Alt text: Michael Scott Handshake meme. Manager's text: “My company congratulating me on avoiding a phishing test email”. Michael Scott text: “Me, terminally behind on answering email.”

  • Boozilla@discuss.online
    English · ↑ 2 · 7 months ago

    I created an inbox rule for these. The 3rd party phishing shame-and-train company my employer uses always has a certain domain in the email header (even though they always change the ‘from’ address). Has worked perfectly for over 6 months. I’m generally not dumb enough to click on them anyway. But anyone can have a bad day and/or get into a rush and make a mistake. And my boss is a sadistic prick who delights in making workers feel dumb. Yet I’m 100% sure he exempts himself from the phishing shit tests.

  • MrShankles@reddthat.com
    ↑ 2 · 7 months ago

    I always right-clicked for the “more info” (or whatever it was) with any suspicious email. It would look like a bunch of HTML code that I didn’t really understand, but buried in there would be a company name that was usually obvious, like “phishtesting.com” or some bullshit.

    I always had a 100% report rate, and always joked that I was waiting to get a prize for my accuracy. And obviously, also a joke to ever think I would get anything for it.

  • Thorry84@feddit.nl
    ↑ 2 · 7 months ago

    Where I work you only pass the test if you report it to IT, otherwise it’s 3 hours of training with the rest of the idiots.

      • Thorry84@feddit.nl
        ↑ 2 · edited 7 months ago

        The IT people send out the phishing mail themselves as part of a test. It isn’t an actual phishing mail, just something made to look and act like one. In the end they have a report of which people fell for it, which ignored it (or were OOO), and which reported it.

        Reporting is done via the report phishing feature in Outlook. For consumers it’s sent to Microsoft, but for businesses you can configure those reports to do what you want. It’s actually a really good feature and people should always use it.

        • bamboo@lemmy.blahaj.zone
          English · ↑ 1 · 7 months ago

          Does your IT team tell you that they’re performing the test and to report, or is reporting phishing always constantly recommended? I’ve managed a small org (<100) email server and we tried to have people report suspicious emails and it was so much noise and wasted so much time. Of course the CEO isn’t requesting you buy gift cards, what am I going to do about it? I’d say the money would be better spent on a better system rather than hope one human forwards it to another human.

      • Black616Angel@feddit.de
        ↑ 1 · 7 months ago

        No, it’s better to get some useless reports than to get no reports at all because “somebody will surely report this”.

        Also people stay alert when punishment is an option.

  • Kalkaline@leminal.space
    ↑ 1 · 7 months ago

    “Let’s also make our users follow really complex password requirements but have our password creation/change page be different from the actual login screen so they have a really hard time using a password manager”-dumbass IT department

  • Daniel F.@aussie.zone
    English · ↑ 1 · 7 months ago

    The best way to avoid scam emails is just to change your email account’s password to a random string, not save it, then log out. I’ve also shredded my SIM card so I can’t receive scam texts.

  • Zoboomafoo@slrpnk.net
    ↑ 0 · 7 months ago

    I eventually clicked the link in the test email out of curiosity. I got a nice popup telling me I fucked up.