you know the computer thing is it plugged in?
In the last two months I have gotten about a dozen emails on my work account that tripped enough red flags for me to think they were phishing attempts. It turns out that they were all legit and failure to respond could be determental to still working there. Good thing our boss was looking out for us.
What I have learned is that I should respond to any half-assed email and ignore the years of annual training I've recieved to the contrary.
I just mark any slughtly fishy mail as phising and send it to the helpdesk. Either I get s thank you back, or a „its legit“. either way, I dont need to worry about it anymore
I got a pretty suspicious email a few weeks ago and flagged it. Later day that our sysadmin was like "oh hey that was legit, has started using a new marketing firm so they look like that." I just said "Sounds like spam to me I'm going to keep on flagging it." and he just responded with a frown emoji. Full disclosure we're decent work buddies and I haven't actually gotten any more emails from that company so he may have actually filtered it lol.
I've definitely gotten good at identifying phishing attempts from our Cybersecurity team.
I got a message saying I needed to sign up and completed a course I'd never heard of so I marked it as spam and deleted it.
Turned out it was genuine...
Last week I came in to work with an email that I received a $100 gift card. I immediately reported it as phishing and went about my day. A few hours later my manager asked if I received an email about said gift card and I told him I reported it. Turns out it was legit and was for good performance. Whoops
I always double check the email address that is sending removing whatever filter my email client is using to replace the address with a name "for convenience sake". That will usually tell me if it's a legit email or some kind of spam/phishing. And if it is a legit addy and it still seems too suspicious I will generally contact the person who sent it to top them off that their address may have been compromised. Generally speaking this tends to cover all of my bases.
Corporate does this all the time to at my work.
The GM of my office came talk to me because I had actually won like employee of the quarter or something, but when I got the email with the "redeem here for your $50 gift card" I reported it as phishing. I asked him why they couldn't just go to the grocery store and hand me a physical gift card, he blinked for a moment like that hadn't occurred to him. I showed him the quarantined emails I get on Outlook every day from dozens of phishing attempts made to my work email everyday.
I'm on our cybersecurity team and our last phishing sim was so real looking and legit sounding I thought it was real, and I knew the phish was coming. The only indicator was the sender email was a slight misspelling of Microsoft. I pointed out that that phish is not a fair phish, our users are not going to meticulously examine every email for microscopic indicators. Half if them are barely tech literate, but they're doctors or nurses and only know what they need to know to do their job. Our cybersecurity lead was completely in "wtf are you talking about? From Micrasoft.com is totally illegitimate" mode, I had to point out that our users flag 70% of the emails as phish, and phishing tests that look like completely legitimate emails aside from a single character out of place in an obscure location most of our users aren't even thinking if looking at undermine legitimate emails and increase our workload b/c we've trained our users to think every email is a phish test from cybersecuriry.
I don’t see the problem, is that not the point of phishing tests? Users need to ensure the sender is legitimate before taking action such as clicking links.
good way to get me to ignore all emails
Yet another good idea in theory ruined by the human condition. Train people to think emails may be dangerous? Instead of critically examining each one they just ignore them to minimize risk by default. No amount of training will beat the cognative skills required for competent spam identification into most heads. Even if it could, some phising is so sophisticated in the social engineering it even tricks up cybersecurity types who should know better. Damned if you do, damned if you don't from a company perspective.
But the truth is emails may be dangerous, and the trainings exist to show people how to tell the difference. What reasonable alternative is there? Your argument is effectively “People will never learn how to use a fire extinguisher so why bother doing fire safety training. Some fires are so bad that a fire extinguisher will do nothing.” We don’t control the danger, but we can manage and minimize the risk through training.
What reasonable alternative is there?
Plain-text emails. No clickables, no tracker images.
--
Honestly, while I agree that good training is a way forward, I gotta say the training at my workplace does NOT let you know how to check anything. It's more of a "don't open emails you don't trust", here are some nightmare scenarios. While, at the same time, we get actual mandatory training emails, that are flagged by both our internal mail system, and the pre-installed mail client as "DO NOT TRUST" that we are required to click through. My complaints to IT to at least fix the internal mail system flagging have been replied to with "User's should expect these emails, so they should know to ignore all the warnings and click anyway."
We are training people to ignore their training, so of course it's not helping.
Also, even with SPF and DMARC and whatever other TXT records in place, it's still possible to get a "spoofed" From address into a user's inbox, so I find teaching people to use that header as an indicator of anything personally offensive to my technical knowledge.
Idk man, I feel like you’re striving for perfection in an imperfect world. I agree it would be nice for all email to be plain-text and with no clickables, but that’s not the world we live in, and getting companies to remove them from mandatory emails is an uphill battle.
While it’s true that there’s no way to completely eliminate spoofed “From” addresses, I think it’s fair to say it’s rare, and that checking the “From” address will conquer a significant chunk of phishing attempts. The training isn’t meant to 100% eliminate the effects of phishing attacks, it’s meant to reduce the number.
The cyber security emails in my company are so fucked up that everyone is paranoid to open up any email. Maybe it was fear. Or maybe it was collective malicious compliance. Or maybe we're all just sick of it.
A manager last week said nobody filled out a company intake form because they used a new survey software, so the url didn't look familiar.
The CFO emailed a PDF of a presentation and people were afraid to view it during meetings.
In the chat software, we are constantly going, "Is this real?"
Congrats security nerds.
Next up: All internal emails and files must be signed by the certificate that was issued to the employee sending it, if an email is send without a valid signature the E-Mail server self destructs to prevent infection.
Not to mention the fact that the majority of email clients these days don't even actually show you the full URL of the mail server that the mail is coming from. It gets obfuscated away over the display name and you have to explicitly go out of your way to actually see the full URL
This is so crazy to me. Why the hell did they start hiding the address? The one thing that can't be faked? Couldn't believe how hard it was the first time I needed to check.
Lol that person is stupid. these test phishing mails are super easy to spot. I hope they don't work in tech
You guys read your emails?
Sounds like phishing tests are just the company outsourcing spam filtering to their own employees instead of paying for a spam filtering service of their own.
You must be having issues with your hearing.
You don't have a voice in your mind where you "hear" words as you read then?
Actually, apparently, some people don't have that inner voice. It's a legitimate thing. https://youtu.be/7EIpwVHa_P8
If the email did indeed originate from the company you work for, they owe you a gas card. Employers can't offer you money or benefits as a practical joke and then just say "April Fools!" There are laws regarding offers from your employer for compensation and benefits.
It most likely didn't though, most phishing campaigns are offered by postmaster services. Not to mention, the email domain was probably not an official company one (this first sign of a phishing email).
You can tell it's fake because it suggests that corporate would just hand you a new benefit out of the blue.
phish tests are redundant after a point. I flagged the first few but they upped the frequency so much it got ridiculous. Turns out the header for the phishing tests all contains the name of the testing company. New phish tests are re directed to my brownie points folder, so I just have to worry about the real thing now
I've worked more than one place that did constant phishing testing, and also corporate creatures would send out links to websites we've never used before that everyone was required to click, so the only way to tell whether this was in the "get fired for clicking" or the "get fired for not clicking" bucket was that phishing test header. They never understood why this was a problematic combination, and never stopped doing both.
All emails get automatically forwarded to the IT department, for "suspected phishing". If it is from a known internal source, especially so.