We get fake phishing emails that are actually from IT and if we don’t recognize and report them, we get a talking-to. It’s a good way of keeping employees vigilant.
My last company did this. They’d also send out surveys and training from addresses I didn’t recognize, so I’d report those, too, only to be told they were legit 😂
A friend (who actually works in IT) apparently has a good system at his company. It actually automates turning real phishing attempts into internal tests. It effectively replaces links etc and sends it onwards. If the user actually clicks through, their account is immediately locked. It requires them to contact IT to unlock it again, often accompanied by additional training.
Wait. So your friend’s company has the ability to reliably detect phishing attacks, but instead of just blocking them outright, it replaces the malicious phishing links with their own phishing links, sends those on to employees, and prevents them from doing their jobs of they fall for it?
Sounds like your friend’s company’s IT people are kind of dickheads
I work at a company that does something similar; it can be annoying to deal with these fake phishing emails from our own IT, but a 10-15 minute training session if you fail is a lot less disruptive than what can happen if you clicked the real link instead.
I consider myself a bit more tech-savvy than average, but I’ve almost fallen for a couple of these fake phishing emails. It helps me to keep up with what the latest versions of these attacks look like (and keeps me on my toes too…)
Consider third-party vendor employees who have accounts at your workplace. They don’t know what the norms are, or the safe URLs. Half your employees in non-coding roles don’t know what the safe URLs are either. There’s so much internal SSO mess that just about anything could be a real redirect. Overengineered internal messy networks keep any of this from actually accomplishing its intended purpose of “teaching employees a lesson”.
I’m not sure what’s worse: that you’re teaching them to click on whatever they want because it’s impossible to tell the difference, or that you’re teaching them to click on nothing, which probably keeps them from doing their jobs.
Stop using email entirely and half of this goes away. Just tell them not to plug in USB drives.
I always just ignore anything that looks dodgy, I can’t be bothered to spend the time reporting emails when I get so damn many that are either spam or phishing
We get fake phishing emails that are actually from IT and if we don’t recognize and report them, we get a talking-to. It’s a good way of keeping employees vigilant.
My last company did this. They’d also send out surveys and training from addresses I didn’t recognize, so I’d report those, too, only to be told they were legit 😂
Yeah this is a running joke at our workplace too. Only to be asked by some manager to do those week or few later
A friend (who actually works in IT) apparently has a good system at his company. It actually automates turning real phishing attempts into internal tests. It effectively replaces links etc and sends it onwards. If the user actually clicks through, their account is immediately locked. It requires them to contact IT to unlock it again, often accompanied by additional training.
Wait. So your friend’s company has the ability to reliably detect phishing attacks, but instead of just blocking them outright, it replaces the malicious phishing links with their own phishing links, sends those on to employees, and prevents them from doing their jobs of they fall for it?
Sounds like your friend’s company’s IT people are kind of dickheads
I work at a company that does something similar; it can be annoying to deal with these fake phishing emails from our own IT, but a 10-15 minute training session if you fail is a lot less disruptive than what can happen if you clicked the real link instead.
I consider myself a bit more tech-savvy than average, but I’ve almost fallen for a couple of these fake phishing emails. It helps me to keep up with what the latest versions of these attacks look like (and keeps me on my toes too…)
Well the company probably can’t detect them reliably, so wih the ones it does detect it trains them to avoid the ones that they can’t detect.
deleted by creator
I send supervisor emails about stuff I’m not gonna do to my spam folder as well…
“Did you get the email?”
“Nope, sorry, it looked a little suspicious so I didn’t open and sent it to spam…”
Basically you created a echo chamber at work where you can only hear what you want to hear
Lol I don’t click shit.
No it isn’t.
Consider third-party vendor employees who have accounts at your workplace. They don’t know what the norms are, or the safe URLs. Half your employees in non-coding roles don’t know what the safe URLs are either. There’s so much internal SSO mess that just about anything could be a real redirect. Overengineered internal messy networks keep any of this from actually accomplishing its intended purpose of “teaching employees a lesson”.
I’m not sure what’s worse: that you’re teaching them to click on whatever they want because it’s impossible to tell the difference, or that you’re teaching them to click on nothing, which probably keeps them from doing their jobs.
Stop using email entirely and half of this goes away. Just tell them not to plug in USB drives.
I always just ignore anything that looks dodgy, I can’t be bothered to spend the time reporting emails when I get so damn many that are either spam or phishing
That’s neat, will steal this.
But if they’re recognized it means they aren’t doing a good enough job faking them
Oh well, time to get better IT guys