Google: Stop Trying To Trick Employees With Fake Phishing Emails (pcmag.com)

An anonymous reader shares a report: Did your company recently send you a phishing email? Employers will sometimes simulate phishing messages to train workers on how to spot the hacking threat. But one Google security manager argues the IT industry needs to drop the practice, calling it counterproductive. "PSA for Cybersecurity folk: Our co-workers are tired of being 'tricked' by phishing exercises y'all, and it is making them hate us for no benefit," tweeted Matt Linton, a security incident manager at Google.

Linton also published a post on the Google Security blog about the pitfalls of today's simulated phishing tests. The company is required to send fake phishing emails to its employees to meet the US government's security compliance requirements. In these tests, Google sends an employee a phishing email. If the worker clicks a link in the email, they'll be told they failed the test and will usually be required to take some sort of training course. However, Linton argues that simulated phishing tests can lead to harmful side effects, which can undermine a company's security. "There is no evidence that the tests result in fewer incidences of successful phishing campaigns," Linton said, noting that phishing attacks continue to help hackers gain a foothold inside networks, despite such training. He also pointed to a 2021 study that ran for 15 months and concluded that these phishing tests don't "make employees more resilient to phishing."

  • by Murdoch5 ( 1563847 ) on Thursday May 23, 2024 @03:47PM (#64494293) Homepage
    Force a company-wide PGP practice, and assure the key ring up to date. That way if you get an email from someone in the company, you can verify it's legit, problem solved.
    • Bingo. Take the guesswork out of the equation. Quit testing us and then wagging your finger when 5% of employees click the phishing link.

      • Exactly, they clicked it because they assumed IT set up the email system safely, without realizing unsecured email is a dumpster fire rolling into an orphanage. It's even worse if you're using Google or Microsoft, which is why I honestly recommend ProtonMail for everyone, because then you get the PGP for free with the verification.
    • PGP is very underused in email sadly.
    • That way if you get an email from someone in the company, you can verify it's legit, problem solved.

      Often, these fake phishing emails appear to originate from senders outside the company, so that doesn't help.

      • Right, but your entire scope should be secure, so if you're in doubt email IT and tell them to verify.
    • Most phishing attacks do not look like they originate from within the company. They claim to be from Microsoft, Google, DHL, SAP, Citibank, etc. Corporate partners for whom you most definitely will not be able to force any PGP practice (it's hard enough to do that internally).

      • I agree, they usually look terrible, but users are DUMB, I once had a VP of Technology ask me why his emails were bouncing from an email "noreplay@some-microsoft-domain.com".
    • Modern companies subscribe to literally THOUSANDS of different cloud-based services that send email from external domains. Any one of them can be spoofed, and contain a malicious payload. If your company is not growing, and has had the same employees for 20 years, then sure, stop the test phishing emails. Otherwise, they are a useful training practice for new employees.
    • One possible way to get them to stop if they are doing this frequently is to report the scam emails directly to the authorities. If the police start investigating their fake phishing attempts it may get them to rethink things.
    • by AmiMoJo ( 196126 )

      I've found that companies can't use PGP/GPG. It's just too complicated for the staff, and they won't do any training.

      It's particularly annoying with GDPR requests because they often want to use some dodgy looking "secure" file transfer website that requires you to agree to all sorts of terms and conditions. When you ask them to use just GPG, decades old tech that should be trivial to integrate into whatever app they use, they just can't. They don't know how, the IT department has never heard of it or thinks

      • I hate that argument, incompetence has got to stop being the gold standard. I don't care if people don't know how to integrate with GPG / PGP, just do it. A lot of people in IT are grossly unqualified, and don't know what PGP / GPG is. In one notable case, I had a client react like I tried to hack their system, when they got my public key. It took ~5 emails, with URLs, to explain what the key was for; he was a CISO / CTO for a large company.
        • by AmiMoJo ( 196126 )

          I think the problem is that GPG/PGP don't integrate well with email clients, or make the process of sending someone an encrypted email simple. Maybe it could be better integrated and easier to use, maybe we just need a better system.

          • It's very easy to use, Gpg4win: https://www.gpg4win.org/ [gpg4win.org], if you install it, the configuration takes minutes, and you're good to go. Even with an email client as low grade as Outlook, within 10 minutes of just very simple click interactions and some typing, you're up and running with an automated solution. If you're using the web version of Outlook, or Gmail, it's a little harder, but they make some excellent browser extensions.

            Speaking from a company perspective, just use Thunderbird or Outlook (de
            • by AmiMoJo ( 196126 )

              I wouldn't call gpg4win "easy", even if you understand the principles behind public key crypto.

              • Easy is relative, I can think of a lot of commonly used platforms that are harder to use. Anyway, the point is instead of doing pointless phishing tests and silly cybersecurity training, IT should be more proactive. The cybersecurity training my partner takes every year is so bad, I finally snapped and emailed her manager an outline of how much it got wrong. My N page email got so much traction that two government agencies are getting involved to review processes for health care in Ontario. The email
  • Evidence (Score:5, Insightful)

    by bill_mcgonigle ( 4333 ) * on Thursday May 23, 2024 @03:53PM (#64494303) Homepage Journal

    > There is no evidence that the tests result in fewer incidences of successful phishing campaigns

    Did you test?
    Did you measure?
    Did your failure rates go up or down?
    Does your training suck?
    Do different organizations have different results?
    Do different job types have different results?
    Is a guy in sales given the same training as a gal in applied mathematics?

    "There is no evidence" is a reason-halting phrase used more often than not to mislead.

    Of course there's no evidence of deception here.

    • A lot has been published about the effectiveness of anti-phishing testing and cheesy training videos.
      He offers this study: https://arxiv.org/pdf/2112.074... [arxiv.org] as evidence that these things don't work.

    • Re:Evidence (Score:5, Interesting)

      by Richard_at_work ( 517087 ) on Thursday May 23, 2024 @04:47PM (#64494445)

      Many years ago, in a small family run business of about 120 employees and an internal IT department of about 8 of us, we (meaning a couple of us independent devs) decided to do this test (this was like 2003), so we put together a very obvious .exe in vb6 which when run just flashed a screen up and immediately closed. But behind the scenes, it transmitted a bunch of data back to our endpoint, including Windows username, IP address etc. Enough to say "it could have taken anything".

      And we sent it to several people in the office as a generic "you have been chosen as a winner, open the attachment to claim your prize" email, just a small selection of people. Including the IT director.

      The IT director was the only person to open it, and when we approached him about it we got severely reprimanded and told never to do it again. Basically he was embarrassed.

      About a month later, the IT director brought the latest virus into the office on his laptop - yes, he had been opening random attachments on it again and it had got around the company virus scanner.

      But sure, we were the problem...

      After that we made sure the network had him on his own vnet that was firewalled off from everything else.

    • Does your training suck?

      Yes. Almost always. After some of those videos I feel dumber after than I did before I started.

    • Re: (Score:3, Insightful)

      by Darinbob ( 1142669 )

      I tend to delete them, before realizing they were probably a test (i.e., the phake phishing was a bit too bizarre for a real phishing campaign). That's ok though, I passed even though I didn't report the email. But anyone who opened the email and then clicked on the link absolutely needs to take training!! So what if it annoys some snowflake over in Google? In the real world it does catch out the gullible employees who probably shouldn't be using something as advanced as email...

      • Exactly.

        In my org, we don't enforce training for clickers/openers. No shame, anyone can fall for a phishing e-mail. Even I, who came up with the training and mock-phishing campaigns and can usually spot a phishing e-mail at a glance, have fallen for some well-timed, well executed phishing messages. As in, I clicked, but, of course, once I got to the next stage of redirect or credential spoof, it was obvious.

        Phishing tests are just a way to get people "inoculated" so they are less likely to fall for 99% of p

    • Re:Evidence (Score:5, Interesting)

      by geekmux ( 1040042 ) on Thursday May 23, 2024 @05:30PM (#64494541)

      At my last company, I had to run a similar compliance program. The main metrics I had were the employee “click” rate, which would vary depending on the complexity of the phishing campaigns we ran (we purposely increased the deceptiveness of the phishing emails over time), and user feedback.

      The overall click rate over time decreased approximately 15% across the board from pre-program levels, but the main satisfaction I took away from it was the employee feedback. A user being rather proud of the fact that they would submit a suspect email to me, and I would inform them that it is indeed phishing, is kinda cool.

      Because I tried to treat the entire program as a considerable educational benefit both professionally and personally, employees I think appreciated it. Programs like this can work. Like many things, it can depend on how it is managed.

    • "There is no evidence" is a reason-halting phrase used more often than not to mislead.

      I am not aware of any evidence. Therefore, no one is aware of any evidence, and furthermore, such evidence does not exist. ... Oh and trust me, I am aware of all possible locations of any possible evidence.

      This is just another manifestation of the blind wise men and the elephant.

  • by SethJohnson ( 112166 ) on Thursday May 23, 2024 @03:56PM (#64494311) Homepage Journal
    These tests are intended to satisfy the goal of 'doing something' but not risking catastrophic results. They only mimic those random scattershot emails attackers send out.

    A more accurate test would mimic the scenario that an employee's email or laptop becomes compromised and the attackers can review all the emails that are sent out to the general distribution lists within an organization. Then the phishing attack would mimic those companywide emails like "Please participate in this greatest-place-to-work survey" or "Be sure to fill out this smart sheet if you're attending the company picnic." The body and subject are copied from those original emails and the links take the victim to a zero-day exploit download. Obviously, a test wouldn't follow through to the download step.
    • by ranton ( 36917 )

      A more accurate test would mimic the scenario that an employee's email or laptop becomes compromised and the attackers can review all the emails that are sent out to the general distribution lists within an organization. Then the phishing attack would mimic those companywide emails like "Please participate in this greatest-place-to-work survey" ...

      That is how our company's phishing tests are done. Most of them look very similar to our internal Workday site or some other employee engagement app. It's pretty obvious our security team is contracting with someone who is catering these emails specifically for our company.

    • by jythie ( 914043 )
      And once it becomes a sign of 'doing something', the goals no longer align. My company's IT department actually cheats to keep their numbers up.. they time your fake emails to align with expecting real ones. For instance.. a couple weeks ago I put in a purchase order for something... the next day I got a fake phishing email about 'your order XYZ!'
    • My employer doesn't need to make the fake phishing messages look like real company messages because they make the real company messages look like fake phishing messages.

      Whenever I get "An Urgent message from " I still flag it as a phishing attempt even though it's just a "sender is an idiot" problem, in the vain hope they'll learn to tighten up their internal messaging style.

    • by Anonymous Coward

      A more accurate test would mimic the scenario that an employee's email or laptop becomes compromised and the attackers can review all the emails that are sent out to the general distribution lists within an organization.

      This topic comes up many times on Slashdot, like a broken record, I will say what I always say...

      If your security depends on regular employees being able to spot fraud, you have no real security. Even professionals who study fraud all the time can make mistakes. Mistakes caused by being tired, lazy, distracted, etc... If professionals can't be 100%, ordinary employees can't be anywhere near that.

      These tests are 100% pointless busy work and employees should be irritated by having to do them.

  • says the company reading your business emails.
  • X-PHISHTEST (Score:5, Interesting)

    by Chelloveck ( 14643 ) on Thursday May 23, 2024 @04:04PM (#64494335)

    Thankfully, my company's phishing tests include an X-PHISHTEST header. Anyone with the least bit of knowledge can trivially write a mail client rule that bins them unread.

    What would help way more than phishing tests is if companies trained their employees not to send email that LOOKS LIKE phishing. I see email all the time that looks like a phishing scam, only to find out it's an actual HR or IT email. "Click here to login to your new employee benefits account! Use your domain userid/password." with a link to some third-party provider I've never heard of. Or, "IT needs proof that your hard drive is encrypted. Respond to this email with a screenshot of your FileVault recovery key." Swear to the BOFH, they actually sent me that email.

    • What would help way more than phishing tests is if companies trained their employees not to send email that LOOKS LIKE phishing. I see email all the time that looks like a phishing scam, only to find out it's an actual HR or IT email. "Click here to login to your new employee benefits account! Use your domain userid/password." with a link to some third-party provider I've never heard of. Or, "IT needs proof that your hard drive is encrypted. Respond to this email with a screenshot of your FileVault recovery key." Swear to the BOFH, they actually sent me that email.

      This. 100%. For me it was some kind of company survey... it arrived from an unknown address, we weren't told about it ahead of time either via an announcement or working its way down the management chain... so I kept reporting it as a phishing attempt. Sorry, but if you're going to use an external site for something like this or for any new benefit/service, you need to let us know in advance of these things showing up... or have them direct us to an internal, protected site with further information to re

      • by tlhIngan ( 30335 )

        This. 100%. For me it was some kind of company survey... it arrived from an unknown address, we weren't told about it ahead of time either via an announcement or working its way down the management chain... so I kept reporting it as a phishing attempt. Sorry, but if you're going to use an external site for something like this or for any new benefit/service, you need to let us know in advance of these things showing up... or have them direct us to an internal, protected site with further information to read

      • by leptons ( 891340 )
        I do the same exact thing. I don't care about their fucking survey, they've pissed me off with their stupid phishing test courses and endless phishing test emails. So in response to that, I'll just mark everything that could be phishing as phishing even if it's not. They can deal with the consequences of their shitty phishing tests, which is less engagement in all their other HR stupid shit. I'm just so frustrated with the fake phishing emails and the stupid mandatory courses I have to take even if I haven'
    • Thankfully, my company's phishing tests include an X-PHISHTEST header. Anyone with the least bit of knowledge can trivially write a mail client rule that bins them unread.

      This would probably elicit a training requirement at my company, as they expect us to forward the "phishing email" to an abuse mailbox, which is, of course, a questionable way of handling actual phishing emails.

      What would help way more than phishing tests is if companies trained their employees not to send email that LOOKS LIKE phishing. I see email all the time that looks like a phishing scam, only to find out it's an actual HR or IT email. "Click here to login to your new employee benefits account! Use your domain userid/password." with a link to some third-party provider I've never heard of. Or, "IT needs proof that your hard drive is encrypted. Respond to this email with a screenshot of your FileVault recovery key." Swear to the BOFH, they actually sent me that email.

      Automated SSO redirects would resolve the first problem, but again, seems pretty questionable to me, (do you *really* want to let a third party get access to internal logins?) The second is just... looney.

    • I had email awhile back, from a third party to engage in third party training authorized by my company. This was legit, it was set up by HR. The snag was, my training username and password were my own corporate username and password (password from about 6 months prior). Right there in plain text in a third party email. I was blown away that anyone could get my password without me knowing without a keylogger.

      This was Windows, so now I assume that it stores the actual password, not a hash like Unix does, an

      • by Lehk228 ( 705449 )
        maybe you shouldn't use hunter2 as your password at work
      • Windows does not store passwords in plain text.

        • No, that's not what I meant. It is storing presumably an encrypted password. In Unix systems the password is never stored, encrypted or not, instead a hash over the password is stored. The difference is subtle, but it means Unix has security on the password, even crypto level if it uses a SHA, but there's no recovery mechanism to get the password, even superuser or kernel can't do this. If Windows encrypts the password then there's a key available to reverse this (especially if no HSM was available in th

          • It's stored as a hash of course, like any other modern system. If your password was known to IT, they either save the password when you change it, or they use something like a key logger. Either case, that's their prerogative as administrators, though it's a sign of incompetence.

          • I should note, at my last job, they assigned passwords, sent them to us in email, and did not ever allow password changes. This from a huge mortgage servicing company. Incompetence in the extreme.

            They also forced us to install spyware on our home (host) computers, and recorded our screens and activity all day, every day, earning everyone constant bullying from management about taking too long bathroom breaks. When I left, they stole my last paycheck, and lied so I couldn't even get unemployment payments.

      • by tlhIngan ( 30335 )

        I had email awhile back, from a third party to engage in third party training authorized by my company. This was legit, it was set up by HR. The snag was, my training username and password were my own corporate username and password (password from about 6 months prior). Right there in plain text in a third party email. I was blown away that anyone could get my password without me knowing without a keylogger.

        This was Windows, so now I assume that it stores the actual password, not a hash like Unix does, and t

    • Wow, I have never heard anyone 'swear to the BOFH' before. Seeing your low number next to your handle explains it fully. The IT folks in the business I work for have never heard of the BOFH, which I find amazing!
  • We recently changed the context of the testing since we are required to run it. It is no longer phish testing. It is phish training. If you click a link you are shown a quick screenshot of the email, with some of the tell tails for it being a phish highlighted. I tell the staff to treat it like a game. Make it fun.
  • What I think is dumbest is that these simulations set a header that the incoming mail filter respects so that it will actually get to the users. When we start weakening one layer of security in order to test end users we are not doing ourselves any favors. This just becomes one more thing adversaries can take advantage of.
    • If admins are using the header as a "bypass the filters" token then they are doing it wrong.

      The header should just be a cheap way of classifying the message for reporting purposes not as a filter bypass.

  • by serafean ( 4896143 ) on Thursday May 23, 2024 @04:15PM (#64494353)

    Yeah, I get them. Did a personal post mortem when I failed:
      - The mail client hides the From address, showing only the prettified variant, explicitly hiding domain names.
      - The mail client replaces all links by outlook safelink, so every link looks the same, no matter where it points to.
      - No way to display the links (even the nam0.safelink variant) before clicking.
      - The email was exactly one sentence, verbatim as would come from our Workday system, at a time I was expecting a notification from the system.
      - I was in a hurry, and wanted to see those docs.

    When I opened the raw email, all the red flags were plainly visible. My message is: stop prettifying by hiding information...
    The fun part is that the AV caught it, and I didn't get a fail. So much for those statistics...

    • When I received one of these, I (carefully) clicked it on purpose because it looked like an email trying to pretend it was phishing and not a genuine phishing email. I wanted to investigate it and see what it really was. I've seen tons of phishing emails, but nothing that looked quite like this. When I was told I failed a test, I explained my case and cried to my boss and got out of training lol.

    • by Pitawg ( 85077 )

      safelink url can be decoded by splitting args field=value pairs and using base64 and/or url safe hex (%3A = : ) conversion, maybe even more than once, showing you the actual url safelink checks against its list. Just look for https%3A%2F%2F%2F and search for the domain on a search page. Complaints of victims or valid activity should be in the search results if used much.

      • Informative, thanks.
        But unless adding it as a plugin to Outlook, I'm not doing that for every email...
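      A decoder for the Safe Links wrapper format Pitawg describes above, added here as an example and not taken from any comment on this page. It handles the percent-encoded url= parameter (no base64 step) and unwraps links that were wrapped more than once; the sample URLs, the regional prefixes nam02/eur01 and the mail body are constructed.

```python
"""Unwrap Microsoft "Safe Links" rewritten URLs to show where a link really goes.

Safe Links rewrites each link in a message into
  https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded original>&data=...
so the mail client shows the wrapper instead of the destination.
The sample URLs and mail body below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def is_safelink(url: str) -> bool:
    """True if the URL is a Safe Links wrapper (any regional prefix, e.g. nam02, eur01)."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelink(url: str, max_depth: int = 5) -> str:
    """Return the destination behind a Safe Links URL.

    parse_qs percent-decodes the url= value once. If the value is still encoded
    (a forwarded link can be encoded twice) keep decoding until a scheme appears.
    A wrapper nested inside another wrapper is unwrapped as well, up to max_depth.
    URLs that are not Safe Links wrappers are returned unchanged.
    """
    current = url
    for _ in range(max_depth):
        if not is_safelink(current):
            return current
        params = parse_qs(urlsplit(current).query)
        if "url" not in params:
            raise ValueError("Safe Links URL without a url= parameter: " + current)
        inner = params["url"][0]
        # Decode repeatedly, but stop if unquote makes no progress (malformed input).
        while not urlsplit(inner).scheme:
            decoded = unquote(inner)
            if decoded == inner:
                break
            inner = decoded
        current = inner
    raise ValueError("gave up after %d nested wrappers" % max_depth)


def destination_host(url: str) -> str:
    """Host the user would actually land on; compare it with the brand the mail claims to be from."""
    return (urlsplit(unwrap_safelink(url)).hostname or "").lower()


def unwrap_links_in_text(text: str) -> list[tuple[str, str]]:
    """Pair every URL found in a mail body with its real destination."""
    return [(m.group(0), unwrap_safelink(m.group(0))) for m in URL_RE.finditer(text)]


# Constructed samples: one real link, the same link wrapped once, and wrapped twice.
REAL_URL = "https://example.com/login?id=42&token=abc"
WRAPPED = ("https://nam02.safelinks.protection.outlook.com/?url="
           + quote(REAL_URL, safe="") + "&data=05%7C01%7C&sdata=xyz&reserved=0")
DOUBLE_WRAPPED = ("https://eur01.safelinks.protection.outlook.com/?url="
                  + quote(WRAPPED, safe="") + "&reserved=0")
SAMPLE_BODY = ("Your Workday document is ready: " + WRAPPED + "\n"
               "Unsubscribe: https://example.org/unsubscribe\n")

if __name__ == "__main__":
    for shown, real in unwrap_links_in_text(SAMPLE_BODY):
        print(real, "<-", shown[:60] + ("..." if len(shown) > 60 else ""))
```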

    • Default Outlook behavior is really bad for spotting phishing scams. It hides domain names, link addresses, and file extensions for the sake of appearance.
  • by neilo_1701D ( 2765337 ) on Thursday May 23, 2024 @04:18PM (#64494367)

    A few months back, we received an email telling us we had been "assigned" a security training course to complete. It looked fake; so fake that half the company ignored it and the other half forwarded it to the IT department saying it was another scam email.

    Funny thing was, at an all-hands a week later the CEO explained that it was legitimate and we did need to do the course - although, given the response she did concede that the company had passed the anti-phishing test rather well!

    • Yeah, our HR department likes to do contests and giveaways that look a lot like phishing scams. I always flag them as such. Some people don't think about how sketchy their emails look before sending them.
      • by leptons ( 891340 )
        Right before Christmas I got an email from my boss that was a gift card. Of course it was a phishing scam, but it really hurt because I haven't had a raise in 3 years, and I've never had a bonus. That's what tipped me off, my boss is a fucking cheapskate, so I knew he wouldn't be sending me any kind of bonus. It was just extra shitty that they try to enroll me in another training course right before christmas. FUCK YOU IT DEPT.
    • by leptons ( 891340 )
      My IT dept has made me so paranoid, I send them copies of lots of legitimate emails I receive because I'm afraid they're going to try to enroll me in the stupid phishing course again. I've never had an actual phishing email, only the ones they send trolling me. So they've created a problem now that I need them to clear every email I get before I'll interact with it.

      I hope I annoy the IT department as much as those stupid training courses have annoyed me.
  • Jebus Cristo we live in a weird world these days.

    • I failed the test. Stop testing me.

      Well... A previous president did suggest that the CDC stop/slow testing for the CORONA virus to avoid bad statistics, as if less testing would mean fewer sick people, so there's some president. :-)

      Trump suggests US slow virus testing to avoid bad statistics [apnews.com]
      Trump on coronavirus: ‘If we stop testing right now, we’d have very few cases, if any’ [thehill.com]
      Trump now says he wasn’t kidding when he told officials to slow down coronavirus testing [cnn.com]

      Google: CORONAvirus trump suggest not testing [google.com]

      • Just like how a "bloodbath in the automotive industry if I'm not elected" became a threatened "bloodbath if I'm not elected," right? This is more of the extremist, activist press intentionally misquoting Trump thousands of times.

        Trump said “When you do testing to that extent, you’re going to find more people, you’re going to find more cases,” Trump said. “So I said to my people, ‘Slow the testing down, please.’ They test and they test.”

        A pretty good joke, but

        • Whoops, didn't close that bold tag, sorry about that.

        • Way too many people dismiss things Trump says are jokes, when it's more likely that he's (a) actually an idiot, (b) actually really informed, or (c) testing things out / running them up the flag pole / throwing spaghetti against the wall, etc... to see what he can get away with. Ignore his "jokes" at your own peril.

        • from the second to last link, where you said, "He made a joke and gave no such order."

          "President Donald Trump now says that he was not kidding when he told rallygoers over the weekend that he asked staff to slow down coronavirus testing, undercutting senior members of his own administration who said the comment was made in jest. “I don’t kid, let me just tell you, let me make it clear,” Trump told a reporter on Monday, when asked again if he was kidding when he said Saturday he instruc

          • Read what you just wrote. He did NOT undercut or contradict what he said.

            • I have no idea what you are looking at, but the quote was, "I don’t kid, let me just tell you, let me make it clear,”. That and that he did in fact tell his staff to slow down on coronavirus testing, which your posting says was a joke on his part.
              • That and that he did in fact tell his staff to slow down on coronavirus testing

                And that was in jest. From the article (which apparently YOU didn't read):

                "But Trump had a different story, telling a reporter that though he an order to slow down testing, he really did tell his people that the United States would look better if fewer coronavirus tests were performed."

    • Jebus Cristo we live in a weird world these days.

      I just go by Chris. These days.

  • A lot of insurers are requiring these now.

    I've found that, among my circle of nerd friends, the companies where they do a proactive training with interactive exercises prior to sending the phishing emails, nobody seems to mind them so much. If they're just sent out of the blue with a gotcha message for failure? Yeah, you pissed off your users. It's much like every other aspect of business. Treat the employees like human beings you sorta have a modicum of respect for? No issues. Treat them like cattle or chi

  • You are training your people to recognize all the scams GMail sends their way. You're undermining our business model!

    and it is making them hate us for no benefit," tweeted Matt Linton, a security incident manager at Google.

    Too late. We already hate Google.

  • Apparently, I need to change my Sig back to In Soviet Russia, Trojan Exploits YOU! [slashdot.org]

    1) 99% of computer users do not know what they are doing.
    How do I open my email again?

    2) Computer users do not read.
    This Microsoft prompt I got from clicking this Onedrive link on this encrypted email with bad grammer looks weird and didn't take my username and password the first time. I better enter it again just to be sure...

    3) If a computer user can click on it, they will.
    Sure! I'm gonna open this PDF file attachment fro

  • If they did, they won't see whether or not I opened it. I have my Thunderbird email client set to ~do not open external links~ so the tracking pixels (or whatever) would not work.
  • A former employer of mine used to send tranches of these out regularly. Being slightly paranoid, I kept a VM snapshot available, would instantiate it, check all the links, terminate the VM, and file a security notification form (it was good enough to not be super obviously our internal phish, and I thought it would be helpful to identify the miscreants and notify security about what might well have been an actual phishing attack).

    Instead of “thanks, well spotted” that resulted in mandatory

    • by leptons ( 891340 )
      > I had mitigated the risk, and informed the authorities. Sadly, the Powers that Be had a process, and the process had to be followed irrespective of the facts on the ground.

      They may tell you that, but it's not true.

      I got a test phishing email, and reported it as phishing, but somehow that got me enrolled in training. I was fucking furious because I did the right thing. They told me there was nothing they could do, I had to take the training. I complained some more and insisted that I had marked it a
  • My company recently conducted one of these phish tests. Normally, email from outside the organization is marked with "This message originated from outside your organization." But the security team decided it would be a good idea to explicitly remove this label from their phish test, even though it did come from outside the organization.

    If you're trying to train people to look for this label, then why on earth would a phish test suppress it? What exactly are they trying to train people to look for?

  • What's the difference in meaning between being more resilient to phishing attempts & being more resistant to them? Could someone please tell the "journalist" whose job it is to know what words mean?
  • Meanwhile, a big chunk of the phishing spam I get comes from gmail users. Stuff like fake Norton, Geek Squad, and PayPal invoices. Thanks, for trying, Google!
  • When not part of the security org it was always difficult to know if there was a coordinated attack against the company or a test.

    The best you could do is forward the "attack" email off to the phishing alert mailbox, tell your co-workers to be careful and hope for the best.

  • ... when you point out the flaws in their emails to them, either.

    It's been a while since I had to deal with a server I didn't control (university-required Microsoft account), but they stopped sending me "test" emails after I took one of their supposedly-legitimate messages and reported it to them as an attack message. In detail, with almost a dozen phishing attack items listed.

    After that, I guess they figured I wouldn't succumb to an attack, since I showed them how they couldn't compose a real email without

  • If you don't want employees clicking on phishing links, don't allow (third-party domain) links in emails. Also, require SMS (to an in-office phone) or TOTP authentication on accounts.
    • Also, require SMS (to an in-office phone) or TOTP authentication on accounts.

      People are setting up man-in-the-middle (MITM) attacks for services such as Microsoft 365 and then targeting company employees. These attacks forward all M365 login screens, thus they even include your company's personalized corporate branding. Since everything you see is forwarded, that also includes the MFA screens. Your login details are forwarded to M365 and you're successfully logged in, but the attacker has stolen your au

  • that the PRIMARY source of phishing mails is Google-splaining to us that we shouldn't be trying to train folks to stop engaging with phishing mails

    Maybe the self-reflection mirror is on the blink

  • used to do security at an MSP... and the clients that used phishing email training and testing were significantly less likely to have employees fall for actual attacks.

    We've seen some stunningly well researched and crafted emails, using ever more elaborate methods to bypass filtering, SPF, DKIM, link checks, attachment scans... It's not perfect, but when deployed correctly and actually managed correctly, the staff had no issues with it and we actually saw higher engagement between them and the security team

  • As someone with >10K unread emails in my inbox I'm highly unlikely to even notice.
  • I browse the links sometimes just to see how creative the attackers are
