Transcript
Panel 1: [Coworker in a red tie with dark hair leans into the cubicle of IT who is busy on a computer, a key card or ID hangs around his neck]
Coworker: I clicked an email link and it says I need training?
Panel 2: [IT stops working and looks irritated]
IT: Ah yes. The Training.
Panel 3: [IT sprays the coworker with a spray bottle]
FSHSSSH
FSHSSSH
FSHSSSH
IT: BAD! THAT WAS BAD!
Panel 4: [IT continues spraying the coworker, now crouching down hands raised defensively as the water is sprayed in his face. IT ha a look of glee on his face as another coworker walks by with a look of concern on her face, papers in hand.]
FSHSSSH
FSHSSSH
FSHSSSH
FSHSSSH
FSHSSSH
Coworker: HISSS!
Alt Text
The next training module unlocks after three hisses
.
- Message Details
- xxxx.ThreatSim. org (or something similar)
- Report Phishing
- Thank you for detecting this phish sim and keeping us safe
A decade with 100% accuracy, and I still haven’t gotten a prize. Worst game ever
I failed an internal phishing test one time, the first time I’ve been on the receiving end of the tests instead of the one making it up and sending it out
Anyway, I was still new at the company so I wasn’t sure of all the usual domains and processes they have. During an all-hands meeting, the CEO mentioned that we will be receiving our bonuses soon and to make sure to adjust your settings if you want to avoid it all going into your 401k or something. A week later, I get an email saying that I need to adjust my payroll settings for the upcoming bonus. Turns out, it was a phishing test. Jokes on me, the real email to adjust those settings came 4 months later.
Someone at my company clicked on a phishing link and actually entered their AD login password when asked.
We nuked his account and recreated it using p.lastname instead of the usual peter.lastname as username.We told the C-Suite this is necessary as the former e-mail address is now known to attackers as a potential mark. But internally, the senior admin called it “Learning through pain”.
Later found out his colleagues called him Pee-Dot behind his back for a while.
MY NICKNAME HAS NOTHING TO DO WITH WHIZZING MY PANTS
honestly i’d lean into it if my coworkers started calling me Pee-Dot. That’s hella funny.
The only phishing mails I receive are phishing tests from within the company…
Yes, you can identify them by the X-Phish header. I hope real phishing mails have it too
My rule of thumb is: if it’s something nice for me, it’s not real (more money, goodies, more vacation days, …) and it worked pretty good so far. There was only one fake cyber security training invitation which kind of felt like not the most constructive idea…
Yeah, also urgency is a big red flag for me. Almost all phishing messages are like “log in immediately or something bad happens”
Friend got “log into your bank account in 15 minutes to prevent deletion due to inactivity” on their work email for a bank the company doesn’t even use lol
tbf I got one that was trying to warn me of incorrect tax info which needs to be resolved only a month after I started lol.
Wasn’t gonna click the link but I did do a double take because they formed it really well like a proper spear phish email would.
Of course my job at some point involved memeing with gophish templates so I don’t think they’ll ever get me, especially when I’m using a proper client that lets me immediately swap to HTML and see the blocked image tracker tag lol.
Something good happens to me -> wait a minute, this is a trap!
Something bad happens to me -> all according to plan
Words to live by.
If phish.me or kn4b are in the header I assume it’s spam and I have rules in every email account to scrap them to a special folder so I can report them to give the false positive that I identified the test.
I recently had one that was like “Due to recent events, we feel it necessary to remind everyone about the regulations in the Code of Conduct about accepting gifts from clients. Please read the CoC if you have not done so and confirm you have read it via this link. Signed HR”. The link was fake, and the sender address was, too. It was a good fake though, because we actually do have a CoC and have to read/confirm about once a year. So I’m pretty sure it was a test to select people for training.
That’s a badly designed test though, from a psychological standpoint.
Lots of people reading it will subconsciously remember “oh, someone in this company receives and accepts expensive gifts from clients”. And then wonder who it might be.
It’s bad for morale.
We did that at a former workplace. Everyone failed.
They do that here routinely. The last time they sent it using the email account that is basically the one email that you do not ignore because they use it for urgent “please push the patch asap” type emails.
If that email is compromised they got bigger issues.
They bought a domain name similar to ours and sent out emails with links to the domain and a clone login page. Pretty sneaky.
At a previous job, they used to send them fairly often, using various tricks to keep people on their toes. I found it fun
All of ours have phishing in the URLs or in the email headers, if only real phishers were so nice!
What would that be testing, whether the users are psychic? If the email sender is legitimate, then what else would users need to do?
my team actually does pretty good with the cyber security checks. the people running the have to meet a certain amount of metrics so they figured “hey if we send it from this one email, everyone is going to trust us!” … because that’s what they’re supposed to do… Which makes a terrible thing to do. because now they’re always going to be asking if this new email is another test.
