Alt text: Michael Scott Handshake meme. Managers text: “My company Congratulating me on avoiding a phishing test email”. Michael Scott text: “Me, terminally behind on answering email.”
Alt text: Michael Scott Handshake meme. Managers text: “My company Congratulating me on avoiding a phishing test email”. Michael Scott text: “Me, terminally behind on answering email.”
The IT people send out the phishing mail themselves as part of a test. It isn’t an actual phishing mail, just something made to look and act like one. In the end they have a report which people fell for it, which ignored it (or were ooo) and which reported it.
Reporting is done via the report phishing feature in Outlook. For consumers it’s sent to Microsoft, but for businesses you can configure those reports to do what you want. It’s actually a really good feature and people should always use it.
Does your IT team tell you that they’re performing the test and to report, or is reporting phishing always constantly recommended. I’ve managed a small org ( <100 ) email server and we tried to have people report suspicious emails and it was so much noise and wasted so much time. Of course the CEO isn’t requesting you buy gift cards, what am I going to do about it. I’d say the money would be better spent on a better system rather than hope one human forwards it to another human.