A previous (huge) company of mine sent out a lot of phishing test emails, some of which were pretty convincing.
As developers, we quickly discovered that all the emails had a metadata header in them which identified them as a phishing test, so we set up a filter for it so every email since is clearly coded with a bright red “Phishing test!” label.
Here they started doing such phishing tests a while ago and our IT department had significantly worse stats than other departments, in terms of how often we would click on the link in the phishing mail.
And yeah, the conclusion was that we were just being asshats that decided to poke around in the obvious phishing mails for the fun of it. Rather than getting extra security training, management told us to just stop dicking around, so that our stats look better.
Where I work they use the Microsoft phishing simulation, for which they publish a list of domains they send from.
X-Phish
My favorite band from 1999
Thanks for the tip!
Assuming that’s disabled -
experienced folks can get caught (e.g. maybe waking up before dawn or something)
Can be a good reminder, a little humbling!
Did it also label real phishing mails?
Because those tests are sent out for a reason. And in my experience, developers are some of the worst at cybersecurity.
Honestly, I don’t click on anything in Emails. If it is important, somebody will write me in Teams/Slack, and otherwise I just acknowledge and ignore.