You must log in or register to comment.
My company like to do this with us by rage baiting us.
“New storage policy is 10 days. click link to save all your stuff before deletion.”
Like you POS! How are we not going to immediately panic when the company actually pulls this crap normally!!!
Me, the idiot who clicked the link: “I’m sorry, I’m sorry, I’m sorry. I get four hundred of these a day and I hit the wrong button. I’m sorry.”
You, the cybersecurity officer who just gives the Everyone group full administrative access to the entire network: “Fucking asshole, I hope you’ve learned your lesson”
Our Boss, who just asked his shareholders to pay him a $1T bonus: “That’s it, I’ve had enough of all this human idiocy, I’m replacing everyone at this company with AI”
The Board: “The company is run by geniuses. We’re all bidding up the price of the stock by another $100B in market cap.”
Can I just sign a waiver making me financially liable if I fall for a phishing email? Seems easier.
I wouldn’t sign that. I work in government, and with new generative AI tools some of the emails are getting very good.
We had one sent to an applicant pretending to be me thay appeared to have scraped data from staff reports and minutes for public meetings for vatiances and SUPs. It was very detailed.
It had also scraped our fee schedule, so it had convincing fee amounts with links to the relevant codes and everything. It’s just that the payment site was not actually us, but a site made to look just like us with a 1-letter change.
It might be a very big bill if they hack entire company for some time.
we do monthly phishing tests and some of our people are so bad that we put in the test email “this is a phishing email, do not click sign in” above and below the sign in box and they still give creds
Sometimes just clicking is counted as a fail.
I click on phishing links just to see how bad the websites are
Yes yes I know about 0days but they’re rare
It is considered a fail, and then inputting passwords in the form is a super fail.
yea but I find that annoying
“Blah blah blah… ‘click sign in’… Okay, gotcha!”
Some hackers exploited two factor authentication recently by playing on this exact impulse.
Sent a message that looked identical to the two-factor notice and got people to reflexively turn over their private keys.
seccomp sent pre-notice emails out about the phishing tests that were coming.
75% of the company reported the pre-notice email as phishing (even the CEO).
we did it mostly because the seccomp team was a huge thorn and caused so many unnecessary delays due to them injecting themselves into every single process.
the CSO quit soon after and some of their lackeys with them. we then hired a competent leader that worked with the org to meet compliance and regulatory requirements instead of being a blocker.
People see the word “phishing” and automatically remember that phishing mails exist, so their first reaction is to report them, not read them.
Had to setup a fake phishing system as well.
Before the training was setup, people rarely reported mails. But the moment we send out mails about the phishing training, a ton of those got reported.
If phishing mails actually told you they were phishing, we wouldn’t need training.
I read an interesting report about how most of these courses are rather ineffective because it adds knowledge but doesn’t change behaviors.
https://www.cybersecuritydive.com/news/cybersecurity-awareness-training-research-flaws/803201/
For us they just make the people that click them do some online training. I don’t think anyone learns anything during that but I suspect not having to do the training serves as a great incentive to be careful.
It doesn’t help though that we’ve had multiple cases of obvious phishing mails everyone just deleted that were followed up by a “no those mails were legit please click the link” by HR…
That is what really irks me. People who write mails exactly like phishing mails.
Just some bland text asking for urgent action, with one link in the middle that is obscured. No signature, no company images, just a name at the bottom.
Better to delete those than to click on actual phishing mails though.
This is every single email that our IT department sends out. Fake Phishing, or extremely important.
“Please upgrade to windows 11 now! If you need assistance. Click here to login to request help”
Nope! You can’t trick me
And the link goes to one of the Office 365 things that asks you to sign in every single time for some fucking stupid reason.
Microsoft and session management somehow always have been enemies.
It’s not THAT hard, relatively, to do that well, but Microsoft really has been scraping the bottom of the barrel on that one since forever.
I mean, Microsoft sucks and everything, but session handling somehow is extra dumb. Up until about a year ago it was damn neigh impossible to have tso teams tabs open without shit stirring like crazy
A previous (huge) company of mine sent out a lot of phishing test emails, some of which were pretty convincing.
As developers, we quickly discovered that all the emails had a metadata header in them which identified them as a phishing test, so we set up a filter for it so every email since is clearly coded with a bright red “Phishing test!” label.
Assuming that’s disabled -
experienced folks can get caught (e.g. maybe waking up before dawn or something)
Can be a good reminder, a little humbling!
