Phishing Tests, the Bane of Work Life, Are Getting Meaner (msn.com)
U.S. employers are deploying increasingly aggressive phishing tests to combat cyber threats, sparking backlash from workers who say the simulated scams create unnecessary panic and distrust in the workplace. At the University of California, Santa Cruz, a test email about a fake Ebola outbreak sent staff scrambling before learning it was a security drill. At Lehigh Valley Health Network, employees who fall for phishing tests lose external email access, with termination possible after three failures.
Despite widespread use, recent studies question these tests' effectiveness. Research from ETH Zurich found that phishing tests combined with voluntary training actually made employees more vulnerable, while a University of California, San Diego study showed only a 2% reduction [PDF] in phishing success rates. "These are just an ineffective and inefficient way to educate users," said Grant Ho, who co-authored the UCSD study.
And they should be mean (Score:5, Informative)
All it takes is one idiot in your organization and 'poof' there goes millions of dollars.
Re:And they should be mean (Score:5, Insightful)
But it's pointless if it does nothing to address the problem, or actually make it worse.
At that point, it's just revenge fantasy.
Re: (Score:2)
Re: (Score:2, Interesting)
Interesting FP branch, but the "meanness" becomes an impediment to getting things done. In my "career segment" at a famous three-letter company the constant validations and cross-checks became obstacles, especially in the email systems. I certainly hope the main beast has been buried by now...
Always feels pointless to ask or think about solutions in Slashdot, but I think the key has to involve creating a cost for creating identities. In the extreme case a human being might have to present unfakable and physi
Re: (Score:3)
Interesting FP branch, but the "meanness" becomes an impediment to getting things done. In my "career segment" at a famous three-letter company the constant validations and cross-checks became obstacles.
Just follow up every attempt with a personal phone call, to verify who it is, or ask for a face to face meeting, as AI can do pretty good imitations of people's voices. Maybe call security as well.
I think that's called malicious compliance. I call it making your problem someone else's problem, and you are just hailed as the ultimate security minded employee, always checking, always vigilant, and really annoying.
Re: (Score:2)
Why is it that techno-bro's "solutions" to the problems they created in the first place is always to construct some insane techno-dystopia where the entire life of every citizen is necessarily monitored, analyzed, brokered, and micromanaged?
Are you just incapable of seeing how such a system could be gamed by dedicated actors working for months or years to establish accounts with high trust? How completely useless it would be as soon as one of those "legitimate identities" with "the most weight" is compromis
Re: (Score:1)
Re: (Score:2)
If it's a way to get "revenge" on useless users who refuse to get with normal security practices, I'm fine with that.
You're fine with spending time, money and effort on something that does not address the problem, or actually makes it worse?
Really?
Re: And they should be mean (Score:2)
Use Zero Trust Network Access instead of perimeter-based security.
..up to a point (Score:5, Insightful)
Re: (Score:3)
I got a phishing email right before Christmas, it seemed to come from my boss and was telling me I had gotten a Christmas bonus. Of course I didn't, that cheapskate asshole has never given me a Christmas bonus in the 7 years I've been working for him. I haven't even had a raise in 4 years.
I quit. That was the last straw.
Fight Fire With Fire (Score:1)
Troll those trolls!
I wanted to click the links in TFS (Score:1)
They're getting stricter because it doesn't work (Score:5, Insightful)
An attorney I know got training from their IT department that included (among other things) a plain English, simple checklist of things to look out for, and how to report suspicious emails.
Then he received a legitimate email from IT about some training, that a) came from a previously unknown email address, b) linked to a previously unknown web site, c) threatened dire consequences if the training wasn't completed within a few days (which required entering a lot of personal and professional information), and literally checked every box on that checklist except bad grammar. It was announced in advance through regular IT email channels, but that was several weeks in advance.
In a firm with several hundred attorneys, he was the only one to report it to IT.
No amount of training will ever fix stupid.
Re: (Score:2)
An attorney I know got training from their IT department that included (among other things) a plain English, simple checklist of things to look out for, and how to report suspicious emails.
Then he received a legitimate email from IT about some training, that a) came from a previously unknown email address, b) linked to a previously unknown web site, c) threatened dire consequences if the training wasn't completed within a few days (which required entering a lot of personal and professional information), and literally checked every box on that checklist except bad grammar. It was announced in advance through regular IT email channels, but that was several weeks in advance.
In a firm with several hundred attorneys, he was the only one to report it to IT.
No amount of training will ever fix stupid.
Exactly this. Most internal corporate communication that asks employees to do something somewhere online is done so poorly as to be indistinguishable from phishing.
Re: (Score:3)
And that's the test. Anyone who doesn't report that as an obvious bad phishing attempt should be lectured at this point.
Re: They're getting stricter because it doesn't wo (Score:1)
It's not that the employees are particularly stupid, it's more like the challenges of modern IT have raised the IQ bar rather high. The rise of LLMs will raise it even higher.
Re: (Score:2)
If your training gives you a simple, objective list of criteria on what makes an email suspicious, like "did it come from an email address you haven't gotten email before, while claiming to be from someone you have" or "does it include a link to a web site you don't recognize", and you - despite your training - do not report it as suspicious when you get an email that checks every box on the list, the problem isn't the rise of modern IT raising the bar, the problem is you are stupid. Literally so stupid you
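The checklist described in the attorney story above and restated in this comment (unknown sender, unknown site, short deadline with threatened consequences, request for credentials or personal information), written out as a triage scoring function. This is an added example, not code from the thread or from any firm's IT department; the firm domain, sender addresses and sample messages are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample allowlists standing in for "addresses and sites you have
# dealt with before" (hypothetical firm name).
KNOWN_SENDERS = {"it-helpdesk@example-firm.com", "hr@example-firm.com"}
KNOWN_DOMAINS = {"example-firm.com"}

URGENCY = re.compile(
    r"\b(within \d+ (business )?days?|immediately|final notice|will be (locked|suspended))\b", re.I)
CREDENTIAL_ASK = re.compile(
    r"\b(log ?in|password|credentials|personal (and professional )?information)\b", re.I)


def _on_known_domain(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    # Exact match or a real subdomain of a known domain; "known.com.evil.net" does not pass.
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


@dataclass
class Verdict:
    reasons: list = field(default_factory=list)

    def should_report(self) -> bool:
        # Two or more ticked boxes: report it, even if it later proves legitimate.
        return len(self.reasons) >= 2


def assess(sender: str, body: str, links: list) -> Verdict:
    v = Verdict()
    if sender.lower() not in KNOWN_SENDERS:
        v.reasons.append("sender address not seen before")
    unknown = [u for u in links if not _on_known_domain(u)]
    if unknown:
        v.reasons.append("links to unrecognised site(s): " + ", ".join(unknown))
    if URGENCY.search(body):
        v.reasons.append("threatens consequences on a short deadline")
    if CREDENTIAL_ASK.search(body):
        v.reasons.append("asks for credentials or personal information")
    return v


# Constructed sample: the "legitimate but indistinguishable" training notice.
TRAINING_NOTICE = assess(
    "training@lms-vendor.example",
    "Complete mandatory training within 3 days or your access will be suspended. "
    "Log in and enter your personal and professional information to begin.",
    ["https://portal.lms-vendor.example/enroll"],
)
# Constructed sample: an internal reminder with nothing to flag.
INTRANET_NOTE = assess(
    "it-helpdesk@example-firm.com",
    "Reminder: the intranet phone directory has moved.",
    ["https://intranet.example-firm.com/directory"],
)

if __name__ == "__main__":
    for name, verdict in (("training notice", TRAINING_NOTICE), ("intranet note", INTRANET_NOTE)):
        print(name, "-> report" if verdict.should_report() else "-> ok", verdict.reasons)
```

The training notice ticks all four boxes and gets reported; the same function applied to outgoing internal mail before it is sent is a cheap way for IT or HR to notice that their own announcement looks like phishing.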
Re: (Score:2)
And at some places of employment, where you move to is the unemployment office for violating security policy.
Re: (Score:2)
True, and that's where a baseball bat can come in handy.
Re: (Score:2)
The proper term is "clue bat," and yes.
Re: (Score:2)
A large law firm in a major city does, yes.
Re: (Score:2)
Zuck owns it?
Re:They're getting stricter because it doesn't wor (Score:5, Insightful)
So far from training us to spot phishing attempts it feels more like they are training us to ignore them!
Re: (Score:3, Interesting)
Amusing (Score:2)
I find the phishing tests at my company to be amusing. They are something like this one (which I'm making up):
"Your organization has instituted random drug testing. Please enter your organization name and your username and password into the form below to confirm that you have received this message."
Re: (Score:2)
Log in to this website with your company email to enroll in DEI training.
Re: (Score:2)
Or opt out of it. Pretty sure that'd catch a lot of flies.
Re: (Score:3)
The last one that caught a number of people:
"An IT audit shows that you've spent 10 hours this week on personal web browsing. Click here to see screenshots of your activity."
Phishing tests more trustworthy than real thing (Score:4, Insightful)
I've seen phishing tests that come from an internal corporate email address, that should not be spoofable (within the corporate email system).
Meanwhile, employees are regularly flooded with unexpected emails that come from outside the corporate domain, include links asking us to log in with corporate credentials, and that turn out to actually be official corporate communication.
The first thing that companies need to do to protect against phishing is to make sure all official communications come from the corporate email domain, instead of whatever third party domain a contractor or service provider happens to be using this week.
Re: (Score:1)
I've seen phishing tests that come from an internal corporate email address, that should not be spoofable (within the corporate email system). Meanwhile, employees are regularly flooded with unexpected emails that come from outside the corporate domain, include links asking us to log in with corporate credentials, and that turn out to actually be official corporate communication. The first thing that companies need to do to protect against phishing is to make sure all official communications come from the corporate email domain, instead of whatever third party domain a contractor or service provider happens to be using this week.
Same problem here. It is very hard to tell if a third-party website is a legit SSO or not. Seems like a very bad idea. Official emails also use a third-party click counter. WTF? Teach me to check the links, then hide them? Then there is "Safe Links" where official links go through a third-party link checker. So they hide the target of links sometimes multiple layers deep, but keep training me to "check" where they go.
Re: (Score:1)
we got an email stating the email address and phone number associated with "HSA Bank" account has been changed - did my due diligence and confirmed the email had a different phone number than the one listed on their website (email looked sketchy too)
plus our HSA was through another company... so I reported it... was told it was legitimate..
1 week later i got a piece of paper mail with my new HSA Bank card in it
3 weeks later we get the official email from our company telling us that we were changing HSA prov
Add technical incompetence to the list of issues. (Score:1)
Our company added phishing tests to our outbreak 365 suite. M$'s pre-fetching of links in the emails triggered the phishing detection so we all got remedial training assignments. Assignments that appeared as a suspicious looking email from our admin.
Re: (Score:2)
This got me. We have an add-in that comes from the phishing test provider that we're supposed to click to "Report Phishing", that's part of what we're graded on. Instead of clicking their add-on "Report Phishing" button, I clicked on the "Report Phishing" button that is part of Outlook. This triggered the email to be opened and links fetched, flagging me as failing the test so I had to sit in training for a few hours.
I repeatedly told the security team what happened, and was ignored. So now I just completel
And Don't Ignore (Score:4, Informative)
I tend to ignore much of my email. Deleting it if it's not relevant to my job or what I'm doing. Doesn't matter if it comes from a vendor I recognize (like Red Hat).
But. I have to pay attention to emails now because if I don't catch a phishing email and report it, my "Security Alertness" ratio drops and I get a talking to.
It's almost like InfoSec is sending out ads to make money on the side.
[John]
Re: (Score:3)
This exactly. I don't even open them, because God only knows what scripts Outlook will still run. But now I have to click them and open them.
It should just be, if you fall for it, you're fired.
Bonus that HR keeps sending out legitimate emails with links to external domains. I've clicked the phishing button on those before, and bosses were unhappy with that.
Simple (Score:2)
Re: (Score:2)
there are smart ways and then there is this (Score:3)
There are smart ways and then there is this... you can't get good results by doing stupid things.
I've been on the side where these are created, and used... can say 100% that training works at preventing phishing attacks. IF THE PEOPLE RUNNING THEM ARE SMART and use them correctly.
Any tool in the hands of a dumbass will result in disaster.
For those that get crappy campaigns are likely the recipients of cyber insurance/risk asking for user awareness training and the person responsible for it simply trying to check a box and do the bare minimum.
Can count the number of user account compromises/infections on one hand for the clients that had awareness training run correctly... vs the dozens from those that didn't.
On the side of the companies suffering compromises even with training were due to partner organizations suffering a breach and being used to pivot into them and use established, trusted communications channels (sent email... looks suspicious, but from regular contact... user msgs other person on teams to confirm if it's legit... 2nd user (compromised)... "yeah, it's a report i needed you to take a look as soon as possible"....
let's just say phone calls became the standard for confirming validity of suspicious links/emails after that one... (mind you, they were already told to do so, but ignored the recommendation)
training helps... it's not a cure all... and when done correctly, it does work.
Don't blame the tool for shit results... blame the person using it.
No jokes? (Score:1)
Come on, Slashdot. This story has YUGE potential for stupid jokes.
Works if consistent (Score:3)
My best mate told me a while ago about IT sending out emails about warning against checking link names to sites and later sending out test emails with a trap link to test employees.
And then HR sent out surveys via email with links to an unannounced third party site.
Of course, the flak was not directed to HR but the people who didn't take the survey because they adhered to IT security advice.
One more example why I was glad they kicked me out of the company IT years ago. I have no more tolerance of stupidity.
Phishing tests are NOT effective, because of EMAIL. (Score:2)
Companies should use allowlists for their servers. (Score:1)
If you send a company an email and your email isn't recognized, then you should get an email back saying you need to request the ability to send them email. The default model of accepting any message from anyone doesn't work in a modern world.
And eventually, you'd probably get some companies that built and maintained huge allowlists/inclusionlists that your company could subscribe to just as there are companies that build and maintain databases of every tax for every city, county, state, and federal transactio
Re: (Score:2)
For example ... (Score:2)
Subject: A fork in the road
(Here sucker - I mean - fishy ...)
Only works on the scam illiterate (Score:2)
The training is ineffective on those who could spot a phishing message, and not those who keep falling for scams. Likewise, the ones vulnerable to phishing would still be vulnerable to other forms of scams, such as being asked by a customer to change the shipping address of something already in transit (then doing a chargeback).
What the training does - require skilled users to constantly monitor e-mail for things that they wouldn't normally receive. If the training is poorly designed, then it trips various
Re: (Score:3)
Of course they are a threat. They have never had any security clearance done on them (thus the one who resigned when the media reported on his eugenics postings) and who knows what they're screwing up to justify their existence.
For all the talk of "exposing" things, it sure is interesting how much effort President Musk is putting into hiding what his people are doing.
"Termination possible after three failures" (Score:2)
The longer you are employed at a company, the odds of opening an email and accidentally clicking the link approaches 1. So this appears to be a creative way to force people to retire!
It really ought to be a moving window, like 3 failures within 1 year, or per 1,000 e-mails.
Like real Ebola (Score:2)
" a test email about a fake Ebola outbreak sent staff scrambling before learning it was a security drill."
Like real Ebola, people felt a strange desire to go to an airport and book a middle seat. :-)
A philosopher would call this a "category error" (Score:3)
The company is testing humans for their ability to do something they are inherently bad at.
Filtering programs, such as the one at spamcop.net, do it well:
- I haven't had a false positive for about three years.
- I get a false negative about once a month.
Whenever I get an email at a customer's, I run it through the spamcop filter. That reliably identifies the phishing-test emails.
I prefer to report those on the equivalent of the IT slack channel, so others aren't caught out by them (;-))
Why not phishing resistant MFA? (Score:1)
We've had security keys for over a decade. I'm sure there are other phishing resistant MFA solutions as well. Why 100% rely on humans to detect phishing instead of implementing technical safeguards?
Fixing the wrong thing (Score:1)
What emails? (Score:2)
The first time I got one I checked the source and found a header indicating it was simulated phishing. A quick rule later and now they all end up in junk automatically.
otoh maybe people like us aren't the target for these things :D
Re: (Score:2)
What bothers me more is every email that's not from our domain has a big banner at the top warning us of this. It renders summaries in the email list useless. This is especially annoying given our team runs our own GitHub Enterprise instance on a different domain so all the notification emails are borked.