Phishing Tests, the Bane of Work Life, Are Getting Meaner (msn.com)
U.S. employers are deploying increasingly aggressive phishing tests to combat cyber threats, sparking backlash from workers who say the simulated scams create unnecessary panic and distrust in the workplace. At the University of California, Santa Cruz, a test email about a fake Ebola outbreak sent staff scrambling before learning it was a security drill. At Lehigh Valley Health Network, employees who fall for phishing tests lose external email access, with termination possible after three failures.
Despite widespread use, recent studies question these tests' effectiveness. Research from ETH Zurich found that phishing tests combined with voluntary training actually made employees more vulnerable, while a University of California, San Diego study showed only a 2% reduction [PDF] in phishing success rates. "These are just an ineffective and inefficient way to educate users," said Grant Ho, who co-authored the UCSD study.
And they should be mean (Score:5, Informative)
All it takes is one idiot in your organization and 'poof' there goes millions of dollars.
Re:And they should be mean (Score:5, Insightful)
But it's pointless if it does nothing to address the problem, or actually make it worse.
At that point, it's just revenge fantasy.
Re: (Score:2)
Re: (Score:2, Interesting)
Interesting FP branch, but the "meanness" becomes an impediment to getting things done. In my "career segment" at a famous three-letter company the constant validations an cross-checks became obstacles, especially in the email systems. I certainly hope the main beast has been buried by now...
Always feels pointless to ask or think about solutions in Slashdot, but I think the key has to involve creating a cost for creating identities. In the extreme case a human being might have to present unfakable and physi
Re:And they should be mean (Score:4)
Interesting FP branch, but the "meanness" becomes an impediment to getting things done. In my "career segment" at a famous three-letter company the constant validations an cross-checks became obstacles.
Just follow up every attempt with a personal phone call, to verify who it is, or ask for a face to face meeting, as AI can do pretty good imitations of people's voices. Maybe call security as well.
I think that's called malicious compliance. I call it making your problem someone else's problem, and you are just hailed as the ultimate security minded employee, always checking, always vigilant, and really annoying.
Re: (Score:2)
Mod parent funny and correct my comment thusly:
c/an cross-checks/and cross-checks/
Re: (Score:2)
Why is it that techno-bro's "solutions" to the problems they created in the first place is always to construct some insane techno-dystopia where the entire life of every citizen is necessarily monitored, analyzed, brokered, and micromanaged?
Are you just incapable of seeing how such a system could be gamed by dedicated actors working for months or years to establish accounts with high trust? How completely useless it would be as soon as one of those "legitimate identities" with "the most weight" is compromis
Re: (Score:2)
I'm not saying the game can ever be won. But we have to keep fighting on the theory that there are such things as truth and reality.
However if there is such a thing as a just gawd it's hard to see why he hasn't already thrown the game down a black hole...
Re: (Score:1)
Re: (Score:2)
If it's a way to get "revenge" on useless users who refuse to get with normal security practices, I'm fine with that.
You're fine with spending time, money and effort on something that does not address the problem, or actually makes it worse?
Really?
Re: (Score:2)
You're fine with spending time, money and effort on something that does not address the problem, or actually makes it worse?
I agree they don't work on educating some people, but I think his main point is, "This finally gives me a hard reason to revoke their access".
And we saw they are letting people go if they fail three times. So those strategies would actually achieve the goal, no?
Re: (Score:2)
because they've spent 40 hours a week in front of a computer for the last 25 years and still don't know what a "web browser" or the "start menu" is.
Part of this is the IT dept's fault. How often do users talk to each other and use those terms? Instead of web browser, they think about Chrome or Firefox. Instead of the start menu, most users have all the programs they use pinned to their taskbar or a shortcut on their desktop. Using terms like Start Menu, Taskbar, System Tray, or context menu just confuses them because none of their coworkers use those terms either. We think it is common knowledge where the system tray is located, or how to start th
Re: And they should be mean (Score:2)
Re: And they should be mean (Score:2)
Use Zero Trust Network Access instead of perimeter-based security.
Re: (Score:1)
Use Zero Trust Network Access instead of perimeter-based security.
But would this solve the problem where the help desk is fooled into resetting the password and MFA of a high-value individual, giving the attackers their foothold?
..up to a point (Score:5, Insightful)
Re: (Score:2)
Claiming there is an ebola outbreak where you work is a bit like faking your death for a practical joke: it can do serious harm under the wrong conditions and that's just not acceptable for a drill.
I'm not so sure about that. It's like a random fire drill. It's a good way of identifying that people may panic and allows you to put in place systems to deal with that panic.
Re: ..up to a point (Score:2)
Re: (Score:2)
I work in a gov't lab. We handle "select agents" (ebola is but one of them); a prank e-mail on an ebola outbreak would have far-reaching effects.
Re:And they should be mean (Score:5, Informative)
I got a phishing email right before Christmas, it seemed to come from my boss and was telling me I had gotten a Christmas bonus. Of course I didn't, that cheapskate asshole has never given me a Christmas bonus in the 7 years I've been working for him. I haven't even had a raise in 4 years.
I quit. That was the last straw.
Re: And they should be mean (Score:2)
Supposedly, cybercrime is victimless, just digits and money covered by insurance companies. But having been brought in to do the mop up on a number of large hits, I can tell you it costs lives with a noticeable uptick in deaths in single driver crashes, stro
Re: And they should be mean (Score:2)
I hope it didn't infect your Christmas spirit and you've moved on to a better working environment not dependent on supernatural beings improving management's softskills.
Re: (Score:2)
My comment was about a fucked up phishing test and a cheapskate boss.
Re: And they should be mean (Score:2)
Re: And they should be mean (Score:2)
Re: (Score:2)
No, they should stop using single-factor authentication, or stop using passwords entirely. Take the money spent on these phishing drills, and spend it instead on hardware keys or some other passwordless authentication system. Phishing is instantly solved.
Re: And they should be mean (Score:2)
For example the recent MonikerLink bug, CVE-2024-21413, that simply required a user to open an email.
Re: (Score:2)
If you have no legitimate passwords to enter in the course of doing your job, then there's nothing to type when the phishing attack asks you to log in. So yeah, passwordless authentication does defeat phishing.
https://www.scworld.com/resour... [scworld.com]
Re: And they should be mean (Score:2)
It's not going to stop zero-click attacks such as a user opening an email that will launch an attack through an exploit in Outlook, or an exploit in WhatsApp that could infect a user's device even if they ignored the call and never answered.
Once in, malicious code could be used to monitor and attack the network from within the network on a trusted machine until it found a higher value target.
https://www [csoonline.com]
Re: (Score:2)
You're right, hardware keys don't block malware from being installed through phishing attacks.
Re: (Score:2)
If it's that important it should be protected by something better than threats.
Fight Fire With Fire (Score:1)
Troll those trolls!
I wanted to click the links in TFS (Score:1)
They're getting stricter because it doesn't work (Score:5, Insightful)
An attorney I know got training from their IT department that included (among other things) a plain English, simple checklist of things to look out for, and how to report suspicious emails.
Then he received a legitimate email from IT about some training, that a) came from a previously unknown email address, b) linked to a previously unknown web site, c) threatened dire consequences if the training wasn't completed within a few days (which required entering a lot of personal and professional information), and literally checked every box on that checklist except bad grammar. It was announced in advance through regular IT email channels, but that was several weeks in advance.
In a firm with several hundred attorneys, he was the only one to report it to IT.
No amount of training will ever fix stupid.
Re: (Score:2)
An attorney I know got training from their IT department that included (among other things) a plain English, simple checklist of things to look out for, and how to report suspicious emails.
Then he received a legitimate email from IT about some training, that a) came from a previously unknown email address, b) linked to a previously unknown web site, c) threatened dire consequences if the training wasn't completed within a few days (which required entering a lot of personal and professional information), and literally checked every box on that checklist except bad grammar. It was announced in advance through regular IT email channels, but that was several weeks in advance.
In a firm with several hundred attorneys, he was the only one to report it to IT.
No amount of training will ever fix stupid.
Exactly this. Most internal corporate communication that asks employees to do something somewhere online is done so poorly as to be indistinguishable from phishing.
Re: (Score:3)
And that's the test. Anyone who doesn't report that as an obvious bad phishing attempt should be lectured at this point.
Re:They're getting stricter because it doesn't wor (Score:4, Funny)
As part of a pen test, I sent out a phish to a few emails I harvested from the target website. My phishing server caught creds from people I never even sent the email to (your basic log in to web mail to avoid your account being deleted phish with a bogus link). It turns out an administrator spotted the phish and sent a warning email to all warning people not to click that link. My phish was attached, presumably so people could see what they shouldn't click. MANY of them clicked right there in the message attached to the warning.
Re: They're getting stricter because it doesn't wo (Score:1)
It's not that the employees are particularly stupid, it's more like the challenges of modern IT have raised the IQ bar rather high. The rise of LLMs will raise it even higher.
Re: (Score:2)
If your training gives you a simple, objective list of criteria on what makes an email suspicious, like "did it come from an email address you haven't gotten email from before, while claiming to be from someone you have" or "does it include a link to a web site you don't recognize", and you - despite your training - do not report it as suspicious when you get an email that checks every box on the list, the problem isn't the rise of modern IT raising the bar, the problem is you are stupid. Literally so stupid you
Re: (Score:2)
And at some places of employment, where you move to is the unemployment office for violating security policy.
Re: (Score:2)
True, and that's where a baseball bat can come in handy.
Re: (Score:2)
The proper term is "clue bat," and yes.
Re: They're getting stricter because it doesn't wo (Score:2)
That and it's actually pretty fun.
Re: (Score:2)
A large law firm in a major city does, yes.
Re: (Score:2)
Zuck owns it?
Re:They're getting stricter because it doesn't wor (Score:5, Insightful)
So far from training us to spot phishing attempts it feels more like they are training us to ignore them!
Re:They're getting stricter because it doesn't wor (Score:5, Interesting)
Re:They're getting stricter because it doesn't wor (Score:4, Insightful)
"No amount of training will ever fix stupid."
But who are you claiming was the stupid party?
1) The person who flagged the email that was pre-announced to be legitimate?
2) The people who did not flag the email that matched almost all the criteria but was pre-announced to be legitimate?
3) The people who sent a legitimate email that matched the criteria for a phish?
4) The people who thought training on those criteria was valuable?
Re: (Score:3)
3) The people who sent a legitimate email that matched the criteria for a phish?
This is one of my favourite things to experience in a company. I remember during one phishing campaign there were promises of winning a free iPod (it was a while ago). People who fell for it were directed to a site that basically said what amounted to "No stupid why would your company give you a free iPod, you already get paid to be here, and we have a spot bonus system".
Anyway fast forward a couple of weeks and I get an email from the plant manager. I get a free iPod. Legit. Turns out that someone complain
Re: (Score:1)
Then he received a legitimate email from IT about some training, that a) came from a previously unknown email address, b) linked to a previously unknown web site, c) threatened dire consequences if the training wasn't completed within a few days (which required entering a lot of personal and professional information), and literally checked every box on that checklist except bad grammar.
We had the same where I worked! Maybe the same source, perhaps KnowBe4? Anyway, I rate myself as being able to tell spam from ham, but it was real tough with that one.
Re: (Score:2)
In a firm with several hundred attorneys, he was the only one to report it to IT.
No amount of training will ever fix stupid.
It depends on the context.
In the company where I worked, we had all that training you mentioned. However, every 1-3 years, new guy comes into management, announces new initiatives, and sends out department-wide emails which included links to external domains, or hires external vendors to conduct surveys by sending emails from external domains to everyone with a link to external domains. When you report these emails as phishing, you got back a reply telling you it is legit. Anyone working for longer than
Re: (Score:2)
Training employees to recognize phishing email is all well and good, but what they really need to teach is how to write email that doesn't look phishy. HR and IT departments are both notoriously bad at this. Where I worked simply reporting the messages to IT didn't address the problem. They'd just tell us that it was legit mail but never get word back to the actual sender about how to do it correctly.
At least their honeypot emails had a handy X-PHISHTEST header line that you could easily write a filter f
Amusing (Score:2)
I find the phishing tests at my company to be amusing. They are something like this one (which I'm making up):
"Your organization has instituted random drug testing. Please enter your organization name and your username and password into the form below to confirm that you have received this message."
Re: (Score:2)
Log in to this website with your company email to enroll in DEI training.
Re: (Score:2)
Or opt out of it. Pretty sure that'd catch a lot of flies.
Re: (Score:3)
The last one that caught a number of people:
"An IT audit shows that you've spent 10 hours this week on personal web browsing. Click here to see screenshots of your activity."
Phishing tests more trustworthy than real thing (Score:4, Insightful)
I've seen phishing tests that come from an internal corporate email address, that should not be spoofable (within the corporate email system).
Meanwhile, employees are regularly flooded with unexpected emails that come from outside the corporate domain, include links asking us to log in with corporate credentials, and that turn out to actually be official corporate communication.
The first thing that companies need to do to protect against phishing is to make sure all official communications come from the corporate email domain, instead of whatever third party domain a contractor or service provider happens to be using this week.
Re: (Score:1)
I've seen phishing tests that come from an internal corporate email address, that should not be spoofable (within the corporate email system). Meanwhile, employees are regularly flooded with unexpected emails that come from outside the corporate domain, include links asking us to log in with corporate credentials, and that turn out to actually be official corporate communication. The first thing that companies need to do to protect against phishing is to make sure all official communications come from the corporate email domain, instead of whatever third party domain a contractor or service provider happens to be using this week.
Same problem here. It is very hard to tell if a third-party website is a legit SSO or not. Seems like a very bad idea. Official emails also use a third-party click counter. WTF? Teach me to check the links, then hide them? Then there is "Safe Links" where official links go through a third-party link checker. So they hide the target of links sometimes multiple layers deep, but keep training me to "check" where they go.
Re: (Score:2, Interesting)
we got an email stating the email address and phone number associated with "HSA Bank" account has been changed - did my due diligence and confirmed the email had a different phone number than the one listed on their website (email looked sketchy too)
plus our HSA was through another company... so I reported it... was told it was legitimate..
1 week later I got a piece of paper mail with my new HSA Bank card in it
3 weeks later we get the official email from our company telling us that we were changing HSA prov
Re: (Score:2)
It's not just employers. I see lots of companies do this like medical providers. Can't they just make a redirector from their own domains? Don't use third parties' too like awstrack.me. Ugh!
Add technical incompetence to the list of issues. (Score:2)
Our company added phishing tests to our outbreak 365 suite. M$'s pre-fetching of links in the emails triggered the phishing detection so we all got remedial training assignments. Assignments that appeared as a suspicious looking email from our admin.
Re: (Score:3)
This got me. We have an add-in that comes from the phishing test provider that we're supposed to click to "Report Phishing", that's part of what we're graded on. Instead of clicking their add-on "Report Phishing" button, I clicked on the "Report Phishing" button that is part of Outlook. This triggered the email to be opened and links fetched, flagging me as failing the test so I had to sit in training for a few hours.
I repeatedly told the security team what happened, and was ignored. So now I just completel
And Don't Ignore (Score:5, Interesting)
I tend to ignore much of my email. Deleting it if it's not relevant to my job or what I'm doing. Doesn't matter if it comes from a vendor I recognize (like Red Hat).
But. I have to pay attention to emails now because if I don't catch a phishing email and report it, my "Security Alertness" ratio drops and I get a talking to.
It's almost like InfoSec is sending out ads to make money on the side.
[John]
Re:And Don't Ignore (Score:4, Interesting)
This exactly. I don't even open them, because God only knows what scripts Outlook will still run. But now I have to click them and open them.
It should just be, if you fall for it, you're fired.
Bonus that HR keeps sending out legitimate emails with links to external domains. I've clicked the phishing button on those before, and bosses were unhappy with that.
Re: (Score:2)
I don't even open them, because God only knows what scripts Outlook will still run.
None. Like seriously how incompetent is your IT department if simply opening an email is still a risk in 2025.
I've clicked the phishing button on those before, and bosses were unhappy with that.
Why would they be unhappy? You're following official rules which is that a potentially unsure email is escalated to someone for official review. It doesn't pass the smell test that your bosses would be unhappy about that.
Re: And Don't Ignore (Score:2)
Re: And Don't Ignore (Score:2)
Simple (Score:2)
Re: (Score:3)
Re: Simple (Score:2)
Okay, that last term I just made up, but it is definitely a thing.
there are smart ways and then there is this (Score:3)
There are smart ways and then there is this... you can't get good results by doing stupid things.
I've been on the side where these are created, and used... can say 100% that training works at preventing phishing attacks. IF THE PEOPLE RUNNING THEM ARE SMART and use them correctly.
Any tool in the hands of a dumbass will results in disaster.
For those that get crappy campaigns are likely the recipients of cyber insurance/risk asking for user awareness training and the person responsible for it simply trying to check a box and do the bare minimum.
Can count the number of user account compromises/infections on one hand for the clients that had awareness training run correctly... vs the dozens from those that didn't.
On the side of the companies suffering compromises even with training were due to partner organizations suffering a breach and being used to pivot into them and use established, trusted communications channels (sent email... looks suspicious, but from regular contact... user msgs other person on teams to confirm if it's legit... 2nd user (compromised)... "yeah, it's a report i needed you to take a look as soon as possible"....
let's just say phone calls became the standard for confirming validity of suspicious links/emails after that one... (mind you, they were already told to do so, but ignored the recommendation)
training helps... it's not a cure all... and when done correctly, it does work.
Don't blame the tool for shit results... blame the person using it.
No jokes? (Score:1)
Come on, Slashdot. This story has YUGE potential for stupid jokes.
Works if consistent (Score:4, Interesting)
My best mate told me a while ago about IT sending out emails about warning against checking link names to sites and later sending out test emails with a trap link to test employees.
And then HR sent out surveys via email with links to an unannounced third party site.
Of course, the flak was not directed to HR but the people who didn't take the survey because they adhered to IT security advice.
One more example why I was glad they kicked me out of the company IT years ago. I have no more tolerance of stupidity.
Phishing tests are NOT effective, because of EMAIL. (Score:2)
Companies should use allowlists for their servers. (Score:1)
If you send a company an email and your email isn't recognized, then you should get an email back saying you need to request the ability to send them email. The default model of accepting any message from anyone doesn't work in a modern world.
And eventually, you'd probably get some companies that built and maintained huge allowlists/inclusionlists that your company could subscribe to, just as there are companies that build and maintain databases of every tax for every city, county, state, and federal transactio
Re: (Score:2)
Re: (Score:1)
Can't help with Hacking. That's a different problem.
For spoofed email...
The company should likewise check all other embedded email addresses and websites against the inclusion list. The company could either cripple non-conforming addresses or bounce the email with a message that the sender must validate those email addresses through the standard process.
(eg:
Check the Email Header: View the "Return-Path" and "Received" fields to see the real sender.
... Verify Links Before Clicking: Hover over links
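The checks this comment and the earlier attorney's checklist describe (sender not on the known list, Return-Path not matching From, links to unrecognised sites, urgency language) can be run by a mail filter rather than by each recipient. The following is an added example, not code from any poster; the allowlist contents and both sample messages are constructed for illustration.

```python
"""Score an inbound message against the phishing checklist discussed above.

Added example. Assumptions: an organization would populate the two allowlists
from its directory and vendor list; the sample messages below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlists (assumption: maintained by the mail team).
KNOWN_SENDER_DOMAINS = {"example.com"}
KNOWN_LINK_DOMAINS = {"example.com", "intranet.example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
URGENCY_RE = re.compile(
    r"\b(within \d+ (hours?|days?)|immediately|account will be (deleted|suspended))\b",
    re.IGNORECASE,
)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def link_domains(text: str) -> set[str]:
    """Collect the hostnames of every http(s) URL in the text."""
    return {urlparse(u).hostname or "" for u in URL_RE.findall(text)}


def check_message(raw: str) -> list[str]:
    """Return one finding per checklist item the message trips; [] means clean."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    if from_dom not in KNOWN_SENDER_DOMAINS:
        findings.append(f"sender domain not on allowlist: {from_dom}")

    # Return-Path is set by the sending MTA and is what the thread's comment
    # says to compare against the displayed From address.
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if rp_addr and domain_of(rp_addr) != from_dom:
        findings.append(
            f"Return-Path domain {domain_of(rp_addr)} differs from From domain {from_dom}"
        )

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for dom in sorted(link_domains(text)):
        if dom not in KNOWN_LINK_DOMAINS:
            findings.append(f"link to unknown site: {dom}")

    if URGENCY_RE.search(msg.get("Subject", "")) or URGENCY_RE.search(text):
        findings.append("urgency or threat language")
    return findings


# Constructed sample: the "legitimate but looks like a phish" training mail.
SAMPLE_TRAINING = """\
From: IT Training <training@vendor-training.example.net>
Return-Path: <bounce@mailer.example.org>
Subject: Mandatory training - complete within 3 days
Content-Type: text/plain; charset=utf-8

Your required training must be completed within 3 days.
Log in at https://training-portal.example.net/login with your corporate credentials.
"""

# Constructed sample: an internal notice that passes every check.
SAMPLE_CLEAN = """\
From: IT Helpdesk <it@example.com>
Return-Path: <it@example.com>
Subject: Printer maintenance on Friday
Content-Type: text/plain; charset=utf-8

The 3rd floor printer will be offline Friday morning.
Details: https://intranet.example.com/notices/printer
"""

if __name__ == "__main__":
    for name, raw in (("training", SAMPLE_TRAINING), ("clean", SAMPLE_CLEAN)):
        print(name, check_message(raw))
```

A message that trips several items is exactly the case the attorney's story describes: the filter would flag the vendor training mail for review while letting the in-domain notice through.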
For example ... (Score:3)
Subject: A fork in the road
(Here sucker - I mean - fishy ...)
Only works on the scam illiterate (Score:2)
The training is ineffective on those who could spot a phishing message, and not those who keep falling for scams. Likewise, the ones vulnerable to phishing would still be vulnerable to other forms of scams, such as being asked by a customer to change the shipping address of something already in transit (then doing a chargeback).
What the training does - require skilled users to constantly monitor e-mail for things that they wouldn't normally receive. If the training is poorly designed, then it trips various
Re: (Score:3)
Of course they are a threat. They have never had any security clearance done on them (thus the one who resigned when the media reported on his eugenics postings) and who knows what they're screwing up to justify their existence.
For all the talk of "exposing" things, it sure is interesting how much effort President Musk is putting into hiding what his people are doing.
"Termination possible after three failures" (Score:2)
The longer you are employed at a company, the closer the odds of opening an email and accidentally clicking the link approach 1. So this appears to be a creative way to force people to retire!
It really ought to be a moving window, like 3 failures within 1 year, or per 1,000 e-mails.
Like real Ebola (Score:2)
" a test email about a fake Ebola outbreak sent staff scrambling before learning it was a security drill."
Like real Ebola, people felt a strange desire to go to an airport and book a middle seat. :-)
A philosopher would call this a "category error" (Score:4, Informative)
The company is testing humans for their ability to do something they are inherently bad at.
Filtering programs, such as the one at spamcop.net, do it well:
- I haven't had a false positive for about three years.
- I get a false negative about once a month.
Whenever I get an email at a customer's, I run it through the spamcop filter. That reliably identifies the phishing-test emails.
I prefer to report those on the equivalent of the IT slack channel, so others aren't caught out by them (;-))
Why not phishing resistant MFA? (Score:1)
We've had security keys for over a decade. I'm sure there are other phishing resistant MFA solutions as well. Why 100% rely on humans to detect phishing instead of implementing technical safeguards?
Hard to distinguish spam from our own marketing (Score:1)
I work in a small finance / fintech company. We offer investment services and small loans.
I get to see both spam and scams reported by the users, and our own outbound communications - marketing and debt collection. The line between those two is _very_ thin. Of course we are not scamming anyone or trying to phish out passwords. But our own messages are "your account is overdue and needs attention", "campaign - opportunity to invest at good rates", "click here to join with the campaign".
I have trouble myself
Fixing the wrong thing (Score:1)
What emails? (Score:2)
The first time I got one I checked the source and found a header indicating it was simulated phishing. A quick rule later and now they all end up in junk automatically.
otoh maybe people like us aren't the target for these things :D
Re: (Score:2)
What bothers me more is every email that's not from our domain has a big banner at the top warning us of this. It renders summaries in the email list useless. This is especially annoying given our team runs our own GitHub Enterprise instance on a different domain, so all the notification emails are borked.
Beat IT at their own game (Score:1)
My employer uses an external cybersecurity consulting firm to send out phishing simulations. I figured out what custom headers they were using to get them through our spam filters, and then set up an Outlook rule to automatically report and then delete.
Re: Beat IT at their own game (Score:2)
see further, Stanford Prison Experiment (Score:2)
Security is based on trust. A trust that goes both ways. Instilling fear doesn't build trust. Tests like these, and I am using that term lightly, will likely make users fearful and quite possibly result in making those who identify low ball phishing test drills smug.
The single most important component in security is communication. Particularly with mistakes. This is central to training required to be certi