We found out that 10% of our users entered their password.
I’m not in cyber security. My role requires me to interact with a lot of people, work on a bunch of different SharePoint links, and on top of that corporate sends a shit pile of email links to training, peakon surveys, and stuff like that. When I started my new job (3 years ago now), I had a pile of training to do as well as my usual work.
I would be fully focused, keyboard clacking loudly and ding! Email. grumble who the fuck is this now? Oh some stupid training link… wham. Phishing training. Fell for it 3 times.
The whole Microsoft 365 system seems to be quite vulnerable to phishing. Sometimes SSO works, sometimes you need a password, maybe 2FA, maybe not. Many microsoft notification emails come from external sources (with a big banner “this email comes from an external sender, be cautious”).
This makes it hard for our brains to spot the small differences that make a phishing campaign successful.
The solution is to suspect every external message and send them all to the phishing mailbox. Tell your boss that you are following the phishing training that you did first.
They will have to get their shit together and send important messages from internal mail addresses. That’s just laziness.
If employers don’t want employees to get phished, a good first step is to not overwork them…
At my work, the bogus phishing attacks are overly believable. They’ll even come from a known in-house email account.
I’ve been dinged twice while otherwise occupied. I’ve stopped checking my email altogether. Play stupid games, win stupid prizes. I am being paid to do a job.
password123
Oh wait, that wasn’t the question?
I never got phished by the simulations because I never open my emails. If there’s something that needs my attention either someone will Slack me or a ticket on Jira made.
I’m 100% so far at my job, but we had one test that tricked somewhere around 30% of employees. They spoofed everyone’s supervisor and made it look like an urgent Teams message was pending.
Usually, if you get phished you lose your bonus. They made an exception that one time.
You lose your bonus? What basement-dwelling neanderthal executive came up with that hogwash?
To be fair, my job involves very sensitive medical data. We’ve seen entire businesses shut down because of data breaches.
Phishing simulations should be about educating employees, not punishing them. Train them on what they missed and if training material is available check where it might be lacking. Nobody learns from having their bonus taken away. It also only serves to stimulate a culture were people prefer not reporting possible security issues they might have caused, in order to avoid further pay cuts.
I dunno…If you’re in a position to get a bonus, you should be smart enough to not click on random links and enter your work password.
I am extremely pro-worker but I would be fuckin pissed if an employee so easily gave a potential hacker access to our systems and that’s what the test is for
They haven’t fooled me yet. They’re actually fairly easy to spot.
The last round my company did was pretty damn good. The email itself was well done and professional looking. They even registered a domain that was one letter different than the company name for the source email domain and the phishing form.
It was still one of those things that makes you hesitate like “your password has expired, click here to reset it” and the email client blatantly flagged it as being from outside our true domain. The client warning was the easy thing to spot, the rest was really well done.
That’s the odd thing with where I work, until recently all the phishing simulations were from within the company domain and so lacked the [External…]
It’s not impossible for an already infiltrated network, but I still expect to see that it came from outside. Maybe that’s me, tho.
Wdits: spullings <- like those