My company started with mandatory cybersecurity trainings for all employees. The training tool sends out automated emails to remind you when you have to do a new part of the training.
These emails, from a cybersecurity course, followed all the rules of being a phishing email:
- Sent from a non-company server
- Had a big red button to click here
- Urged you to take action (“You have 5 days to complete your training”)
IT decided to fix that, by adding a line to the emails that this email is really from our company. Like a phisher wouldn’t think of saying “nah, trust me bro, I’m totally legit”
I blocked these emails for years for this reason. We actually do get real phishing attempts about once every other month when a client gets compromised. Makes everyone at our company very vigilant.
Management got pissed when I hadn’t done any of them. Apparently, the emails in english/spanish/french with “click me” links were legit, lol. I set up extensive rules and blocklists for a reason. Pretty sure it’s for SOC2 compliance or something.
That’s what always kills me… the line of “this is not a phishing email” as if just anyone can’t add that. If anything that line makes me more suspicious.
They could send an email from a legit company email stating “mail XXX will send you some legit emails in a week or so, do them.”
That’s what my company finally did, it works out a LOT better for everyone.
My company sends out these kids of phishing scam test emails too. They were actually pretty decently faked. But, they use the same identifying string in the header of each and every one, so I made an outlook rule to quarantine them In a particular folder so that I could correctly report all of them. Occasionally I report the weird legitimate email surveys we get from HR too and mass emails from IT with bad spelling, just so they don’t get suspicious of my perfect record.
Then both the csec course failed to educate the employees, because a responsible trained employee would report or ignore those mails lol
The emails were mass reported, up to the point there was an internal message sent around to stop reporting them because they are legitimate. Of course, no action was taken to make them look less suspicious.
If I’d ever want to phish someone at my company, I’d know exactly what to do. Make the email look exactly like the training ones.
Yeah okay but our company IT dept sent out a security training link in an email titled “Win a free cruise!!!” None of us clicked on it it’s like you tell us not to open emails like this, but you send an email like this in order to train us not to open emails like this.
It’s targeted to those who need the training.
But it was a mandatory training!
Says a lot about how highly your IT department thought of the employees if they communicated mandatory training that way. They expected a 100% of staff “gets fooled by obvious-sounding phishing spam”.
I work in corporate IT and I can guarantee that no one in the IT department gives a rats arse if you do the training or not. It’s management that care.
