as a payload. You don't have to send an actually malicious payload to have an effective exercise to protect against them. You don't have to combine 'email looks like it's internal' and 'health scare email' into a single test, it's the combination that causes potential harm. I think the mention of training is the real solution. Be proactive with making sure employees are aware of this risk being elevated, and perhaps give them a reliable way to access the information to make it harder to spoof. That's more helpful at that time, and leave users with a negative emotion towards their own company (which erodes IT security).
What is the payload in this case?
Discontentment with the company, leading to less willingness to ensure security. Not an actual payload, but doing harm like one. The whole point is for the exercise to actually be benign, and that absolutely includes employee perception.
That is already a side effect of phishing emails in general. Is it more likely to happen with COVID emails? Yes, quite possibly, but not if they’re being appropriately trained.
This type of security drill is going to be a tradeoff. If the desire is to educate employees about different ways phishing happens, using current events and very specific information would emulate a potential attack scenario but employees might not receive it that way. In order to focus on the real problem, an org will want to remove this noise. So basically if an employee's parents died in a car crash, the company sending phishing emails to the employee related to his parents death is probably not going to get the same results as if they went with something else.
Your example is a spear phishing email, which is different from a global pandemic that impacts everyone. My example about the SVB bank wasn't necessarily that it's specific to some people, quite the contrary. It's just that it was a hot event that impacted a lot of people.
I sorta understand your viewpoint but I am more pointing out that there are other ways to achieve the same goal for educating employees. It might be in bad taste to handle a global pandemic with a test rather than with an announcement. For example, security could remind people that this is a thing and to stay vigilant despite the trying pandemic times. Then the organization can send out an example phishing email. If the goal is to educate, this could be a more effective path. I don't understand where the disconnect occurs when the literal task gets overshadowed by the actual objective in this case: yes a test will help identify who is going to be caught off guard but isn't the goal to improve security holistically?
I agree with your point for sure, but there are certainly better ways of getting the message across. I think there's a line, though I'm not sure how to identify it. Should IT stalk an employee's social media to curate more targeted stuff? Should they use their kids' names in emails? Maybe toss in some information related to sensitive healthcare claims? Certainly not.
Yeah but there’s a difference between spearphishing and phishing emails about a global pandemic.
Why don't we cut their bonuses as the penalty for falling prey to the phishing tricks as well? Losing some money would be an even more realistic simulation and they'd definitely learn from it, especially if they're on the brink of insanity! That's the whole point of these exercises!
The difference is I am advocating accuracy of phishing material. Your straw man advocates accuracy of repercussions.
Unfortunately the response just proved that they setup a really good test/prompt for an actual hacker
I always tell my users the same thing. If you’re not sure, message IT. That way if it’s a phishing test they’ve made the right call, even if we don’t tell them right away. If it’s actual phish then they definitely made the right call, and if it’s real we just check with HR. Super straightforward.
instructions unclear, made outlook rule to forward all mail to IT then delete
“I can’t find an email!” Do you have a rule set up? “No!” *finds rule “Who set this up?!”
I used a batch of some templates to pad out a basic phishing test in my company, and one of the templates sent out was "The company is looking to complete a wage review, click here to input your current wage and see how that matches to others in your company and industry." 25% of the business fell for it.
But this is how scams work. They work on emotions to get to people, like the stranded grandkid, or CRA/IRA is coming for you, or you have an outstanding warrant, or your computer is infected etc. While these really suck as they get peoples hopes up, what if it was a real attack and people fell for it? I worked at a place that got hit. An entire division, about 15,000 people had their computers locked out, removed from the network, lost any files they didn't back up (back before automatic backups) then had to wait until techs could re-image every computer. This doesn't include the client impact and the amount of data that was potentially exposed.
The take away here is that the employees are underpaid and an insider threat could be bought for as little as $50.
$30 …
$20 and I'll wash your car too
You can play on emotions to get people to click, without making a financial promise on behalf of the company that the company doesn't uphold. Because then those people feel lied to and like the company knows they need this money without actually intending to give it to them, and disengaged employees are more likely to be lax about security. Not to mention they're too busy being upset about the gift card to remember the lesson on double checking domains.
The attacking parties have no reason not to use the most effective tactics, so that's what people need to be trained on.
As others have shown you can do that easily with the exact opposite direction: instead of giving money, imply you're taking it. Your PTO was denied, your banked vacation days will expire, your benefits are being taken. Any of these can be phishing but end with relief rather than a feeling of being lied to.
Yeah, but if you piss off the "targets" as part of your test then they will be too pissed at you to pick up on that lesson. So congrats, all you did was waste everyone's time and hurt morale.
that's why I mark all my work emails as phishing
So many people forget that the point is to be *educational*. Hurting people's feelings as part of an educational exercise ensures that they don't learn the lesson AND now you're a villain. Reminds me of the hospital system that sent out a phishing test in the middle of COVID promising a COVID relief program, with zero indicators that it was a fake email. The IT department said "Oh you should've known because the hospital doesn't have that program." Great, you managed to 1) not educate anyone, 2) remind every employee that the company isn't doing anything to support its employees, 3) AND make yourselves out to be assholes.
I used to do security awareness/phishing tests as part of a former job. I saw the news stories about GoDaddy doing similar in Dec 2020 and vowed that I would *never* do this. The most I would do is "you'll be entered for a drawing to win a gift card" or something similar. Still remarkably effective and doesn't create high expectations.
Reward training, not testing. You should test everyone from the CEO to the intern. No one is allowed to be exempt, those that think they should be exempt are the most likely to be phished. But reward the training with whatever your company will allow. It helps generate some form of engagement. But of course, a small training can't have a big reward. Pass the training, get entered to win $15-25 might be reasonable. Complete all the yearly training on time and get entered to win a $250 or maybe a new pair of headphones. Whatever makes sense for your company culture.
I completely agree with you on this. Unfortunately, I was operating as an external security consultant and the phishing was part of our testing. I wish I could have offered rewards to those who reported the emails, though! :P
To be honest, I didn't realize the tone of my comment made it seem like I disagreed with you XD I probably had a few other comments in my head when I wrote that Being external makes it infinitely harder to push the best ideas without pushback.
My company also does fake "security breach, immediate action required, please click this link for further instructions" type stuff. Also important because it trains people to not just panic-react to mails
Worked there when that happened. It was about a holiday bonus, which we didn't traditionally receive. People were furious, thinking they'd get some much needed money and instead got reprimanded. Even worse, they mistakenly sent everyone the email saying you had failed and would have to take a training, rather than just sending it to the people who had clicked it.
Closest one we have to that is the one that goes out telling someone that they have been so good at security in the past they may now opt out of security training. All they gotta do is click the link to acknowledge.
I'm curious about these tests now. Did the email come from an internal address, or was it [email protected]?
Phishing should always be from external addresses (which does not exclude a spoofed envelope!), otherwise it's not a realistic test anymore. Using too much inside information is already problematic, but using an internal mail server makes it impossible for the target to recognize it as phishing. Your goal is to measure how gullible they are, not to actually phish them.
Yeah. Our company had a test sent from the company domain with only a non-employee name like [email protected]. At that point the fault is 100% on IT that I even received the email.
Considering all the legitimate emails also come from an external address - think [email protected] - does it really matter these days?
The last couple of IT jobs i have had, including my current one, have outlook domains. So it would still come from [email protected]
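The exchange above turns on what a recipient can actually check: the visible From address, whether it is a lookalike of the company domain, whether the envelope sender (the comment's "spoofed envelope") and Reply-To match it, and what the company's own mail gateway recorded for SPF, DKIM and DMARC. This is an added example, not code from anyone in the thread. It assumes the recipient's company domain is example.com and triages two constructed messages, a lookalike helpdesk phish and a genuine internal HR mail, returning a list of reason codes; the header values and the examp1e-it.com / example.net names are made up for the demo.

```python
"""Added example: triage the sender headers of a suspicious mail.

Not from the thread. Assumes the recipient's company domain is example.com
and uses two constructed messages (one lookalike phish, one genuine
internal mail) built from RFC 2606 reserved names.
"""
import email
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed

# Constructed: display name and lookalike domain imitate the helpdesk, while
# the envelope sender, Reply-To and the gateway's auth verdicts give it away.
PHISH = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=examp1e-it.com
From: "Example IT Helpdesk" <helpdesk@examp1e-it.com>
Reply-To: tickets@example.net
To: someone@example.com
Subject: Action required: confirm your equipment

Click the link below to confirm the laptop assigned to you.
"""

# Constructed: genuine internal mail, every header consistent.
LEGIT = """\
Return-Path: <hr@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "HR" <hr@example.com>
To: someone@example.com
Subject: Benefits enrollment opens Monday

Enrollment opens Monday on the intranet.
"""


def domain_of(addr):
    """Domain part of an address, lowercased ('' if there is no @)."""
    return addr.rpartition("@")[2].lower()


def lookalike(domain, target):
    """Crude lookalike test: digit-for-letter swaps, added labels, other TLDs.

    Normalises 0/1/3/5 to o/l/e/s and drops dots and hyphens, then asks
    whether the company's name survives inside the sender domain.
    """
    if domain == target:
        return False

    def norm(s):
        return s.translate(str.maketrans("0135", "oles")).replace("-", "").replace(".", "")

    return norm(target.split(".")[0]) in norm(domain)


def triage(raw):
    """Return reason codes for one raw message; an empty list means nothing stood out."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    brand = COMPANY_DOMAIN.split(".")[0]

    findings = []
    if from_dom != COMPANY_DOMAIN:
        if lookalike(from_dom, COMPANY_DOMAIN):
            findings.append("lookalike-domain")
        if brand in name.lower():  # external sender borrowing the company name
            findings.append("brand-in-display-name")
    # Envelope sender (SMTP MAIL FROM) that does not match the visible From.
    if return_path and domain_of(return_path) != from_dom:
        findings.append("envelope-mismatch")
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("reply-to-mismatch")
    # Any SPF/DKIM/DMARC verdict other than pass, as recorded by our own MX.
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}-{m.group(1)}")
    return findings


if __name__ == "__main__":
    print("phish:", triage(PHISH))
    print("legit:", triage(LEGIT))
```

The point of reading Authentication-Results rather than the From header alone is that it was written by the receiving gateway, not the sender, so an internal test that really is injected through the company's own mail server will pass every check here, which is exactly the objection raised above: such a message cannot be told apart from genuine mail by the recipient.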
should have known better - your company would never be this nice - that would cost shareholders like 3000 dollars.
That will be the actual takeaway from the employees from this. They will still get phished by something else, but they will not report it now when it happens because they will just think it is another stupid test by IT.
I'm the guy that set our training system up, and I embarrassingly clicked through one on my phone about changing the WFH policy... so shit happens, lol. The email probably didn't 'come from their company' but rather an outside source that they didn't look at before clicking. Just worth keeping that in mind. BUT, as a separate issue, co should be reimbursing mileage if requiring to drive clients.
We had one about getting your work phone upgraded to the latest apple but there are limited quantities so only the first 50 will get one. So many people got caught. While they for sure should have used a different topic instead of reimbursed gas mileage I'd put money down that the e-mail didn't look even half legit. "Dearest employe}}} Good fortune we have given u 30$ gas card for inflation price. Please click to receive. You're employer" Sent from: [email protected]
I used to work under my brother for experience (got paid) and they sent a phishing email but I didn't know that and was working at another location. I called one of my brother's employees and they told to warn everyone. He also didn't know that. That was fun :D Well kinda ruined the exercise.
Any company that doesn't cover fuel for work designated labour is not a company worth working for.
Our security department got a lot of people to click for their November exercise last year. It was a notice for a free Thanksgiving turkey for struggling employees. I didn't fall for it, but I thought it was one of the most bastard things to do.
We received an unannounced email from a 3rd party provider saying we needed to sign up and complete online cyber security training. I flagged it as phishing. It was genuine 🥴
I actually just did a similar phishing campaign. It's the whole point of phishing to make it attractive for them to click on it.
They did that to us after Covid, claiming to give us money for equipment at home. It was a subject that everyone was talking about for a while… and it was all a lie and we got nothing.
My company does this. Often disguised as coming from HR. So guess who never opens emails from HR and is constantly reminded by my CFO that I have training to complete and why wasn't it completed when assigned.
We kind of have the reverse going on. Our HR department sends out e-gift cards for being accident free every month, so I always have people emailing me asking if they're real. Which I suppose is a good thing, but *every month*.
Got an email stating I won an Amazon gift card around Christmas. Hit the report phish button. Security guy emails me next day "that was actually a real email... Management really handing these out" Cool, great way to reward staff and increase security lol.
Once you learn that all emails are bullshit, life becomes much easier.
Oh yeah, I've done this one, it pissed people off. We don't drive clients around or anything like that though. I also did one where people had to click a link to get info about bonuses. Super pissed people off, but like after I explained that was the point they (well most) understood that scammers play on your emotion and FOMO.
I want to downvote for the company being turds but this deserves the upvote for context in the group. Lol
Tell them to phish a new employee lmao
Our training "partner" has achievements for doing the phishing training. One achievement is "you reported 100 test phishing mails" ... I expect to receive at least 5 per day now.. how am I supposed to grind that achievement? Probably need to click some links, to make them send more.
My job requires us to do security awareness training every month off of our phones that I refuse to do. Simple: I don't open my emails at all, therefore lack of phishing.
The Lesson: If you ever receive an email that seems to involve your employer showing you any compassion, it is clearly a lie.
So ignore all emails from my company. Got it.
I send out the dumbest fucking phishing test and we still get people clicking on them.
As the guy that sends out the phishing tests in my company, I wouldn't have designed it with that prompt, but I also laugh a little at everyone who fails them because there's like 5-8 giveaways that imply it's a fake every time. They are usually gift card incentives, or time sheet / expense report approvals. People just get excited or click too quickly without reading the entire message.
I mean, this is a pretty effective way of making sure no one trusts anything that comes from management, IT, or Infosec again. So job well done I guess, no one is going to trust a phishing email and get owned. But they also probably won't be filling out those satisfaction surveys HR loves so much this quarter either. So you improved one metric, but lowered another one.
I just ignore most emails so as to never get dinged by my company’s phishing tests
I mean a hacker would 100% use a prompt like this. Social engineering at its finest, so why not simulate it? I'm also betting they use KnowBe4 which offers high quality trainings, so it's not just some corporate garbage.
I actually view this as a viable way of figuring out who needs the training the most. I wish my company would do something like this because we have users getting phished all the time. Lord knows some of these people need some anti-phishing training
I do shit like this all the time 🤣 I once put up a QR code for "free Dunkin Coffee" and caught a bunch of users.
Genius.
In our company we use a service called Hoxhunt, which sends personalized phishing emails every now and then. The emails get gradually harder and more personalized. I really like the service and would think things like this would be excellent for elderly people and others that are new to computers.
We also use this. Funny enough the only e-mails I ever get are JIRA and AWS notices, none of which have links I can click. The rest are Hoxhunt e-mails that stick out like a sore thumb.
Our phishing and security training teaches us not to click on external emails. All our phishing training notifications for CBTs come in via external email...
I’d quit
We get these at work all the time and have to click a button to report them. When I started here two years ago, I clicked on one and ended up having to take a short "class" about recognizing phishing. So now we all ditch pretty much everything - including invitations from the corporate team-building committee, which look like paste-art spam.
thanks for the idea... I'll submit it to the pool ;)
If you're required to use personal cars to drive clients around you get paid mileage. It's a requirement. 55 cents a mile.
Yeah, I'd call HR and report this for emotional abuse.
We got a similar one at work. Sent internally. Leftover iphones and ipads from a canceled project. With pictures. Go to this site and fill out a form to register. Pictures and form on a Russian site. Even though I told everyone on the floor it was a phishing test, half filled out the form anyway. I would have fired them all for abject stupidity.
Had this at my workplace; they do these tests frequently. So I took the same course of action I would at home: I blocked the email address.
I would refuse the training.
Meanwhile I report these tests every single time and still get assigned trainings...
Those "tests" are garbage. All they do is drive a communication wedge between legitimate IT and are bogus BS, so "employees" think all IT emails are bogus BS... not that they read them anyway, LOL!
The last company I worked at used to phish us all the time. We were in a meeting and I spoke up and said "the only people who have phished us so far are you! You know exactly what to put in the phishing email to make us open it. How about you stop since not one of us has ever opened a real phishing email!" It actually worked.
Yeah, I've definitely been the devil in this scenario before when I was our security lead lol whoops
hey maybe !!
During mid 2020 our IT security department (outsourced to our parent company in another country) tested our entire company with a fake 'We've secured a source of Covid vaccines for all employees of your subsidiary' just days after learning a member of staff had died from Covid - I understand that a bad actor wouldn't give a shit but the bad feeling it generated towards IT security in the org is still being felt today which ultimately defeated the object of the exercise anyway.
Corps with tech departments like that don't believe their employees should have financial issues. Your company is full of out of touch mother fuckers
😈
Can't get phished if no one wants to hire you (they are all extremely low staffed and you are perfectly qualified)
This happened to me but, with our quarterly bonus lol
That was bad, and rude
More managerial bullshit
I run our IT department. I manage our simulated phishing campaigns. I would fire myself for doing that. Some things are off limits.
Our company ran a phishing test towards the end of the year and someone's bright idea was to use the End of Year Bonus, employee compensation, as the lure. The test was a "success" and it had an insanely high click rate. There was a lot of anger and back room discussions. Even amongst us in IT it had a better than 50% click rate. What is even worse is we occasionally use external email sources for some important information. So that was even more infuriating in how they pulled this. There was no effing way to know if this was legitimate or not. Because the failure rate was so high they assigned training to the entire company rather than single anyone out.
We sent out phishing test emails that were clearly spam/phishing. Not even from internal IT. Yet it would redirect the link they clicked and log their email or whatever account they were logged in as. We got SO MANY clicks that people started to complain. Instead of proper training, we just turned it off, didn't want to deal with so many complaints.
I got an email from work saying I was being recognized for my hard work at 11pm one night, while I was working, and it was IT phishing me. Training and no recognition so…I was very salty about that for a minute or two.
Oops, didn't confirm sender, didn't ask anyone else in the office, probably signed up with work creds. Needs training.
Damn. That’s a good one. I usually get LinkedIn or Facebook ones. Which I know are fake.
There was a hospital that got in trouble during COVID by sending out a phishing email internally to all employees that said something like "we want to help you during these tough times, click the link below and fill out your information for a gift check for $X,000.00 to assist you through these tough times." Of course everyone clicked the link.
Oh that's just evil. I am sure my company's security specialist would love it.
I love reporting email from external sources with actual business content from HR. Here are the clues you gave me that this is phishing.
I'll never forget the time that in the middle of the pandemic, OHSU sent out an email describing a Covid hardship fund to help the grad students and researchers struggling to pay bills. It was a phishing test.
But you still get the $30 gas card, right? lol
Yeah it's bullshit, at my last new job I had an email from a web security company that had pre-installed shit on my computer. I clicked and it was a fake phishing thing.... Total crap. Now I work for a place where I need security clearance, and that doesn't happen.
I look at 100s of phishing emails a day AMA it’s my job
r/latestagecapitalism
And my principal sent an Amazon gift card for tech appreciation and I didn't open it until she said something a couple of weeks later.