Did it also label real phishing mails?
Because those tests are send out for a reason. And in my experience, developers are some of the worst at cybersecurity.
Honestly, I don’t click on anything in Emails. If it is important, somebody will write me in Teams/Slack, and otherwise I just acknowledge and ignore.
Here they started doing such phishing tests a while ago and our IT department had significantly worse stats than other departments, in terms of how often we would click on the link in the phishing mail.
And yeah, the conclusion was that we were just being asshats that decided to poke around in the obvious phishing mails for the fun of it. Rather than getting extra security training, management told us to just stop dicking around, so that our stats look better.
… You must be one of my co-workers. Except that we just delete ours rather than labeling them.
We needed to label them because the requirement was not only that we don’t click them, but that we use the “report phishing” function on them.
Also some of them were pretty funny.
Was it hoxhunt? It’s a bit spammy but they seem to push for a more gamefied approach over collective punishment.
Not in my case, no. The content was completely custom to the organisation. I assume they were big enough that they felt like a lot of the risk would come from coordinated spearphishing carefully crafted to look like genuine corp email.
I fucking hate hoxhunt. Just let me send shit to the junk folder and ignore it.
Aren’t you supposed to report them though
In my case, the phishing tests originated with the organization that owns my employer, rather than within my employer itself. Our email states are entirely distinct so, while we can report the emails, no one would ever care.
I have the same thing. All the emails come from nova.phishme.com so I have outlook set to mark them as junk so I can “report” the phishing attempt.
X-Phish
My favorite band from 1999
Where I work they use the microsoft phishing simulation, for which they publish a list of domains they send from.
Thanks for the tip!
Shit… I’m doing that course in normal business hours. Get fucked brenda!
For real! A course is work. If I’m working I get paid for my time. End of story.
Don’t let them rob you! (any more than they already are)
The head of IT at one of my old jobs won 3 or 4 iPhones circa 2007
If a coworker leaves their pc unlocked near me I like to click the phishing emails so they have to do the course. Tee hee!
It is a good practice to start what we call “Hasslehoffing”
It is where you change the background to a picture of David Hasslehoff every time someone leaves their PC unlocked for a long enough time to change the background. The more it happens, the sexier he gets.
I urge other colleagues to do the same. The only defense there is against that is to lock your PC every time you leave your desk. It really works.
You need to level up the game and buy a rubber ducky. Go to grab a snack? Hasslehoff’d! Turn to a colleague to look at their screen for a second? Hasslehoff’d!
I worked at a company where everyone would try and send an email to themselves from an unlocked PC. That mail contained a heads up that the victim willl bring cake into the office e.g. next tuesday. They then were typically forwarded to the whole team while thanking them for their generosity.
It really hammered that lesson home and the victims did honor the cake-mails. Only downside was, that this led to people to tryimg to bait each other into leaving their PCs unlocked and creative countermeasures, such as delaying mails containing the word ‘cake’.
Exactly, it’s my own version of teaching cyber security!
I recently set somebody’s homepage to meatspin.com and they snitched on me to the boss because they were worried they’d get pulled up for visiting NSFW websites. The boss just said “Why was your PC unlocked?”
Maybe your work atmosphere is different, but if I showed meatspin to a coworker, it would be considered pretty fucking weird and inapproproate.
Oh yeah I definitely wouldn’t recommend doing this unless you’re comfortable with all your colleagues!
Ah, I might try this 😂 my current strategy is to install and run xneko on coworkers’ computers when they forget to lock their screen, so they will have a cat running after their mouse pointer.
We used beer, but same idea.
I created a little script that ran on startup that would wait a random amount of time between 5 and 15 mins and would just hit the left key once. I dropped it on a dev’s computer when he left it unlocked and forgot about it. After weeks of torment, it activated while he had a YouTube video so he figured out it wasn’t his fault. He was convinced it was the keyboard and started harassing IT so I had to come clean.
Jokes on me though, every time there was any quirk on his computer, server, or with his code he blamed me and didn’t believe me.
Or have some fun with https://whitescreen.tv/fake-blue-screen/
Send invite to everyone for after work beer.
We all have to do the course. And honestly I’m not even mad.
