• @[email protected]
    28 days ago

    They do this at my work. I simply report every external email I get as a phishing attempt.

    As a result, I’ve caught all the fake phishing emails sent by our IT department, at the minor cost of them having to clear 50+ legit emails per day. My coworkers have been quite appreciative of my tactics against phishing, and have started to adopt my methods.

    Strangely enough, the number of phishing tests IT has sent out has dramatically decreased since I was initially hired.

  • slazer2au
    28 days ago (edited)

    Sounds about right.

    Pro tip: set up a rule in your email client to send any email that contains either of the following phrases, phishme.com or knowb4, anywhere in the header to junk.

    Note that I said header, not From field.
    It is so stupid that orgs spend thousands of dollars on these products and you can be seen as not being a phishing risk because of their shitty systems.
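
The difference between a From-field rule and a whole-header rule, as an added example rather than anything from the post above: the script below parses two constructed messages and runs both kinds of rule over them. The hostnames, IPs and addresses in the samples are made up for the demo and are not the vendors' real infrastructure; the marker strings are the ones named in the thread.

```python
import email

# Strings the thread says show up in simulated-phishing mail.
# Assumption: a hit on any of these means "test platform".
VENDOR_MARKERS = ("phishme.com", "knowbe4", "knowb4")

# Constructed sample: a test message whose From looks internal but whose
# Received line names the vendor. Hostnames and IPs are invented.
SIMULATED_TEST = """\
Return-Path: <[email protected]>
Received: from relay.phishme.com (relay.phishme.com [192.0.2.10])
\tby mx.example.com with ESMTPS id 4XyZ
From: "HR Benefits" <[email protected]>
To: [email protected]
Subject: Claim your $50 gas card

Click here to claim your gas card before Friday.
"""

# Constructed sample: a real phish from an unrelated domain. No vendor
# string anywhere, so the header rule below does not catch it.
REAL_PHISH = """\
Return-Path: <[email protected]>
Received: from mail.lookalike.example (mail.lookalike.example [198.51.100.7])
\tby mx.example.com with ESMTPS id 9AbC
From: "IT Helpdesk" <[email protected]>
To: [email protected]
Subject: Password expiry notice

Your password expires today. Reset it here.
"""


def _headers_lower(raw: str) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message; return (name, value) pairs, lowercased.
    Folded continuation lines (like the second Received line) are joined."""
    msg = email.message_from_string(raw)
    return [(k.lower(), str(v).lower()) for k, v in msg.items()]


def from_field_hits(raw: str) -> bool:
    """A 'From contains X' rule: only the From header is inspected."""
    return any(m in v for k, v in _headers_lower(raw) if k == "from"
               for m in VENDOR_MARKERS)


def any_header_hits(raw: str) -> bool:
    """A 'header contains X' rule: every header, Received lines included."""
    return any(m in v for _, v in _headers_lower(raw) for m in VENDOR_MARKERS)


def classify(raw: str) -> str:
    """Folder the whole-header rule would route the message to."""
    return "junk" if any_header_hits(raw) else "inbox"


if __name__ == "__main__":
    for label, raw in (("simulated test", SIMULATED_TEST), ("real phish", REAL_PHISH)):
        print(f"{label}: from-only={from_field_hits(raw)} "
              f"any-header={any_header_hits(raw)} -> {classify(raw)}")
```

The simulated message passes a From-only rule and fails the whole-header rule, which is the point of the tip; the second sample shows the limit of it: a real phish carries no vendor marker, so this rule sends it to the inbox like any other external mail.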

    • @[email protected]
      28 days ago

      I’m a software developer. A few years ago, we were all sent mail by a sketchy looking company that had our company’s logo slapped onto the header in the sloppiest way possible and wanted us to click on a link to a “mandatory Cybersecurity training”.

      Obviously everyone ignored it. Which is exactly what you’d want people to do. Turns out, it was real and not a scam, just incompetence.

      • @[email protected]
        28 days ago

        Someone once said that people don’t hate computers, they hate the idiots who program computers.

      • @[email protected]
        28 days ago

        A company I used to work for used paycom(dot)com for their HR software. So we would frequently get notifications from there for work stuff. One day I got an external work email telling me to click a link to a paycom(dot)net site to sign up for a raffle to win a free iPad. I thought that looked sketchy as fuck so I did a quick whois on the .net and .com sites. They were completely different and the .net site was basically entirely anonymised. So obviously at that point I was like “damn, this phisher managed to get the .net domain for paycom. That’s kind of impressive. I should let our IS guy know so he knows we’re being targeted.” So I shot off an email to our basically only IS guy and he responded by telling me that the email was legit and everyone in the company got it because the company was giving away an extra iPad they had. But he also said now that I pointed it out, it was the sketchiest looking email he had seen in a while.

        I honestly should have known better considering this is the same company where at one point a different IS person had sent me an email basically just saying “Your computer has a virus. Open this attachment to remove it.” Turns out that was also legit and the guy who used my desk on first shift managed to get a virus somewhere, but rather than coming down to fix it themselves IS just sent me an email with a script to run.

      • Ephera
        28 days ago

        Got a mail a few weeks ago:

        Hello <name>,
        thanks for signing up to <training I didn’t sign up for>.

        Turns out someone from management assigned us to that training and that’s just the standard mail it sends…

        My favorite was, though, when my company started using yet another awful Microsoft service and we got a mail that we could log into our account on microsoftonline.com. Turns out that obvious phishing domain is actually operated by Microsoft.

    • AFK BRB Chocolate
      28 days ago

      Where I worked it wasn’t enough to ignore those emails, we were supposed to hit a button flagging them as a phishing attempt.

    • @[email protected]
      28 days ago

      Here’s the thing…

      If you are savvy enough to know how to (or look up how to) find the header of your phishing test email service, and then create a rule to filter on that, then you aren’t the target for those emails anyway.

      • slazer2au
        28 days ago

        I would argue that logic gives you a false sense of security. All employees are targets no matter the pecking order.

        That a product you are paying thousands of euros for, and which is required for business certifications like SOC2/ISO27001 or cyber insurance, can be so easily nullified is a joke.

    • DigitalDilemma
      28 days ago

      This is not reliable.

      Phish training companies are using a huge variety of domains, including look-alikes relevant to the test, with valid SPF/DKIM/DMARC configurations. Exactly as real phishers do, and there’s no effective way to automate their filtering.

      • slazer2au
        28 days ago

        Are you sure? Have you ever looked at the header of an email from knowb4 or phishme? The emails come from their own mail servers.

        • DigitalDilemma
          27 days ago

          Yes, absolutely. We used to use knowbe4. I’m not saying they didn’t do this in the past, but I know for certain they didn’t when I checked.

          There were obviously hints, the campaigns are designed to be detectable, but easy filtering was not one of them; that would be stupid.

  • @[email protected]
    27 days ago

    You can tell it’s fake because it suggests that corporate would just hand you a new benefit out of the blue.

  • @[email protected]
    28 days ago

    Companies will do that and then send links with URL shorteners for totally legit things and wonder why everyone ignores them.

    • @[email protected]
      28 days ago

      My company has to send out emails like: “The mandatory training email is not phishing, even though it is flagged [EXTERNAL] by the system.”

      Me: “That’s what a phishing email would say.”

    • @[email protected]
      28 days ago

      Lol, whenever I have to deal with DHL to pay for some import fee or whatever I feel like I’m being scammed. Website looks like it’s from 1998, wants my credit card details, certificate errors, etc.

    • @[email protected]
      28 days ago

      No, no, the point of the URL shortener IS so that everyone ignores them; they’ve been trained to. “No one RSVP’d to the pizza party so we canceled it. Also we are a great employer who lists things like Pizza Parties as job perks! They’re totally real!”

  • @[email protected]
    28 days ago (edited)

    At my work, we got a phishing email a few weeks before Christmas.

    It was for a gift card for a Honey Baked ham.

    I was pretty sure it was a phishing test but apparently a lot of people fell for it. Enough so, that a fairly senior colleague blasted an email saying it was in poor taste since it was Christmas and a lot of people could really use it.

    I thought that made it more effective training because a scammer would use that, but I also understand that it has the potential to fuck with people’s emotions.

    Anyway, that started a trend within the company’s Teams and social platform, making jokes and sharing memes.

    The CEO even emailed, agreeing with the original email blast and then had a real giveaway of honey baked gift cards.

  • @[email protected]
    27 days ago

    Corporate does this all the time at my work.

    The GM of my office came to talk to me because I had actually won like employee of the quarter or something, but when I got the email with the “redeem here for your $50 gift card” I reported it as phishing. I asked him why they couldn’t just go to the grocery store and hand me a physical gift card; he blinked for a moment like that hadn’t occurred to him. I showed him the quarantined emails I get on Outlook every day from dozens of phishing attempts made to my work email.

  • @[email protected]
    28 days ago

    My company sent one of these out made to look like a survey on employee thoughts and opinions on their compensation - a very real issue in our company that I suspect they just wanted to try and condition people not to talk about.

    Replied back to let them know as such and to inform them it was an asshole move and I would not be completing their training. Was worth the HR write-up - fuck those suits, too.

  • @[email protected]
    27 days ago

    If the email did indeed originate from the company you work for, they owe you a gas card. Employers can’t offer you money or benefits as a practical joke and then just say “April Fools!” There are laws regarding offers from your employer for compensation and benefits.

  • @[email protected]
    28 days ago

    I just don’t open emails from my company unless the subject has the words Urgent or Action Required, and even those I forward to the IT anti-phishing email to annoy them, even when I know it’s legit.

      • @[email protected]
        28 days ago (edited)

        So far I’ve always installed a filter (at work, school, and privately) that removes the “high priority” flag from any mail.

        If it can’t wait, call me.

  • @[email protected]
    27 days ago

    Phish tests are redundant after a point. I flagged the first few but they upped the frequency so much it got ridiculous. Turns out the header for the phishing tests all contains the name of the testing company. New phish tests are redirected to my brownie points folder, so I just have to worry about the real thing now.

    • @[email protected]
      27 days ago

      I’ve worked more than one place that did constant phishing testing, and also corporate creatures would send out links to websites we’ve never used before that everyone was required to click, so the only way to tell whether this was in the “get fired for clicking” or the “get fired for not clicking” bucket was that phishing test header. They never understood why this was a problematic combination, and never stopped doing both.

  • @[email protected]
    27 days ago

    Lol, that person is stupid. These test phishing mails are super easy to spot. I hope they don’t work in tech.

  • @[email protected]
    28 days ago

    I don’t consider those valid and I started refusing to complete their trainings. It’s underhanded but more importantly I don’t think it teaches anyone anything. I knew well not to trust emails like that, but my employer duped me with a somewhat convincing one a couple times. Fuck them. They eventually stopped emailing me about the last training.

    • @[email protected]
      28 days ago

      If you’ve been duped, then you are the target for the training, especially if it’s happened multiple times. The best locks in the world don’t stop you from unwittingly giving away the keys.

      • @[email protected]
        28 days ago

        Nope. The people that are tricked by obvious ones, yes perhaps. It’s still underhanded but maybe you can argue for it. This was over a span of more than 5 years and the first one was the first time I’d seen anything like it and was convincing af. They mentioned an internal event going on and used a domain name very similar to the one for the event…

        I knew some smartass would come along and be like this about it though.

        • @[email protected]
          11 days ago

          You need/ed the anti-phishing training. If you failed from the company-initiated phishing, you’re primetime material for the real no-good-doers in the world. Stay safe out there, and if offered anti-social engineering training, go for that, too. Click, click, boom.

        • @[email protected]
          28 days ago (edited)

          I can’t remember… Are you the one who was mad that a court of law didn’t use your own made up definition of murder and convict using that definition, or are you the obvious sock puppet that chimed in about how you liked to read comment threads backwards and reply without knowing the full context?

          Also, there are waaaaaay bigger pieces of shit than Kyle Rittenhouse.

          • @[email protected]
            28 days ago (edited)

            I have a feeling you said everyone rightfully calling out that filth made things up to demonize him

            • @[email protected]
              28 days ago

              I have a feeling that if you spent more time looking for scam emails, and less time worrying about what may or may not have been said on some fediverse thread at least a year ago, then you wouldn’t need multiple re-trainings on how to spot the most obvious phishing emails ever.

        • @[email protected]
          28 days ago

          The star witness for the prosecution in that case said they’d have shot the guy attacking Rittenhouse as well. Three different people went out of their way to fuck with him, two happened while he was running away.

    • @[email protected]
      28 days ago

      Huh? If you’re opening the tests then you would benefit from training. Why be so defensive about it?

      • @[email protected]
        28 days ago (edited)

        you would benefit from training.

        The trainings are so dumb and condescending. They treat you like you would routinely click obvious scam links. They are a total waste of time. I knew far more than the trainings 10 years before I ever heard the word phishing. And this is not a flex, anyone using the internet will learn. They are just useless in my experience.

        Why be so defensive about it?

        Well, because anyone can make a mistake occasionally. No need to waste time I could be spending on something useful, instead watching useless trash videos. I resent that my company tricked me artificially into making a mistake.

        If you’re trying to act like you’ve never done anything you shouldn’t have, we’ve got nothing else to talk about. See my response to the other Mr. Perfect.

        • @[email protected]
          28 days ago

          Imagine being this dense, and not knowing it.

          I resent that my company tricked me artificially into making a mistake.

          You cannot be serious.

  • @[email protected]
    27 days ago (edited)

    I got a message saying I needed to sign up for and complete a course I’d never heard of, so I marked it as spam and deleted it.

    Turned out it was genuine…

    • @[email protected]
      27 days ago

      Last week I came in to work with an email that I received a $100 gift card. I immediately reported it as phishing and went about my day. A few hours later my manager asked if I received an email about said gift card and I told him I reported it. Turns out it was legit and was for good performance. Whoops

      • @[email protected]
        27 days ago

        I always double check the email address that is sending, removing whatever filter my email client is using to replace the address with a name “for convenience’s sake”. That will usually tell me if it’s a legit email or some kind of spam/phishing. And if it is a legit addy and it still seems too suspicious I will generally contact the person who sent it to tip them off that their address may have been compromised. Generally speaking this tends to cover all of my bases.