We found out that 10% of our users entered their password.

  • Track_Shovel@slrpnk.net
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    1
    ·
    3 months ago

    I’m not in cyber security. My role requires me to interact with a lot of people, work on a bunch of different SharePoint links, and on top of that corporate sends a shit pile of email links to training, peakon surveys, and stuff like that. When I started my new job (3 years ago now), I had a pile of training to do as well as my usual work.

    I would be fully focused, keyboard clacking loudly and ding! Email. grumble who the fuck is this now? Oh some stupid training link… wham. Phishing training. Fell for it 3 times.

    • cronOP
      link
      fedilink
      arrow-up
      23
      ·
      3 months ago

      The whole Microsoft 365 system seems to be quite vulnerable to phishing. Sometimes SSO works, sometimes you need a password, maybe 2FA, maybe not. Many microsoft notification emails come from external sources (with a big banner “this email comes from an external sender, be cautious”).

      This makes it hard for our brains to spot the small differences that make a phishing campaign successful.

      • KevonLooney@lemm.ee
        link
        fedilink
        arrow-up
        23
        ·
        3 months ago

        The solution is to suspect every external message and send them all to the phishing mailbox. Tell your boss that you are following the phishing training that you did first.

        They will have to get their shit together and send important messages from internal mail addresses. That’s just laziness.

    • gibmiser@lemmy.world
      link
      fedilink
      arrow-up
      12
      ·
      3 months ago

      If employers don’t want employees to get phished, a good first step is to not overwork them…

    • lolrightythen@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      3 months ago

      At my work, the bogus phishing attacks are overly believable. They’ll even come from a known in-house email account.

      I’ve been dinged twice while otherwise occupied. I’ve stopped checking my email altogether. Play stupid games, win stupid prizes. I am being paid to do a job.

      • Malfeasant@lemm.ee
        link
        fedilink
        arrow-up
        4
        ·
        3 months ago

        Same. IT has inside info no real phishers will have. So far only got dinged once, but that’s enough. I was already terrible about answering emails, now I’ll be worse.

  • sheogorath@lemmy.world
    link
    fedilink
    arrow-up
    17
    ·
    3 months ago

    I never got phished by the simulations because I never open my emails. If there’s something that needs my attention either someone will Slack me or a ticket on Jira made.

  • Neuromancer49@midwest.social
    link
    fedilink
    English
    arrow-up
    12
    ·
    3 months ago

    I’m 100% so far at my job, but we had one test that tricked somewhere around 30% of employees. They spoofed everyone’s supervisor and made it look like an urgent Teams message was pending.

    Usually, if you get phished you lose your bonus. They made an exception that one time.

    • ted@sh.itjust.works
      link
      fedilink
      arrow-up
      22
      ·
      3 months ago

      You lose your bonus? What basement-dwelling neanderthal executive came up with that hogwash?

      • Neuromancer49@midwest.social
        link
        fedilink
        English
        arrow-up
        4
        ·
        3 months ago

        To be fair, my job involves very sensitive medical data. We’ve seen entire businesses shut down because of data breaches.

        • Aganim@lemmy.world
          link
          fedilink
          arrow-up
          12
          ·
          3 months ago

          Phishing simulations should be about educating employees, not punishing them. Train them on what they missed and if training material is available check where it might be lacking. Nobody learns from having their bonus taken away. It also only serves to stimulate a culture were people prefer not reporting possible security issues they might have caused, in order to avoid further pay cuts.

          • JoeyJoeJoeJr@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            3 months ago

            If someone is consistently falling for phishing emails (real, or from the IT department), shouldn’t that person eventually be fired? Isn’t that a punishment?

            If there is neither a punishment nor a reward, what is the incentive to learn? Some people may not need one. Many others do.

            I agree that a single failure resulting in the loss of significant income might be harsh, but I think there needs to be a way to convince people to take the issue seriously, and a punishment of some kind is therefore always warranted (e.g. eventual firing).

            You can balance out the issue by creating a reward system as well, e.g. if you report all of the test emails sent to you in a year (i.e. not just ignore them), your bonus is increased by X% or something. Similarly, if you report an actual phishing email, your bonus is increased by some percent, even if you initially fell for it. I think it is possible to foster a consciousness and honest culture, with a system that includes punishments.

