we do monthly phishing tests and some of our people are so bad that we put in the test email “this is a phishing email, do not click sign in” above and below the sign in box and they still give creds
seccomp sent pre-notice emails out about the phishing tests that were coming.
75% of the company reported the pre-notice email as phishing (even the CEO).
we did it mostly because the seccomp team was a huge thorn and caused so many unnecessary delays due to them injecting themselves into every single process.
the CSO quit soon after and some of their lackeys with them. we then hired a competent leader that worked with the org to meet compliance and regulatory requirements instead of being a blocker.
People see the word “phishing” and automatically remember that phishing mails exist, so their first reaction is to report them, not read them.
Had to setup a fake phishing system as well.
Before the training was setup, people rarely reported mails. But the moment we send out mails about the phishing training, a ton of those got reported.
If phishing mails actually told you they were phishing, we wouldn’t need training.
we do monthly phishing tests and some of our people are so bad that we put in the test email “this is a phishing email, do not click sign in” above and below the sign in box and they still give creds
Sometimes just clicking is counted as a fail.
I click on phishing links just to see how bad the websites are
Yes yes I know about 0days but they’re rare
It is considered a fail, and then inputting passwords in the form is a super fail.
yea but I find that annoying
“Blah blah blah… ‘click sign in’… Okay, gotcha!”
Some hackers exploited two factor authentication recently by playing on this exact impulse.
Sent a message that looked identical to the two-factor notice and got people to reflexively turn over their private keys.
seccomp sent pre-notice emails out about the phishing tests that were coming.
75% of the company reported the pre-notice email as phishing (even the CEO).
we did it mostly because the seccomp team was a huge thorn and caused so many unnecessary delays due to them injecting themselves into every single process.
the CSO quit soon after and some of their lackeys with them. we then hired a competent leader that worked with the org to meet compliance and regulatory requirements instead of being a blocker.
People see the word “phishing” and automatically remember that phishing mails exist, so their first reaction is to report them, not read them.
Had to setup a fake phishing system as well.
Before the training was setup, people rarely reported mails. But the moment we send out mails about the phishing training, a ton of those got reported.
If phishing mails actually told you they were phishing, we wouldn’t need training.