A lot of hacking is actually social engineering. It’s not hard to get a tech-illiterate person to give up their password, and that’s the softest target for an attack.
Nowadays you’d probably be more likely to get a hit by putting an “Anime titties” label on the drive
I prefer a label that says, “Warning: USB stick contains scary virus. Do not plug into a computer”
the softest target
Management making notes
All employees must be buff.
Fitness training for everyone is now mandatory!
Problem solved.
Or even jaded tech savvy people. I work in IT and there have been a number of times that I have witnessed or heard about people who know better causing an incident because they’re burnt out or irate.
I am so sick of everyone asking me for my password with no spaces or capitals.
Hacker voice: “I’m in”
Looks at overly complicated industry software he’s never even heard of before
“I’m out”
Wait, I have an idea! Yes, just as I thought, I can overlay their proprietary operating system with this fancy looking graphical interface that resembles nothing and gain full control of their system. I’m back in!
I was thinking of the James Bond movies where they show hacking to be a guy wearing glasses looking for a glowing ball in a flashing GUI that he rotates around somehow by typing really fast.
We have these obligatory online seminars about web security/privacy at work.
Turns out that for some reason, with Privacy Badger enabled, they appear as “passed” instantly. I never saw a single second of these endless seminars.
I tried to tell the IT guy but he couldn’t care less and I suspect he didn’t even know what Privacy Badger actually is.
It’s like the only accurate part of Hackers.
We get fake phishing emails that are actually from IT and if we don’t recognize and report them, we get a talking-to. It’s a good way of keeping employees vigilant.
A friend (who actually works in IT) apparently has a good system at his company. It actually automates turning real phishing attempts into internal tests. It effectively replaces links etc and sends it onwards. If the user actually clicks through, their account is immediately locked. It requires them to contact IT to unlock it again, often accompanied by additional training.
Wait. So your friend’s company has the ability to reliably detect phishing attacks, but instead of just blocking them outright, it replaces the malicious phishing links with their own phishing links, sends those on to employees, and prevents them from doing their jobs if they fall for it?
Sounds like your friend’s company’s IT people are kind of dickheads.
I work at a company that does something similar; it can be annoying to deal with these fake phishing emails from our own IT, but a 10-15 minute training session if you fail is a lot less disruptive than what can happen if you clicked the real link instead.
I consider myself a bit more tech-savvy than average, but I’ve almost fallen for a couple of these fake phishing emails. It helps me to keep up with what the latest versions of these attacks look like (and keeps me on my toes too…)
It’s not every phishing email. I think it’s technically those that get through the initial filters, and get reported, but don’t quote me on that. Apparently it’s quite effective. They also don’t need to report every one. It’s only if they do something that could have compromised the company that causes a lock down. It’s designed to be disruptive and embarrassing, but only if they actively screw up.
My last company did this. They’d also send out surveys and training from addresses I didn’t recognize, so I’d report those, too, only to be told they were legit 😂
Yeah, this is a running joke at our workplace too. Only to be asked by some manager to do those a week or a few later.
I send supervisor emails about stuff I’m not gonna do to my spam folder as well…
“Did you get the email?”
“Nope, sorry, it looked a little suspicious so I didn’t open and sent it to spam…”
Basically you created an echo chamber at work where you can only hear what you want to hear.
We get those, but the sender email shows up as blahblah@employersname.kn0wbe4.compromisedblog.org or whatever. Literally the most obvious possible address. I’m always tempted to forward one to IT and ask if they’re serious with that shit.
Ours are the opposite: the sender’s email shows up as a normal name@company.com email. Gmail is supposed to warn when a return address is being spoofed like that, but I guess my company turned that warning off for these fake phishing emails. There’s still no SPF but I don’t check the SPF unless an email looks suspicious so I hope that that warning will work for real, sophisticated phishing.
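The check the comment above wishes it did by default, as an added example that is not from this thread and not Gmail’s own logic: it reads the From domain and the receiving server’s Authentication-Results header, flags mail that claims to be from the company domain without an SPF or DMARC pass, and separately flags lookalike domains of the kind quoted a few comments up. The domain company.com, the simplified header parsing and the three sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "company.com"  # assumed, standing in for the thread's "name@company.com"
# Verdict tokens the receiving MTA writes, e.g. "spf=pass", "dmarc=fail".
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts; the outermost (our own MTA's) header wins."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RESULT_RE.findall(str(header)):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts

def classify(raw_message, company_domain=COMPANY_DOMAIN):
    """Classify a raw RFC 5322 message by its From domain and auth verdicts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    results = auth_results(msg)
    if domain == company_domain:
        # Looks internal: trust it only if SPF or DMARC actually passed.
        if results.get("dmarc") == "pass" or results.get("spf") == "pass":
            return "internal-authenticated"
        return "internal-unauthenticated"
    # Coarse lookalike heuristic: the company's name buried inside a foreign domain.
    if company_domain.split(".")[0] in domain:
        return "lookalike-domain"
    return "external"

# Constructed sample messages (not real mail); the blank line ends the headers.
SPOOFED = """From: HR Team <name@company.com>
Authentication-Results: mx.company.com; spf=none smtp.mailfrom=company.com; dkim=none; dmarc=fail (p=none)

Click the link to keep your account active.
"""
LEGIT = """From: IT Helpdesk <helpdesk@company.com>
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=company.com; dkim=pass header.d=company.com; dmarc=pass

Mail will be unavailable Saturday 02:00-03:00.
"""
LOOKALIKE = """From: Survey <survey@company.kn0wbe4.compromisedblog.org>
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=compromisedblog.org; dkim=none; dmarc=none

Please fill in the survey.
"""
```

The lookalike sample passes SPF for its own domain, which is why an SPF check alone does not catch it and the From-domain comparison is needed as well.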
But if they’re recognized it means they aren’t doing a good enough job faking them.