88 points

I will think about this every time we have a meeting to discuss the stupid “shame and train” faux phishing attacks they run on us at work.

Pro-Tip: If you set up the right kind of filtering you’ll never see those stupid things. (Fight club rules).

10 points

Alternatively, over-report. Spelling mistake on an email from a colleague? Seems phishy to me. Email from a colleague with an attachment? Phishy! Unsolicited email from a client? Phishy! Email from ‘social committee’ sent to everyone in the team? Phishy!!!

3 points

I have done some minor malicious compliance / prankster sabotage sort of like that in the past. I got called on the carpet. It was fun, though!

4 points

Received an email about phishing? Oh, you better believe that’s phishy!

6 points

Please don’t.

I have to initiate those, or it looks bad for compliance. We sell software, and we get SOC 2 attestations yearly. If we start getting points marked off for very general security and compliance measures, customers will question our products and not renew or not purchase in the first place, because if we can’t even secure our own employees and promote awareness, what does that say about our product?

Sincerely, the guy everyone hates and makes your work life harder.

3 points

Maybe don’t gaslight people and they wouldn’t respond by assuming everything is more gaslighting.

1 point

I’m never going to have to reply to an email again.

1 point

Our company has started doing that. How do I filter them out?

2 points

It varies depending on your email client and the fake phishing service / implementation. (Sorry, I hate non-specific answers like this, too). For me, all I had to do was add an Outlook rule that looks for a certain keyword in the email header. The keyword is a weird/unique string that’s only associated with the fake phishing company. If that word is anywhere in the email header, my rule chucks it into a folder where I just ignore it. Your client should let you view the header / raw email and you can look for a pattern that way.

It’s a pretty safe rule as far as email rules go. The only risk I can think of is that it could lull me into complacency, but working for the man does that, anyway. I’ve been getting away with it for over a year, and it’s nice not seeing the dumbass fake phishing things. Note that we are not mandated to report them, but we get assigned extra training if we click on any links in them. Your employer may have different rules.

10 points

Except too many companies take that extra step of being annoying:

  • you get a write-up if you fall for the phishing
  • you get a write-up if you don’t fall for it but also fail to report it
  • you get a write-up if you don’t fall for it and do report it but don’t use the correct report form
7 points

You also fail if you use the right form but don’t staple a cover sheet for the TPS form follow-up.

2 points

Yeah, my company sets a goal for how many you need to report every year; if you don’t, you need to take mandatory training (same if you fail and click on a link).

9 points

We’re supposed to forward the spear phishing emails to IT, but I always just report as spam and go about my day. I was only nervous the first couple of times I ignored an obvious internal phishing test, but apparently they don’t care if we don’t fall for it.

2 points

Mine was like that too so I just deleted them and moved on. I sat right next to the security team and would thus know when they were going out, so they gave no shits as long as you didn’t fall for it.

It also helped that my team was the only one in the company that didn’t really get email. Everyone else got hundreds a day (no joke, they used way too many mail lists) and we got maybe 5-10, all internal or auto-generated, so everything was super obvious, and IT was well aware of this.

2 points

Where I work, they haven’t taken it that far yet. But I would not be surprised if they go to that in the future. The email rules / filters can still help with it.

56 points

The one they use at my work is extra silly, as it adds an extra email header saying it’s coming from a phishing campaign.

5 points

That’s really funny. It’s like you work for Dunder-Mifflin.

3 points

Lots of us do lol

4 points

Lmao, the other day I had to whitelist some domains used for phishing training emails in the anti-phishing software we use just so they wouldn’t get nuked, then I had to whitelist them in another piece of anti-phishing software so they wouldn’t have a huge red header injected at the top of the email body warning the user it was phishing.

53 points

Ours do that too. It’s so obvious that I’m not sure if they think we’re all stupid, except then I remember that some of my coworkers actually are stupid, so it’s probably aimed at them.

24 points

I’ve worked with a dude for years who I would consider smart both technically and non-technically. One time we got an email at work with an attachment that was something like “microsoft_update.exe.txt”. The email said “due to a technical limitation on the email system, this file needs to be renamed to drop the .txt and executed to apply a critical to your computer.”

It was, in my mind, such an obvious phishing attempt that I laughed out loud and said “who the fuck would ever fall for this?” Then my coworker popped his head over the cube wall and said “WAIT WHAT? We weren’t supposed to run that?!”

Fortunately, the security team sat nearby and heard the whole thing and rushed over to quarantine his PC.

59 points

except then I remember that some of my coworkers actually are stupid, so it’s probably aimed at them.

I work in IT and have done these campaigns; if you’re on Lemmy, you’re probably not the target audience lmao

3 points

Haha, same for me: the header contains the word “gophish”, so it’s easy to filter.

2 points

Damn. I’ve scripted out the entire process of verifying an owned domain in a hosted mail provider’s system, deploying the EC2 infrastructure, and installing and configuring gophish for a campaign, along with tearing everything down.

That header thing gophish adds is a default option that you can override by just setting that header to an empty string. Whoever runs campaigns for your employer either wants to make it easy for you to pass or doesn’t care about their job at all.

I’ve done it in the context of red team/adversary emulation campaigns before though, so the opsec needed to be a bit tighter than the mandatory phishing awareness stuff, I guess.

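The two comments above (the header-keyword Outlook rule, and the note that gophish's telltale header is a default the campaign operator can override) both come down to one check: does any header field name or value contain the marker. The script below is an added example, not code from the thread or from the gophish project; it parses a raw RFC 5322 message with Python's standard `email` module and reports every header that carries a marker, which is what a client rule or a mail-gateway filter keys on and why a profile that leaves the default in place is trivially identifiable. The header name and value `X-Mailer: gophish` in the sample are an assumption (the comments only say the header contains the word “gophish”), and the sample messages are constructed.

```python
"""Header-marker scan for a raw RFC 5322 message (added example, not from the thread)."""
from email import message_from_string
from email import policy

MARKER = "gophish"  # the word the comments say appears somewhere in the headers


def find_header_markers(raw_message: str, marker: str = MARKER) -> list[tuple[str, str]]:
    """Return (name, value) pairs of header fields whose name or value contains marker.

    Both the field name and its value are checked, case-insensitively, because a
    telltale can sit in either place (an X-* field named after the tool, or the
    value of a generic field such as X-Mailer or User-Agent).
    """
    msg = message_from_string(raw_message, policy=policy.default)
    needle = marker.lower()
    hits = []
    for name, value in msg.items():
        value = str(value)  # header objects under policy.default; normalise to str
        if needle in name.lower() or needle in value.lower():
            hits.append((name, value))
    return hits


def classify(raw_message: str, marker: str = MARKER) -> str:
    """Label a message the way a simple 'header contains' client rule would."""
    return "simulation-marker" if find_header_markers(raw_message, marker) else "no-marker"


# Constructed sample message. 'X-Mailer: gophish' is an assumed marker header,
# standing in for whatever default the tool adds; it is not taken from the thread.
TAGGED = (
    "From: it-helpdesk@example.test\r\n"
    "To: user@example.test\r\n"
    "Subject: Password expiry notice\r\n"
    "X-Mailer: gophish\r\n"
    "Message-ID: <abc123@example.test>\r\n"
    "\r\n"
    "Please sign in to keep your account active.\r\n"
)

# Operator removed the field entirely, or overrode it with an empty value
# (the second is what the comment above describes); neither carries the marker.
STRIPPED = TAGGED.replace("X-Mailer: gophish\r\n", "")
OVERRIDDEN = TAGGED.replace("X-Mailer: gophish", "X-Mailer:")

if __name__ == "__main__":
    print(find_header_markers(TAGGED))  # [('X-Mailer', 'gophish')]
    print(classify(STRIPPED), classify(OVERRIDDEN))  # no-marker no-marker
```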
8 points

My company is using some tool to generate those kinds of false scam emails every few weeks, so I created a rule in Outlook that, if the header contains the word “gophish”, puts a label “lol phishing” on it, so I know to just delete them…

2 points

shhhhhhh.

Good for you, though.

7 points

I worked at a place that actually tracked whether you reported the fake phishing emails or not…

2 points

The right email rule can make that easier, too. Hee hee

13 points

The Microsoft 365 admins at my workplace were doing something like this. It’s got some sort of built-in phishing simulation functionality (I think it’s this: https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-simulations). The idea is that the recipient clicks a button in Outlook to report it as suspicious, and gets a “congrats, you did the right thing” notice.

However, it seems like IT security were unaware of the test, because they started blocking the emails and blackholed the domain the emails linked to (meaning it doesn’t resolve on our network any more). They also reported the domain as phishing to some safe browsing vendor we use, which propagated into the blocklist Chrome uses. It was a shared domain Microsoft use for this training (it was one of the domains on this list: https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-get-started?view=o365-worldwide) so Microsoft probably had to deal with un-blocking it…

5 points

Ugh. I got one of them recently and clicking on it and hitting report as spam apparently registers as me having interacted with the email so I have to do the security course again.

3 points

It’s glitchy AF. There’s a known bug where it can report you if you simply preview the email, too. In some environments, anyway.

5 points

Plenty of companies will assign you extra training because you aren’t reporting.

2 points

The usual “dance, monkey, dance” from corporate.

5 points

The Internet: fuck these companies for leaking my data.

Also the Internet: fuck taking these classes on security and forcing me to reread policies and SOPs.

Fucked if you do, fucked if you didn’t.
