  • Burninator05@lemmy.world · ↑34 · 3 days ago

    In the last two months I have gotten about a dozen emails on my work account that tripped enough red flags for me to think they were phishing attempts. It turns out that they were all legit and failure to respond could be detrimental to still working there. Good thing our boss was looking out for us.

    What I have learned is that I should respond to any half-assed email and ignore the years of annual training I’ve received to the contrary.

    • cactusupyourbutt@lemmy.world · ↑15 · 3 days ago

      I just mark any slightly fishy mail as phishing and send it to the helpdesk. Either I get a thank you back, or an “it’s legit”. Either way, I don’t need to worry about it anymore.

      • nomy@lemmy.zip · ↑3 ↓1 · 3 days ago

        I got a pretty suspicious email a few weeks ago and flagged it. Later that day our sysadmin was like “oh hey that was legit, <vendor> has started using a new marketing firm so they look like that.” I just said “Sounds like spam to me, I’m going to keep on flagging it.” and he just responded with a frown emoji. Full disclosure, we’re decent work buddies and I haven’t actually gotten any more emails from that company so he may have actually filtered it lol.

    • sik0fewl@lemmy.ca · ↑6 · 3 days ago

      I’ve definitely gotten good at identifying phishing attempts from our Cybersecurity team.

  • CastorSulMush@lemmy.world · ↑14 ↓1 · 3 days ago

    Lol that person is stupid. These test phishing mails are super easy to spot. I hope they don’t work in tech.

  • TrueStoryBob@lemmy.world · ↑25 · 3 days ago

    Corporate does this all the time at my work.

    The GM of my office came to talk to me because I had actually won like employee of the quarter or something, but when I got the email with the “redeem here for your $50 gift card” I reported it as phishing. I asked him why they couldn’t just go to the grocery store and hand me a physical gift card; he blinked for a moment like that hadn’t occurred to him. I showed him the quarantined emails I get in Outlook every day from dozens of phishing attempts made to my work email.

  • The_Caretaker@lemm.ee · ↑14 ↓2 · 3 days ago

    If the email did indeed originate from the company you work for, they owe you a gas card. Employers can’t offer you money or benefits as a practical joke and then just say “April Fools!” There are laws regarding offers from your employer for compensation and benefits.

  • Blackmist@feddit.uk · ↑40 · edited · 4 days ago

    I got a message saying I needed to sign up for and complete a course I’d never heard of, so I marked it as spam and deleted it.

    Turned out it was genuine…

    • thewitchslayer@sh.itjust.works · ↑22 · 4 days ago

      Last week I came in to work to an email saying that I had received a $100 gift card. I immediately reported it as phishing and went about my day. A few hours later my manager asked if I had received an email about said gift card and I told him I had reported it. Turns out it was legit and was for good performance. Whoops.

      • buddascrayon@lemmy.world · ↑2 · 3 days ago

        I always double check the email address that is sending, removing whatever filter my email client is using to replace the address with a name “for convenience’s sake”. That will usually tell me if it’s a legit email or some kind of spam/phishing. And if it is a legit addy and it still seems too suspicious I will generally contact the person who sent it to tip them off that their address may have been compromised. Generally speaking this tends to cover all of my bases.

  • magnetosphere@fedia.io · ↑217 ↓4 · 5 days ago

    “Here’s an offer for something we know you want and that a respectful employer would provide. Oh, you actually thought your employer respected you? You must be an idiot who needs special training.”

    • lurch (he/him)@sh.itjust.works · ↑103 ↓4 · 5 days ago

      The thing is, there were some hints in the email that it wasn’t legit, like a bad sender or weird links. That was the test. That the employer is bad too doesn’t change the fact that the employee fell for the bait.

    • Vinny_93@lemmy.world · ↑52 · 5 days ago

      I feel that if your job requires you to drive, the company would provide the means of transportation. Heck, I work from home and I get to choose between either a company car with a card to fill it up whenever or a pretty roomy budget with a train card.

      • EldritchFeminity@lemmy.blahaj.zone · ↑9 · 5 days ago

        It really depends on the company, job, and where you live. I worked as a contractor for a delivery company for a while, putting about 20,000 miles a year on my own car transporting stuff. In the US, if you drive your own car for work, you get a tax deduction for the mileage you put on your car while working. The pay was pretty good and the hours were short, but I was effectively converting the value of my car into cash during that time.

    • piecat@lemmy.world · ↑18 ↓1 · 5 days ago

      Which is why it’s a probable attack vector. You think a malicious actor wouldn’t do this?

  • _core@sh.itjust.works · ↑30 ↓4 · 4 days ago

    I’m on our cybersecurity team and our last phishing sim was so real-looking and legit-sounding I thought it was real, and I knew the phish was coming. The only indicator was that the sender email was a slight misspelling of Microsoft. I pointed out that that phish is not a fair phish; our users are not going to meticulously examine every email for microscopic indicators. Half of them are barely tech literate, but they’re doctors or nurses and only know what they need to know to do their job. Our cybersecurity lead was completely in “wtf are you talking about? From Micrasoft.com is totally illegitimate” mode. I had to point out that our users flag 70% of the emails as phish, and phishing tests that look like completely legitimate emails aside from a single character out of place in an obscure location most of our users aren’t even thinking of looking at undermine legitimate emails and increase our workload b/c we’ve trained our users to think every email is a phish test from cybersecurity.

    • jfrnz@lemm.ee · ↑15 ↓1 · 4 days ago

      I don’t see the problem. Is that not the point of phishing tests? Users need to ensure the sender is legitimate before taking action such as clicking links.

      • SmokeyDope@lemmy.world · ↑6 · edited · 3 days ago

        Yet another good idea in theory ruined by the human condition. Train people to think emails may be dangerous? Instead of critically examining each one they just ignore them to minimize risk by default. No amount of training will beat the cognitive skills required for competent spam identification into most heads. Even if it could, some phishing is so sophisticated in its social engineering that it even trips up cybersecurity types who should know better. Damned if you do, damned if you don’t from a company perspective.

        • jfrnz@lemm.ee · ↑3 · 3 days ago

          But the truth is emails may be dangerous, and the trainings exist to show people how to tell the difference. What reasonable alternative is there? Your argument is effectively “People will never learn how to use a fire extinguisher so why bother doing fire safety training. Some fires are so bad that a fire extinguisher will do nothing.” We don’t control the danger, but we can manage and minimize the risk through training.

          • bss03@infosec.pub · ↑4 · 3 days ago

            What reasonable alternative is there?

            Plain-text emails. No clickables, no tracker images.

            Honestly, while I agree that good training is a way forward, I gotta say the training at my workplace does NOT let you know how to check anything. It’s more of a “don’t open emails you don’t trust, here are some nightmare scenarios”. Meanwhile, we get actual mandatory training emails, flagged by both our internal mail system and the pre-installed mail client as “DO NOT TRUST”, that we are required to click through. My complaints to IT to at least fix the internal mail system flagging have been replied to with “Users should expect these emails, so they should know to ignore all the warnings and click anyway.”

            We are training people to ignore their training, so of course it’s not helping.

            Also, even with SPF and DMARC and whatever other TXT records in place, it’s still possible to get a “spoofed” From address into a user’s inbox, so I find teaching people to use that header as an indicator of anything personally offensive to my technical knowledge.

            • jfrnz@lemm.ee · ↑2 · 3 days ago

              Idk man, I feel like you’re striving for perfection in an imperfect world. I agree it would be nice for all email to be plain-text and with no clickables, but that’s not the world we live in, and getting companies to remove them from mandatory emails is an uphill battle.

              While it’s true that there’s no way to completely eliminate spoofed “From” addresses, I think it’s fair to say it’s rare, and that checking the “From” address will conquer a significant chunk of phishing attempts. The training isn’t meant to 100% eliminate the effects of phishing attacks, it’s meant to reduce the number.

    • VitoRobles@lemmy.today · ↑10 · 4 days ago

      The cyber security emails in my company are so fucked up that everyone is paranoid to open up any email. Maybe it was fear. Or maybe it was collective malicious compliance. Or maybe we’re all just sick of it.

      A manager last week said nobody filled out a company intake form because they used a new survey software, so the URL didn’t look familiar.

      The CFO emailed a PDF of a presentation and people were afraid to view it during meetings.

      In the chat software, we are constantly going, “Is this real?”

      Congrats security nerds.

      • InnerScientist@lemmy.world · ↑2 · 3 days ago

        Next up: all internal emails and files must be signed by the certificate that was issued to the employee sending it; if an email is sent without a valid signature the e-mail server self-destructs to prevent infection.

    • LordKitsuna@lemmy.world · ↑4 · 3 days ago

      Not to mention the fact that the majority of email clients these days don’t even actually show you the full URL of the mail server that the mail is coming from. It gets obfuscated away behind the display name and you have to explicitly go out of your way to actually see the full URL.

      • Charzard4261@programming.dev · ↑5 · 3 days ago

        This is so crazy to me. Why the hell did they start hiding the address? The one thing that can’t be faked? Couldn’t believe how hard it was the first time I needed to check.
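The points raised above (a “spoofed” From address can still reach an inbox despite SPF/DMARC, and clients hide the real address behind the display name) can be made concrete with a small header check. This is an added example, not code from any poster or from a phishing-test product; the trusted-domain list, the three sample messages and the simplified relaxed-alignment rule are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Domains a hypothetical organisation treats as known senders (assumption for the demo).
TRUSTED_DOMAINS = {"example.com", "microsoft.com"}

# Three constructed messages, not taken from the thread; only the headers that matter.
LOOKALIKE = """\
Return-Path: <bounce@mail.micrasoft.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail.micrasoft.com; dmarc=fail header.from=micrasoft.com
From: "Microsoft 365 Team" <account-security@micrasoft.com>
Subject: Action required: verify your account

Body omitted.
"""

SPOOFED_FROM = """\
Return-Path: <campaign@bulk-sender.invalid>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-sender.invalid; dmarc=none header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
Subject: Your mailbox is full

Body omitted.
"""

LEGIT = """\
Return-Path: <noreply@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "HR Team" <hr@example.com>
Subject: Quarterly award

Body omitted.
"""


def edit_distance(a, b):
    """Levenshtein distance; catches one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def inspect(raw_message):
    """Pull the real From address out from behind the display name and check it
    against Return-Path alignment and the receiving server's DMARC verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, real_address = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(real_address)
    rp_domain = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])
    match = re.search(r"\bdmarc=(\w+)", str(msg.get("Authentication-Results", "")))
    dmarc = match.group(1).lower() if match else "none"

    findings = []
    # Simplified relaxed alignment: bounce domain equals the From domain or is a subdomain of it.
    if not (rp_domain == from_domain or rp_domain.endswith("." + from_domain)):
        findings.append(f"Return-Path domain {rp_domain!r} is not aligned with From domain {from_domain!r}")
    if dmarc != "pass":
        findings.append(f"DMARC result is {dmarc!r}, not 'pass'")
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(from_domain, trusted) <= 2:
                findings.append(f"{from_domain!r} is within two edits of {trusted!r} (look-alike)")
    return {
        "display_name": display_name,
        "real_address": real_address,
        "dmarc": dmarc,
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


if __name__ == "__main__":
    for label, raw in (("look-alike", LOOKALIKE), ("spoofed From", SPOOFED_FROM), ("legit", LEGIT)):
        report = inspect(raw)
        print(f"{label}: {report['display_name']!r} is really {report['real_address']} -> {report['verdict']}")
        for finding in report["findings"]:
            print("   ", finding)
```

The second sample is the case bss03 describes: the From address is exactly the trusted domain, so checking it alone passes, and only the Return-Path mismatch and the missing DMARC pass give it away.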

  • Affidavit@lemm.ee · ↑151 ↓2 · 5 days ago

    The only phishing e-mails I receive are from my employer. As a matter of process I report these e-mails like a diligent lackey, then upon receiving an e-mail congratulating me on passing their test, I report that one too. I think the non-test phishing reports undergo manual review so I hope I’m wasting someone’s time somewhere in payback.

    Still haven’t forgiven them for a tone-deaf ‘we care about you during COVID’ phishing e-mail they sent when everyone was genuinely struggling.

    • MIDItheKID@lemmy.world · ↑4 · edited · 3 days ago

      Neat thing I learned at a past company. The phishing emails had links (the ones you aren’t supposed to click on) that either contained the email address of the person getting tested, or it pulled it somehow. It was really easy to figure out where that information needed to go in the URL. This is how tracking “failures” was tested and reported. I would just put in the email address of people from the opsec team into that url, copy it, and paste it into one of those global website testers that checked if a site was available from different countries around the world (I’m assuming using some kind of VPN).

      Theoretically it should have given these people failures in their own tests, and also come from all sorts of weird locations globally.

      Not sure if it actually did, but I like to think I wasted at least some of their time.

      Never got in trouble for it so who knows.

    • nelly_man@lemmy.world · ↑32 ↓1 · edited · 3 days ago

      Same here, and I got annoyed at these emails filtering through the different rules that I have set up. I realized that the test emails all had some values in the headers to indicate them as such, so I set up a rule to filter them out to a separate folder. It obviously defeats the point, but it’s much less annoying.

      • Rivalarrival@lemmy.today · ↑2 · 3 days ago

        Need to take it a step further. IIRC, they usually use a tracking link with your address encoded into it, so they know who clicked the link. Need to crack whatever encoding they use, and start “clicking” links for senior leadership.

    • vodka@lemm.ee · ↑34 ↓3 · 5 days ago

      I report any and all emails from anyone on the CSIRT team as suspicious.

      They did a phishing test targeting every employee without informing me (internal ITSM lead) first. So they deserve the extra work, and my entire team does the same.

      • 0xD@infosec.pub · ↑5 · 4 days ago

        Do you feel like you should be excluded? Did you get the results afterwards?

        I often conduct phishing tests for customers where only 1 or 2 people are in the loop to cover as many peepz as possible.

        • vodka@lemm.ee · ↑12 · 4 days ago

          If it was conducted properly, it would have been fine to not inform me.

          They made it way too hard to spot that anything was off until after you’d clicked something in the email, combined with blasting 2000+ people with the email at the same time.

          Our employees are trained to call the helpdesk ASAP at any sign that their credentials may have been stolen. Hundreds of people called in the first 10 minutes after the email was sent out because they had opened it and got scared. I got called in from my vacation by one of the people on my team, and I called everyone else in from vacation.

          I should’ve absolutely been informed about this. But considering how fucking dumb whoever did the test was, I’m not surprised I wasn’t. The KPMG consultant who was clearly not an infosec person at all got fired after this.

    • jj4211@lemmy.world · ↑8 · 4 days ago

      You might have a lot of phishing emails that the company filters out without you ever seeing them. For these tests, they do things to make sure this email will get through, even if the automated filters would have otherwise blocked it.

      • Affidavit@lemm.ee · ↑5 · 4 days ago

        That’s a good point; my company actually does implement something like this, though it invites intervention from the recipient for confirmation. I have previously received e-mail notifications stating that an e-mail has been ‘held’ as being suspicious and provided me an option to ‘release’ the e-mail (in these cases the e-mails were genuine and known in advance to me).

        Of course, I have no simple way to determine if there is also an additional hard filter that blocks out obvious phishing with no notification to the end user.

        • KairuByte@lemmy.dbzer0.com · ↑6 · 3 days ago

          There are likely two things going on.

          One is a hard block for phishing, ones you will never see, never be alerted of, and never be told about unless you go digging for a missing email you know should have come through.

          The other is a soft block for spam. You will likely get an email about the spam being quarantined with the option to release the spam into your inbox.

          If the phishing emails were shown as quarantined, you’d end up with hundreds of quarantined emails a day for anyone with a public facing name. Our CFO for instance gets the most out of anyone in the company, numbering in the thousands.

          • Affidavit@lemm.ee · ↑4 · 3 days ago

            This is a good explanation. I can see how a multi-tiered approach like this makes sense, particularly for those most public-facing. Thanks.

    • unphazed@lemmy.world · ↑21 · 5 days ago

      I just ignore all emails. I have found too many phishing emails and have decided that our systems appear to be compromised. It hasn’t improved since I reported them, so I am playing it safe. PM me when you need to communicate, and keep meetings on the calendar, I’ll show.

    • Maalus@lemmy.world · ↑16 ↓2 · 5 days ago

      Except for the tiny fact that a phishing email wouldn’t give a fuck about being “tone deaf” and would bank on the “nobody bad would ever send an email like this!”.

      • Affidavit@lemm.ee · ↑28 ↓2 · 5 days ago

        Sure, a genuine phishing e-mail wouldn’t give a fuck. But fake phishing e-mails sent from an employer should give a fuck about retention and employee engagement. Drawing attention to how much you don’t care about your employees while exploiting their emotions isn’t all that conducive to maintaining a healthy workforce/morale.

        There are ways to demonstrate the lengths bad actors are willing to go without being a douche.

        As an example, find out something the employer actually will be doing (or already does) and pre-empt it with a related, but not identical, phishing test. After the test has elapsed, send a follow up explanatory e-mail, with genuine content e.g. “We won’t pay you $10,000,000 to have a baby, but did you know about our generous maternity leave package?”

        • misteloct@lemmy.world · ↑5 ↓1 · edited · 4 days ago

          That implies they care about our feelings. When actually they want us to remember we only get paid if we’re of pecuniary value to them. Even at a good company like mine.

  • rational_lib@lemmy.world · ↑10 · 3 days ago

    You can tell it’s fake because it suggests that corporate would just hand you a new benefit out of the blue.

  • Evotech@lemmy.world · ↑104 · 5 days ago

    Companies will do that and then send links with URL shorteners for totally legit things and wonder why everyone ignores them.

    • wer2@lemm.ee · ↑94 · 5 days ago

      My company has to send out emails like: “The mandatory training email is not phishing, even though it is flagged [EXTERNAL] by the system.”

      Me: “That’s what a phishing email would say.”

    • 4am@lemm.ee · ↑24 ↓1 · 5 days ago

      No, no, the point of the URL shortener IS so that everyone ignores them; they’ve been trained to. “No one RSVP’d to the pizza party so we canceled it. Also we are a great employer who lists things like Pizza Parties as job perks! They’re totally real!”

    • tempest@lemmy.ca · ↑7 · 5 days ago

      Lol whenever I have to deal with DHL to pay for some import fee or whatever I feel like I’m being scammed. Website looks like it’s from 1998, wants my credit card details, certificate errors etc.

  • _lilith@lemmy.world · ↑8 · 3 days ago

    Phish tests are redundant after a point. I flagged the first few but they upped the frequency so much it got ridiculous. Turns out the header for the phishing tests all contains the name of the testing company. New phish tests are redirected to my brownie points folder, so I just have to worry about the real thing now.

    • prime_number_314159@lemmy.world · ↑5 · 3 days ago

      I’ve worked more than one place that did constant phishing testing, and also corporate creatures would send out links to websites we’ve never used before that everyone was required to click, so the only way to tell whether this was in the “get fired for clicking” or the “get fired for not clicking” bucket was that phishing test header. They never understood why this was a problematic combination, and never stopped doing both.

  • baltakatei@sopuli.xyz · ↑30 ↓6 · 4 days ago

    Sounds like phishing tests are just the company outsourcing spam filtering to their own employees instead of paying for a spam filtering service of their own.

  • BackgrndNoize@lemmy.world · ↑39 ↓3 · 4 days ago

    I just don’t open emails from my company unless the subject has the words Urgent or Action Required, and even those I forward to the IT anti-phishing email to annoy them, even when I know it’s legit.

  • slazer2au@lemmy.world · ↑64 ↓3 · edited · 4 days ago

    Sounds about right.

    Pro tip: set up a rule in your email client to send any email that contains the following phrases, phishme.com or knowb4, in the header to junk.

    Note that I said header, not From field.
    It is so stupid that orgs spend thousands of dollars on these products and you can be seen as not being a phishing risk because of their shitty systems.

    • leisesprecher@feddit.org · ↑87 · 5 days ago

      I’m a software developer. A few years ago, we were all sent mail by a sketchy looking company that had our company’s logo slapped onto the header in the sloppiest way possible and wanted us to click on a link to a “mandatory Cybersecurity training”.

      Obviously everyone ignored it. Which is exactly what you’d want people to do. Turns out, it was real and not a scam, just incompetence.

      • Ephera@lemmy.ml · ↑30 · 5 days ago

        Got a mail a few weeks ago:

        Hello <name>,
        thanks for signing up to <training I didn’t sign up for>.

        Turns out someone from management assigned us to that training and that’s just the standard mail it sends…

        My favorite was, though, when my company started using yet another awful Microsoft service and we got a mail that we could log into our account on microsoftonline.com. Turns out that obvious phishing domain is actually operated by Microsoft.

        • Trainguyrom@reddthat.com · ↑2 · 4 days ago

          Turns out someone from management assigned us to that training and that’s just the standard mail it sends…

          I always just wait for a follow-up email from whoever assigned it, or ask someone who would know if that’s legit.

          we got a mail that we could log into our account on microsoftonline.com.

          Oh, just wait until you get someone legitimately using a domain.onmicrosoft.com email address. Microsoft uses the onmicrosoft.com domain as a placeholder for unlicensed users and domains which haven’t been fully set up yet. Which is funny since they own the .Microsoft TLD and could move everything to .Microsoft domains to show it off, but they choose not to for whatever reason.

      • Canonical_Warlock@lemmy.dbzer0.com · ↑17 · 5 days ago

        A company I used to work for used paycom(dot)com for their HR software. So we would frequently get notifications from there for work stuff. One day I got an external work email telling me to click a link to a paycom(dot)net site to sign up for a raffle to win a free iPad. I thought that looked sketchy as fuck so I did a quick whois on the .net and .com sites. They were completely different and the .net site was basically entirely anonymised. So obviously at that point I was like “damn this phisher managed to get the .net domain for paycom. That’s kind of impressive. I should let our IS guy know so he knows we’re being targeted.” So I shot off an email to our basically only IS guy and he responded by telling me that the email was legit and everyone in the company got it because the company was giving away an extra iPad they had. But he also said now that I pointed it out it was the sketchiest looking email he had seen in a while.

        I honestly should have known better considering this is the same company where at one point a different IS person had sent me an email basically just saying “Your computer has a virus. Open this attachment to remove it.” Turns out that was also legit and the guy who used my desk on first shift managed to get a virus somewhere, but rather than coming down to fix it themselves IS just sent me an email with a script to run.

      • Dagwood222@lemm.ee · ↑12 · 5 days ago

        Someone once said that people don’t hate computers, they hate the idiots who program computers.

      • superkret@feddit.org · ↑6 ↓1 · 5 days ago

        Genius. The people who click on the link to the training are exactly the people who need the training.

    • Bytemeister@lemmy.world · ↑7 · 4 days ago

      Here’s the thing…

      If you are savvy enough to know how to (or look up how to) find the header of your phishing test email service, and then create a rule to filter on that, then you aren’t the target for those emails anyway.

      • slazer2au@lemmy.world · ↑3 · 4 days ago

        I would argue that logic gives you a false sense of security. All employees are targets no matter the pecking order.

        That a product you are paying thousands of euros for, and that is required for business certifications like SOC2/ISO27001 or cyber insurance, can be so easily nullified is a joke.

    • DigitalDilemma@lemmy.ml · ↑3 · 4 days ago

      This is not reliable.

      Phish training companies are using a huge variety of domains, including look-alikes relevant to the test - including valid spf/dkim/dmarc configurations. Exactly as real phishers do - and there’s no effective way to automate their filtering.

      • slazer2au@lemmy.world · ↑2 ↓1 · 4 days ago

        Are you sure? Have you ever looked at the header of an email from knowb4 or phishme? The emails come from their own mail servers.

        • DigitalDilemma@lemmy.ml · ↑4 · 4 days ago

          Yes, absolutely. We used to use knowbe4. I’m not saying they didn’t do this in the past, but I know for certain they didn’t when I checked.

          There were obviously hints - the campaigns are designed to be detectable - but easy filtering was not one of them, that would be stupid.

    • AFK BRB Chocolate@lemmy.world · ↑4 · 4 days ago

      Where I worked it wasn’t enough to ignore those emails, we were supposed to hit a button flagging them as a phishing attempt.