In my line of work, most people are not computer savvy. We’re running Windows 11 and no one has admin privileges, even the highest ranking people. They’re all limited. That’s fine. We can’t install anything. I’m pretty sure I could hit up PortableApps and get some portable software working, but I’m not trying to push my luck. I’m pretty sure I know what I can and can’t get away with, but it’s a good job and I don’t want to mess it up. Besides, a lot of people are illegally streaming sports or movies and getting away with that, so IT security is pretty lax. That’s probably true at a lot of places.
I don’t mind the cybersecurity courses because I mute them and make them run at double speed and I ignore them, clicking through, then I ace the test. It’s not that I don’t care. I just know the material already. I’ve also helped coworkers who earnestly sat through the whole thing and are genuinely struggling. I know they hate how casually I get all the questions right, but they hate having to go through it a second time even more.
Plus, there’s one vendor of training videos that is kind of like an office comedy, and one of the workers has a bunch of anime fan art in their cubicle. So it amuses me to no end that all of my coworkers are seeing these characters. It’s nothing recent and I haven’t seen it in a while. I know Killua from Hunter x Hunter is there. 12 year old boy, has super powers, something with lightning? (been ages since I watched HxH, and Meruem best boy) and he can rip your heart out of your chest (he’s done it before). I feel like they need to add Anya Forger (from SPYxFAMILY) to the wall. That would be funny. (Telepathic toddler, dumb as a box of rocks, and just as adorable.)
I wish I could get my flock of idiots in for a course. I’m sick of uninstalling swift browser
Why would they have to come in at 7am?
Its some kind of American exceptionalism thing we’re too normal to understand.
Training courses are during business hours or nobody would show up to them in Australia (and I’m guessing its the same in the UK from your username).
So shafted by their work culture they don’t even question the meme…
It is sad but true. I am USAian, and it is a constant battle with co-workers to get them to stand up even a little against dumb mandates. It’s especially frustrating because EVERY DAMN TIME we do push back, management backs down. You’d think they would see the pattern…
Yeah, there’s billions, maybe trillions or beyond, of dollars’ worth of investment put into making sure everyone "Really needs this job." which can be ripped away from them in an instant, so they won’t be inclined to risk any “insubordination.”
A few years ago we were discussing how some companies were trying 4-day weeks and someone said that they’d like to try four 10-hour days instead of five 8-hour.
They could not imagine that it meant working fewer hours.
You think American work culture is bad (which it is)? You should see Japanese work culture… the sheer amount of unpaid work they do over there, along with mandatory unpaid socialising, even holding a collection for their bosses and bringing back souvenirs for their colleagues and bosses when they go on holiday somewhere :/
bringing back souvenirs for their colleagues and bosses when they go on holiday somewhere :/
Damn, I used to do that for some coworkers because we were actually friends. I cannot imagine how shitty it would feel to be forced to do that.
Yeah, it’s a whole thing, it’s called omiyage and it’s seen as an apology for your absence and thanking your boss and colleagues for allowing you time off.
…y’know, your entitlement to paid leave.
I wonder how far you could stretch it. Get them all (if you’re coming to america, for instance) those little plastic acorns with a little item in it from those coin machines that used to be by every convenience store’s doors. Though I haven’t seen any of those in ages, so maybe not.
I haven’t seen them outside of nerd spaces in years, but the hypothetical coworkers might be entertained by American Gashapon. I think the Japanese ones are always higher quality stuff than ours but there were some entertaining toy lines in those.
Because fuck you.
- middle management.
Upper management - make sure everyone is in for 9 for training
middle management - fuck better make sure everyone is there, everyone in at 8 for training,
lowest manger - shit there is no way user will be in at 8, shit bag user be in at 7 for mandatory training!
You want me in your office at 7, Brenda? Sure, I’ll come in for 7. But I’m sure as hell going via the timeclock first.
is anyone actually awake at 7?
It’s not until nine or even ten, and several pots of coffee that my mind is ready to absorb training information. Anything before 9, and I’m not awake enough to filter the rank sarcasm concerning the terrible AI training slides.
If you ever have kids 7 is considered a sleep in
I’m an early bird, I’m more productive at 7am than I am at 7pm. Everyone’s different. :)
I consider myself mostly useless at work from 9h to 9h30, and most effective from 17h to 19h
But no way I’m staying up to 19h anymore
Normal people aren’t but I am. Perfect time to work undisturbed!
you should got to sleep sooner!
I am getting 7h of sleep
The twist? The cat was Toonces and he never did make it into work that day!
Look out Toonces!!!
Well, did he win?
