We found out that 10% of our users entered their password.
I’m not in cyber security. My role requires me to interact with a lot of people, work on a bunch of different SharePoint links, and on top of that corporate sends a shit pile of email links to training, peakon surveys, and stuff like that. When I started my new job (3 years ago now), I had a pile of training to do as well as my usual work.
I would be fully focused, keyboard clacking loudly and ding! Email. grumble who the fuck is this now? Oh some stupid training link… wham. Phishing training. Fell for it 3 times.
The whole Microsoft 365 system seems to be quite vulnerable to phishing. Sometimes SSO works, sometimes you need a password, maybe 2FA, maybe not. Many microsoft notification emails come from external sources (with a big banner “this email comes from an external sender, be cautious”).
This makes it hard for our brains to spot the small differences that make a phishing campaign successful.
The solution is to suspect every external message and send them all to the phishing mailbox. Tell your boss that you are following the phishing training that you did first.
They will have to get their shit together and send important messages from internal mail addresses. That’s just laziness.
Haha, love it
If employers don’t want employees to get phished, a good first step is to not overwork them…
Especially with the HR/Corp BS
At my work, the bogus phishing attacks are overly believable. They’ll even come from a known in-house email account.
I’ve been dinged twice while otherwise occupied. I’ve stopped checking my email altogether. Play stupid games, win stupid prizes. I am being paid to do a job.
Same. IT has inside info no real phishers will have. So far only got dinged once, but that’s enough. I was already terrible about answering emails, now I’ll be worse.
I never got phished by the simulations because I never open my emails. If there’s something that needs my attention either someone will Slack me or a ticket on Jira made.
password123
Oh wait, that wasn’t the question?
Put an ! at the end and it will be more secure.
Lol, we use the same password
I’m 100% so far at my job, but we had one test that tricked somewhere around 30% of employees. They spoofed everyone’s supervisor and made it look like an urgent Teams message was pending.
Usually, if you get phished you lose your bonus. They made an exception that one time.
You lose your bonus? What basement-dwelling neanderthal executive came up with that hogwash?
To be fair, my job involves very sensitive medical data. We’ve seen entire businesses shut down because of data breaches.
Phishing simulations should be about educating employees, not punishing them. Train them on what they missed and if training material is available check where it might be lacking. Nobody learns from having their bonus taken away. It also only serves to stimulate a culture were people prefer not reporting possible security issues they might have caused, in order to avoid further pay cuts.
If someone is consistently falling for phishing emails (real, or from the IT department), shouldn’t that person eventually be fired? Isn’t that a punishment?
If there is neither a punishment nor a reward, what is the incentive to learn? Some people may not need one. Many others do.
I agree that a single failure resulting in the loss of significant income might be harsh, but I think there needs to be a way to convince people to take the issue seriously, and a punishment of some kind is therefore always warranted (e.g. eventual firing).
You can balance out the issue by creating a reward system as well, e.g. if you report all of the test emails sent to you in a year (i.e. not just ignore them), your bonus is increased by X% or something. Similarly, if you report an actual phishing email, your bonus is increased by some percent, even if you initially fell for it. I think it is possible to foster a consciousness and honest culture, with a system that includes punishments.
I dunno…If you’re in a position to get a bonus, you should be smart enough to not click on random links and enter your work password.
I am extremely pro-worker but I would be fuckin pissed if an employee so easily gave a potential hacker access to our systems and that’s what the test is for
My understanding is that the phishing awareness mail is part of the training, and NOT a test. But company culture varies of course
I can only imagine how frustrating it would be to get a financial punishment for clicking on links.
Easy, never read or open mails. NEVER!
They tried a similar one on me once. Sent a email saying my boss (by name) sent me a virtual gift card. I immediately knew it was one of their “phishing tests” as my boss is a giant douche who would rather take the time to throw me under a bus than do anything that nice.
They haven’t fooled me yet. They’re actually fairly easy to spot.
The last round my company did was pretty damn good. The email itself was well done and professional looking. They even registered a domain that was one letter different than the company name for the source email domain and the phishing form.
It was still one of those things that makes you hesitate like “your password has expired, click here to reset it” and the email client blatantly flagged it as being from outside our true domain. The client warning was the easy thing to spot, the rest was really well done.
That’s the odd thing with where I work, until recently all the phishing simulations were from within the company domain and so lacked the [External…]
It’s not impossible for an already infiltrated network, but I still expect to see that it came from outside. Maybe that’s me, tho.
Wdits: spullings <- like those
Wow, that is impressively sneaky to use the legitimate domain.
In my company about half the services in use, that require SSO login, are flagged as “external” when receiving emails. Along with the fact that quite a few of the services don’t use https, so all downloads from them (doc services) are flagged as untrusted in modern browsers.
Users are just used to ignoring the warnings designed to stop the majority of easily identified flags, because the actual work requires it.
I got phished circa 2001. Got about three thousand drained from my bank account which I shockingly got back. (Though Elon’s PayPal threatened to sue me over it but never did when I told them to come and get me over the failure of their own security)
I’ve never responded to any email requesting login since no matter how legitimate it may be.
They blast us with the dumbest most obvious phishing simulations. Then send out legitimate “register for this new app” email, which large numbers of people report and the director gets pissed, despite the fact it meets the bulk of the “signs of a phishing email”. Then a month later we get hit by a phishing attack that automated software blocked.
My company ones are always super obvious. One of the best ones though was on valentines day spoofing a valentines ecard from a coworker in your organization
Yes but the only relevant metric is how many reported it. Doesn’t matter if they delete, read, click or enter data. We’re only interested in the information that a phish got through our security controls (=we failed our users), so we can investigate (and clean up if needed) the impacted mailboxes and accounts.
No, this is about the fake phishing emails that are released inside the network to test user response. If clicked, they report to IT which users need more training.
Yes I know. We do simulations but we only measure who reports them and provide training how to report them (In the mail itself). No shaming for user who click them and no additional training on how to look at details.
It makes no sense training the user in looking at for example the links if all the big vendors use suspicious links anyway. For example the phishers use OneNote shares to phish, but those are hosted on Microsoft which by itself is legitimate. The only way a user really is able to recognize a phish is if it is unsolicited (report the mail as spam) or if it looks legit but asks for credentials (report it, we use SSO everywhere possible and you should never be asked for credentials for one of our platforms). We cannot do this for all vendors however and the users are encouraged and trained on using Passkeys or Autofill by the company provided password manager so that they get suspicious when no autofill is possible, then they can report the mail.
It’s not always possible to recognize phishing from the get go and security is better suited to investigate than rando from the logistics department.
My company is the only one trying to phish me at work
So long as its a 50/50 between your boss being mad or the company losing money employees are going to open the email.
I need that template :D