(Bruh. if you want us to go to training, just ask.)
I wish they’d take the test ones one step further and actually try to phish some information. I failed one of those tests but realized it right after clicking the link, but it didn’t matter because they assume that clicking the link means you’re going to provide everything else they are looking for.
Not sure what kind of links your regular urgent emails usually have, but if you’re regularly clicking strange links as part of your job, they should really take it to the next step and see if you were going to provide credentials or something before failing the test because otherwise it just means people are afraid to do their jobs because it might be another test.
that email is compromised they got bigger issues.
Sending an email doesn’t have authentication. I can send an email as literally anyone. It’s a very trusting protocol.
Now, if your company is particularly good they might have set up protections from this. But it’s not required, and not super common.
An email service can check every email and catch the vast majority of spoofed headers pretty easily.
You’re right, it’s possible that the email is spoofed and passed the header checks, or that email is already compromised, or something.
That said, using one’s one legitimate email in a phishing test. They said the same stuff. So we spent about a month calling them for every email they sent (including the “you need to sign up for training”)
It creates more problems than it’s worth, and they caught the point pretty quickly.
spent about a month calling them for every email
Hah! I did the same with every spam email that got through the filter.
My former workplace stopped publishing the stats on which department had the most failures when the first round showed more than half of the executives clicked the scam link in their email.
Jokes on them, I don’t open any emails. For security, of course.
“I’m sorry, I marked you as spam.”
Did they complain to HR about the squirt bottles?
Email viruses can’t affect me because I never read my emails 😤
There’s so much bullshit that I just erase quicker than my shadow. When that thing on the bottom left pops up, there’s a trashcan on the notification.
I erase anything that is not addressed to me directly in that split second.
IT the next day “We spent an absurd amount of money on a new 3rd party service without telling anyone and for some reason nobody is opening the emails that company sent to our employees. Are they stupid or something?”.
We had a mandatory training earlier this year (the typical “don’t harass your coworkers stuff”), but the account they sent the link from was a a 32 character string of random letters and numbers followed by a domain I didn’t recognize. I reported it as phishing since none of the links led to the company’s domain. I got in trouble about a month later because the deadline had passed and I hadn’t taken the training.
Jokes on you, I click on that link to waste a 1/2 hour of paid time “training”.
Click on it too much, you’ll be deemed a unfixable risk and bye bye job. Just be careful out there!
Maybe, but I work at a university. With all of the faculty refusing to use the institution’s hardware and bringing their own, students with God knows what, and some of our infrastructure still running windows 95 because they won’t buy new software, I’m pretty sure the whole place is unfixable. Half of our IT rage quits every few months
some of us like the ol’ spray bottle and newspaper tho, has nothing to do with being a risk. i mean there’s so much shit management out there they’d never invest the time to learn how to communicate properly with their employees. have you ever heard of any company anywhere doing that? I haven’t.
I work at a large well established company. I get so many legitimate emails from outside our domain that I am required to click on. Performance reviews, company surveys, corporate training…
Then they wonder why people click fishing links. Bugs the crap out of me. I’m not going to remember the exact domain of the survey company we use, what are you crazy?
I’m not going to remember the exact domain of the survey company we use, what are you crazy?
I agree, and have decided to err on the side of caution, and also put the irritation over on higher-ups. If I get some link I’m required to click that I’m not actively expecting from an unrecognised address, just trash the email. A couple times, I’ve gotten follow-up from a superior asking me why I haven’t responded to <survey>, and I just tell them I haven’t seen it and that it probably got caught in my spam filter. They send me the link in question, and I respond.
I quite quickly realised that most of those surveys they need “everyone” to respond to will just slide quietly by when I do this, so I don’t need to spend time on them. My reasoning is that if it’s actually important, I’ll get it through a reliable channel, and so far that’s worked.
To be fair, I also dump anything that comes from some variant of “noreply” to junk. I figure that if I can’t reply, and I’m not actively expecting the email enough that I check my junk folder, it isn’t important.
We use mimecast, so all links in emails are replaced with links through mimecast for them to check.
That means you can’t see the original link easily though… So makes it harder to check if they are iffy.
Look at the URL before you click. Enforcing plain text mails makes it easier.
Spam/phishing also usually neglect the plain-text part in copying company mails. Yeah, a lot of shitstain companies too, but spam still looks different in plain text.
Employees who fail our phishing test will have anchovies thrown at them
I clicked on that link once, can confirm this is what happens.
![Acceptable Use Pawlicy [TrueNuff]](https://lemmy.world/pictrs/image/c1e2ddf4-6afb-48f1-aede-85c3359f36ad.jpeg){kind=link}