In the last two months I have gotten about a dozen emails on my work account that tripped enough red flags for me to think they were phishing attempts. It turns out that they were all legit and failure to respond could be detrimental to still working there. Good thing our boss was looking out for us.
What I have learned is that I should respond to any half-assed email and ignore the years of annual training I've received to the contrary.
I just mark any slightly fishy mail as phishing and send it to the helpdesk. Either I get a thank you back, or an "it's legit". Either way, I don't need to worry about it anymore.
I got a pretty suspicious email a few weeks ago and flagged it. Later that day our sysadmin was like "oh hey that was legit, <vendor> has started using a new marketing firm so they look like that." I just said "Sounds like spam to me I'm going to keep on flagging it." and he just responded with a frown emoji. Full disclosure we're decent work buddies and I haven't actually gotten any more emails from that company so he may have actually filtered it lol.
I'm on our cybersecurity team and our last phishing sim was so real looking and legit sounding I thought it was real, and I knew the phish was coming. The only indicator was the sender email was a slight misspelling of Microsoft.
I pointed out that that phish is not a fair phish, our users are not going to meticulously examine every email for microscopic indicators. Half of them are barely tech literate, but they're doctors or nurses and only know what they need to know to do their job.
Our cybersecurity lead was completely in "wtf are you talking about? From Micrasoft.com is totally illegitimate" mode, I had to point out that our users flag 70% of the emails as phish, and phishing tests that look like completely legitimate emails aside from a single character out of place in an obscure location most of our users aren't even thinking of looking at undermine legitimate emails and increase our workload b/c we've trained our users to think every email is a phish test from cybersecurity.
I don’t see the problem, is that not the point of phishing tests? Users need to ensure the sender is legitimate before taking action such as clicking links.
Not to mention the fact that the majority of email clients these days don't even actually show you the full URL of the mail server that the mail is coming from. It gets obfuscated away over the display name and you have to explicitly go out of your way to actually see the full URL
This is so crazy to me. Why the hell did they start hiding the address? The one thing that can't be faked? Couldn't believe how hard it was the first time I needed to check.
The GM of my office came talk to me because I had actually won like employee of the quarter or something, but when I got the email with the "redeem here for your $50 gift card" I reported it as phishing. I asked him why they couldn't just go to the grocery store and hand me a physical gift card, he blinked for a moment like that hadn't occurred to him. I showed him the quarantined emails I get on Outlook every day from dozens of phishing attempts made to my work email.
If the email did indeed originate from the company you work for, they owe you a gas card. Employers can't offer you money or benefits as a practical joke and then just say "April Fools!" There are laws regarding offers from your employer for compensation and benefits.
It most likely didn't though, most phishing campaigns are offered by postmaster services. Not to mention, the email domain was probably not an official company one (the first sign of a phishing email).
Phish tests are redundant after a point. I flagged the first few but they upped the frequency so much it got ridiculous. Turns out the header for the phishing tests all contains the name of the testing company. New phish tests are redirected to my brownie points folder, so I just have to worry about the real thing now.
I've worked more than one place that did constant phishing testing, and also corporate creatures would send out links to websites we've never used before that everyone was required to click, so the only way to tell whether this was in the "get fired for clicking" or the "get fired for not clicking" bucket was that phishing test header. They never understood why this was a problematic combination, and never stopped doing both.
“Here’s an offer for something we know you want and that a respectful employer would provide. Oh, you actually thought your employer respected you? You must be an idiot who needs special training.”
The thing is, there were some hints in the email it wasn't legit, like bad sender or weird links. That was the test. That the employer is bad too, doesn't change the fact the employee fell for the bait.
I feel that if your job requires you to drive, the company would provide the means of transportation. Heck, I work from home and I get to choose between either a company car with a card to fill it up whenever or a pretty roomy budget with a train card.
It really depends on the company, job, and where you live. I worked as a contractor for a delivery company for a while, putting about 20,000 miles a year on my own car transporting stuff. In the US, if you drive your own car for work, you get a tax deduction for the mileage you put on your car while working. The pay was pretty good and the hours were short, but I was effectively converting the value of my car into cash during that time.
The only phishing e-mails I receive are from my employer. As a matter of process I report these e-mails like a diligent lackey, then upon receiving an e-mail congratulating me on passing their test, I report that one too. I think the non-test phishing reports undergo manual review so I hope I'm wasting someone's time somewhere in payback.
Still haven't forgiven them for a tone-deaf 'we care about you during COVID' phishing e-mail they sent when everyone was genuinely struggling.
You might have a lot of phishing emails that the company filters out without you ever seeing them. For these tests, they do things to make sure this email will get through, even if the automated filters would have otherwise blocked it.
That's a good point; my company actually does implement something like this, though it invites intervention from the recipient for confirmation. I have previously received e-mail notifications stating that an e-mail has been 'held' as being suspicious and provided me an option to 'release' the e-mail (in these cases the e-mails were genuine and known in advance to me).
Of course, I have no simple way to determine if there is also an additional hard filter that blocks out obvious phishing with no notification to the end user.
Neat thing I learned at a past company. The phishing emails had links (the ones you aren't supposed to click on) that either contained the email address of the person getting tested, or it pulled it somehow. It was really easy to figure out where that information needed to go in the URL. This is how tracking "failures" was tested and reported. I would just put in the email address of people from the opsec team into that url, copy it, and paste it into one of those global website testers that checked if a site was available from different countries around the world (I'm assuming using some kind of VPN).
Theoretically it should have given these people failures in their own tests, and also come from all sorts of weird locations globally.
Not sure if it actually did, but I like to think I wasted at least some of their time.
I report any and all emails from anyone on the CSIRT team as suspicious.
They did a phishing test targeting every employee without informing me (internal ITSM lead) first. So they deserve the extra work, and my entire team does the same.
Same here, and I got annoyed at these emails filtering through the different rules that I have set up. I realized that the test emails all had some values in the headers to indicate them as such, so I set up a rule to filter them out to a separate folder. It obviously defeats the point, but it's much less annoying.
I just ignore all emails. I have found too many phishing emails and have decided that our systems appear to be compromised. It hasn't improved since I reported them, so I am playing it safe. PM me when you need to communicate, and keep meetings on the calendar, I'll show.
No, no, the point of the URL shortener IS so that everyone ignores them; they've been trained to. "No one RSVP'd to the pizza party so we canceled it. Also we are a great employer who lists things like Pizza Parties as job perks! They're totally real!"
Lol whenever I have to deal with DHL to pay for some import fee or whatever I feel like I'm being scammed. Website looks like it's from 1998, wants my credit card details, certificate errors etc.
Pro tip, set up a rule in your email client to send any email that contains the following phrases, phishme.com or knowb4, in the header to junk.
Note that I said header, not From field.
It is so stupid that orgs spend thousands of dollars on these products and you can be seen as not being a phishing risk because of their shitty systems.
If you are savvy enough to know how to (or look up how to) find the header of your phishing test email service, and then create a rule to filter on that, then you aren't the target for those emails anyway.
I would argue that logic gives you a false sense of security. All employees are targets no matter the pecking order.
That a product you are paying thousands of euros for, and that is required for business certifications like SOC2/ISO27001 or cyber insurance, can be so easily nullified is a joke.
Phish training companies are using a huge variety of domains, including look-alikes relevant to the test - including valid SPF/DKIM/DMARC configurations. Exactly as real phishers do - and there's no effective way to automate their filtering.
At my work, we got a phishing email a few weeks before Christmas.
It was for a gift card for a Honey Baked ham.
I was pretty sure it was a phishing test but apparently a lot of people fell for it. Enough so, that a fairly senior colleague blasted an email saying it was in poor taste since it was Christmas and a lot of people could really use it.
I thought that made it more effective training because a scammer would use that, but I also understand that it has the potential to fuck with people's emotions.
Anyway, that started a trend within the company's Teams and social platform, making jokes and sharing memes.
The CEO even emailed, agreeing with the original email blast and then had a real giveaway of honey baked gift cards.
Last week I came in to work with an email that I received a $100 gift card. I immediately reported it as phishing and went about my day. A few hours later my manager asked if I received an email about said gift card and I told him I reported it. Turns out it was legit and was for good performance. Whoops
I always double check the email address that is sending, removing whatever filter my email client is using to replace the address with a name "for convenience's sake". That will usually tell me if it's a legit email or some kind of spam/phishing. And if it is a legit addy and it still seems too suspicious I will generally contact the person who sent it to tip them off that their address may have been compromised. Generally speaking this tends to cover all of my bases.
I just don't open emails from my company unless the subject has the words Urgent or Action Required and even those I forward to the IT anti phishing email to annoy them, even when I know it's legit.
Sounds like phishing tests are just the company outsourcing spam filtering to their own employees instead of paying for a spam filtering service of their own.
They do this at my work. I simply report every external email I get as a phishing attempt.
As a result, I've caught all the fake phishing emails sent by our IT department, at the minor cost of them having to clear 50+ legit emails per day. My coworkers have been quite appreciative of my tactics against phishing, and have started to adopt my methods.
Strangely enough, the number of phishing tests IT has sent out has dramatically decreased since I was initially hired.
Eh, the system that gives you the sticker is automated, and the system that tracks flagged emails is mostly ignored. If reporting everything makes you feel better, please continue to do so.
Depends on how it's configured. I had one job where the "report phishing" button would generate a ticket so that we could review and block new bad actors and bad domains
My company sent one of these out made to look like a survey on employee thoughts and opinions on their compensation - a very real issue in our company that I suspect they just wanted to try and condition people not to talk about.
Replied back to let them know as such and to inform them it was an asshole move and I would not be completing their training. Was worth the HR write-up - fuck those suits, too.
Companies are damned if they do and damned if they don't. All the best security in the world will never prevent an attack from the universally weakest link - humans.
Best you can do is identify the humans that are likely to fall for it and remind them to be extra careful when clicking links in emails.
We also have anti-phishing campaigns in our company and usually I do pretty well with those, but last year because of a running event they sent a mail out in regards to free T-shirts for the event. Most of the company including me failed gloriously.
This likely had several warning signs that can be used for even personal emails. 1) is it too good to be true? Definitely in this example. Give me a gas card physically and I might believe it. 2) look at the actual link before you click. If it's not part of the main domain for the company you're expecting, or not within the intranet at work, it's an automatic nope. 3) any oddities in the message or images that seem wrong. Misspellings, pixelated logos, etc. This is the smallest red flag, as oftentimes getting a perfect email without any grammar or spelling issues means it didn't come from a manager, that seems to be a requirement.
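The checks the thread keeps circling back to (the real address behind the display name, a one-character look-alike domain like the "Micrasoft" one above, and where the links in the body actually point) in working form. This is an added example, not any poster's code; the expected domains, the watched brand and the sample message are constructed for illustration.

```python
"""Sender and link red flags from this thread: display name vs. real address,
one-character look-alike domains, and link hosts outside expected domains."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_DOMAINS = {"example.com", "intranet.example.com"}  # assumed org domains

# Constructed sample: display name says Microsoft, real address is a look-alike.
SAMPLE = """From: Microsoft Account Team <security@micrasoft.com>
Subject: Action Required: verify your account
Content-Type: text/html

<a href="https://micrasoft.com/login">Verify now</a>
<a href="https://intranet.example.com/hr">Intranet</a>
"""

def sender_address(raw):
    """Return (display_name, real_address): the part most clients hide."""
    return parseaddr(message_from_string(raw, policy=policy.default)["From"])

def edit_distance(a, b):
    """Levenshtein distance; 1 means a single-character look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def link_hosts(raw):
    """Host of every href in the body, the thing to check before clicking."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    return [urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', body)]

def red_flags(raw, expected=EXPECTED_DOMAINS, brands=("microsoft.com",)):
    """List the red flags found; an empty list means nothing obvious stood out."""
    flags = []
    domain = sender_address(raw)[1].rpartition("@")[2].lower()
    if domain not in expected:
        flags.append("sender domain %s is not an expected domain" % domain)
    for brand in brands:
        if domain != brand and edit_distance(domain, brand) <= 2:
            flags.append("sender domain %s looks like %s" % (domain, brand))
    for host in link_hosts(raw):
        if host not in expected:
            flags.append("link to %s is outside expected domains" % host)
    return flags
```

Running `red_flags(SAMPLE)` reports the look-alike sender and the off-domain login link while leaving the intranet link alone.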
When a company sends fake phishing attempts, the links report back if they've been clicked. For them to get that report, their job would have had to send it.
How else would they know she fell for the bait unless she actually did get phished months ago and their IT traced a recent attack back to her, in which they gave her training instead of firing her?
The immediacy of the follow up email indicates she was caught by a fake phishing attempt meant to catch employees before real attackers do.
I don't consider those valid and I started refusing to complete their trainings. It's underhanded but more importantly I don't think it teaches anyone anything. I knew well not to trust emails like that, but my employer duped me with a somewhat convincing one a couple times. Fuck them. They eventually stopped emailing me about the last training.
The trainings are so dumb and condescending. They treat you like you would routinely click obvious scam links. They are a total waste of time. I knew far more than the trainings 10 years before I ever heard the word phishing. And this is not a flex, anyone using the internet will learn. They are just useless in my experience.
Why be so defensive about it?
Well because anyone can make a mistake occasionally. No need to waste time I could be doing something useful with instead of watching useless trash videos. I resent that my company tricked me artificially into making a mistake.
If you're trying to act like you've never done anything you shouldn't have, we've got nothing else to talk about. See my response to the other Mr. Perfect.
If you've been duped, then you are the target for the training, especially if it's happened multiple times. The best locks in the world don't stop you from unwittingly giving away the keys.
Nope. The people that are tricked by obvious ones, yes perhaps. It's still underhanded but maybe you can argue for it. This was over a span of more than 5 years and the first one was the first time I'd seen anything like it and was convincing af. They mentioned an internal event going on and used a domain name very similar to the one for the event...
I knew some smartass would come along and be like this about it though.