Transcript
Panel 1: [Coworker in a red tie with dark hair leans into the cubicle of IT who is busy on a computer, a key card or ID hangs around his neck]
Coworker: I clicked an email link and it says I need training?
Panel 2: [IT stops working and looks irritated]
IT: Ah yes. The Training.
Panel 3: [IT sprays the coworker with a spray bottle]
FSHSSSH
FSHSSSH
FSHSSSH
IT: BAD! THAT WAS BAD!
Panel 4: [IT continues spraying the coworker, now crouching down hands raised defensively as the water is sprayed in his face. IT ha a look of glee on his face as another coworker walks by with a look of concern on her face, papers in hand.]
FSHSSSH
FSHSSSH
FSHSSSH
FSHSSSH
FSHSSSH
Coworker: HISSS!
Alt Text
The next training module unlocks after three hisses
.
You must log in or register to comment.
I clicked on that link once, can confirm this is what happens.
Someone at my company clicked on a phishing link and actually entered their AD login password when asked.
We nuked his account and recreated it using p.lastname instead of the usual peter.lastname as username.We told the C-Suite this is necessary as the former e-mail address is now known to attackers as a potential mark. But internally, the senior admin called it “Learning through pain”.
Later found out his colleagues called him Pee-Dot behind his back for a while.
The only phishing mails I receive are phishing tests from within the company…
I recently had one that was like “Due to recent events, we feel it necessary to remind everyone about the regulations in the Code of Conduct about accepting gifts from clients. Please read the CoC if you have not done so and confirm you have read it via this link. Signed HR”. The link was fake, and the sender address was, too. It was a good fake though, because we actually do have a CoC and have to read/confirm about once a year. So I’m pretty sure it was a test to select people for training.
Yes, you can identify them by the X-Phish header. I hope real phishing mails have it too
My rule of thumb is: if it’s something nice for me, it’s not real (more money, goodies, more vacation days, …) and it worked pretty good so far. There was only one fake cyber security training invitation which kind of felt like not the most constructive idea…
Yeah, also urgency is a big red flag for me. Almost all phishing messages are like “log in immediately or something bad happens”
tbf I got one that was trying to warn me of incorrect tax info which needs to be resolved only a month after I started lol.
Wasn’t gonna click the link but I did do a double take because they formed it really well like a proper spear phish email would.
Of course my job at some point involved memeing with gophish templates so I don’t think they’ll ever get me, especially when I’m using a proper client that lets me immediately swap to HTML and see the blocked image tracker tag lol.
Something good happens to me -> wait a minute, this is a trap!
Something bad happens to me -> all according to plan
Words to live by.
If phish.me or kn4b are in the header I assume it’s spam and I have rules in every email account to scrap them to a special folder so I can report them to give the false positive that I identified the test.
I work at a large well established company. I get so many legitimate emails from outside our domain that I am required to click on. Performance reviews, company surveys, corporate training…
Then they wonder why people click fishing links. Bugs the crap out of me. I’m not going to remember the exact domain of the survey company we use, what are you crazy?
I’m not going to remember the exact domain of the survey company we use, what are you crazy?
I agree, and have decided to err on the side of caution, and also put the irritation over on higher-ups. If I get some link I’m required to click that I’m not actively expecting from an unrecognised address, just trash the email. A couple times, I’ve gotten follow-up from a superior asking me why I haven’t responded to <survey>, and I just tell them I haven’t seen it and that it probably got caught in my spam filter. They send me the link in question, and I respond.
I quite quickly realised that most of those surveys they need “everyone” to respond to will just slide quietly by when I do this, so I don’t need to spend time on them. My reasoning is that if it’s actually important, I’ll get it through a reliable channel, and so far that’s worked.
To be fair, I also dump anything that comes from some variant of “noreply” to junk. I figure that if I can’t reply, and I’m not actively expecting the email enough that I check my junk folder, it isn’t important.
Look at the URL before you click. Enforcing plain text mails makes it easier.
Spam/phishing also usually neglect the plain-text part in copying company mails. Yeah, a lot of shitstain companies too, but spam still looks different in plain text.We use mimecast, so all links in emails are replaced with links through mimecast for them to check.
That means you can’t see the original link easily though… So makes it harder to check if they are iffy.
Email viruses can’t affect me because I never read my emails 😤
There’s so much bullshit that I just erase quicker than my shadow. When that thing on the bottom left pops up, there’s a trashcan on the notification.
I erase anything that is not addressed to me directly in that split second.
We did that at a former workplace. Everyone failed.
My former workplace stopped publishing the stats on which department had the most failures when the first round showed more than half of the executives clicked the scam link in their email.
They do that here routinely. The last time they sent it using the email account that is basically the one email that you do not ignore because they use it for urgent “please push the patch asap” type emails.
If that email is compromised they got bigger issues.
that email is compromised they got bigger issues.
Sending an email doesn’t have authentication. I can send an email as literally anyone. It’s a very trusting protocol.
Now, if your company is particularly good they might have set up protections from this. But it’s not required, and not super common.
What would that be testing, whether the users are psychic? If the email sender is legitimate, then what else would users need to do?
my team actually does pretty good with the cyber security checks. the people running the have to meet a certain amount of metrics so they figured “hey if we send it from this one email, everyone is going to trust us!” … because that’s what they’re supposed to do… Which makes a terrible thing to do. because now they’re always going to be asking if this new email is another test.
(Bruh. if you want us to go to training, just ask.)
They bought a domain name similar to ours and sent out emails with links to the domain and a clone login page. Pretty sneaky.
At a previous job, they used to send them fairly often, using various tricks to keep people on their toes. I found it fun
All of ours have phishing in the URLs or in the email headers, if only real phishers were so nice!
Jokes on them, I don’t open any emails. For security, of course.
“I’m sorry, I marked you as spam.”
Did they complain to HR about the squirt bottles?
Employees who fail our phishing test will have anchovies thrown at them
![Acceptable Use Pawlicy [TrueNuff]](https://lemmy.world/pictrs/image/c1e2ddf4-6afb-48f1-aede-85c3359f36ad.jpeg){kind=link}