You must log in or register to comment.
we do monthly phishing tests and some of our people are so bad that we put in the test email “this is a phishing email, do not click sign in” above and below the sign in box and they still give creds
seccomp sent pre-notice emails out about the phishing tests that were coming.
75% of the company reported the pre-notice email as phishing (even the CEO).
we did it mostly because the seccomp team was a huge thorn and caused so many unnecessary delays due to them injecting themselves into every single process.
the CSO quit soon after and some of their lackeys with them. we then hired a competent leader that worked with the org to meet compliance and regulatory requirements instead of being a blocker.
People see the word “phishing” and automatically remember that phishing mails exist, so their first reaction is to report them, not read them.
Had to setup a fake phishing system as well.
Before the training was setup, people rarely reported mails. But the moment we send out mails about the phishing training, a ton of those got reported.
If phishing mails actually told you they were phishing, we wouldn’t need training.
“Blah blah blah… ‘click sign in’… Okay, gotcha!”
I read an interesting report about how most of these courses are rather ineffective because it adds knowledge but doesn’t change behaviors.
https://www.cybersecuritydive.com/news/cybersecurity-awareness-training-research-flaws/803201/
For us they just make the people that click them do some online training. I don’t think anyone learns anything during that but I suspect not having to do the training serves as a great incentive to be careful.
It doesn’t help though that we’ve had multiple cases of obvious phishing mails everyone just deleted that were followed up by a “no those mails were legit please click the link” by HR…
That is what really irks me. People who write mails exactly like phishing mails.
Just some bland text asking for urgent action, with one link in the middle that is obscured. No signature, no company images, just a name at the bottom.
Better to delete those than to click on actual phishing mails though.
And the link goes to one of the Office 365 things that asks you to sign in every single time for some fucking stupid reason.
A previous (huge) company of mine sent out a lot of phishing test emails, some of which were pretty convincing.
As developers, we quickly discovered that all the emails had a metadata header in them which identified them as a phishing test, so we set up a filter for it so every email since is clearly coded with a bright red “Phishing test!” label.
Assuming that’s disabled -
experienced folks can get caught (e.g. maybe waking up before dawn or something)
Can be a good reminder, a little humbling!
Did it also label real phishing mails?
Because those tests are send out for a reason. And in my experience, developers are some of the worst at cybersecurity.
Here they started doing such phishing tests a while ago and our IT department had significantly worse stats than other departments, in terms of how often we would click on the link in the phishing mail.
And yeah, the conclusion was that we were just being asshats that decided to poke around in the obvious phishing mails for the fun of it. Rather than getting extra security training, management told us to just stop dicking around, so that our stats look better.
… You must be one of my co-workers. Except that we just delete ours rather than labeling them.
We needed to label them because the requirement was not only that we don’t click them, but that we use the “report phishing” function on them.
Also some of them were pretty funny.
Was it hoxhunt? It’s a bit spammy but they seem to push for a more gamefied approach over collective punishment.
Not in my case, no. The content was completely custom to the organisation. I assume they were big enough that they felt like a lot of the risk would come from coordinated spearphishing carefully crafted to look like genuine corp email.
I fucking hate hoxhunt. Just let me send shit to the junk folder and ignore it.
Aren’t you supposed to report them though
In my case, the phishing tests originated with the organization that owns my employer, rather than within my employer itself. Our email states are entirely distinct so, while we can report the emails, no one would ever care.
I have the same thing. All the emails come from nova.phishme.com so I have outlook set to mark them as junk so I can “report” the phishing attempt.
X-Phish
My favorite band from 1999
Where I work they use the microsoft phishing simulation, for which they publish a list of domains they send from.
Thanks for the tip!
The head of IT at one of my old jobs won 3 or 4 iPhones circa 2007
Shit… I’m doing that course in normal business hours. Get fucked brenda!
For real! A course is work. If I’m working I get paid for my time. End of story.
Don’t let them rob you! (any more than they already are)
I wish I could get my flock of idiots in for a course. I’m sick of uninstalling swift browser
If a coworker leaves their pc unlocked near me I like to click the phishing emails so they have to do the course. Tee hee!
It is a good practice to start what we call “Hasslehoffing”
It is where you change the background to a picture of David Hasslehoff every time someone leaves their PC unlocked for a long enough time to change the background. The more it happens, the sexier he gets.
I urge other colleagues to do the same. The only defense there is against that is to lock your PC every time you leave your desk. It really works.
I worked at a company where everyone would try and send an email to themselves from an unlocked PC. That mail contained a heads up that the victim willl bring cake into the office e.g. next tuesday. They then were typically forwarded to the whole team while thanking them for their generosity.
It really hammered that lesson home and the victims did honor the cake-mails. Only downside was, that this led to people to tryimg to bait each other into leaving their PCs unlocked and creative countermeasures, such as delaying mails containing the word ‘cake’.
Exactly, it’s my own version of teaching cyber security!
I recently set somebody’s homepage to meatspin.com and they snitched on me to the boss because they were worried they’d get pulled up for visiting NSFW websites. The boss just said “Why was your PC unlocked?”
Maybe your work atmosphere is different, but if I showed meatspin to a coworker, it would be considered pretty fucking weird and inapproproate.
Oh yeah I definitely wouldn’t recommend doing this unless you’re comfortable with all your colleagues!
