You must log in or # to comment.
A previous (huge) company of mine sent out a lot of phishing test emails, some of which were pretty convincing.
As developers, we quickly discovered that all the emails had a metadata header in them which identified them as a phishing test, so we set up a filter for it so every email since is clearly coded with a bright red “Phishing test!” label.
X-Phish
Here they started doing such phishing tests a while ago and our IT department had significantly worse stats than other departments, in terms of how often we would click on the link in the phishing mail.
And yeah, the conclusion was that we were just being asshats that decided to poke around in the obvious phishing mails for the fun of it. Rather than getting extra security training, management told us to just stop dicking around, so that our stats look better.
… You must be one of my co-workers. Except that we just delete ours rather than labeling them.
We needed to label them because the requirement was not only that we don’t click them, but that we use the “report phishing” function on them.
Also some of them were pretty funny.
Was it hoxhunt? It’s a bit spammy but they seem to push for a more gamefied approach over collective punishment.
Not in my case, no. The content was completely custom to the organisation. I assume they were big enough that they felt like a lot of the risk would come from coordinated spearphishing carefully crafted to look like genuine corp email.
Why would they have to come in at 7am?
Upper management - make sure everyone is in for 9 for training
middle management - fuck better make sure everyone is there, everyone in at 8 for training,
lowest manger - shit there is no way user will be in at 8, shit bag user be in at 7 for mandatory training!
Because fuck you.
- middle management.
If a coworker leaves their pc unlocked near me I like to click the phishing emails so they have to do the course. Tee hee!
I worked at a company where everyone would try and send an email to themselves from an unlocked PC. That mail contained a heads up that the victim willl bring cake into the office e.g. next tuesday. They then were typically forwarded to the whole team while thanking them for their generosity.
It really hammered that lesson home and the victims did honor the cake-mails. Only downside was, that this led to people to tryimg to bait each other into leaving their PCs unlocked and creative countermeasures, such as delaying mails containing the word ‘cake’.
Exactly, it’s my own version of teaching cyber security!
I recently set somebody’s homepage to meatspin.com and they snitched on me to the boss because they were worried they’d get pulled up for visiting NSFW websites. The boss just said “Why was your PC unlocked?”
Maybe your work atmosphere is different, but if I showed meatspin to a coworker, it would be considered pretty fucking weird and inapproproate.
Oh yeah I definitely wouldn’t recommend doing this unless you’re comfortable with all your colleagues!
Ah, I might try this 😂 my current strategy is to install and run xneko on coworkers’ computers when they forget to lock their screen, so they will have a cat running after their mouse pointer.
It is a good practice to start what we call “Hasslehoffing”
It is where you change the background to a picture of David Hasslehoff every time someone leaves their PC unlocked for a long enough time to change the background. The more it happens, the sexier he gets.
I urge other colleagues to do the same. The only defense there is against that is to lock your PC every time you leave your desk. It really works.
You need to level up the game and buy a rubber ducky. Go to grab a snack? Hasslehoff’d! Turn to a colleague to look at their screen for a second? Hasslehoff’d!
Or have some fun with https://whitescreen.tv/fake-blue-screen/
Send invite to everyone for after work beer.
I read an interesting report about how most of these courses are rather ineffective because it adds knowledge but doesn’t change behaviors.
https://www.cybersecuritydive.com/news/cybersecurity-awareness-training-research-flaws/803201/
Shit… I’m doing that course in normal business hours. Get fucked brenda!
For real! A course is work. If I’m working I get paid for my time. End of story.
Don’t let them rob you! (any more than they already are)
We all have to do the course. And honestly I’m not even mad.
In my line of work, most people are not computer savvy. We’re running Windows 11 and no one has admin privileges, even the highest ranking people. They’re all limited. That’s fine. We can’t install anything. I’m pretty sure I could hit up PortableApps and get some portable software working, but I’m not trying to push my luck. I’m pretty sure I know what I can and can’t get away with, but it’s a good job and I don’t want to mess it up. Besides, a lot of people are illegally streaming sports or movies and getting away with that, so IT security is pretty lax. That’s probably true at a lot of places.
I don’t mind the cybersecurity courses because I mute them and make them run at double speed and I ignore them, clicking through, then I ace the test. It’s not that I don’t care. I just know the material already. I’ve also helped coworkers who earnestly sat through the whole thing and are genuinely struggling. I know they hate how casually I get all the questions right, but they hate having to go through it a second time even more.
Plus, there’s one vendor of training videos that is kind of like an office comedy, and one of the workers has a bunch of anime fan art in their cubicle. So it amuses me to no end that all of my coworkers are seeing these characters. It’s nothing recent and I haven’t seen it in a while. I know Killua from Hunter x Hunter is there. 12 year old boy, has super powers, something with lightning? (been ages since I watched HxH, and Meruem best boy) and he can rip your heart out of your chest (he’s done it before). I feel like they need to add Anya Forger (from SPYxFAMILY) to the wall. That would be funny. (Telepathic toddler, dumb as a box of rocks, and just as adorable.)
Can I just sign a waiver making me financially liable if I fall for a phishing email? Seems easier.
I wouldn’t sign that. I work in government, and with new generative AI tools some of the emails are getting very good.
We had one sent to an applicant pretending to be me thay appeared to have scraped data from staff reports and minutes for public meetings for vatiances and SUPs. It was very detailed.
It had also scraped our fee schedule, so it had convincing fee amounts with links to the relevant codes and everything. It’s just that the payment site was not actually us, but a site made to look just like us with a 1-letter change.
we do monthly phishing tests and some of our people are so bad that we put in the test email “this is a phishing email, do not click sign in” above and below the sign in box and they still give creds
Sometimes just clicking is counted as a fail.
I click on phishing links just to see how bad the websites are
Yes yes I know about 0days but they’re rare
It is considered a fail, and then inputting passwords in the form is a super fail.
yea but I find that annoying
