Alt text: Michael Scott Handshake meme. Managers text: “My company Congratulating me on avoiding a phishing test email”. Michael Scott text: “Me, terminally behind on answering email.”
I eventually clicked the link in the test email out of curiosity, I got a nice popup telling me I fucked up
Have fun watching training videos for an hour and a half. It’s just free money
Nah, I got fired like a week later for no reason
Damn that’s extremely. Sorry to hear that.
I created an inbox rule for these. The 3rd party phishing shame-and-train company my employer uses always has a certain domain in the email header (even though they always change the ‘from’ address). Has worked perfectly for over 6 months. I’m generally not dumb enough to click on them anyway. But anyone can have a bad day and/or get into a rush and make a mistake. And my boss is a sadistic prick who delights in making workers feel dumb. Yet I’m 100% sure he exempts himself from the phishing shit tests.
Knowbe4? That’s who we use and their stuff is pedestrian
“Let’s also make our users follow really complex password requirements but have our password creation/change page be different from the actual login screen so they have a really hard time using a password manager”-dumbass IT department
My current employer actually just changed our password policy to greatly extend the password expiration date. We have cranked up the password requirements a tad, every login has 2FA and permissions are locked down to the size of a gnats asshole. Users seem to like it better since they don’t have to come up with a new password as often and we are telling ourselves it’s harder to brute force.
Change your password every 30 days, and never reuse one, and don’t use a password manager, and don’t write it down anywhere, and…
15 character minimum passwords that expire every 90 days and require MFA to remote in from home with 3 separate login sessions just to get to your PC, along with stripped down rights for everyone, even IS. The rights are so strict that if you wanted to, for instance, update a trusted application like Notepad++ because a recent exploit was found which would be a security concern, you can’t use the auto-update feature of the application; you have to download it manually from their repository, and run it using a special admin account created for you that doesn’t have an associated email address but also has a 90 day password requirement. But you wouldn’t been able to use their repository 6 months ago because we block any IP address outside the US and their previous service was located in UK, so if you wanted to keep that piece of software up-to-date with security and vulnerability patches (which they’ve harped on a number of times before) you’d have to find alternative download services located in the US regardless of how shady.
I wish I was joking.
Where I work you only pass the test if you report it to IT, otherwise it’s 3 hours of training with the rest of the idiots.
Does IT want useless reports? Because that’s how you get useless reports?
No, it’s better to get some useless reports than to get no reports at all because “somebody will surely report this”.
Also people stay alert when punishment is an option.
The IT people send out the phising mail themselves as part of a test. It isn’t an actual phising mail, just something made to look and act like one. In the end they have a report which people fell for it, which ignored it (or were ooo) and which reported it.
Reporting is done via the report phising feature in Outlook. For consumers it’s sent to Microsoft, but for businesses you can configure those reports to do what you want. It’s actually a really good feature and people should always use it.
Does your IT team tell you that they’re performing the test and to report, or is reporting phishing always constantly recommended. I’ve managed a small org ( <100 ) email server and we tried to have people report suspicious emails and it was so much noise and wasted so much time. Of course the CEO isn’t requesting you buy gift cards, what am I going to do about it. I’d say the money would be better spent on a better system rather than hope one human forwards it to another human.
They don’t tell us they are testing, it’s done at random. Reporting is policy, it needs to be done with every phising mail that gets past the filters. It’s one of the big ways a company is vulnerable, an employee clicks on a link in a mail, opens something they shouldn’t and before you know it there’s been a databreach. I don’t think they are especially worried about the employee leaking his personal info, they are worried about targeted attacks and corporate espionage.
I’m sure there are a lot of false positives. Even though I work in a technical company, we have plenty of people who aren’t as handy with tech. People get training regularly and if one person reports a lot of useless I’m sure they will train that person extra. I think for a lot of people except maybe sales something like 80% of all mail is internal. And the other part is probably 50% repeating automated mails. So the number of mails that could even be phishing are limited. It’s a mid sized company with about 1000 employees.
Sounds like your email software needs fixing…
I see the benefit of reporting to catch false negatives of the filters, but in reality, if I received more than one report in a week or two, id consider a new system for scanning. A 20% false negative rate is pretty bad. Most emails should be easily identified, and I think it’s unreasonable for end users to check if the sender domain name is newly registered, has utf-8 characters which look like ASCII characters, etc. The metric for success shouldn’t be a high number of end users reporting phishing emails, but that seems to be what upper management wants to see, which just incentives less resources invested in better scanners with less than a 20% false negative rate.
This is how they justify their jobs.
I spent longer than I care to admit today trying to convince someone that the Save As dialog during a file download did not mean that the entire internet could see the files on his computer.
That’s how I justify my job. Well, that and the actually productive things I can manage to do when I’m not trying to explain completely trivial shit to someone who should have retired in 1953.
No. Technically illiterate users, that’s how we justify our jobs.
Mine gives useless bonus points for forwarding the test email or an actual phishing mail to their special security scanner account.
Why not just have the security scanner before it hits an inbox?
There is, but if one gets through, they want us to forward it to this account that will be used to train, fine tune and improve the scanner for all mailboxes, as well as security training for employees.
That makes sense, I thought the security scanner was only triggered if someone forwarded an email after it landed in an inbox.
Downvote for spelling.
I always right-clicked for the “more info” (or whatever it was) with any suspicious email. It would look like a bunch of html code that I didn’t really understand, but buried in there would be a company name that was usually obvious, like “phishtesting.com” or some bullshit.
I always had a 100% report rate, and always joked that I was waiting to get a prize for my accuracy. And obviously, also a joke to ever think I would get anything for it