My workplace does simulated phishing emails every Friday. If you click on them, they make you do training. Last month, someone’s email was breached and they started sending out tons of phishing emails, the users reported it en masse and we had dozens of reports within minutes - and these emails went out at 10PM on a weekend! Seems like our training works.
Last month all employees were invited to a mandatory security trainings via email that looked so incredibly suspicious, that hardly anyone showed up and Corporate had to send out a clarification plus new invites.
So, we were trained that even the most obvious phishing attempts might actually just be a crappy IT sec shop (and the “training” was about as good, as you’d expect).
The only time I clicked on one of those I was on a meeting with a client and my boss was also in the meeting (the client was sharing his screen). Suddenly I get an email from my boss telling me to review the attached pdf with a teams link and the title of the pdf was similar to the project we were working on
As soon as I clicked I got an “invitation” for additional training
Seems like our training works.
Too bad your IT department doesn’t.
Believe it or not, the IRS doesn’t accept Best Buy gift cards as payment. Crazy. Right?
deleted by creator
They just got pissed when I told them I only had 20% off Sizzler buffet coupons.
I know it’s different as this is about business security, but my favorite is when people think the Sheriff or the IRS is demanding payment in eBay gift cards.
My favorite is an email attachment called Totally Important Document.zip and the antivirus wont let them open it, so they open a ticket requesting to turn off the antivirus because its impeding their work.
But the IRS wants the new britney spears album
I know some place where the phishing emails were immediately spotted by the employees because the ceo has awful punctuation and grammar, the phishing email looked too clean to be real lmao.
open this excel fast!
Don’t show them the email in the first place, seems like an IT problem to me 🤷
New threats slip through, it will always happen. It’s why user training is an important part of security for a company.
It’s not a case of if there will be a security incident but when, you can only limit the likelihood and damage.
Yeah, what world is this person living in where email security is 100% effective!? I bet they also have zero false-positives in that fantasy land.
And the users will always click
Modern day reliability and security best practices are based on planning for failures assuming they are all inevitable.
Back in the old days we would just assume everything is going to work out but that just isn’t sustainable now with how complex and expansive systems have become. Basically, there are too many moving parts to account for every single possibility so people should expect systems to fail and know how to react when it happens.
Then IT should expect users to fail, it’s the thing they’re best at
