Pro tip, set up a rule in your email client to send any email that contains the following phrases, phishme.com or knowb4, in the header to junk.
Note that I said header, not From field.
It is so stupid that orgs spend thousands of dollars on these products and you can be seen as not being a phishing risk because of their shitty systems.
I’m a software developer. A few years ago, we were all sent mail by a sketchy looking company that had our company’s logo slapped onto the header in the sloppiest way possible and wanted us to click on a link to a “mandatory Cybersecurity training”.
Obviously everyone ignored it. Which is exactly what you’d want people to do. Turns out, it was real and not a scam, just incompetence.
A company I used to work for used paycom(dot)com for their HR software. So we would frequently get notifications from there for work stuff. One day I got an external work email telling me to click a link to a paycom(dot)net site to sign up for a raffle to win a free ipad. I thought that looked sketchy as fuck so I did a quick whois on the .net and .com sites. They were completely different and the .net site was basically entirely anonymised. So obviously at that point I was like “damn this phisher managed to get the .net domain for paycom. That’s kind of impressive. I should let our IS guy know so he knows we’re being targeted.” So I shot off an email to our basically only IS guy and he responded by telling me that the email was legit and everyone in the company got it because the company was giving away an extra ipad they had. But he also said now that I pointed it out it was the sketchiest looking email he had seen in a while.
I honestly should have known better considering this is the same company where at one point a different IS person had sent me an email basically just saying “Your computer has a virus. Open this attachment to remove it.” Turns out that was also legit and the guy who used my desk on first shift managed to get a virus somewhere but rather than comming down to fix it themselves IS just sent me an email with a script to run.
Hello <name>,
thanks for signing up to <training I didn’t sign up for>.
Turns out someone from management assigned us to that training and that’s just the standard mail it sends…
My favorite was, though, when my company started using yet another awful Microsoft service and we got a mail that we could log into our account on microsoftonline.com. Turns out that obvious phishing domain is actually operated by Microsoft.
If you are savvy enough to know how to (or look up how to) find the header of your phishing test email service, and then create a rule to filter on that, then you aren’t the target for those emails anyway.
I would argue that logic gives you a false sense of security. All employees are targets no matter the pecking order.
A product that you are paying thousands of euros for and is required for business certifications like SOC2/ISO27001 or cyber insurance can be so easily nullified is a joke.
Phish training companies are using a huge variety of domains, including look-alikes relevant to the test - including valid spf/dkim/dmarc configurations. Exactly as real phishers do - and there’s no effective way to automate their filtering.
Sounds about right.
Pro tip, set up a rule in your email client to send any email that contains the following phrases, phishme.com or knowb4, in the header to junk.
Note that I said header, not From field.
It is so stupid that orgs spend thousands of dollars on these products and you can be seen as not being a phishing risk because of their shitty systems.
I’m a software developer. A few years ago, we were all sent mail by a sketchy looking company that had our company’s logo slapped onto the header in the sloppiest way possible and wanted us to click on a link to a “mandatory Cybersecurity training”.
Obviously everyone ignored it. Which is exactly what you’d want people to do. Turns out, it was real and not a scam, just incompetence.
Someone once said that people don’t hate computers, they hate the idiots who program computers.
i think you all completed the training before it started
A company I used to work for used paycom(dot)com for their HR software. So we would frequently get notifications from there for work stuff. One day I got an external work email telling me to click a link to a paycom(dot)net site to sign up for a raffle to win a free ipad. I thought that looked sketchy as fuck so I did a quick whois on the .net and .com sites. They were completely different and the .net site was basically entirely anonymised. So obviously at that point I was like “damn this phisher managed to get the .net domain for paycom. That’s kind of impressive. I should let our IS guy know so he knows we’re being targeted.” So I shot off an email to our basically only IS guy and he responded by telling me that the email was legit and everyone in the company got it because the company was giving away an extra ipad they had. But he also said now that I pointed it out it was the sketchiest looking email he had seen in a while.
I honestly should have known better considering this is the same company where at one point a different IS person had sent me an email basically just saying “Your computer has a virus. Open this attachment to remove it.” Turns out that was also legit and the guy who used my desk on first shift managed to get a virus somewhere but rather than comming down to fix it themselves IS just sent me an email with a script to run.
Got a mail a few weeks ago:
Turns out someone from management assigned us to that training and that’s just the standard mail it sends…
My favorite was, though, when my company started using yet another awful Microsoft service and we got a mail that we could log into our account on
microsoftonline.com. Turns out that obvious phishing domain is actually operated by Microsoft.Where I worked it wasn’t enough to ignore those emails, we were supposed to hit a button flagging them as a phishing attempt.
Here’s the thing…
If you are savvy enough to know how to (or look up how to) find the header of your phishing test email service, and then create a rule to filter on that, then you aren’t the target for those emails anyway.
I would argue that logic gives you a false sense of security. All employees are targets no matter the pecking order.
A product that you are paying thousands of euros for and is required for business certifications like SOC2/ISO27001 or cyber insurance can be so easily nullified is a joke.
This is not reliable.
Phish training companies are using a huge variety of domains, including look-alikes relevant to the test - including valid spf/dkim/dmarc configurations. Exactly as real phishers do - and there’s no effective way to automate their filtering.
Are you sure? Have you ever looked at the header of an email from knowb4 or phishme? The emails come from their own mail servers.
Yes, absolutely. We used to use knowbe4. I’m not saying they didn’t do this in the past, but I know for certain they didn’t when I checked.
There were obviously hints - the campagns are designed to be detectable - but easy filtering was not one of them, that would be stupid.