• tiramichu@sh.itjust.works (143 points, 10 days ago)

    A previous (huge) company of mine sent out a lot of phishing test emails, some of which were pretty convincing.

    As developers, we quickly discovered that all the emails had a metadata header in them which identified them as a phishing test, so we set up a filter for it so every email since is clearly coded with a bright red “Phishing test!” label.

    • Ephera@lemmy.ml (16 points, 10 days ago)

      Here they started doing such phishing tests a while ago and our IT department had significantly worse stats than other departments, in terms of how often we would click on the link in the phishing mail.

      And yeah, the conclusion was that we were just being asshats that decided to poke around in the obvious phishing mails for the fun of it. Rather than getting extra security training, management told us to just stop dicking around, so that our stats look better.

    • Dave@lemmy.nz (11 points, 10 days ago)

      Where I work they use the microsoft phishing simulation, for which they publish a list of domains they send from.
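
The two tricks above (tiramichu's filter on an identifying metadata header, and Dave's published list of sender domains) can be combined into one mail filter. The script below is an added example, not code from anyone in the thread. The header name `X-Phish-Simulation`, the domains in `SIMULATION_DOMAINS` and the three sample messages are all constructed for illustration; they are not a real vendor's header or published domain list.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical header name. The thread only says the test mails carried an
# identifying metadata header; the real name depends on the vendor.
PHISH_TEST_HEADER = "X-Phish-Simulation"

# Constructed placeholder domains. Replace with the list your simulation
# vendor actually publishes; these are not that list.
SIMULATION_DOMAINS = {"simulation.example.com", "training.example.net"}

LABEL = "[Phishing test!]"


def sender_domain(msg) -> str:
    """Domain of the address in From:, ignoring the display name,
    so a spoofed 'IT Support' display name does not influence the match."""
    _name, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def classify(raw: bytes) -> str:
    """Return which marker identified the mail as a simulation, or 'unknown'.

    'unknown' only means neither marker was present. A real phishing mail
    carries neither, so 'unknown' must never be read as 'safe'.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get(PHISH_TEST_HEADER) is not None:      # header names match case-insensitively
        return "phishing-test:header"
    domain = sender_domain(msg)
    if domain and any(domain == d or domain.endswith("." + d) for d in SIMULATION_DOMAINS):
        return "phishing-test:sender-domain"
    return "unknown"


def labelled_subject(raw: bytes) -> str:
    """Subject line as the filter would rewrite it (the bright red label)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if classify(raw).startswith("phishing-test"):
        return f"{LABEL} {subject}"
    return subject


# Constructed sample messages, not real mail.
TEST_MSG_HEADER = (
    b"From: IT Support <helpdesk@corp.example>\r\n"
    b"Subject: Password expiry\r\n"
    b"X-Phish-Simulation: campaign-42\r\n"
    b"\r\n"
    b"Your password expires today. Click here.\r\n"
)
TEST_MSG_DOMAIN = (
    b"From: HR <benefits@mail.simulation.example.com>\r\n"
    b"Subject: Benefits enrolment\r\n"
    b"\r\n"
    b"Confirm your enrolment at the link below.\r\n"
)
# Lookalike domain and no marker: the filter must leave this one alone.
REAL_MSG = (
    b"From: IT Support <helpdesk@corp-example.co>\r\n"
    b"Subject: Urgent: verify your account\r\n"
    b"\r\n"
    b"Verify now or lose access.\r\n"
)

if __name__ == "__main__":
    for name, raw in [("header", TEST_MSG_HEADER), ("domain", TEST_MSG_DOMAIN), ("real", REAL_MSG)]:
        print(f"{name:7} {classify(raw):28} -> {labelled_subject(raw)}")
```

The point of the third sample is the caveat raised further down the thread: the filter can only tag mails that announce themselves as tests. Anything without the header or outside the published domains gets `unknown`, and that is exactly what genuine phishing looks like, so the label removes the annoyance of the test but none of the need to read the rest of your inbox carefully.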

    • brbposting@sh.itjust.works (2 points, 9 days ago)

      Assuming that’s disabled -

      experienced folks can get caught (e.g. maybe waking up before dawn or something)

      Can be a good reminder, a little humbling!

    • Honytawk@feddit.nl (1 point, 9 days ago)

      Did it also label real phishing mails?

      Because those tests are sent out for a reason. And in my experience, developers are some of the worst at cybersecurity.

      • theolodis@feddit.org (1 point, 9 days ago)

        Honestly, I don’t click on anything in Emails. If it is important, somebody will write me in Teams/Slack, and otherwise I just acknowledge and ignore.

  • GiveOver@feddit.uk (52 up, 1 down, 10 days ago)

    If a coworker leaves their pc unlocked near me I like to click the phishing emails so they have to do the course. Tee hee!

    • Ediacarium@feddit.org (53 points, 10 days ago)

      I worked at a company where everyone would try and send an email to themselves from an unlocked PC. That mail contained a heads-up that the victim will bring cake into the office, e.g. next Tuesday. They were then typically forwarded to the whole team while thanking them for their generosity.

      It really hammered that lesson home and the victims did honor the cake-mails. The only downside was that this led to people trying to bait each other into leaving their PCs unlocked, and to creative countermeasures, such as delaying mails containing the word ‘cake’.

      • GiveOver@feddit.uk (38 up, 2 down, 10 days ago)

        Exactly, it’s my own version of teaching cyber security!

        I recently set somebody’s homepage to meatspin.com and they snitched on me to the boss because they were worried they’d get pulled up for visiting NSFW websites. The boss just said “Why was your PC unlocked?”

        • Mark with a Z@suppo.fi (27 points, 10 days ago)

          Maybe your work atmosphere is different, but if I showed meatspin to a coworker, it would be considered pretty fucking weird and inappropriate.

          • GiveOver@feddit.uk (18 points, 10 days ago)

            Oh yeah I definitely wouldn’t recommend doing this unless you’re comfortable with all your colleagues!

    • Honytawk@feddit.nl (3 points, 9 days ago)

      It is a good practice to start what we call “Hasselhoffing”.

      It is where you change the background to a picture of David Hasselhoff every time someone leaves their PC unlocked for long enough to change the background. The more it happens, the sexier he gets.

      I urge other colleagues to do the same. The only defense there is against that is to lock your PC every time you leave your desk. It really works.

      • Fiery@lemmy.dbzer0.com (2 points, 9 days ago)

        You need to level up the game and buy a rubber ducky. Go to grab a snack? Hasselhoff’d! Turn to a colleague to look at their screen for a second? Hasselhoff’d!

    • wdx@feddit.org (1 point, 7 days ago)

      Open their Teams and send “I’m bringing cake next week” in the group chat on their behalf.

  • CerebralHawks@lemmy.dbzer0.com (32 points, 10 days ago)

    We all have to do the course. And honestly I’m not even mad.

    In my line of work, most people are not computer savvy. We’re running Windows 11 and no one has admin privileges, even the highest ranking people. They’re all limited. That’s fine. We can’t install anything. I’m pretty sure I could hit up PortableApps and get some portable software working, but I’m not trying to push my luck. I’m pretty sure I know what I can and can’t get away with, but it’s a good job and I don’t want to mess it up. Besides, a lot of people are illegally streaming sports or movies and getting away with that, so IT security is pretty lax. That’s probably true at a lot of places.

    I don’t mind the cybersecurity courses because I mute them and make them run at double speed and I ignore them, clicking through, then I ace the test. It’s not that I don’t care. I just know the material already. I’ve also helped coworkers who earnestly sat through the whole thing and are genuinely struggling. I know they hate how casually I get all the questions right, but they hate having to go through it a second time even more.

    Plus, there’s one vendor of training videos that is kind of like an office comedy, and one of the workers has a bunch of anime fan art in their cubicle. So it amuses me to no end that all of my coworkers are seeing these characters. It’s nothing recent and I haven’t seen it in a while. I know Killua from Hunter x Hunter is there. 12 year old boy, has super powers, something with lightning? (been ages since I watched HxH, and Meruem best boy) and he can rip your heart out of your chest (he’s done it before). I feel like they need to add Anya Forger (from SPYxFAMILY) to the wall. That would be funny. (Telepathic toddler, dumb as a box of rocks, and just as adorable.)

  • Sabata@ani.social (15 points, 10 days ago)

    I wish I could get my flock of idiots in for a course. I’m sick of uninstalling Swift browser.

  • Spacehooks@reddthat.com (5 points, 9 days ago)

    My company likes to do this with us by rage-baiting us.

    “New storage policy is 10 days. click link to save all your stuff before deletion.”

    Like you POS! How are we not going to immediately panic when the company actually pulls this crap normally!!!