

Phishing Training Is Pretty Pointless, Researchers Find (scworld.com)
"Phishing training for employees as currently practiced is essentially useless," writes SC World, citing the presentation of two researchers at the Black Hat security conference:
In a scientific study involving thousands of test subjects, eight months and four different kinds of phishing training, the average improvement rate of falling for phishing scams was a whopping 1.7%. "Is all of this focus on training worth the outcome?" asked researcher Ariana Mirian, a senior security researcher at Censys and recently a Ph.D. student at U.C. San Diego, where the study was conducted. "Training barely works..."
[Research partner Christian Dameff, co-director of the U.C. San Diego Center for Healthcare Cybersecurity] and Mirian wanted scientifically rigorous, real-world results. (You can read their academic paper here.) They enrolled more than 19,000 employees of the UCSD Health system and randomly split them into five groups, each member of which would see something different when they failed a phishing test randomly sent once a month to their workplace email accounts... Over the eight months of testing, however, there was little difference in improvement among the four groups that received different kinds of training. Those groups did improve a bit over the control group's performance — by the aforementioned 1.7%...
[A]bout 30% of users clicked on a link promising information about a change in the organization's vacation policy. Almost as many fell for one about a change in workplace dress code... Another lesson was that given enough time, almost everyone falls for a phishing email. Over the eight months of the experiment, just over 50% failed at least once.
Thanks to Slashdot reader spatwei for sharing the article.
Oh of course (Score:5, Informative)
Re: (Score:3)
If it's true SSO, that wouldn't be so bad, you don't have to enter login credentials. That's almost a unicorn in my experience, like 3 or 4 sites 'get it' and the rest ask for your password.
If it's just same user/password, that's actually a bit worse, since phishing is likely to be successful then.
But yeah, when normal operating procedures resemble phishing often, then it's hard to blame the users.
Reverse Training (Score:5, Interesting)
It wasn't until a colleague from the purchasing dept. *actually* emailed me personally that I realized they weren't.
Re: (Score:3)
Work rolled out a new SAP invoice system. I'd been ignoring notifications for weeks because they looked like phishing emails. It wasn't until a colleague from the purchasing dept. *actually* emailed me personally that I realized they weren't.
Priceless!
On the flip side, I ruined all our testing by alerting our whole group to every single test phish ("hey guys, look at this, obviously you shouldn't click anything here"). Since I was usually the first one in every day, that pretty much removed any measurement or training value. But hey, nobody had told me they were going to send tests, so ...
Re: (Score:2)
Many of the test emails include a specific header value, so you can set up an Outlook rule to delete any emails containing, for example, header value X-PHISHTEST.
Re: (Score:3)
It would be better to use a context highlighting or category flagging rule to bring the message to your attention so that you can 1) always pass the test and 2) educate yourself on current phishing trends.
The tests are not meant to "get you", they are meant to help you.
If you just delete it, you are choosing to close your eyes and stick your fingers in your ears while murmuring to yourself.
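As an added example (not code from any poster in this thread), here is the rule the comment above describes, written as a script rather than an Outlook rule: it looks for a simulation marker header, using the X-PHISHTEST name from the comment, and instead of deleting the message it tags it for review and builds the forward-as-attachment report that a "report phish" button, or the auto-forward to IT mentioned later in the thread, would send. Real simulation vendors use their own header names, so the list is an assumption; the two sample messages and the phish-report@example.corp address are constructed for the demo.

```python
"""Mailbox rule for simulated phish: tag, don't delete; and report with headers intact."""
import email
from email import policy
from email.message import EmailMessage

# Marker headers that identify a simulated phish. X-PHISHTEST is the name from the
# comment; real vendors use their own, so replace or extend this tuple.
SIMULATION_HEADERS = ("X-PHISHTEST",)
REPORT_MAILBOX = "phish-report@example.corp"   # assumed internal reporting address


def classify(raw: bytes) -> dict:
    """Decide what the rule does with one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    markers = {h: str(msg[h]) for h in SIMULATION_HEADERS if h in msg}
    if markers:
        # Keep it and colour it: the test stays readable, so it can still teach something.
        return {"action": "flag", "category": "phishing-simulation",
                "subject": str(msg["Subject"]), "markers": markers}
    return {"action": "deliver", "category": None,
            "subject": str(msg["Subject"]), "markers": {}}


def build_report(raw: bytes, reporter: str, to: str = REPORT_MAILBOX) -> EmailMessage:
    """Forward the original as a message/rfc822 attachment so IT sees its untouched headers."""
    original = email.message_from_bytes(raw, policy=policy.default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = to
    report["Subject"] = "Reported phishing: " + (str(original["Subject"]) if original["Subject"] else "(no subject)")
    report.set_content("Auto-forwarded by mailbox rule; original message attached unmodified.")
    report.add_attachment(original)   # an EmailMessage becomes a message/rfc822 part
    return report


def extract_reported(report: EmailMessage) -> EmailMessage:
    """Receiving side: pull the original back out of the report."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    raise ValueError("no message/rfc822 attachment in report")


# Two constructed messages: a simulated phish carrying the marker, and ordinary mail.
SIMULATED = b"""From: "HR Portal" <hr-portal@example-hr-notify.invalid>
To: alice@example.corp
Subject: Action required: updated vacation policy
X-PHISHTEST: campaign-2024-q3
Content-Type: text/plain; charset=utf-8

Review the new policy here: http://hr-portal.example-hr-notify.invalid/login
"""

ORDINARY = b"""From: bob@example.corp
To: alice@example.corp
Subject: lunch?
Content-Type: text/plain; charset=utf-8

Noon at the usual place?
"""

if __name__ == "__main__":
    for raw in (SIMULATED, ORDINARY):
        decision = classify(raw)
        print(decision["action"], "|", decision["subject"], "|", decision["markers"])
        if decision["action"] == "flag":
            report = build_report(raw, reporter="alice@example.corp")
            inner = extract_reported(report)
            print("report carries original marker:", inner["X-PHISHTEST"])
```

Note that the report wraps the original rather than inlining it: an inline forward rewrites the From, Received and Authentication-Results headers, which is exactly what the reviewers need to see.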
Re: (Score:2)
HR sends us our payslips as a PDF attached to an email from a nondescript source with just the body text saying "payment notice attached". It looks like proper full on malware, I even reported it one day as a phishing attempt.
Re: (Score:2)
I had an instance of a work e-mail years ago, that was sent from a third-party contractor, that had so many red flags for very obvious phishing (including coming from outside the organization, wtf).
Where I work, we have a place to forward phishing emails so that IT can review it. I forwarded it there, and apparently so many other people did that a follow-up email had to be sent out that said, "we thank everyone for pointing out this e-mail as phishing, but we can confirm it's actually legit."
I think they le
Re: (Score:2)
And then, phishing e-mails, from IT, that aren't legit. :O
Re: Reverse Training (Score:2)
My company hired a third party to do anti phishing training. They sent the initial invitation in the phishiest way possible (from some random domain, with a link to click in the middle, and big red text saying "mandatory"). Of course, 75% or more ignored it, those that even saw it, because most of them ended up in the spam folder. So then our executives had to start begging us to go dig in the spam and go click on it to register for the mandatory class.
In which they told us not to do exactly what we'd had t
Fight the problem at the source (Score:3)
At one of the previous jobs, I immediately approached the HR department and made it clear that, unlike everyone else, I did not allow them to mention me on the "About Us" page. Result: zero scams received other than the simulated ones from internal pentests.
Re: (Score:2)
That works well if you have a job that has no external connections with the rest of industry, or go for bid work in external affairs like marketing or something.
Re: Fight the problem at the source (Score:3)
E-mail security is a clusterfuck (Score:3)
It was never originally designed with security in mind.
There are various protocols that can be layered on top to improve security. None have been universally adopted.
Having email content signed, and being able to verify the signature locally, would go a long way.
S/MIME did this 3 decades ago ! Thunderbird and Outlook still support it. Sadly, consumer gmail does not.
For anything corporate related, such as HR vacation policies, using digital signatures would go a very long way to prevent phishing scams, as the company can do things like preload and pretrust the corporate CA onto mail clients. Any emails not signed by the correct CA would be flagged. Hell, they can even be filtered on the server side.
The problem is with global, cross organization deployments. Unless every other org agrees to sign email, and there is a reliable way for CAs to track senders, it will not help with that sort of phishing. I tried to push the concept of using S/MIME for the above mentioned purpose while working for a major internet company, that had tens of millions of email accounts at the time. I believe it would have made a major difference. I could not get buy in.
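As an added example (not code from the poster or from any product), here is the server-side version of the check above: accept a message only if its S/MIME signature verifies and the signer chains to a pinned corporate CA. It drives the openssl CLI from Python, builds a throwaway corporate CA and an HR signing certificate, then builds an unrelated "outsider" CA that issues a certificate for the same HR address, and shows what a pinned-CA verifier says about a good message, one signed under the wrong CA, an unsigned one, and a tampered one. ExampleCorp, example.corp and all keys are generated here; it assumes `openssl` is on PATH.

```python
"""Pinned-CA S/MIME verification, demonstrated with openssl and a throwaway PKI."""
import subprocess
import tempfile
from pathlib import Path

# Minimal openssl config: a CA profile and an S/MIME end-entity profile (assumed policy).
PKI_CNF = """\
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_ee]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
subjectAltName = email:hr@example.corp
"""


def _openssl(*args: str) -> bool:
    """Run one openssl command; True on exit status 0. Output is discarded."""
    return subprocess.run(["openssl", *args], capture_output=True).returncode == 0


def new_ca(work: Path, name: str, subject: str) -> None:
    """Self-signed CA certificate and key: work/name.pem, work/name.key."""
    ok = _openssl("req", "-x509", "-new", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                  "-config", str(work / "pki.cnf"), "-extensions", "v3_ca", "-subj", subject,
                  "-keyout", str(work / f"{name}.key"), "-out", str(work / f"{name}.pem"))
    if not ok:
        raise RuntimeError(f"could not create CA {name}")


def new_user(work: Path, name: str, ca: str) -> None:
    """Key plus CSR, then a certificate issued by `ca` with the v3_ee S/MIME profile."""
    ok = _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", str(work / "pki.cnf"),
                  "-subj", f"/CN={name}", "-keyout", str(work / f"{name}.key"),
                  "-out", str(work / f"{name}.csr"))
    ok = ok and _openssl("x509", "-req", "-days", "1", "-in", str(work / f"{name}.csr"),
                         "-CA", str(work / f"{ca}.pem"), "-CAkey", str(work / f"{ca}.key"),
                         "-CAcreateserial", "-extfile", str(work / "pki.cnf"), "-extensions", "v3_ee",
                         "-out", str(work / f"{name}.pem"))
    if not ok:
        raise RuntimeError(f"could not issue certificate for {name}")


def sign_mail(work: Path, body: Path, signer: str, out: Path) -> None:
    """Clear-signed (multipart/signed) S/MIME message, as a mail client would send it."""
    ok = _openssl("cms", "-sign", "-text", "-in", str(body),
                  "-signer", str(work / f"{signer}.pem"), "-inkey", str(work / f"{signer}.key"),
                  "-from", "hr@example.corp", "-to", "staff@example.corp",
                  "-subject", "Vacation policy update", "-out", str(out))
    if not ok:
        raise RuntimeError(f"signing as {signer} failed")


def verify_mail(message: Path, pinned_ca: Path) -> str:
    """'ok' only if the signature verifies AND the signer chains to the pinned CA.
    Unsigned, tampered, and signed-under-another-CA messages all come back 'reject'."""
    verified = message.with_suffix(".verified.txt")
    return "ok" if _openssl("cms", "-verify", "-in", str(message), "-CAfile", str(pinned_ca),
                            "-out", str(verified)) else "reject"


def run_demo() -> dict:
    """Build the PKI and four messages; return each verdict against the corporate CA."""
    work = Path(tempfile.mkdtemp(prefix="smime-demo-"))
    (work / "pki.cnf").write_text(PKI_CNF)
    new_ca(work, "corp", "/O=ExampleCorp/CN=ExampleCorp Mail CA")
    new_ca(work, "outsider", "/O=Somewhere Else/CN=Some Other CA")
    new_user(work, "hr", "corp")            # the real HR mailbox
    new_user(work, "impostor", "outsider")  # same email address in the cert, wrong issuer

    body = work / "body.txt"
    body.write_text("Vacation policy changes Monday. Details on the intranet.\n")
    sign_mail(work, body, "hr", work / "good.eml")
    sign_mail(work, body, "impostor", work / "wrong-ca.eml")
    (work / "unsigned.eml").write_text(body.read_text())
    # Edit the clear-text part of a validly signed message: the digest no longer matches.
    (work / "tampered.eml").write_text((work / "good.eml").read_text().replace("Monday", "Friday"))

    corp_ca = work / "corp.pem"
    verdicts = {m: verify_mail(work / f"{m}.eml", corp_ca)
                for m in ("good", "wrong-ca", "unsigned", "tampered")}
    # The impostor's message is perfectly valid under its own CA; pinning is what rejects it.
    verdicts["wrong-ca-vs-outsider"] = verify_mail(work / "wrong-ca.eml", work / "outsider.pem")
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24} {verdict}")
```

The "wrong-ca-vs-outsider" case is the cross-organisation problem the post ends on: the same message is valid or not depending only on which CA the verifier trusts, which is why a pinned corporate CA works inside one org and says nothing about mail from outside it.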
Re: (Score:3)
Eh. I can generate S/MIME signed emails, but the cert is only signed by a CA within my employer -- there's no chain of trust that third parties, or even our corporate parent, can use (well) to verify that my cert means anything. And some or all employees at the corporate parent use an email client that shows signed emails as attachments, so there's a burden for them to see what I wrote.
So email infrastructure needs to meet a higher bar than just allowing signatures. It needs to make the signatures meanin
Re: (Score:3)
Yes, that's what I meant by cross-organization problems with trusted CAs. But at least for employees within your own org, it should still help.
The fact that some e-mail clients can't handle S/MIME is a big issue, which probably would not exist today if the internet giants of yesteryear had embraced S/MIME. If they had, clients without S/MIME support would have been at a significant disadvantage, and there might not be as many in use as there are today.
The major webmail providers are in large part to blame.
Re: (Score:2)
Note that there are ways to deal with cross-org problems. Cross-certification / bridge CAs are meant to help with that. It is complex to deploy, and not something end users would want to deal with. But it can be done at the org level, between two or more orgs. I wrote code that made all this work. I'm not sure anyone deployed it outside of the federal government. Even then, I'm not sure, as I never had to fix a related bug.
Re:E-mail security is a clusterfuck (Score:5, Informative)
I disagree. Email security is actually very easy to do right. The mistake was making the emails HTML for a minor gain in "prettiness" and a massive security nightmare and processing "documents" in insecure crap like MS office and doing all that on the always fundamentally insecure clusterfuck "Windows".
If you build houses-of-cards on sand, you really have no business complaining about them falling down.
I don't think it was just prettiness (Score:2)
Re: (Score:2)
You are confusing a text-channel with a DTP tool. Yes, I get you are stupid and contrarian, but this statement is really, really, really dumb.
Re: (Score:3)
I meant e-mail security in the real world, not in the one we might wish we lived in.
I agree HTML e-mail is a problem, but it's hardly the only one. E-mail protocols were originally never designed with security in mind. Anonymity was a feature. Same for many other early internet protocols. These things have not aged well, and should have been replaced, rather than extended, if industry players and standards committees could have agreed. Instead, we have the mess we are in today.
For the record, while non-HT
Not even trying to solve the right problem... (Score:5, Insightful)
Even fairly middling mail filters get a lot of the really lazy stuff; and if you don't want people clicking on Important.doc.exe you just tell the mailserver not to give it to them; not try to train them out of double extensions. If they keep falling for fake login pages; well, that's what the FIDO2 requirement is for.
It's when an account gets compromised at a supplier and a nice looking email, legitimately coming from their infrastructure, body including knowledge of past interactions with them, asking accounts payable to please make a few updates, that you have a problem you hope you actually spent time drilling people on proper procedure for. Those ones are, at a technical level, impeccably legitimate; and a great way to send tens of thousands of dollars into the ether really fast.
Re: (Score:2)
Don't forget the false positives. When I e-mail authorities I regularly get the response "I don't open attachment or click links" despite the attachment being sound recordings from their own switchboard (I want to complain about some bureaucrat's behaviour on the phone or so) or the links going to major newspapers. And then you are stuck because the content of the attachment/link is my whole errand!
Re: (Score:2)
That filter doesn't work because many phishing scams use encrypted files, often with the premise of "protecting your information".
Of course, the password to use is given in the email. so highe
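As an added example (not code from any poster), here is a small server-side attachment gate of the kind the post above argues for: it never delivers an executable or a double-extension name like Important.doc.exe, and it handles the evasion the reply raises, a password-protected archive with the password in the message body. Members of a zip are name-checked too, and an encrypted member is detected from the archive's own flag bit, since its contents cannot be scanned. The extension lists are an assumed policy, and the sample zip and bodies are constructed here.

```python
"""Attachment gate: executables, double extensions, and encrypted archives with the password in the mail."""
import io
import re
import zipfile

# Assumed policy: executable types the server never delivers, and document types
# that should never be followed by another extension.
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "hta", "lnk", "bat", "cmd", "ps1"}
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "pdf", "txt"}
PASSWORD_IN_BODY = re.compile(r"\b(?:password|passcode)\s*(?:is|:)\s*\S{4,}", re.IGNORECASE)


def name_verdict(filename: str) -> str:
    """'block' for an executable name or a document name carrying an extra extension."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "allow"
    if parts[-1] in BLOCKED_EXTENSIONS:
        return "block"                      # Important.doc.exe, invoice.scr, ...
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        return "block"                      # report.pdf.html and friends
    return "allow"


def zip_verdict(data: bytes) -> str:
    """Look inside a zip: an encrypted member cannot be scanned, so the archive is
    quarantined; plaintext members get the same name check as top-level files."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block"                      # claims to be a zip and is not
    for info in archive.infolist():
        if info.flag_bits & 0x1:            # general-purpose bit 0: member is encrypted
            return "quarantine"
        if name_verdict(info.filename) == "block":
            return "block"
    return "allow"


def gate(attachments, body: str) -> dict:
    """attachments: iterable of (filename, bytes). Returns per-file verdicts and an overall one."""
    verdicts = {}
    for name, data in attachments:
        verdict = name_verdict(name)
        if verdict == "allow" and name.lower().endswith(".zip"):
            verdict = zip_verdict(data)
            # Encrypted archive plus its password in the same mail is the lure pattern
            # the reply describes, so treat it as hostile rather than merely unscannable.
            if verdict == "quarantine" and PASSWORD_IN_BODY.search(body):
                verdict = "block"
        verdicts[name] = verdict
    ranked = ("block", "quarantine", "allow")
    overall = min(verdicts.values(), key=ranked.index, default="allow")
    return {"attachments": verdicts, "overall": overall}


def make_sample_zip(member: str, content: bytes, mark_encrypted: bool = False) -> bytes:
    """Constructed test input: a one-member zip. zipfile cannot write real encryption,
    so for the demo the 'encrypted' flag bit is set in both the local file header
    (offset 6) and the central directory entry (offset 8); zip readers then report the
    member as encrypted even though the payload stays plaintext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        assert data[:4] == b"PK\x03\x04"
        data[6] |= 0x01
        central = data.find(b"PK\x01\x02")
        data[central + 8] |= 0x01
    return bytes(data)


if __name__ == "__main__":
    cases = [
        ([("Important.doc.exe", b"MZ...")], "see attached"),
        ([("docs.zip", make_sample_zip("invoice.pdf", b"%PDF"))], "see attached"),
        ([("docs.zip", make_sample_zip("invoice.pdf", b"%PDF", True))], "see attached"),
        ([("docs.zip", make_sample_zip("invoice.pdf", b"%PDF", True))],
         "For your protection the file is encrypted. The password is Inv2024"),
    ]
    for attachments, body in cases:
        print(gate(attachments, body))
```

The quarantine bucket is the honest answer for an encrypted archive on its own: the server cannot say what is inside, so a person has to. Only the combination with a password in the body is treated as a block outright.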
Re: (Score:3)
I'll amend that to say the typical IT managed OS is too easy to compromise. If an incompetent IT insists on management and observability of an endpoint, they frequently screw up whatever security the platform might actually have, because it somehow inconvenienced them and it's easier to turn the safeguards off.
Seen It (Score:2)
The phishing test emails at work are blatantly obvious, and yet people somehow fall for them repeatedly. One person even replied directly to a fake government department email with their full personal and financial details. WTF. How? Why?!
Re: (Score:2, Interesting)
Lack of critical and independent thinking. Many people are willing to trust easily, with no verification. Hence Crapcoins, AI, anti-vaxxers, stupid politics, etc., ad nauseam. Seems to not be connected to education or IQ. Most people just cannot fact-check, and not recognizing phishing is the small version of that.
Re: (Score:2)
Lack of critical and independent thinking. Many people are willing to trust easily, with no verification. Hence Crapcoins, AI, anti-vaxxers, stupid politics, etc., ad nauseam. Seems to not be connected to education or IQ. Most people just cannot fact-check, and not recognizing phishing is the small version of that.
You are right. But what is the solution? And any of us can have a weak moment. It helps to realize that even you or I can. I assume that every email I get has ill intent, but would never claim to be impossible to phish.
Re: (Score:2)
Re: (Score:3)
People do get better, but the manner in which they do so - on their own time, at their own pace and not absolutely - makes that information mostly useless.
Re: (Score:2)
Better software. I have accidentally opened malicious attachments myself or rather tried to. Know what happened? Absolutely nothing because my email setup does not call external applications.
Re: (Score:2)
Better software. I have accidentally opened malicious attachments myself or rather tried to. Know what happened? Absolutely nothing because my email setup does not call external applications.
Nor mine, but yes, email should never open external programs, and html email should not be allowed.
Re: (Score:3)
> Many people are willing to trust easily, with no verification.
Because they know their bosses are vindictive assholes. "Hey boss, you really shouldn't issue financial instructions over an insecure channel..." - yeah, that will go down well.
Phishing emails work because bosses would do stupid stuff like that, and would punish people for erring on the side of safety.
So yes, stupid is the problem, but it is not necessarily the underlings.
Re:Seen It (Score:5, Insightful)
I did once get called by my bank and naturally they then demanded I prove who I was by giving them information over the phone. I requested that they prove they were the bank, and said that I wasn't going to give them any information. The poor sap on the other end sounded rather affronted and told me that he was with the bank and they needed to know if I was who they thought for security reasons. Something seemed off about it to me: usually phishers are obvious, but there's a certain flavour to the crapness. This felt in some indefinable way to have the flavour of crapness of the actual bank.
So, I called them and sure enough it turns out the bank actually did call me in an act which was almost indistinguishable from a phishing attempt.
It was a while ago, but not that long, definitely well into the internet era and the era of phone scams etc.
Re: (Score:3, Insightful)
There are still many organisations who do not understand this basic fact: if you call someone's private number, chances are good that you get the person you're after on the phone. But i
Re: (Score:2)
Similar, but slightly different: I was buying a house and needed the details to wire the money I was paying. The title company sent me a link to a company that would provide the details, but which made me prove my identity.
They have this process entirely backwards. The entire email could have been fake (this has happened) and the wire instructions could also have been fake.
In this case, everything was good. The wire instructions matched instructions I had been given earlier and that I had verified by callin
Re: (Score:2)
When I get phone calls out of the blue from tax authorities (1) my financial advice company (2) or others (many) and they start by asking for a security check, I always ask them to prove that they are who they say they are before I will divulge any information at all. So far, the only organisation to be sensible about it was the company that gives me financial advice.
The number of organisation that appear to be training their customers/clients to respond to phishing phone calls with real data is frightenin
Re: (Score:2)
> So, I called them and sure enough it turns out the bank actually did call me in an act which was almost indistinguishable from a phishing attempt.
This is the real problem. We fail to authenticate important messages, and that is the root of the opportunity for phishing.
Re: (Score:2)
The poor sap on the other end sounded rather affronted and told me that he was with the bank and they needed to know if I was who they thought for security reasons.
That is a terrible system, I'm surprised they do it that way. Banks are usually better about that. The only times I got a call from my bank that required me to prove who I was, it was either a returned call, and they mentioned the subject and that I had called, before they started verifying my identity, so I knew it was legit. Or the fraud alert people, and they could easily verify that they were who they said they were, because they asked about specific purchase attempts with the amount and location before
Re: (Score:2)
Never provide personal or especially financial information to any communication (phone call, text or email) that you did not originate. The increasing sophistication of scammers requires making this a hard rule.
I have seen some clever scams recently -- a call from my "bank" that actually showed up as my bank's number, that then had me call them back on a number that showed up as belonging to the bank on Google, and they recited to me some correct information about myself. It failed when they could not provi
Re: (Score:2)
Re: (Score:2)
The app of my bank has a button that you can click to check if the bank is currently calling you. You can put in your phone number, so that you can do this check on a different phone than the one you are using for the call.
And the bank constantly reminds me of the existence of this function.
Re: (Score:2)
The phishing test emails at work are blatantly obvious, and yet people somehow fall for them repeatedly. One person even replied directly to a fake government department email with their full personal and financial details. WTF. How? Why?!
It is because anyone can have a weak moment. And even if you have half a percent (made up number) having that weak moment at some point, in a big organization, you will get some people rising to the bait.
That's because the workplace counter-trains people (Score:5, Informative)
The abysmal results are because every workplace trains people to fall for phishing scams. That change in vacation policy? The real, legitimate notification of it will be in an email from an external bulk-mailing service telling employees to click on the link included. There's nothing in it to distinguish it from a phishing attempt, and employees are supposed to trust it.
Progress is going to require workplaces, schools etc. to:
Re:That's because the workplace counter-trains peo (Score:4, Interesting)
That change in vacation policy? The real, legitimate notification of it will be in an email from an external bulk-mailing service telling employees to click on the link included. There's nothing in it to distinguish it from a phishing attempt, and employees are supposed to trust it.
That's really up to the (in)competence of the organization. At least where I have worked, yes, there are sometimes such mails, but they are very rare. Most often, if an external service is being used (e.g. for employee surveys), you first get a mail from an internal address (that is also signed with the corporate cert) that says something to the effect of "You'll be getting a mail over the next few days from SurveyPartner. The e-mail originates from @domain.com and it has a link to https://surveybox.something/ou... something".
In my current workplace, I have gotten *one* legit-but-appearing-fake mail and within two days gotten it again but with a preamble from another source telling me to expect such mail.
Just tell the IT department to get their act together.
Re: (Score:2)
> that says something to the effect of "You'll be getting a mail over the next few days from SurveyPartner. The e-mail originates from @domain.com and it has a link to https://surveybox.something/ou... something".
Inevitably followed by "please check your spam filter".
How about tell IT to get the spam filter properly set up? Whitelists exist for a reason, and they are much less work than 3000 employees checking the spam folder.
No, I will stick with "incompetence is rife on all levels
Small wonder (Score:2)
Half the population has an IQ of under 100.
Re: (Score:3)
Interestingly, effects like this seem to be only weakly correlated with IQ.
Re: (Score:2)
effects like this seem to be only weakly correlated with IQ.
Very little is very strongly correlated to IQ. It's not that there aren't any, it's that they are mostly not all that important.
Click-through is the wrong thing to measure (Score:2)
The experiment, and typical phishing training in general, measure click-through on email links. They use that measure because it is technically easy - you just need to create a fake email, not an entire fake website, and all phishing scenarios can be handled in the same way. The problem is that people frequently get emails with links they do have to click on, and this makes reliably distinguishing between legitimate emails and (well-crafted) phishing emails before clicking genuinely hard.
It is not clicking
Re: (Score:3)
And every time you hover over a link to figure out where it really goes to as IT wants you to, there's a nonzero chance that you will accidentally click it. So if you make it through life without ever clicking one of those phishing test links, it's a minor miracle.
ID (Score:2)
Re: (Score:2)
Noob here... wouldn't this be a legit reason to make a part of the web ID only? No anonymity, log in with government ID. Laws apply, credentials can be revoked by court? Like a driving license. Country borders would be an issue I guess.
It would help. I've long agitated for transparency.
Re: ID (Score:2)
In the US it would generally be unconstitutional to revoke your right to use the Internet unless you've been convicted of some kind of computer crime.
Re: (Score:2)
For formal stuff, we have ways of identifying ourselves here in Belgium. For banking apps, communication with the government, the same system is used. It lacks (to my knowledge) a messaging service though. Well, you can send registered emails if you pay, but to my knowledge, this isn't used that much. If someone's name is formally tied to a message, I bet phishing messages would diminish. Of course, if you get hacked the
Mitigate the problem (Score:2)
Absolutely no surprise to me (Score:2)
Those that can detect phishing and are not at risk of falling for it (often people in lower roles) could do so before training. The others still cannot do so after it. I have seen that time and again.
Face it: This is not a problem that can be solved on the people-side. This is a tech problem. And if MS would be held to their abysmally bad decisions, like allowing opening and execution of attachments with just a few clicks, this problem would have been solved a long time ago. We really need software liability
Re: (Score:2)
The others still cannot do so after it. I have seen that time and again.
I mean if the email from Bola Johnson on behalf of a Nigerian prince who needs the release fee for a lot of money doesn't set off alarm bells, literally nothing will.
Er (Score:5, Insightful)
Another lesson was that given enough time, almost everyone falls for a phishing email. Over the eight months of the experiment, just over 50% failed at least once.
I would call "just over 50%" disappointingly too many, but certainly not "almost everyone".
I mean with no guile at all, you could rephrase that as "over the eight months of the experiment, almost 50% never clicked a link in a phishing email."
Re: Er (Score:4, Informative)
Looking at the paper, I think the authors theorize that if they ran the test longer, the percent would keep rising. It was not the same people failing repeatedly. It was different people in each month, with some but not all overlap. It appears that maintaining vigilance is hard enough, if attacks just keep coming, most humans will eventually let one through. The summary appears to be correct, it just did not cite enough of the paper to explain the claim.
Researchers thought wrong (Score:5, Insightful)
They thought the purpose of these trainings is to reduce the chance of getting phished? A big NO.
These trainings are there to cover the asses of management, so that when someone in the company got phished, management can point to these trainings and say "We have done all we can, we are not responsible!".
Hence, to find out if these trainings are effective, researchers should have compared how badly management was held responsible after getting phished.
Re: (Score:2)
Heres why it isnt pointless (Score:3)
It isn't pointless because somebody somewhere is making money selling old rope.
well (Score:2)
... My company has an elaborate phishing training regime, but at the same time:
- sends out corporate news and hr internal things with "click this" shortened links
- connects essential/critical functions through outsourced partners (like fucking SharePoint) that demands you use your CORPORATE UBER SECRET ID AND PASSWORD on some password popup to a completely different domain
Even if you're conscientious and cautious, these corporate practices train you to obediently do things that are objectively unsafe.
Is that really falling for it? (Score:2)
It's not _good_ that the employee is getting that far along in the process, but it's hard to say that just clicking the link is falling victim to a phishing
Punishment is key (Score:5, Interesting)
The company I work for has had good results with our anti-phishing efforts. Our IT folks now have about 10 yrs of data showing that the fail rate dropped dramatically once they started sending fake phishing emails that forced you to take a 10-minute waste of time training course every time you fell for them. When they let up on the frequency of the emails the fail rate went up. When they increased the frequency of them, the fail rate went down. They even stopped the program for a couple of years and then started it back up, and the initial fail rate was high, then dropped precipitously when the "punishment" for failure started to be enforced.
For our company at least, knowing that any suspicious email we get could have been sent from our own IT folks, and that if we click on it could result in a 10-minute waste of time, appears to be a deterrent.
Re: (Score:2)
Same experience at my company. About 10% of employees initially failed the phishing test. Even with training though, the failure rate is high enough that, should a real phisher attack, they would find a way in through *somebody's* inbox. It only takes one.
Stick or Carrot (Score:2)
That is one way to go about it.
I have some experience in a slightly different solution that makes spotting scam emails fun by gamifying it. Spot a phishing email and score points. Spot it faster than anyone else and score even more points. There is a company-wide scoreboard, and the monthly best performers can be rewarded but IME that is not even necessary. The competition in itself is reward enough when there are many who want to be the top dog on the scoreboard.
The best part? Practically all who take part
old saw (Score:2)
You can't fix stupid.
50% is not 'almost everyone' (Score:2)
And I bet the 50% that did not fall for it in 8 months would never fall for it. They have learned the lessons. The 1.7% improvement is what confuses me. I am shocked that the susceptible can learn at all.
Phishing works on human psychology. Almost the exact same way the clickbait works. Some people quickly learn the techniques used to fool the majority and become immune. Others keep on falling for it forever. Probably the same mechanism that keeps conspiracy nuts in the conspiracy.
The deceitful never u
Maybe if the training ones actually looked real (Score:2)
The types of training emails I got at my last job were embarrassingly obvious, the sort of obvious that wouldn't get past the most rudimentary spam filter. If they want these to work (big if) maybe use some real, in the wild, recent successful ones as a template rather than just mimic the easy to explain examples in their dumbed down training videos.
the company I work for does it (Score:2)
It is to the point where I will refuse to open any external emails or click on any links in any emails, even when from Microsoft Teams. The company will punish those that fail their tests. Then they get mad at me for not reading some of their emails or attachments. In the end, it is a no-win situation for both the company and their employees
Safelinks in Outlook (Score:2)
Then we have Safelinks in Outlook which totally obfuscates the original link and so completely negates the "hover over the link to check that it's genuine" advice.
I suppose _technically_ the IT dept are taking responsibility at that point if I do click but I know it won't actually help me to claim that.
I got into a spat with IT once about the phishing training emails where they told us _NOT_ to tell our colleagues about these emails. I got them to the point where they told me that if I wasn't certain that i
Corporate training isn't meant to stop breaches (Score:2)
Easily subverted. (Score:2)
The various ones I've seen all identify themself in the headers. I just made an Outlook rule to auto-forward them to IT without ever bothering me about it.
Users often know more about phishing than trainers (Score:2)
I've worked at a number of companies. They all had phishing training that was at best useless, and often completely counter productive.
One company sent an invite to a mandatory off-site (only a city block away, but still) security training seminar to everyone in the company. The invite was sent from the training vendor, with no advance notice, and demanded employees register for the event using their company ID and password. Employees received an unexpected email from an unknown third party, demanding their
Training or No Real Defense (Score:2)
Re: (Score:2)
Not so much corporate, but lots of stuff with various levels of government can simply be solved by policy - simply require anything/everything related to government services to be served up from a .gov or .state.abbr.us domain name.
Why? Well, let's look at your free annual credit report that you can get. Go google/ddg/bing/whatever for "free annual credit report" like most common folk would do, and tell me which of them is the one run by the FTC and therefore sure to be legit? If you search the FTC website,
Microsoft's Outlook doesn't help (Score:2)
They're training us to fall for it (Score:2)
HR departments in the last six years were outsourcing their communications to third parties. We're being trained to accept messages from strangers.
At my last two jobs, the electronic security teams were really pushing Single-Sign-On... which means giving my identity and auth-codes to an outside third party just so I can start the work they're paying me for.
Blame Ponemon Institute (Score:2)
It caused problems (Score:2)
I used to do these and when done correctly they are useful (Score:2)
I used to do these, and when done correctly they are useful in actually dropping compromise rates and user clicks on malicious links. There were actual, noticeable differences in user behavior.
But only if done intelligently, not as a gotcha, not as a punitive thing, and with leadership understanding the purpose: EDUCATION and security.
If you're out to trick your users, and then punish them, you're missing the objective. It needs to be done in good faith.
If you don't know how to implement these, or they aren't wo
Re: (Score:2)
The worst thing I've seen was, when "wanting back" a reported phishing email that turned out to be legitimate, that it takes weeks and it doesn't return as the actual email in Outlook but as a chain of emails going back and forth, partly with some company to which this thing was outsourced, and a small one I wouldn't send my Slashdot and whatnot emails to for checking ...
Re: (Score:2)
The level of internally generated junk (inapplicable, HR fluff, and broadcast) emails at my former (large multinational) company was incredible.
Re: (Score:3)
I fault any company that sends any links in any emails. Every time a customer clicks a legit link from a legit company and nothing bad happens, that customer is trained to trust potentially harmful links in the future. "It worked just fine last time". Instead of sending their customers a link in an email they should tell them "Go to the official website for Bob's Discount Bank-O-Rama to access your mortgage statement.". Using bookmarks or actually typing www.bobsbank.com is not hard.
My employer filters out a
Re: (Score:2)
the genuine emails they sent out often stunk of phish,
We had one email which looked like a poorly crafted phishing email. Plain text, talking about changing a password for a program which didn't sound real, dashed lines, etc. When people asked me what it was about I had to reach out to others (I had only started a short time before) who told me it was a legitimate email for an account the user has so they could access a particular type of information. It looked like something from the teletype days. Thi
Re: Reverse problem (Score:4, Funny)
Re: (Score:2)
Massive problem. IT should really list all the companies they partner with.
Re: Reverse problem (Score:2)
At my last job, a Microsoft shop, the anti-phishing system would always click on links in your emails to see if it is harmful. I then got my first notification that I clicked on a phishing email.
It turns out I never even received these phishing test emails. Anyone sending me a one-time link to that email address would be futile, as the security system would check these links too.
Re: (Score:2)
a Microsoft shop, the anti-phishing system would always click on links in your emails to see if it is harmful. I then got my first notification that I clicked on a phishing email.
An outright lie. In-cloud detonation does not generate a client-level event. You - yes YOU - clicked on a link you really shouldn't have. Quit blaming the technology. Own it.
Re: (Score:2)
I have so many questions about this.
Our gateway filters are standard Microsoft, and they are absolutely terrible. We have two junk mail filters, one in the gateway, one in Outlook, and neither seems to catch any significant amount of junk (both are pathetic compared to Gmail, for example).
Why are internal emails filtered out? I have never understood this. Internal emails should be secure. If you have an internal account sending phishing emails, you are already breached, and you have bigger problems than to f
Re: (Score:3)
Re: (Score:2)
what is the issue with links? Links should be safe to click.
So... because you are ignorant, you're putting the blame.... where exactly?
Re: (Score:2)
*Anyone* engaging with obvious phishing mails a minimum of 3 times... here's your pink slip, you horrible excuse for an adult.
Making IT responsible for your mouth-breathing ignorance and irresponsibility.... hilarious.
If we make you lot unemployed and retain those who don't react to these campaigns we will all be better off with fewer data breaches.
You woke up all your colleagues. (Score:2)
That's mean. :)
You woke up all your colleagues for a false alarm
Re: (Score:2)
Re: (Score:2)
You wish.
Re: (Score:2)
Speak for yourself. I can spot the shit a mile away.
Sadly, you are not most people.
Speaking as someone whose duties have included helping people who have fallen for various scams, I can tell you there is no big difference between age groups. Or if there is, younger people tend to be more trusting and less cynical than older people, making them actually more gullible for certain types of scams. (Barring of course greedy older people who will grab at anything that promises instant riches.) The average person that has needed my help has been in their thirties,
Re: (Score:2)