Does your company do phishing simulations?

I'm not in cyber security. My role requires me to interact with a lot of people, work on a bunch of different SharePoint links, and on top of that corporate sends a shit pile of email links to training, peakon surveys, and stuff like that. When I started my new job (3 years ago now), I had a pile of training to do as well as my usual work.

I would be fully focused, keyboard clacking loudly and ding! Email. grumble who the fuck is this now? Oh some stupid training link... wham. Phishing training. Fell for it 3 times.

The whole Microsoft 365 system seems to be quite vulnerable to phishing. Sometimes SSO works, sometimes you need a password, maybe 2FA, maybe not. Many microsoft notification emails come from external sources (with a big banner "this email comes from an external sender, be cautious").

This makes it hard for our brains to spot the small differences that make a phishing campaign successful.
- The solution is to suspect every external message and send them all to the phishing mailbox. Tell your boss that you are following the phishing training that you did first.
  
  They will have to get their shit together and send important messages from internal mail addresses. That's just laziness.
If employers don't want employees to get phished, a good first step is to not overwork them...
- Especially with the HR/Corp BS
At my work, the bogus phishing attacks are overly believable. They'll even come from a known in-house email account.

I've been dinged twice while otherwise occupied. I've stopped checking my email altogether. Play stupid games, win stupid prizes. I am being paid to do a job.
- Same. IT has inside info no real phishers will have. So far only got dinged once, but that's enough. I was already terrible about answering emails, now I'll be worse.

password123

Oh wait, that wasn't the question?

Put an ! at the end and it will be more secure.

I never got phished by the simulations because I never open my emails. If there’s something that needs my attention either someone will Slack me or a ticket on Jira made.

I'm 100% so far at my job, but we had one test that tricked somewhere around 30% of employees. They spoofed everyone's supervisor and made it look like an urgent Teams message was pending.

Usually, if you get phished you lose your bonus. They made an exception that one time.

You lose your bonus? What basement-dwelling neanderthal executive came up with that hogwash?
- To be fair, my job involves very sensitive medical data. We've seen entire businesses shut down because of data breaches.
I can only imagine how frustrating it would be to get a financial punishment for clicking on links.
They tried a similar one on me once. Sent a email saying my boss (by name) sent me a virtual gift card. I immediately knew it was one of their "phishing tests" as my boss is a giant douche who would rather take the time to throw me under a bus than do anything that nice.

They haven't fooled me yet. They're actually fairly easy to spot.

The last round my company did was pretty damn good. The email itself was well done and professional looking. They even registered a domain that was one letter different than the company name for the source email domain and the phishing form.

It was still one of those things that makes you hesitate like "your password has expired, click here to reset it" and the email client blatantly flagged it as being from outside our true domain. The client warning was the easy thing to spot, the rest was really well done.
- That's the odd thing with where I work, until recently all the phishing simulations were from within the company domain and so lacked the [External...]
  
  It's not impossible for an already infiltrated network, but I still expect to see that it came from outside. Maybe that's me, tho.
  
  Wdits: spullings <- like those

In my company about half the services in use, that require SSO login, are flagged as "external" when receiving emails. Along with the fact that quite a few of the services don't use https, so all downloads from them (doc services) are flagged as untrusted in modern browsers.

Users are just used to ignoring the warnings designed to stop the majority of easily identified flags, because the actual work requires it.

I got phished circa 2001. Got about three thousand drained from my bank account which I shockingly got back. (Though Elon's PayPal threatened to sue me over it but never did when I told them to come and get me over the failure of their own security)

I've never responded to any email requesting login since no matter how legitimate it may be.

My company ones are always super obvious. One of the best ones though was on valentines day spoofing a valentines ecard from a coworker in your organization

They blast us with the dumbest most obvious phishing simulations. Then send out legitimate "register for this new app" email, which large numbers of people report and the director gets pissed, despite the fact it meets the bulk of the "signs of a phishing email". Then a month later we get hit by a phishing attack that automated software blocked.

Yes but the only relevant metric is how many reported it. Doesn't matter if they delete, read, click or enter data. We're only interested in the information that a phish got through our security controls (=we failed our users), so we can investigate (and clean up if needed) the impacted mailboxes and accounts.

No, this is about the fake phishing emails that are released inside the network to test user response. If clicked, they report to IT which users need more training.
- Yes I know. We do simulations but we only measure who reports them and provide training how to report them (In the mail itself). No shaming for user who click them and no additional training on how to look at details.
  
  It makes no sense training the user in looking at for example the links if all the big vendors use suspicious links anyway. For example the phishers use OneNote shares to phish, but those are hosted on Microsoft which by itself is legitimate. The only way a user really is able to recognize a phish is if it is unsolicited (report the mail as spam) or if it looks legit but asks for credentials (report it, we use SSO everywhere possible and you should never be asked for credentials for one of our platforms). We cannot do this for all vendors however and the users are encouraged and trained on using Passkeys or Autofill by the company provided password manager so that they get suspicious when no autofill is possible, then they can report the mail.
  
  It's not always possible to recognize phishing from the get go and security is better suited to investigate than rando from the logistics department.

My company is the only one trying to phish me at work

So long as its a 50/50 between your boss being mad or the company losing money employees are going to open the email.