Ah, I might try this 😂 my current strategy is to install and run xneko on coworkers’ computers when they forget to lock their screen, so they will have a cat running after their mouse pointer.
We used beer, but same idea.
I created a little script that ran on startup that would wait a random amount of time between 5 and 15 mins and would just hit the left key once. I dropped it on a dev’s computer when he left it unlocked and forgot about it. After weeks of torment, it activated while he had a YouTube video so he figured out it wasn’t his fault. He was convinced it was the keyboard and started harassing IT so I had to come clean.
Jokes on me though, every time there was any quirk on his computer, server, or with his code he blamed me and didn’t believe me.
Or have some fun with https://whitescreen.tv/fake-blue-screen/
Send invite to everyone for after work beer.
We all have to do the course. And honestly I’m not even mad.
In my line of work, most people are not computer savvy. We’re running Windows 11 and no one has admin privileges, even the highest ranking people. They’re all limited. That’s fine. We can’t install anything. I’m pretty sure I could hit up PortableApps and get some portable software working, but I’m not trying to push my luck. I’m pretty sure I know what I can and can’t get away with, but it’s a good job and I don’t want to mess it up. Besides, a lot of people are illegally streaming sports or movies and getting away with that, so IT security is pretty lax. That’s probably true at a lot of places.
I don’t mind the cybersecurity courses because I mute them and make them run at double speed and I ignore them, clicking through, then I ace the test. It’s not that I don’t care. I just know the material already. I’ve also helped coworkers who earnestly sat through the whole thing and are genuinely struggling. I know they hate how casually I get all the questions right, but they hate having to go through it a second time even more.
Plus, there’s one vendor of training videos that is kind of like an office comedy, and one of the workers has a bunch of anime fan art in their cubicle. So it amuses me to no end that all of my coworkers are seeing these characters. It’s nothing recent and I haven’t seen it in a while. I know Killua from Hunter x Hunter is there. 12 year old boy, has super powers, something with lightning? (been ages since I watched HxH, and Meruem best boy) and he can rip your heart out of your chest (he’s done it before). I feel like they need to add Anya Forger (from SPYxFAMILY) to the wall. That would be funny. (Telepathic toddler, dumb as a box of rocks, and just as adorable.)
The twist? The cat was Toonces and he never did make it into work that day!
Look out Toonces!!!
Why would they have to come in at 7am?
Its some kind of American exceptionalism thing we’re too normal to understand.
Training courses are during business hours or nobody would show up to them in Australia (and I’m guessing its the same in the UK from your username).
So shafted by their work culture they don’t even question the meme…
It is sad but true. I am USAian, and it is a constant battle with co-workers to get them to stand up even a little against dumb mandates. It’s especially frustrating because EVERY DAMN TIME we do push back, management backs down. You’d think they would see the pattern…
Yeah, there’s billions, maybe trillions or beyond, of dollars’ worth of investment put into making sure everyone "Really needs this job." which can be ripped away from them in an instant, so they won’t be inclined to risk any “insubordination.”
A few years ago we were discussing how some companies were trying 4-day weeks and someone said that they’d like to try four 10-hour days instead of five 8-hour.
They could not imagine that it meant working fewer hours.
You think American work culture is bad (which it is)? You should see Japanese work culture… the sheer amount of unpaid work they do over there, along with mandatory unpaid socialising, even holding a collection for their bosses and bringing back souvenirs for their colleagues and bosses when they go on holiday somewhere :/
bringing back souvenirs for their colleagues and bosses when they go on holiday somewhere :/
Damn, I used to do that for some coworkers because we were actually friends. I cannot imagine how shitty it would feel to be forced to do that.
Yeah, it’s a whole thing, it’s called omiyage and it’s seen as an apology for your absence and thanking your boss and colleagues for allowing you time off.
…y’know, your entitlement to paid leave.
I wonder how far you could stretch it. Get them all (if you’re coming to america, for instance) those little plastic acorns with a little item in it from those coin machines that used to be by every convenience store’s doors. Though I haven’t seen any of those in ages, so maybe not.
I haven’t seen them outside of nerd spaces in years, but the hypothetical coworkers might be entertained by American Gashapon. I think the Japanese ones are always higher quality stuff than ours but there were some entertaining toy lines in those.
Because fuck you.
- middle management.
Upper management - make sure everyone is in for 9 for training
middle management - fuck better make sure everyone is there, everyone in at 8 for training,
lowest manger - shit there is no way user will be in at 8, shit bag user be in at 7 for mandatory training!
You want me in your office at 7, Brenda? Sure, I’ll come in for 7. But I’m sure as hell going via the timeclock first.
is anyone actually awake at 7?
It’s not until nine or even ten, and several pots of coffee that my mind is ready to absorb training information. Anything before 9, and I’m not awake enough to filter the rank sarcasm concerning the terrible AI training slides.
I’m an early bird, I’m more productive at 7am than I am at 7pm. Everyone’s different. :)
I consider myself mostly useless at work from 9h to 9h30, and most effective from 17h to 19h
But no way I’m staying up to 19h anymore
Normal people aren’t but I am. Perfect time to work undisturbed!
you should got to sleep sooner!
I am getting 7h of sleep
If you ever have kids 7 is considered a sleep in
Well, did he win?
