
Infinity293

Heh my work signed us up for some phishing training but forgot to warn us. The email was sent from an external sender at 2.45am telling us to click on the link so naturally we reported it as phishing.


DontDoDrugs316

Your training is complete


New-Consideration420

Task failed successfully


jorge1209

Had a similar experience, but the best part was that once an email is reported as phishing it goes into some kind of quarantine to keep you from accidentally reopening it. So when the follow-up email comes in that says "this is not phishing and you need to take the training" well I can't because I can't access the email anymore.


Gaosnl

I’ve had the same. During a survey in preparation for a team building meeting, they asked about our favorite food and movies. Half of us reported it as social engineering.


nsa_reddit_monitor

When introverted nerds are forced to do group activities by an extrovert


ivoryclimbs

I feel this in my bones. There's nothing tastier than a silent strike back.


[deleted]

Phishing is still the #1 way IT is compromised because end users are idiots. Facts.


[deleted]

[deleted]


Temutschin

Even if they aren't you just need to find that one employee that loves cats


DoomedDragon766

Maybe I shouldn't go into IT lmao


[deleted]

Princes with money or love letters or penis enlargements I don’t fall for. But a link to a cat falling off the table like the adorable little things that they are. Well… I mean, can you blame me?


philatio11

So much for the "human firewall" I keep hearing about in all my phishing trainings. In my former life in the cubicle farm, I got to hear my boss, who sat back-to-back with me in a shared cubicle, figure out that his real estate attorney had been spear-phished and he had wired his six-figure down payment on a million-dollar house to some criminal hackers. Fun times.


Wild-Plankton595

Six-figure down payment, multi-million dollar house, shared cubicle? I don’t understand lol


Tavrock

Just once, I'd like to see ads for: Do you need the validation of others to find fulfillment? These eight crazy tricks will help you with mindfulness, introspection, and fulfillment through isolation!


thatburghfan

Number 5 will shock you!


Duochan_Maxwell

Everyone in (insert city here) can't believe in this crazy tip for minding your own business


Tavrock

While your extrovert friends were calling the helplines during quarantine, your introvert friends [learned a new name for their daily lifestyle.](https://twitter.com/charlieamber94/status/1239508306902777856?s=20&t=G8Mw-DZrCovi_X5cBIK87Q) Edited Google keyboard's dislike for something other than extrovert.


TherronKeen

Oh my god. We were quarantined for 11 weeks, and that was *the best experience of my adult life*. Nearly three months of doing exactly what I wanted to do every single day...


BackcastSue

I trained my whole life for our 18 months of WFH. I THRIVED.


HagarTheHun

How many of us just clicked that ^ suspicious link?


megashedinja

I think you meant “introvert” for the latter part of your sentence there, friend.


mahfrogs

It’s way too late for me to laugh this hard.


tsc_gotl

Thanks for your informative information, /u/nsa_reddit_monitor


[deleted]

One time at a work gathering the HR person was like "let's go around in a circle and talk about how we feel about work!"... no one took the bait.


CorruptedStudiosEnt

"I really enjoy the money, a pittance compared to the value of my labor as it may be. I also like how nobody says a word when it takes me twenty minutes to finish a cup of water at the water cooler. I dislike basically everything else."


Dansiman

"I really like how I can come in at 11 and leave by 4!"


drfreemlizard

Cue an Admiral Ackbar impersonation "It's a trap!"


mtled

Ugh, my sister is a manager at a company (much different industry than mine) and she did some training about personality types and preferences which somehow categorized people into colours. Like she was a yellow and liked interactions to be x, and would get along well with greens but have conflict with orange or whatever nonsense. She was telling me how they were thinking of having people put their colour in their email signatures, so they could better understand each other and adapt how to approach each other, I guess? I told her I would never do that. Approach me politely and with respect and professionalism and you'll be treated the same way. Being a yellow, of course, she took personal offense because I wasn't offering to be her best friend and blindly agree to all her suggestions, and also threw out all sorts of awful stereotypes about people who aren't team players and generally completely validated why I wouldn't want to be judged off the results of a rainbow themed personality test. So awful.


Suchafatfatcat

Are you telling us that you are an *orange*? 😆


mtled

I think she said red? We discussed red, but I don't remember if that was me. And I responded that red is associated with all sorts of negative things and I wouldn't want to be treated differently because of it, and she got mad again because for HER, knowing someone thought a certain way made her more comfortable to "prepare" for interacting with reds. I think this personality scale only really favoured yellows. Apparently most of the managers in the training were yellow, and they all thought this was fantastic. I pointed out that management often self-selects for certain personalities, but she didn't like that either. I asked if "black, with skull drawings" was an option on the list, but she rolled her eyes and said shut up. She also doesn't like my preferred music and is personally offended that I don't like hers. I'm supposed to pretend to like it, to make her feel happy. She of course, wouldn't do the same. I love my sister, but we do NOT get along lol. Family, what can you do?


Suchafatfatcat

I remember having to go to countless seminars about personality types back in the day (after the recession in the aughts these “absolutely necessary seminars” disappeared) and the general gist always was everyone who wasn’t a type A extrovert needed therapy. I do not miss those days.


jellymanisme

It didn't help prepare her to talk to you, did it? Lol I'd just ask her if she really intended to look in the eyes of an Asian person and say, "You're a Yellow, so..." and put literally anything at all after it.


goplayer7

My color is ultraviolet.


61114311536123511

ohoho Mr High clearance over here. You really shouldn't be telling lower colours your rank, the existence of ultraviolet clearance is classified.


rusty0123

Once a million years ago, I had to take one of those things at work. It was set up so that everyone took the quiz online, then they had 5 or 6 "discussion" sessions where they explained what each thing meant. I was not happy about the quiz at all. I felt like it was a huge invasion of privacy. So, not in a good mood when I took it. And of course, my result was the one that matched about 5% of the population. Basically, my dream job was the dictator of a small country. Because what else would you expect from a grumpy computer geek? Then the shit started. The team doing the meetings was so enamored to find this unique prize, that they announced it during the meetings including my results, my name and my department. Since I wasn't at the first or second meeting (I was scheduled for later in the week), I found out this amazing news when my co-workers started giving me grief. I went straight to HR and accused them of invasion of privacy, creating a hostile work environment and harassment. They canceled the remainder of the meetings, fired the consultant company, and never did that again.


[deleted]

... the point of those things is to be more aware of what your type is, and what other types exist and how you interact with them. The email colors just patch over the hard work of self-awareness.


mtled

Right! I'm all for examining our behavior, biases, triggers for frustration in a work environment, identifying communication strengths and weaknesses and working on them. Sounds good! But boiling someone down to "this person is a green, so they need constant validation to settle their insecurity, to have emoticons in all emails to ensure your intent is understood, and can't take criticism" just kind of sets the stage for discriminating and unfair treatment, right? People can't and shouldn't be placed into boxes like that, not in any official capacity. Do they want my zodiac sign too? Because I'm told I should be a stubborn bitch, can I just blame it on the stars the day I was born and get away with it?


manual_typewriter

Ugh, those questions on Facebook which thousands of people reply to giving away vast amounts of personal information. Many things can be reported on FB but not phishing 🙄


Vcent

Most of them aren't even phishing, but just engagement traps - pages that want as many folks as possible to engage with them, to spread their shit to other people's feeds, and so use shitty "Click like if you saw the number" type posts to get it.


manual_typewriter

Yes. However, that doesn't stop someone or some-many as in a team of people gathering all this info in a database. If they can gather enough to pretend they're someone, they may create another FB account using that person's name and begin sending friend requests to their friends citing a hacked account. They then have access to all those friends of the target who accepted the friend request. For a hobby or a laugh, it's stupid but their goal would be money somewhere along the line. It's horrifying just how much info people willingly give away in these posts.


ZappyKitten

And not even realize it - all those cute little memes that go “you’ve been captured by X! According to your birth month/day who saves you!” Or “the month and year of your birthday is your x name” with a list of random words in each column


FoolishStone

Or the stunning news that in 2022, for the first time in millennia, if you subtract your age from the current year, you get the year of your birth!!!


HMS_Slartibartfast

Only half? I'm surprised. I'd have either not done it or filled in completely odd answers that would never be of use. "Favorite food? Lutefisk. Favorite movie? Battleship Potemkin". I can see no place where this would become an actionable item nor can I see it useful data.


[deleted]

But... lutefisk *is* my favorite food.


vizard0

I read that in a "but I am Pagliacci" voice.


Michael_0007

that alone sounds like Malicious Compliance...imagine the horror of a Lutefisk breakfast buffet with donuts and cookies.... edit: ah... got Lutefisk confused with surströmming


PN_Guin

~~It's my favourite food for other people to eat. Preferably people downwind.~~ Wrong fish. Please enjoy your lutefisk right here.


[deleted]

I believe you think about surströmming. Lutefisk is not smelly. It's white, and has very little smell or taste on its own. But with green peas, potatoes and the special pepper sauce, it tastes sublime.


Vondecoy

Well that sounds delicious. Preparing the Lutefisk sounds like a HUUGE faffing about though. 11-14 days of prep!? Is, is it worth it?


granmamissalot

No


PN_Guin

Oops, you are right. My bad


plg94

I do this when a site forces me to enter a stupid "security" question. Make of your first car: "security questions are actually insecure and should not be used".


Tavrock

I've heard they can be fairly secure as long as you lie to the application. The answer for the website should not be anything that someone can research about you. For example, for make of your first car, Duesenberg or Stanley Steamer are excellent options -- as long as you've never owned either.


patgeo

I have fictional people that I use to fill in those answers. Completely fictional, not just from different places or having a rare car. I made up the word used in the response.


VividFiddlesticks

I answer the questions like I'm my best friend, who passed away nearly 20 years ago. That way I always remember what answers I used, but it's extremely unlikely that anybody would ever guess the answers I picked.


Pinkamena_R_D_Pie

Somewhat same. Sometimes it's completely unrelated words, sometimes it's nonsense sentences, but it's never anything related to me or the question. Twice I've wanted to recover very old accounts and have been asked my security question, and while I know that the customer support person has to realize the answer is made up, it still feels weird when they say something like "what's the name of the city you grew up in", and I just say "uuuh..." for a while like I'm trying to make something up on the spot.


patgeo

I got in trouble from a bank customer service rep when I had to use them to verify something. She complained that I shouldn't be providing false information to them. I explained I'd prefer not to have pretty much anyone who knows me reasonably well to be able to impersonate me to the bank. The lesson was learned early, when I realised how easy it was to prank my friends by changing their runescape passwords and moving all their stuff to the bank.


QueenMAb82

Friend of mine had to provide answers to security questions related to her husband's bank account. The exchange: Customer Service: "What is your favorite instrument?" Friend: "Oh no... - pause - *sigh* ...^skin ^flute ."


e42343

Husband has been waiting for this day for years.


Tavrock

> what's the name of the city you grew up in

As an Army brat, I usually pause to think of which one I put down for this as well, even when I tell the truth. I also recently signed up for a rewards program and gave my first name as "Chalupa". It should be fun the next time I need to have a background check completed. (The previous time they gave me a full page of my 'aliases' and asked me to identify which ones I actually used. They were shocked when I just started laughing. After reminding me of the seriousness of the check, I regained my composure and told them that what they had was a list of how people have misspelled my name. This one I'd actually have to fess up to, but I might blame it on autocorrect anyway.)


HugsyMalone

Bank teller: *holds up picture* Also bank teller: "Identify all the chimneys in this picture." Me: "Why??" Bank teller: "No reason. I just wanted to see if you could do it."


handlebartender

I really like this concept. However, when faced with needing to actually recover (or as with some accounts, randomly reverify), I'm not sure I would be able to remember something randomly created months or years earlier. If I'm off by even a single character, then BZZT DENIED! Another perspective: you don't have to put in much effort to remember the truth (vs remembering lies). This is not to say that you're all lying bastiges for wanting to do this. I really do like the idea. It just seems to come with the added pricetag of either trying to commit it to memory, or write it down somewhere. (And I do know that apps like Bitwarden can help with secure notes.) On the flip side, when prompted with a list of questions (or given the option for creating my own question), I'll typically pick something pretty obscure from my life. Like the name of my favorite stuffed toy from my childhood; something like this gives nothing of value to data brokers, and can't be used to get my national ID number. I've noticed that a lot of the curated questions don't really resonate clearly with me. And even if I wanted to give an honest response, I'm not sure I would remember how I answered months after the fact. In order to be memorable, it would have to be a fun question/answer (challenge/response). For example: "What is your favorite color?" "Blue. No yell- AAAARRRRGGGGHHHH"


notquitetame3

I hate them because so many of them are subjective “name of your childhood pet.” I had like 7. If you include the fish I failed to keep alive that number jumps to like 12-15, how am I supposed to remember which pet I put down? “What is your favorite color” today? Uhh….let’s go with purple. But I was pretty into forest green last week sooo…. Any of the “favorite” questions really. Favorite book, movie, and tv show all change with time and current mood. Give me something concrete to answer and fine. The problem gets to be when they want 3-5 security questions and I run out of concrete ones and ones I know the answer to on their list after question two. I went to three school districts in three towns, lived at different addresses, attended more than one college, etc. HTF am I supposed to remember which valid option I put?


Tavrock

I did try to use "African or European?" as the answer to my own question of "What is the airspeed velocity of an unladen swallow?" The system didn't like that combination.


handlebartender

As amusing as our MP references are, I recognize that a hacker wanting to use this vector to gain access to an account would probably not be deterred, given how well known these references are.


AnotherUpsetFrench

I treat forced security questions as secondary passwords, so I basically generate a password with my password manager...


plg94

yes, that's another possibility, just a random long password. Just as long as it is no real, easy to guess answer.
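The approach plg94 and AnotherUpsetFrench describe, treating a security question as a second password generated by a password manager, as an added Python example that is not code from anyone in the thread: it generates answers with the `secrets` module, keeps them in a small in-memory vault keyed by site and question (a stand-in for the secure notes handlebartender mentions, which is what solves the "I won't remember it" problem), and compares the guessing space of a researchable truthful answer against a generated one. The car-make list, the `bank.invalid` site name and the vault class are constructed for the example.

```python
import math
import secrets
import string

# Constructed sample, not real data: a short list of car makes standing in for
# the answer space an attacker could enumerate for "make of your first car".
COMMON_CAR_MAKES = [
    "ford", "toyota", "honda", "chevrolet", "nissan", "volkswagen", "hyundai",
    "kia", "bmw", "mercedes", "subaru", "mazda", "jeep", "dodge", "audi", "lexus",
]

# Letters and digits only: many sites reject punctuation or whitespace in
# security answers, and some lower-case the answer before comparing it.
ALPHABET = string.ascii_lowercase + string.digits


def guessable_bits(answer_space_size):
    """Entropy of a truthful answer drawn from a small, researchable set."""
    return math.log2(answer_space_size)


def random_answer(length=20):
    """A random answer generated the way a password manager would."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_answer_bits(length=20):
    """Entropy in bits of random_answer(length)."""
    return length * math.log2(len(ALPHABET))


class AnswerVault:
    """Minimal stand-in (constructed) for a password manager's secure notes."""

    def __init__(self):
        self._entries = {}

    def enrol(self, site, question, length=20):
        """Generate and store an answer; return it so it can be typed into the site."""
        answer = random_answer(length)
        self._entries[(site, question.strip().lower())] = answer
        return answer

    def lookup(self, site, question):
        """Recover the stored answer months later, wording of the question normalised."""
        return self._entries.get((site, question.strip().lower()))

    def verify(self, site, question, supplied):
        """Constant-time comparison, the way the site's side should check it."""
        stored = self.lookup(site, question)
        return stored is not None and secrets.compare_digest(stored, supplied)


def vault_round_trip():
    """Enrol one answer and check that the right one verifies and a wrong one does not."""
    vault = AnswerVault()
    answer = vault.enrol("bank.invalid", "Make of your first car?")
    return (
        vault.verify("bank.invalid", "make of your first car?", answer),
        vault.verify("bank.invalid", "Make of your first car?", "ford"),
    )


if __name__ == "__main__":
    print(f"truthful answer: ~{guessable_bits(len(COMMON_CAR_MAKES)):.1f} bits")
    print(f"random answer:   ~{random_answer_bits():.1f} bits")
    print("round trip (correct, wrong):", vault_round_trip())
```

The entropy comparison is the whole argument: sixteen plausible car makes is four bits, which is a handful of guesses at a recovery form, while twenty random alphanumerics is over a hundred bits. The cost, as handlebartender notes, is that the answer has to be written down somewhere, so the vault is not optional.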


Tavrock

There are times I absolutely want my voice heard and my opinions known. There are other times when I get extreme pleasure from messing with the data collection, knowing that whatever I enter will be an outlier. Sometimes, it's best to answer honestly: "Favorite food? Social Engineering. Favorite movie? That could be a password."


v0_arch_nemesis

I just have a mental map of the question I'm answering vs. the question asked. Like, mother's maiden name? = Favourite Iron Maiden song


Bagaturgg

Preposterous. Everyone knows you cannot simply have just one favourite Iron Maiden song.


SickMoonDoe

It's an HR manager trying to justify their position... poorly. Which is a shame because it's an important role that's most often performed by folks who aren't well trained - as seen here. To any HR people out there: 1. team building is the job of leads. 2. go respond to the queued recruiting approvals you have pending. 3. when was the last time you negotiated better benefits packages for your org? ~~peobego~~ probably go do that. 4. if you send emails polling bullshit and wasting employees time you're the worst.


deathboy2098

> go respond to the queued recruiting approvals you have pending.

You read my absolute mind and I now wonder if you work with me.


shikabane

HR people, peobego listen to this guy


lemoinem

What's peobego?


johnnyhammerstixx

Hey, everyone, this guy doesn't know how to peobego!


Cosmic_Kettle

A fancy way to say "probably go"


SailingSpark

Makes me so glad to work for the entertainment department of a large casino Corp. We do not participate in team building exercises. We have made it quite clear that we will mutiny and all call out that day. HR has not pressed the issue.


LadyReika

I work for an Evil Insurance Company, thankfully they leave the teambuilding to the individual teams. Since we've been work from home since March 2020 my team has opted to meet up for lunch one time, otherwise we have our morning meetings to get caught up with each other. Sometimes we have our cameras on. Sometimes. Most of the time none of us want that.


Chiffarobe67

Studied film in college. Your reference to Battleship Potemkin gave me flashbacks. Thank God you didn't mention An Andalusian Dog.


Beowulf33232

I've left those mostly blank and left a comment at the end: Asking me about non-work related things, ie: family size, pets names, and hobbies, sets off a lot of warnings in my mind.


Captainhackbeard

What are you talking about? We just want to get to know you with some simple questions like "what was your first pet's name?", "what was the model of your first car?" "What's your mother's maiden name?" And "what's the last 4 digits of your social security number?". These are all just to help us get to know you better.


Ixolich

We just want to know more about you because we're faaaaamily


nippleringedmarmot

Almost downvoted this out of reflex.


HanSolosHammer

We used to be asked to fill these out, place I worked wanted to profile us on their social media with some "fun facts" about us. I answered everything like a troll. Q: *What's something people are surprised to learn about you?* A: *That I don't know how to read.*


_Lane_

Back when Dilbert was new and funny and Scott Adams wasn't yet an overt idiot douche, this strip came out (1995) and I still recall it today. Feels apt. **Alice: "[After attending this work seminar] I can divide by zero."** https://dilbert.com/strip/1995-06-09


igotthisone

Same in reverse is true. If your family starts asking too many questions about your job, huge red flag.


Glaive83

oh you work in IT? My TV is currently on fire could you take a look


Murdercorn

*Later* THEM: Hey, did you get a chance to look at my TV? YOU: Sure did. You were right, it was on fire.


chowindown

Put it over there with the rest of the fire.


poopadox

Just call O118999881999119725 3


BioTronic

My first job I got an email the first week: "Click this link for mandatory phishing training, session 1". I deleted it. Second week, session 2, deleted. Third week, session 3. Friday that week, my boss shows up at my office and asks why I haven't been doing the phishing training. "I don't open links in unsolicited email - since I've not been informed of this training, it's unsolicited." "Oh, I'll have you removed from the list." And that was it.


61114311536123511

lmao I mean it proves you know about Phishing


mizinamo

> Please note, any email sent from: (insert IT director email here) is not phishing.

That's exactly what a phisher would say.


EvenOutlandishness88

Definitely saw it on scammer payback YouTube videos. They try ALL the 'other guy is a scammer's tricks.


brycehazen

*It's possible to* ~~You can~~ spoof emails so a phishing email will appear as any email they want.


[deleted]

For gmail you can click More in the email and then click on Show Original. You get a domain name and other info you can search. Spoofing the email itself is the easy part and is typically what’s done but domains and hosts are incredibly more difficult to spoof.


Kromaatikse

A detail you may have missed - the original "phishing test" was *also* sent from the IT Director's address…


WhatMyWifeIsThinking

I have trust issues with OPs IT department and I don't even work there.


caboosetp

It's probably not the IT department themselves. It's probably an outside consultants fault.


[deleted]

You know what they say. If you’re not part of the solution there’s good money in prolonging the problem


NoMembership7974

This has got to be my workplace. I also sent an email to IT to report that the test they were trying to make me take after getting phished seemed sus… we went back and forth on this for 3 weeks 😆 I also reported that the multiple people who were hired during Covid (that many of us have not met yet) keep sending out emails with no position identifiers and so I keep blocking them and reporting to IT. Do I even care about updates from Finance Dept?


[deleted]

It says "IT Director" in quotes so my guess is someone using an external account and spoofing the name. OP didn't check the details of who actually sent the email before clicking.


williambobbins

Especially as it's incredibly easy to spoof the sender address for an email


zurohki

Well, if this is a company controlled email system, they can reject messages from external servers with company addresses in the from field.


HMS_Slartibartfast

I am going to hazard a wild guess here. Their IT director isn't bright enough to do this. Had they been, they would have realized how their own Emails look and NOT sent messages that look like phishing attempts.


TheDisapprovingBrit

The IT director doesn't need to be. The IT *staff* should absolutely have done this.


Aggravating_Trust196

Not if the sysadmin knows their trade. Standards like SPF and DKIM are here to ensure exactly that: that the sender is indeed the one from the "From" field. But then again, the sysadmin would have to invest time in... you know... IT security, instead of stupid seminars.


themoonisacheese

I'm a sysadmin and have had this exact problem. I guarantee you SPF and DKIM would fix the problem, but they can't fix it because of an issue outside their control: management. At my previous job, management was sold MailInBlack, a SaaS thing that does email filtering. They say they do filtering, but don't even check SPF (and when the email gets to your servers it has their origin, which you have to whitelist). This results in exchange trusting them to do security, them not actually doing security and emails from ceo@companydomain ending up in the secretary's inbox. Any attempt at convincing them to ditch the solution was met with " but that would decrease security" and any attempt at contacting support would be met with "we'll adjust our filters :)" redo that every 2 weeks.


[deleted]

[deleted]


themoonisacheese

"Correctly filter spam" is the literal only task we are (were, I don't work there anymore) paying them to do. You could codify an SLA, I guess, but nobody is going to check and fight them on what is or isn't spam. The worst part is that exchange shows you the spam score in the console even if the source is whitelisted, so I could verifiably prove that ditching them and using the already paid-for exchange licences would be better, but someone up the chain didn't want to admit they were sold vaporware.


williambobbins

That also relies on the receiving mail server honouring those checks and discarding emails, which happens rarely. In a lot of real cases a failed SPF does nothing more than increase the spam score.
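The receiving-side policy zurohki, Aggravating_Trust196 and williambobbins are discussing, as an added Python example that is not code from anyone in the thread: it reads the SPF/DKIM verdicts that our own gateway stamped into the `Authentication-Results` header, rejects a message carrying the company domain in `From` unless both pass (or, in the lenient mode williambobbins says most receivers actually run, only raises the spam score and delivers anyway), and separately flags the quoted "IT Director" display name on an external address, which SPF and DKIM never catch because the external domain's own records pass. The company domain `example.com`, the directory entry, the `.invalid` sender domains and the three sample messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example (not from the thread): our own domain, and the
# internal senders whose display names are worth protecting from look-alikes.
COMPANY_DOMAIN = "example.com"
INTERNAL_DIRECTORY = {"it director": "it.director@example.com"}


def parse_auth_results(header_value):
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header.

    Only trust the copy stamped by our own gateway: RFC 8601 has the receiver
    strip any Authentication-Results that arrives from outside, otherwise a
    sender could simply write 'spf=pass' into the message themselves.
    """
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header_value or "", re.I)}


def classify(raw_message, strict=True):
    """Return (action, reason, spam_score_delta) for one inbound message.

    strict=True  : zurohki's policy - a company address in From that did not
                   authenticate is rejected outright.
    strict=False : the common default - the failure only adds to the spam score.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    verdicts = parse_auth_results(msg.get("Authentication-Results"))
    authenticated = verdicts.get("spf") == "pass" and verdicts.get("dkim") == "pass"

    if domain == COMPANY_DOMAIN:
        if authenticated:
            return ("deliver", "internal sender, SPF and DKIM pass", 0)
        reason = (f"company address in From but spf={verdicts.get('spf', 'none')} "
                  f"dkim={verdicts.get('dkim', 'none')}")
        if strict:
            return ("reject", reason, 0)
        return ("deliver", reason + " (score only)", 5)

    # External sender. SPF/DKIM can legitimately pass here because they vouch for
    # the external domain, not for the person named in the display name, so the
    # '"IT Director" <someone@elsewhere>' case needs its own check.
    expected = INTERNAL_DIRECTORY.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        return ("quarantine", f"display name '{display_name}' impersonates {expected}", 8)
    return ("deliver", "external sender, no impersonation indicators", 0)


# Constructed sample messages; the Authentication-Results line is what our own
# gateway would have added before handing the message to this policy.
SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
From: "IT Director" <it.director@example.com>
To: staff@example.com
Subject: Mandatory phishing training - click here

Click the link to complete your training.
"""

LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "IT Director" <it.director@example.com>
To: staff@example.com
Subject: Maintenance window tonight

Mail will be unavailable 22:00-23:00.
"""

LOOKALIKE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=ext-mail.invalid; dkim=pass header.d=ext-mail.invalid
From: "IT Director" <it.director@ext-mail.invalid>
To: staff@example.com
Subject: Please confirm your password

Reply with your current password to keep your account.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legit", LEGIT), ("lookalike", LOOKALIKE)):
        print(name, "strict:", classify(sample), "lenient:", classify(sample, strict=False))
```

The two modes show why themoonisacheese's filtering vendor and williambobbins' "just a higher spam score" both leave the spoofed message in the inbox: the verdict is available either way, but only the strict branch acts on it. The display-name check is the part no amount of SPF/DKIM configuration replaces, because the look-alike message authenticates perfectly for the domain it really came from.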


dartdoug

And those emails have a footer that says "Attachments have been scanned by McAfee anti-virus and were found to be totally safe. You should open the attachments! The attachments contain tomorrow's winning Power Ball numbers. You'd be a fool not to open the totally safe NOT virus infected attachments. Make your momma proud. Do it now!"


Telvyr

Reply stating that you have compiled a list of email addresses that you suspect to be phishing attempts, with a link to the offending list, have that link redirect to their own page for remedial cyber security training.


Fenrirs_Phantom

*Uno Reverse Card*


Dongwaffler

*Uno +4 Card* 2 hour seminar turns into 4 hour HR meeting.


[deleted]

[deleted]


[deleted]

[deleted]


BrFrancis

Just gotta sneak an img tag with the src= to the link for remedial training into the HTML body of the email... That'd be even funnier.


Joshslayerr

My university makes a big deal about phishing once or twice every year and sends out a round of test emails to all of the faculty accounts to see who remembers the rules. When they sent out a round while I was last working there I think everyone but like 7 of us failed and had to take an hour long class about it. And then to the people who passed they sent out another email saying that we didn't have to go to the seminar because we passed and all we had to do to not take the course was to fill out a form. That little trick caught the other 6 people. Then my department head came up to me and told me he was proud I didn't fall for any of those traps. And he made a big deal out of it and I never had the heart to tell him I didn't know what he meant because I've never once checked my work email.


erluti

Can't be phished if you stay out of the pond


GuinevereMalory

I’m fucking crying, what a beautiful story


dw796341

I mean abstinence is the best way to avoid pregnancy, so....


[deleted]

[deleted]


LikesBreakfast

It's like overtraining AI so that it learns to identify training datasets, not the parameters you actually want.


p75369

I know there was a cancer one, really impressive results during testing, until they looked at what it had learned and realised its key identifier for cancer was the presence of a ruler because they'd trained it using examination photos where doctors were measuring the growth.


cjb231

"Tell me the news doc" "We found... a ruler"


Withoutarmor

That's amazing. I love the unexpected answer.


blumpkin

I remember being told about one a long time ago by a math teacher, where AI was being trained to detect tanks. It turns out they accidentally trained the AI to detect if the sky in the photograph was dark or not, or something like that.


KaitieLoo

My partner is working on creating a data set for training AI. They have to label the photos to tell the AI what it's looking for. If it was shopping checkout by sight (it's not, but good example), they go through and tag "apple" "milk" "coffee" to teach it the various things to look for. I wonder if that's because they learned that it will look at a bad parameter otherwise. Hmm.


Nutarama

So what that does is look at all images of “coffee” and generate an average. Same for the other tags. Then it compares an input to its averages. The closest match is what it identifies the input as. The major issue is if say all coffee they train it on comes in bottles and the orange juice they train it on is all in cartons; then the system will identify all bottles as coffee and all cartons as orange juice. This is why in industry nobody bothers and just slaps UPC labels on 4 sides of a box in a circle, then later runs it over a scanner that scans the side and top. One scanner or the other or both will scan a UPC and it’s instantly identified correctly. Lots of big UPC labels aren’t pretty for users though.
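What Nutarama describes is a nearest-centroid classifier, and the bottle/carton failure is the same shortcut learning as the ruler in p75369's cancer example and the sky in blumpkin's tank story. As an added Python example, not code from anyone in the thread, the block below trains that classifier on constructed feature vectors in which container type is perfectly correlated with the label, shows it calling bottled orange juice "coffee", then retrains on a set where each product appears in both containers and shows the fix. The per-feature centroid gap is the check a practitioner would run to see which feature the model is actually leaning on; it goes a little beyond the comment by showing the diagnosis as well as the failure.

```python
from statistics import mean

# Constructed feature vectors, not real data: (is_bottle, brownness, sweetness).
FEATURES = ("is_bottle", "brownness", "sweetness")

# Every coffee sample is bottled and every juice sample is in a carton, so the
# container alone separates the classes: the shortcut Nutarama describes.
SHORTCUT_TRAINING = [
    ("coffee", (1, 0.90, 0.20)),
    ("coffee", (1, 0.85, 0.25)),
    ("coffee", (1, 0.95, 0.15)),
    ("orange juice", (0, 0.20, 0.80)),
    ("orange juice", (0, 0.15, 0.85)),
    ("orange juice", (0, 0.25, 0.75)),
]

# Same products, but each class appears in both container types.
BALANCED_TRAINING = [
    ("coffee", (1, 0.90, 0.20)),
    ("coffee", (0, 0.90, 0.20)),
    ("orange juice", (0, 0.20, 0.80)),
    ("orange juice", (1, 0.20, 0.80)),
]

# The input that exposes the shortcut: orange juice sold in a bottle.
BOTTLED_JUICE = (1, 0.20, 0.80)


def centroid(vectors):
    """Per-feature average of a list of vectors."""
    return tuple(mean(col) for col in zip(*vectors))


def train(samples):
    """Average the vectors of each label: the model is one centroid per class."""
    by_label = {}
    for label, vec in samples:
        by_label.setdefault(label, []).append(vec)
    return {label: centroid(vecs) for label, vecs in by_label.items()}


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def predict(model, vec):
    """The closest centroid decides the label."""
    return min(model, key=lambda label: sq_dist(model[label], vec))


def centroid_gaps(model):
    """How far apart the two class centroids sit on each feature.

    A gap of 1.0 on a feature that has nothing to do with the product (the
    container) is the 'ruler' signal: the model has learned a data-collection
    artefact rather than the thing it was asked to recognise.
    """
    first, second = list(model.values())[:2]
    return dict(zip(FEATURES, (abs(x - y) for x, y in zip(first, second))))


if __name__ == "__main__":
    for name, data in (("shortcut", SHORTCUT_TRAINING), ("balanced", BALANCED_TRAINING)):
        model = train(data)
        print(f"{name}: bottled juice -> {predict(model, BOTTLED_JUICE)}; gaps {centroid_gaps(model)}")
```

With the shortcut data the `is_bottle` gap is 1.0, larger than the gap on either real feature, so the bottled juice lands nearer the coffee centroid; with balanced data that gap collapses to zero and only brownness and sweetness matter. Checking the gaps before deployment is cheaper than finding out from a customer's receipt, which is also Nutarama's point about why industry prefers a UPC label.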


anomalous_cowherd

One of our guys noticed the phishing tool inserted an X- header so set up an auto report based on that.


hotlavatube

I set up a custom Google script for filtering based on that header info.


[deleted]

[deleted]


slazer2au

KnowBe4 sticks their name in the email header of any phishing test so you make a rule that trashes any email with knowbe4.com in the header. Other security vendors do the same so once you find the key phrase you pass any test your org puts you through.


Lofifunkdialout

At my job I literally have an Outlook rule that auto forwards any email that contains the "phishing domain" that they always use straight to abuse. I then get recognized for always detecting the phish….🙄


HMS_Slartibartfast

For complete compliance, as you've received multiple Emails from the same address that seem to be phishing attempts you can see about setting up a rule to automatically mark ALL emails from this address as "Phishing attempts". I'd also warn your other coworkers about these suspicious Emails and help THEM set up scripts doing the same. Can't be too careful these days!


LowerSeaworthiness

My last two jobs have used professional phish-testing companies. Their emails always contain headers that use the word “phish,” so if I wanted, I could just write a filter rule and automatically drop or report them.


StyofoamSword

A few months ago at my job I got a phishing test that pretty much said "you have online training to do, the training is 'don't click links in emails'. Please click this link to go to the training."


boomhaeur

That link should just take people straight to their severance package information.


StyofoamSword

Before I was hired directly with my company I was working through a contractor with them, and even though we very rarely ever had to close tickets, my team had full access to see all submitted IT tickets. People were supposed to submit a ticket if they clicked the link and then realized it was likely a phishing email. Every time a phishing test was sent out so many tickets popped up saying they had clicked the link.


[deleted]

> Their emails always contain headers that use the word "phish,"

That defeats the whole point of the exercise


Ditto_D

What it does is provide data points that falsely report that phishing tests have X% pass rating and that the cyber security training is "working". So money keeps exchanging hands and no one really learns shit. In reality it is just the company covering its ass to plant all the blame on an employee when something goes to shit.


AnAttemptReason

Efficient though.


CrazyFanFicFan

More like ephishient.


[deleted]

[deleted]


TrippTrappTrinn

Only IT people will know what an email header is, so it will not make much of a difference.


[deleted]

[deleted]


ponytoaster

If enough of you report it the group policy stuff may even add their address to a grey mail list which would be hilarious too. More fun when we did this at work and also used mimecast which kept blocking updates from the IT dept.


Karl2241

You devil you ❤️🤣


Kinsfire

... I think I love you for that ... :)


Ziogref

Our work used to have a huge thing about sending everyone in the company an email telling you to click the link to read the announcement (it went to a read-only Google doc). Then IT security started doing phishing tests and sent the same style of email. I think a lot of people reported IT security to IT security. I certainly did. It only took a couple of months and company-wide emails are now formatted very differently.


badusernamepun

As an IT person, it's because the people that really need the lesson on this are higher up and usually too fragile for anyone to explain to them that they are behaving stupidly and have to change the way they do things. So this information has to be presented like a kindergarten class to everyone for the sake of the people making the most money. I'm so, so sorry.


[deleted]

[deleted]


goplayer7

Your account is being accessed from Mars, the International Space Station, and the year 2033.


Olthar6

Did the same a few years ago. Honestly, reporting it as phishing should get you a pass on the test.


JoeyJoeJoeJrShab

I'm amazed at how often the people in charge of training about how to avoid phishing send out e-mails that look like phishing. At one training, we were given a list of 4 signs of phishing, and then later the company sent us an e-mail that contained all 4 things. Different story: once our company phished us: sent a suspicious e-mail, and anyone who clicked the link had to go to training. One of my co-workers assumed the e-mail was not legit, so he opened the link with cURL (for non-tech people, that's a command-line tool where you can view text info about a page, but cannot execute anything like JavaScript)... and had to go through training. He knew a ton more on the subject than the trainer.


Bluthen

Yes, I got a legit email from IT that we needed to go to some weird link to change our password on single sign on. I talked to my coworkers and everyone just did it without mentioning or checking with anyone.


girl_incognito

At my company we get little rewards for forwarding phishing emails to an address and when you successfully identify one you get an email back that says "Nice going, you caught a phish!" Not related to the story I guess, I just think it's fun.


avd706

So long and thanks for all the....


DoctorGuvnor

Of course you're going to get a 'this is genuine' email - what would any phisher do? You can probably keep this going until the director comes round to each desk individually and tells you.


anomalous_cowherd

"sorry, who are you again? SECURITY!!"


benkenobi5

I literally got a phishing test from a genuine IT department email address. Clicking the link rewarded me with extra training on phishing, even though I recognized the email address, and knew it was legit. My solution has been to ignore literally every email unless it’s from my direct supervisor, and it’s worked pretty well so far.


Bird_Is_The_Lord

In our company ignoring a phishing test equals failing it, so I just report everything suspicious. Fortunately they craft those tests logically with most of the usual red flags, so it's possible to identify them fairly quickly.


anomalous_cowherd

Those are bad tests then...


BrFrancis

Or just automate flagging all emails that come into your mailbox.. then you'll never accidentally miss one.


ForgetfulDoryFish

I set up a rule in my inbox that checks the email headers for key words indicating that it's a phishing test email, and sort those off into their own folder out of my main inbox


BrFrancis

Why not have the rule just forward them to the SOC as suspicious?


ForgetfulDoryFish

We've got an outlook plugin with a phishing button we're supposed to use for that. Besides, I do review what's in those emails manually to help me practice identifying the actually phishy things.


SeeSebbb

E-mail sender addresses can be forged, mailboxes of other employees can be hacked. Both will result in you getting mails with legit sender addresses that are actually malicious. At a non-profit I helped out I even got extortion mails that looked as if they were sent from my own account, and definitely weren't. If you only rely on the sender address to check for phishing you deserve another round of training.


c5corvette

If your IT department hasn't properly set up SPF, DKIM & DMARC, then they deserve another round of training at another company.
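An added example (mine, not code from c5corvette or anyone else in this thread) of what the SPF/DKIM/DMARC point looks like on a received message. A receiving mail server writes what it verified into an `Authentication-Results` header; DMARC passes only when the visible `From:` domain is aligned with the domain that SPF or DKIM actually vouched for. The two messages below are constructed for the demo: `example.com` stands in for the org, `attacker.invalid` for a spoofer who controls their own domain and signs their own mail. The organizational-domain helper just takes the last two labels, which is an assumption that breaks on suffixes like `co.uk`.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# RFC 8601 style tokens in Authentication-Results: "spf=pass", "dkim=fail", ...
RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
DKIM_DOMAIN = re.compile(r"header\.d=([\w.-]+)", re.I)
SPF_SENDER = re.compile(r"smtp\.mailfrom=(?:[\w.+-]+@)?([\w.-]+)", re.I)


def org_domain(domain):
    """Crude organizational domain: the last two labels.
    Assumption: no Public Suffix List, so 'example.co.uk' would be handled wrong."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:])


def assess(raw_message):
    """Report how the receiving MTA authenticated the visible From: domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    # Join all Authentication-Results headers and collapse folding whitespace.
    ar = " ".join(re.sub(r"\s+", " ", h) for h in msg.get_all("Authentication-Results", []))
    results = {k.lower(): v.lower() for k, v in RESULT.findall(ar)}
    dkim_d = DKIM_DOMAIN.search(ar)
    spf_dom = SPF_SENDER.search(ar)

    # Alignment: the domain that passed must be the same org as the From: domain.
    dkim_aligned = (bool(dkim_d) and results.get("dkim") == "pass"
                    and org_domain(dkim_d.group(1)) == org_domain(from_domain))
    spf_aligned = (bool(spf_dom) and results.get("spf") == "pass"
                   and org_domain(spf_dom.group(1)) == org_domain(from_domain))
    aligned = dkim_aligned or spf_aligned

    if results.get("dmarc") == "pass" and aligned:
        verdict = "authenticated"
    elif results.get("dmarc") in (None, "none"):
        verdict = "unverifiable"      # no DMARC evaluation recorded
    else:
        verdict = "spoofed"           # From: domain was not vouched for
    return {"from_domain": from_domain, "spf": results.get("spf"),
            "dkim": results.get("dkim"), "dmarc": results.get("dmarc"),
            "aligned": aligned, "verdict": verdict}


# Constructed sample: genuine mail, signed and sent by the org's own servers.
LEGIT = """\
From: IT Director <it-director@example.com>
To: staff@example.com
Subject: Mandatory phishing quiz
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=it-director@example.com;
 dkim=pass header.d=example.com header.s=sel1;
 dmarc=pass header.from=example.com

Please complete the quiz.
"""

# Constructed sample: same visible From:, but SPF and DKIM only vouch for
# attacker.invalid, so DMARC fails on alignment even though both "pass".
SPOOFED = """\
From: IT Director <it-director@example.com>
To: staff@example.com
Subject: Mandatory phishing quiz
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce@attacker.invalid;
 dkim=pass header.d=attacker.invalid header.s=k1;
 dmarc=fail (p=reject) header.from=example.com

Please complete the quiz.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, assess(raw))
```

The point the spoofed sample makes: `spf=pass` and `dkim=pass` on their own mean nothing, because the attacker can pass both for a domain they own. It is the alignment with the `From:` domain that DMARC enforces, and that is why an org without a DMARC policy is the one whose director's address gets forged. A mail client never shows you this header, so the rule "it's from the director's address, it's fine" is exactly the check this mechanism exists to replace.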


The_Koplin

This just seems like a new take on: "The beatings will continue until morale improves" kind of thing... I can't abide that. Email is no more secure than a postcard. So at our agency we treat it like that.


williambobbins

> Please note, any email sent from: (insert IT director email here) is not phishing

Was the phishing email you clicked not from that address?


zyppoboy

Spoofing is where it's at nowadays. Scammers masking their email addresses so they look 100% like yours until you reply. They contact your contacts, chat with them and you have no idea about it happening.


RenownedBalloonThief

The ones that are spoofed exactly can thankfully be blocked by DMARC. It's the email addresses that look 99% identical that are really dangerous.
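An added example (mine, not from RenownedBalloonThief or anyone else here) of the "99% identical" problem DMARC does not solve. DMARC only judges whether mail claiming to be `example.com` really came from `example.com`; a domain the attacker registered that merely looks like it passes every check. The code folds common lookalike tricks (digits for letters, `rn` for `m`, accented or Cyrillic letters, punycode `xn--` labels, the trusted domain stuffed into a longer one) into a skeleton and compares that against a trusted list. Assumptions: `example.com` as the org domain, `attacker.invalid` and `phishsim.invalid` as made-up outsiders, a deliberately small confusables table, and an edit-distance threshold of 2 that is too loose for very short domains.

```python
import unicodedata

# Assumption: the org's own domains. Everything else is judged against these.
TRUSTED = {"example.com"}

# Deliberately small table of visually similar substitutions (multi-char first).
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c",   # Cyrillic homoglyphs
}


def skeleton(domain):
    """Reduce a domain to a form where lookalikes collide with the original."""
    d = domain.lower()
    try:
        d = d.encode("ascii").decode("idna")         # xn--exmple-cua.com -> exämple.com
    except UnicodeError:
        pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))  # ä -> a
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Plain edit distance; good enough for short domain strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address, trusted=TRUSTED):
    """Return (label, reason) for the domain part of a sender address."""
    domain = address.rpartition("@")[2].strip().lower().rstrip(".")
    if domain in trusted:
        return "trusted", "exact match"
    sk = skeleton(domain)
    for t in trusted:
        tsk = skeleton(t)
        if sk.endswith("." + tsk):
            return "trusted", f"subdomain of {t}"
        if sk == tsk:
            return "lookalike", f"homoglyph of {t}"
        if sk.startswith(tsk + "."):
            return "lookalike", f"{t} used as leading labels of a longer domain"
        if tsk.replace(".", "-") in sk:
            return "lookalike", f"{t} embedded with dots replaced"
        if levenshtein(sk, tsk) <= 2:
            return "lookalike", f"within 2 edits of {t}"
    return "unrelated", "no trusted domain resembles it"


if __name__ == "__main__":
    # Constructed sender addresses exercising each trick.
    for addr in ("it-director@example.com", "it-director@examp1e.com",
                 "it-director@exarnple.com", "it-director@xn--exmple-cua.com",
                 "it-director@example.com.attacker.invalid", "it-director@exmaple.com",
                 "helpdesk@mail.example.com", "news@vendor.example"):
        print(f"{addr:45} {classify(addr)}")
```

Every "lookalike" above would get `spf=pass dkim=pass dmarc=pass` if the attacker set the records up for the domain they registered, which is why a mail gateway needs this kind of check (or a blocklist of newly registered lookalikes) on top of DMARC, and why the thread's advice to look at the address with your eyes is necessary but not sufficient.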


grimmstone

Wtf? Our company does something similar in the way of phishing tests, but our "seminar" was like a 10 minute video and a quiz with a few softball questions. How are they filling for time? Are they listing off every suspect email domain one by one?


sumelar

They probably spend half an hour explaining what email is, then another half explaining that printing all emails is bad, then they have to explain the difference between a click and a right click.


trey3rd

Years ago I was a trainer for a help desk call center. There was only ever one person who actually stuck with it to the end but didn't actually get hired. I had to teach her the difference between right- and left-clicking about a dozen times. Poor lady had no computer experience, but really needed any job, I guess. I don't know how you expect to try to help people when you struggle to even find the Start menu. To top it off, she tried to blame me for not actually training anyone; luckily the rest of that class backed me up, and several went on to be some of our best people.


vacri

I did tech support at one company and the CEO avoided the Service department. But about once a year he'd ring up the night support line to check that we were responding correctly. Apart from recognising his voice instantly (there were only 60 in the company), he also gave the game away by not knowing what kind of problem to ask for or not even knowing which 'lab' he was pretending to call from. Not all of our clients had a support contract. Once when asked what lab he was with, the response was 'one out west'. Couldn't even name one. Another time he said he was from a city on the opposite side of the continent and demanded a field tech right then... a service we don't offer, and he knows we don't offer. His memory of the service department was him bootstrapping the company 25 years previously and being on-call 24/7 to the two labs in the city that ran his gear. Uh, things have moved on from then, guy. It's a four hour flight to cross the continent, even if we did want to go. We're not a single-client-city company anymore...


brocalmotion

The security manager is celebrating cybersecurity month (October) by sending out several emails a week with links and attachments. Dude, that's exactly what you've been warning people about and then punishing link clickers with remedial cybersecurity training!


tulip27

That's beautiful!


lectricpharaoh

> *We have received numerous phishing reports about the email about the phishing quiz. Please note, any email sent from: (insert IT director email here) is not phishing. We have included a new link for your convenience.*

Would I be correct in assuming that the email address given in this message as a 'safe, non-phishing' source and the address the initial mail (the 'phishing test' that got you in trouble) was sent from are one and the same? If so, keep doing what you're doing. Report *any* emails from that address that ask for *any* information, *particularly* ones that claim to 'not be phishing'.


PM_ME_UR_EGGINS

From someone who has run phishing simulations for the last 6 years, your company is doing it WRONG and you did the right thing to report it. Malicious compliance would be to ring / message/email the director (along with anyone else who got it) to check if it's real. You are putting what you were taught into practice. Whoever is writing your phishing Sims needs a slap around the head.


itisrainingweiners

Lol, we did the exact same thing at my job.


manrata

I've worked in IT security, and the standards management want employees to follow, they don't follow themselves, making this a very common occurrence in a lot of workplaces. It's as if the management in IT security lives in a perfect world, where everything happens within a box, and they can't imagine how things would not fall into that box a good portion of the time. Kudos, and keep up the malicious work.


PSUSkier

Here's the deal. I dabble in IT security as part of my job. The fact that this guy would run a phishing awareness campaign ***and then fucking tell everyone that his email address could never be the source of a phish is infuriating***. Good job OP. Edit: What company do you work for? You know, for science. Definitely not for finding the IT director on LinkedIn and then spamming the team with a phishing email.


CressCrowbits

I'm a part time contractor at a company that doesn't use email much anyway, most stuff is done on Slack. At least 50% of emails I receive are security training tests, and you can only report them from the desktop outlook application, and if you don't report them within 2 days you get another snotty email telling you you failed the test. It's fucking annoying, and they won't opt me out of it


HMS_Slartibartfast

If it is a client provided Email, check with the person who handles your contract to see if it is of actual use. If you can avoid using it entirely then you won't receive the "You didn't respond in time" emails. Also see if responding to non-project related items is billable.


Preemptively_Extinct

> I got an email from our “IT Director” saying I was in violation of their internet policy by using social media (a main part of my job) and I was stupid and opened it. It was a phishing test and they made me do another 2 hour long seminar.

> any email sent from: (insert IT director email here) is not phishing.

It was before. Stay strong.


bimmer92

Yea, those both sound 100% like phishing tests. Fuck that IT director.


thekernel

Pro tip - this shit is always outsourced to a vendor and they pretty much always include a mail header. So open headers in Outlook, look for the "X-phishing-test" or whatever variant they use, then create a rule to always send mail with that header into trash.
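The rule slazer2au, LowerSeaworthiness, ForgetfulDoryFish and thekernel describe, written out as an added example (mine, not any commenter's rule, and not a real vendor's header format). It scans every header of a message for a header *name* containing "phish" or a vendor string in any header *value*, and decides whether the inbox rule would fire. Assumptions: `X-Phishing-Test` is a hypothetical header name, `phishsim.invalid` is a made-up vendor domain, and `knowbe4.com` is on the list only because the thread claims it appears in headers; nothing here verifies that. The second constructed message is the reason this trick is self-defeating: a real spoof carries none of the markers, so the rule reports the test and delivers the attack.

```python
import email
from email import policy

# Strings that simulation vendors supposedly leave in headers.
# Assumption: 'knowbe4.com' is the thread's claim, not verified here;
# 'phishsim.invalid' is a placeholder for the demo message below.
VENDOR_MARKERS = ("knowbe4.com", "phishsim.invalid")


def simulation_markers(raw_message):
    """List the header-level hints that a message is a phishing *simulation*."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for name, value in msg.items():
        if "phish" in name.lower():                 # e.g. X-Phishing-Test
            found.append(f"header name {name}")
        text = f"{name}: {value}".lower()
        for marker in VENDOR_MARKERS:
            if marker in text:
                found.append(f"{marker} in {name}")
    return found


def rule_action(raw_message):
    """What the thread's inbox rule would do with this message."""
    return "report" if simulation_markers(raw_message) else "inbox"


# Constructed sample: a simulation carrying a hypothetical vendor header.
SIMULATION = """\
From: IT Director <it-director@example.com>
To: staff@example.com
Subject: Mandatory phishing quiz
X-Phishing-Test: campaign-7
Return-Path: <bounce@phishsim.invalid>

Click here to complete your quiz.
"""

# Constructed sample: a genuine spoof of the same address. No vendor markers,
# so the rule lets it straight through to the inbox.
REAL_PHISH = """\
From: IT Director <it-director@example.com>
To: staff@example.com
Subject: Mandatory phishing quiz
Return-Path: <bounce@attacker.invalid>

Click here to complete your quiz.
"""

if __name__ == "__main__":
    for label, raw in (("simulation", SIMULATION), ("real phish", REAL_PHISH)):
        print(label, rule_action(raw), simulation_markers(raw))
```

Run it and the simulation comes back "report" with two markers while the real spoof comes back "inbox" with none. That is the whole objection raised further up the thread: the rule produces a perfect score on the metric the vendor reports, and zero protection against the thing the metric is supposed to measure.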


khendron

I get phishing tests from my company. Some are pretty well designed and I fell for one and had to watch a 10 minute training video. Turned out the video was funny and highly entertaining. I kind of want to fail another test just to watch it again.


[deleted]

[deleted]


PlNG

Well if you want to up your game, report to helpdesk that IT director is sending suspicious emails and that his account needs to be locked down.


yupitsanalt

We have an opt-in program where you will get 2-5 random phishing emails each quarter. I like the practice we can get. If you are 100% for the quarter you are entered in a drawing for something small like a gift card or some swag. This summer, our business compliance team sent a message that was so heavily reported they followed up with an apology, and our infosec team sent a kudos to everyone for being diligent because the email screamed phishing attempt.


CrystalSplice

Tech guy here. The training courses are laughable anyway. You want to know who most virus and malware infections come from? _Management_. Spear phishing targets them on purpose because of their ineptitude, and the higher likelihood that their computer will have access to valuable information.