      • glimse@lemmy.world
        link
        fedilink
        arrow-up
        5
        arrow-down
        8
        ·
        3 months ago

        I dunno…If you’re in a position to get a bonus, you should be smart enough to not click on random links and enter your work password.

        I am extremely pro-worker but I would be fuckin pissed if an employee so easily gave a potential hacker access to our systems and that’s what the test is for

        • cronOP
          link
          fedilink
          arrow-up
          4
          ·
          3 months ago

          My understanding is that the phishing awareness mail is part of the training, and NOT a test. But company culture varies of course

    • cronOP
      link
      fedilink
      arrow-up
      4
      ·
      3 months ago

      I can only imagine how frustrating it would be to get a financial punishment for clicking on links.

    • bgb_ca@lemmy.ca
      link
      fedilink
      arrow-up
      1
      ·
      3 months ago

      They tried a similar one on me once. Sent a email saying my boss (by name) sent me a virtual gift card. I immediately knew it was one of their “phishing tests” as my boss is a giant douche who would rather take the time to throw me under a bus than do anything that nice.

    • clif@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      3 months ago

      The last round my company did was pretty damn good. The email itself was well done and professional looking. They even registered a domain that was one letter different than the company name for the source email domain and the phishing form.

      It was still one of those things that makes you hesitate like “your password has expired, click here to reset it” and the email client blatantly flagged it as being from outside our true domain. The client warning was the easy thing to spot, the rest was really well done.

      • APassenger@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        3 months ago

        That’s the odd thing with where I work, until recently all the phishing simulations were from within the company domain and so lacked the [External…]

        It’s not impossible for an already infiltrated network, but I still expect to see that it came from outside. Maybe that’s me, tho.

        Wdits: spullings <- like those

  • ironhydroxide@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    3 months ago

    In my company about half the services in use, that require SSO login, are flagged as “external” when receiving emails. Along with the fact that quite a few of the services don’t use https, so all downloads from them (doc services) are flagged as untrusted in modern browsers.

    Users are just used to ignoring the warnings designed to stop the majority of easily identified flags, because the actual work requires it.

  • Got_Bent@lemmy.world
    link
    fedilink
    arrow-up
    8
    ·
    3 months ago

    I got phished circa 2001. Got about three thousand drained from my bank account which I shockingly got back. (Though Elon’s PayPal threatened to sue me over it but never did when I told them to come and get me over the failure of their own security)

    I’ve never responded to any email requesting login since no matter how legitimate it may be.

  • Thebeardedsinglemalt@lemmy.world
    link
    fedilink
    arrow-up
    7
    ·
    3 months ago

    They blast us with the dumbest most obvious phishing simulations. Then send out legitimate “register for this new app” email, which large numbers of people report and the director gets pissed, despite the fact it meets the bulk of the “signs of a phishing email”. Then a month later we get hit by a phishing attack that automated software blocked.

  • faebudo@infosec.pub
    link
    fedilink
    arrow-up
    4
    ·
    3 months ago

    Yes but the only relevant metric is how many reported it. Doesn’t matter if they delete, read, click or enter data. We’re only interested in the information that a phish got through our security controls (=we failed our users), so we can investigate (and clean up if needed) the impacted mailboxes and accounts.

    • brianorca@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      3 months ago

      No, this is about the fake phishing emails that are released inside the network to test user response. If clicked, they report to IT which users need more training.

      • faebudo@infosec.pub
        link
        fedilink
        arrow-up
        2
        ·
        3 months ago

        Yes I know. We do simulations but we only measure who reports them and provide training how to report them (In the mail itself). No shaming for user who click them and no additional training on how to look at details.

        It makes no sense training the user in looking at for example the links if all the big vendors use suspicious links anyway. For example the phishers use OneNote shares to phish, but those are hosted on Microsoft which by itself is legitimate. The only way a user really is able to recognize a phish is if it is unsolicited (report the mail as spam) or if it looks legit but asks for credentials (report it, we use SSO everywhere possible and you should never be asked for credentials for one of our platforms). We cannot do this for all vendors however and the users are encouraged and trained on using Passkeys or Autofill by the company provided password manager so that they get suspicious when no autofill is possible, then they can report the mail.

        It’s not always possible to recognize phishing from the get go and security is better suited to investigate than rando from the logistics department.

  • CheeseNoodle@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    3 months ago

    So long as its a 50/50 between your boss being mad or the company losing money employees are going to open the email.