Google: Stop Trying To Trick Employees With Fake Phishing Emails (pcmag.com)
An anonymous reader shares a report: Did your company recently send you a phishing email? Employers will sometimes simulate phishing messages to train workers on how to spot the hacking threat. But one Google security manager argues the IT industry needs to drop the practice, calling it counterproductive. "PSA for Cybersecurity folk: Our co-workers are tired of being 'tricked' by phishing exercises y'all, and it is making them hate us for no benefit," tweeted Matt Linton, a security incident manager at Google.
Linton also published a post on the Google Security blog about the pitfalls of today's simulated phishing tests. The company is required to send fake phishing emails to its employees to meet the US government's security compliance requirements. In these tests, Google sends an employee a phishing email. If the worker clicks a link in the email, they'll be told they failed the test and will usually be required to take some sort of training course. However, Linton argues that simulated phishing tests can lead to harmful side effects, which can undermine a company's security. "There is no evidence that the tests result in fewer incidences of successful phishing campaigns," Linton said, noting that phishing attacks continue to help hackers gain a foothold inside networks, despite such training. He also pointed to a 2021 study that ran for 15 months and concluded that these phishing tests don't "make employees more resilient to phishing."
Of course you should stop this point practice! (Score:5, Interesting)
Re: Of course you should stop this point practice! (Score:3)
Bingo. Take the guesswork out of the equation. Quit testing us and then wagging your finger when 5% of employees click the phishing link.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That way if you get an email from someone in the company, you can verify it's legit, problem solved.
Often, these fake phishing emails appear to originate from senders outside the company, so that doesn't help.
Re: (Score:2)
Re: (Score:2)
Most phishing attacks do not look like they originate from within the company. They claim to be from Microsoft, Google, DHL, SAP, Citibank, etc. Corporate partners for whom you most definitely will not be able to force any PGP practice (it's hard enough to do that internally).
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Microsoft is one of the worst offenders. Just look at the domains they have and some of them look dubious.
https://github.com/v2ray/domai... [github.com]
https://learn.microsoft.com/en... [microsoft.com]
https://learn.microsoft.com/en... [microsoft.com]
etc etc
Re: (Score:2)
Solution (Score:2)
Re: (Score:2)
I've found that companies can't use PGP/GPG. It's just too complicated for the staff, and they won't do any training.
It's particularly annoying with GDPR requests because they often want to use some dodgy looking "secure" file transfer website that requires you to agree to all sorts of terms and conditions. When you ask them to use just GPG, decades old tech that should be trivial to integrate into whatever app they use, they just can't. They don't know how, the IT department has never heard of it or thinks
Re: (Score:2)
Re: (Score:2)
I think the problem is that GPG/PGP don't integrate well with email clients, or make the process of sending someone an encrypted email simple. Maybe it could be better integrated and easier to use, maybe we just need a better system.
Re: (Score:2)
Speaking from a company prospective, just use Thunderbird or Outlook (de
Re: (Score:2)
I wouldn't call gpg4win "easy", even if you understand the principles behind public key crypto.
Re: (Score:2)
Evidence (Score:5, Insightful)
> There is no evidence that the tests result in fewer incidences of successful phishing campaigns
Did you test?
Did you measure?
Did your failure rates go up or down?
Does your training suck?
Do different organizations have different results?
Do different job types have different results?
Is a guy in sales given the same training as a gal in applied mathematics?
"There is no evidence" is a reason-halting phrase used more often than not to mislead.
Of course there's no evidence of deception here.
RTFA (Score:1)
A lot has been published about the effectiveness of anti phishing testing and cheesy training videos.
He offers this study: https://arxiv.org/pdf/2112.074... [arxiv.org] as evidence that these things don't work.
Re:Evidence (Score:5, Interesting)
Many years ago, in a small family run business of about 120 employees and an internal IT department of about 8 of us, we (meaning a couple of us independent devs) decided to do this test (this was like 2003), so we put together a very obvious .exe in vb6 which when run just flashed a screen up and immediately closed. But behind the scenes, it transmitted a bunch of data back to our endpoint, including Windows username, IP address etc. Enough to say "it could have taken anything".
And we sent it to several people in the office as a generic "you have been chosen as a winner, open the attachment to claim your prize" email, just a small selection of people. Including the IT director.
The IT director was the only person to open it, and when we approached him about it we got severely reprimanded and told never to do it again. Basically he was embarrassed.
About a month later, the IT director brought the latest virus into the office on his laptop - yes, he had been opening random attachments on it again and it had got around the company virus scanner.
But sure, we were the problem...
After that we made sure the network had him on his own vnet that was firewalled off from everything else.
Re: (Score:3)
Does your training suck?
Yes. Almost always. After some of those videos I feel dumber after than I did before I started.
Re: (Score:3, Insightful)
I tend to delete them, before realizing they were probably a test (ie, the phake phishing was a bit too bizarre for a real phishing campaign). That's ok though, I passed even though I didn't report the email. But anyone who opened the email and then clicked on the link absolutely needs to take training!! So what if it annoys some snowflake over in Google? In the real world it does catch out the gullible employees who probably shouldn't be using something as advanced as email...
Re: (Score:2)
Exactly.
In my org, we don't enforce training for clickers/openers. No shame, anyone can fall for a phishing e-mail. Even I, who came up with the training and mock-phishing campaigns and can usually spot a phishing e-mail at a glance, have fallen for some well-timed, well executed phishing messages. As in, I clicked, but, of course, once I got to the next stage of redirect or credential spoof, it was obvious.
Phishing tests are just a way to get people "inoculated" so they are less likely to fall for 99% of p
Re:Evidence (Score:5, Interesting)
At my last company, I had to run a similar compliance program. The main metrics I had were the employee “click” rate, which would vary depending on the complexity of the phishing campaigns we ran (we purposely increased the deceptiveness of the phishing emails over time), and user feedback.
The overall click rate over time decreased approximately 15% across the board from pre-program levels, but the main satisfaction I took away from it was the employee feedback. A user being rather proud of the fact that they would submit a suspect email to me, and I would inform them that it is indeed phishing, is kinda cool.
Because I tried to treat the entire program as a considerable educational benefit both professionally and personally, employees I think appreciated it. Programs like this can work. Like many things, it can depend on how it is managed.
Re:Evidence (Score:4, Interesting)
Re: (Score:2)
"There is no evidence" is a reason-halting phrase used more often than not to mislead.
I am not aware of any evidence. Therefore, no one is aware of any evidence, and furthermore, such evidence does not exist. ... Oh and trust me, I am aware of all possible locations of any possible evidence.
This is just another manifestation of the blind wise men and the elephant.
not trying hard enough (Score:5, Interesting)
A more accurate test would mimic the scenario that an employee's email or laptop becomes compromised and the attackers can review all the emails that are sent out to the general distribution lists within an organization. Then the phishing attack would mimic those companywide emails like "Please participate in this greatest-place-to-work survey" or "Be sure to fill out this smart sheet if you're attending the company picnic." The body and subject are copied from those original emails and the links take the victim to a zero-day exploit download. Obviously, a test wouldn't follow through to the download step.
Re: (Score:2)
A more accurate test would mimic the scenario that an employee's email or laptop becomes compromised and the attackers can review all the emails that are sent out to the general distribution lists within an organization. Then the phishing attack would mimic those companywide emails like "Please participate in this greatest-place-to-work survey" ...
That is how our company's phishing tests are done. Most of them look very similar to our internal Workday site or some other employee engagement app. It's pretty obvious our security team is contracting with someone who is catering these emails specifically for our company.
Re: (Score:2)
Re: (Score:3)
My employer doesn't need to make the fake phishing messages look like real company messages because they make the real company messages look like fake phishing messages.
Whenever I get "An Urgent message from " I still flag it as a phishing attempt even though it's just a "sender is an idiot" problem, in the vain hope they'll learn to tighten up their internal messaging style.
Re: (Score:1)
A more accurate test would mimic the scenario that an employee's email or laptop becomes compromised and the attackers can review all the emails that are sent out to the general distribution lists within an organization.
This topic comes up many times on Slashdot, like a broken record, I will say what I always say...
If your security depends on regular employees being able to spot fraud, you have no real security. Even professionals who study fraud all the time can make mistakes. Mistakes caused by being tired, lazy, distracted, etc... If professionals can't be 100%, ordinary employees can't be anywhere near that.
These tests are 100% pointless busy work and employees should be irritated by having to do them.
Stop that... (Score:2, Funny)
X-PHISHTEST (Score:5, Interesting)
Thankfully, my company's phishing tests include an X-PHISHTEST header. Anyone with the least bit of knowledge can trivially write a mail client rule that bins them unread.
What would help way more than phishing tests is if companies trained their employees not to send email that LOOKS LIKE phishing. I see email all the time that looks like a phishing scam, only to find out it's an actual HR or IT email. "Click here to login to your new employee benefits account! Use your domain userid/password." with a link to some third-party provider I've never heard of. Or, "IT needs proof that your hard drive is encrypted. Respond to this email with a screenshot of your FileVault recovery key." Swear to the BOFH, they actually sent me that email.
Re: (Score:2)
What would help way more than phishing tests is if companies trained their employees not to send email that LOOKS LIKE phishing. I see email all the time that looks like a phishing scam, only to find out it's an actual HR or IT email. "Click here to login to your new employee benefits account! Use your domain userid/password." with a link to some third-party provider I've never heard of. Or, "IT needs proof that your hard drive is encrypted. Respond to this email with a screenshot of your FileVault recovery key." Swear to the BOFH, they actually sent me that email.
This. 100%. For me it was some kind of company survey... it arrived from an unknown address, we weren't told about it ahead of time either via an announcement or working its way down the management chain... so I kept reporting it as a phishing attempt. Sorry, but if you're going to use an external site for something like this or for any new benefit/service, you need to let us know in advance of these things showing up... or have them direct us to an internal, protected site with further information to re
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Thankfully, my company's phishing tests include an X-PHISHTEST header. Anyone with the least bit of knowledge can trivially write a mail client rule that bins them unread.
This would probably elicit a training requirement at my company, as they expect us to forward the "phishing email" to an abuse mailbox, which is, of course, a questionable way of handling actual phishing emails.
What would help way more than phishing tests is if companies trained their employees not to send email that LOOKS LIKE phishing. I see email all the time that looks like a phishing scam, only to find out it's an actual HR or IT email. "Click here to login to your new employee benefits account! Use your domain userid/password." with a link to some third-party provider I've never heard of. Or, "IT needs proof that your hard drive is encrypted. Respond to this email with a screenshot of your FileVault recovery key." Swear to the BOFH, they actually sent me that email.
Automated SSO redirects would resolve the first problem, but again, seems pretty questionable to me, (do you *really* want to let a third party get access to internal logins?) The second is just... looney.
Re: (Score:2)
I had an email a while back, from a third party to engage in third party training authorized by my company. This was legit, it was set up by HR. The snag was, my training username and password were my own corporate username and password (password from about 6 months prior). Right there in plain text in a third party email. I was blown away that anyone could get my password without me knowing without a keylogger.
This was Windows, so now I assume that it stores the actual password, not a hash like Unix does, an
Re: (Score:3)
Re: (Score:2)
Windows does not store passwords in plain text.
Re: (Score:1)
No, that's not what I meant. It is storing presumably an encrypted password. In Unix systems the password is never stored, encrypted or not, instead a hash over the password is stored. The difference is subtle, but it means Unix has security on the password, even crypto level if it uses a SHA, but there's no recovery mechanism to get the password, even superuser or kernel can't do this. If Windows encrypts the password then there's a key available to reverse this (especially if no HSM was available in th
Re: (Score:2)
It's stored as a hash of course, like any other modern system. If your password was known to IT, they either save the password when you change it, or they use something like a key logger. Either case, that's their prerogative as administrators, though it's a sign of incompetence.
Re: (Score:2)
I should note, at my last job, they assigned passwords, sent them to us in email, and did not ever allow password changes. This from a huge mortgage servicing company. Incompetence in the extreme.
They also forced us to install spyware on our home (host) computers, and recorded our screens and activity all day, every day, earning everyone constant bullying from management about taking too long bathroom breaks. When I left, they stole my last paycheck, and lied so I couldn't even get unemployment payments.
Re: (Score:2)
Re: (Score:2)
Hmm... Possibly I reused a password, and used it on an enterprise site w/o good security.
Re: (Score:2)
Change the context. (Score:2)
Simulation requires actual security hole (Score:2)
Re: (Score:2)
If admins are using the header as a "bypass the filters" token then they are doing it wrong.
The header should just be a cheap way of classifying the message for reporting purposes not as a filter bypass.
Got caught off guard (Score:3, Insightful)
Yeah, I get them. Did a personal post mortem when I failed:
- The mail client hides the From address, showing only the prettified variant, explicitly hiding domain names.
- The mail client replaces all links by outlook safelink, so every link looks the same, no matter where it points to.
- No way to display the links (even the nam0.safelink variant) before clicking.
- The email was exactly one sentence, verbatim as would come from our Workday system, at a time I was expecting a notification from the system.
- I was in a hurry, and wanted to see those docs.
When I opened the raw email, all the red flags were plainly visible. My message is: stop prettifying by hiding information...
The fun part is that the AV caught it, and I didn't get a fail. So much for those statistics...
Re: (Score:1)
When I received one of these, I (carefully) clicked it on purpose because it looked like an email trying to pretend it was phishing and not a genuine phishing email. I wanted to investigate it and see what it really was. I've seen tons of phishing emails, but nothing that looked quite like this. When I was told I failed a test, I explained my case and cried to my boss and got out of training lol.
Re: (Score:2)
Safelink URLs can be decoded by splitting the args into field=value pairs and using base64 and/or URL-safe hex (%3A = :) conversion, maybe even more than once, showing you the actual URL that safelink checks against its list. Just look for https%3A%2F%2F%2F and search for the domain on a search page. Complaints of victims or valid activity should be in the search results if used much.
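As an added example (not code from the thread, Google, or Microsoft), here is a small Python script that does what the two technical comments above describe: it peels Outlook Safe Links wrappers (the `url=` query parameter, percent-decoded, possibly more than once) to show the real destination of a link, and it reads the X-PHISHTEST header only as a reporting tag, so the same link analysis runs whether or not the message is a simulation. The sample message, the `nam01.safelinks.protection.outlook.com` host, the sender and destination domains, and the X-PHISHTEST value are all constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import parse_qs, unquote, urlparse

# Safe Links wrappers live under this suffix; the exact host prefix varies.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message, not one from the thread. The wrapper host,
# both domains and the X-PHISHTEST value are made up for this example.
SAMPLE_MESSAGE = """From: HR Portal <hr-portal@example-vendor.test>
To: employee@example.test
Subject: Action required: complete your benefits enrolment
X-PHISHTEST: campaign-2024-q2
Content-Type: text/plain; charset=utf-8

Please review your documents here:
https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbenefits-portal.example-third-party.test%2Fsso%3Fu%3Dalice&data=05%7C01%7C&sdata=abc&reserved=0
"""


def unwrap_safelink(url: str, max_depth: int = 5) -> str:
    """Peel Safe Links wrappers (possibly nested) to reveal the real target."""
    for _ in range(max_depth):
        parsed = urlparse(url)
        if not parsed.netloc.lower().endswith(SAFELINKS_SUFFIX):
            break
        inner = parse_qs(parsed.query).get("url")
        if not inner:
            break
        url = inner[0]  # parse_qs already percent-decodes one layer
    # A target that was encoded more than once still shows "%3A%2F%2F";
    # keep decoding until the scheme separator is a literal "://".
    for _ in range(max_depth):
        if "%3a%2f%2f" not in url.lower():
            break
        url = unquote(url)
    return url


def analyze_message(raw: str) -> dict:
    """Classify a raw RFC 5322 message: where its links really go, and whether
    it is tagged as a simulation. The tag is used for reporting only; the
    link analysis is identical for tagged and untagged mail."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    sender_domain = msg["From"].addresses[0].domain.lower()
    links = [(u, unwrap_safelink(u)) for u in URL_RE.findall(body)]
    destinations = sorted({urlparse(target).hostname for _, target in links})
    # Links whose real destination is not the sender's domain (or a subdomain)
    offdomain = [
        target for _, target in links
        if urlparse(target).hostname != sender_domain
        and not urlparse(target).hostname.endswith("." + sender_domain)
    ]
    return {
        "simulation": msg["X-PHISHTEST"] is not None,  # report-only tag
        "sender_domain": sender_domain,
        "links": links,
        "destinations": destinations,
        "offdomain_links": offdomain,
    }


if __name__ == "__main__":
    result = analyze_message(SAMPLE_MESSAGE)
    print("simulation:", result["simulation"])
    for wrapped, real in result["links"]:
        print("wrapped:", wrapped)
        print("real   :", real)
    print("off-domain destinations:", result["offdomain_links"])
```

The `simulation` flag is only ever attached to the result; nothing short-circuits the link checks when it is set, which is the distinction the "classify for reporting, not a filter bypass" comment draws.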
Re: (Score:2)
Informative, thanks.
But unless adding it as a plugin to Outlook, I'm not doing that for every email...
Re: (Score:2)
A funny thing happened... (Score:5, Funny)
A few months back, we received an email telling us we had been "assigned" a security training course to complete. It looked fake; so fake that half the company ignored it and the other half forwarded it to the IT department saying it was another scam email.
Funny thing was, at an all-hands a week later the CEO explained that it was legitimate and we did need to do the course - although, given the response she did concede that the company had passed the anti-phishing test rather well!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I hope I annoy the IT department as much as those stupid training courses have annoyed me.
Waaaaaahhhh. I failed the test. Stop testing me. (Score:2)
Jebus Cristo we live in a weird world these days.
Re: (Score:1)
I failed the test. Stop testing me.
Well... A previous president did suggest that the CDC stop/slow testing for the CORONA virus to avoid bad statistics, as if less testing would mean fewer sick people, so there's some president. :-)
Trump suggests US slow virus testing to avoid bad statistics [apnews.com]
Trump on coronavirus: ‘If we stop testing right now, we’d have very few cases, if any’ [thehill.com]
Trump now says he wasn’t kidding when he told officials to slow down coronavirus testing [cnn.com]
Google: CORONAvirus trump suggest not testing [google.com]
Re: (Score:1)
Just like how a "bloodbath in the automotive industry if I'm not elected" became a threatened "bloodbath if I'm not elected," right? This is more of the extremist, activist press intentionally misquoting Trump thousands of times.
Trump suggests US slow virus testing to avoid bad statistics [apnews.com]
Trump said “When you do testing to that extent, you’re going to find more people, you’re going to find more cases,” Trump said. “So I said to my people, ‘Slow the testing down, please.’ They test and they test.”
A pretty good joke, but
Re: (Score:2)
Whoops, didn't close that bold tag, sorry about that.
Re: (Score:2)
Way too many people dismiss things Trump says are jokes, when it's more likely that he's (a) actually an idiot, (b) actually really informed, or (c) testing things out / running them up the flag pole / throwing spaghetti against the wall, etc... to see what he can get away with. Ignore his "jokes" at your own peril.
Re: (Score:2)
No, they're jokes.
Re: (Score:2)
"President Donald Trump now says that he was not kidding when he told rallygoers over the weekend that he asked staff to slow down coronavirus testing, undercutting senior members of his own administration who said the comment was made in jest. “I don’t kid, let me just tell you, let me make it clear,” Trump told a reporter on Monday, when asked again if he was kidding when he said Saturday he instruc
Re: (Score:2)
Read what you just wrote. He did NOT undercut or contradict what he said.
Re: (Score:2)
Re: (Score:2)
That and that he did in fact tell his staff to slow down on coronavirus testing
And that was in jest. From the article (which apparently YOU didn't read):
"But Trump had a different story, telling a reporter that though he an order to slow down testing, he really did tell his people that the United States would look better if fewer coronavirus tests were performed."
Re: (Score:2)
Well, that got screwed up in editing. here's the correction:
he never gave an order to slow down testing
Re: (Score:2)
Jebus Cristo we live in a weird world these days.
I just go by Chris. These days.
Insurance requirements. (Score:2)
A lot of insurers are requiring these now.
I've found that, among my circle of nerd friends, the companies where they do a proactive training with interactive exercises prior to sending the phishing emails, nobody seems to mind them so much. If they're just sent out of the blue with a gotcha message for failure? Yeah, you pissed off your users. It's much like every other aspect of business. Treat the employees like human beings you sorta have a modicum of respect for? No issues. Treat them like cattle or chi
Cut that out! (Score:2)
You are training your people to recognize all the scams GMail sends their way. You're undermining our business model!
and it is making them hate us for no benefit," tweeted Matt Linton, a security incident manager at Google.
Too late. We already hate Google.
Laws of Computer Stupidity (Score:2)
Apparently, I need to change my Sig back to In Soviet Russia, Trojan Exploits YOU! [slashdot.org]
1) 99% of computer users do not know what they are doing.
How do I open my email again?
2) Computer users do not read.
This Microsoft prompt I got from clicking this Onedrive link on this encrypted email with bad grammer looks weird and didn't take my username and password the first time. I better enter it again just to be sure...
3) If a computer user can click on it, they will.
Sure! I'm gonna open this PDF file attachment fro
Did your company recently send you a phishing emai (Score:2)
Extra counter productive (Score:1)
A former employer of mine used to send tranches of these out regularly. Being slightly paranoid, I kept a VM snapshot available, would instantiate it, check all the links, terminate the VM, and file a security notification form (it was good enough to not be super obviously our internal phish, and I thought it would be helpful to identify the miscreants and notify security about what might well have been an actual phishing attack).
Instead of “thanks, well spotted” that resulted in mandatory
Re: (Score:2)
They may tell you that, but it's not true.
I got a test phishing email, and reported it as phishing, but somehow that got me enrolled in training. I was fucking furious because I did the right thing. They told me there was nothing they could do, I had to take the training. I complained some more and insisted that I had marked it a
Making the phish test unrealistically realistic (Score:2)
My company recently conducted one of these phish tests. Normally, email from outside the organization is marked with "This message originated from outside your organization." But the security team decided it would be a good idea to explicitly remove this label from their phish test, even though it did come from outside the organization.
If you're trying to train people to look for this label, then why on earth would a phish test suppress it? What exactly are they trying to train people to look for?
resilient vs resistant (Score:2)
Meanwhile... (Score:2)
Test or Attack (Score:1)
When not part of the security org it was always difficult to know if there was a coordinated attack against the company or a test.
The best you could do is forward the "attack" email off to the phishing alert mailbox, tell your co-workers to be careful and hope for the best.
They don't appreciate it ... (Score:1)
... when you point out the flaws in their emails to them, either.
It's been a while since I had to deal with a server I didn't control (university-required Microsoft account), but they stopped sending me "test" emails after I took one of their supposedly-legitimate messages and reported it to them as an attack message. In detail, with almost a dozen phishing attack items listed.
After that, I guess they figured I wouldn't succumb to an attack, since I showed them how they couldn't compose a real email without
Obvious answer (Score:2)
Re: (Score:2)
People are setting up man-in-the-middle (MITM) attacks for services such as Microsoft 365 and then targeting company employees. These attacks forward all M365 login screens, thus they even include your company's personalized corporate branding. Since everything you see is forwarded, that also includes the MFA screens. Your login details are forwarded to M365 and you're successfully logged in, but the attacker has stolen your au
I find it hilarious (Score:2)
that the PRIMARY source of phishing mails is Google-splaining to us that we shouldn't be trying to train folks to stop engaging with phishing mails
Maybe the self-reflection mirror is on the blink
experience says otherwise (Score:1)
used to do security at an MSP... and the clients that used phishing email training and testing were significantly less likely to have employees fall for actual attacks.
We've seen some stunningly well researched and crafted emails, using ever more elaborate methods to bypass filtering, spf, dkim, link checks, attachment scans... It's not perfect, but when deployed correctly and actually managed correctly- the staff had no issues with it and we actually saw higher engagement between them and the security team
Joke's on them (Score:2)
Well shit (Score:1)
I browse the links sometimes just to see how creative the attackers are