Transcript

Panel 1: [Coworker in a red tie with dark hair leans into the cubicle of IT, who is busy at a computer; a key card or ID hangs around his neck]

Coworker: I clicked an email link and it says I need training?

Panel 2: [IT stops working and looks irritated]

IT: Ah yes. The Training.

Panel 3: [IT sprays the coworker with a spray bottle]

FSHSSSH

FSHSSSH

FSHSSSH

IT: BAD! THAT WAS BAD!

Panel 4: [IT continues spraying the coworker, who is now crouching down with hands raised defensively as the water is sprayed in his face. IT has a look of glee on his face as another coworker walks by with a look of concern on her face, papers in hand.]

FSHSSSH

FSHSSSH

FSHSSSH

FSHSSSH

FSHSSSH

Coworker: HISSS!

Alt Text

The next training module unlocks after three hisses


Source

  • MrShankles@reddthat.com · 4 upvotes · 3 days ago (edited)
    • Message Details
    • xxxx.ThreatSim. org (or something similar)
    • Report Phishing
    • Thank you for detecting this phish sim and keeping us safe

    A decade with 100% accuracy, and I still haven’t gotten a prize. Worst game ever

  • valtia@lemmy.world · 4 upvotes · 3 days ago

    I failed an internal phishing test one time, the first time I’ve been on the receiving end of the tests instead of the one making it up and sending it out.

    Anyway, I was still new at the company, so I wasn’t sure of all the usual domains and processes they have. During an all-hands meeting, the CEO mentioned that we would be receiving our bonuses soon and to make sure to adjust your settings if you want to avoid it all going into your 401k or something. A week later, I got an email saying that I needed to adjust my payroll settings for the upcoming bonus. Turns out, it was a phishing test. Joke’s on me, the real email to adjust those settings came 4 months later.

    • FuglyDuck@lemmy.world · 43 upvotes · 5 days ago

      They do that here routinely. The last time they sent it using the email account that is basically the one email that you do not ignore because they use it for urgent “please push the patch asap” type emails.

      If that email is compromised, they’ve got bigger issues.

      • kibblebits@quokk.au · 22 upvotes · 5 days ago

        They bought a domain name similar to ours and sent out emails with links to the domain and a clone login page. Pretty sneaky.

        • Otter@lemmy.ca (M) · 10 upvotes · 5 days ago

          At a previous job, they used to send them fairly often, using various tricks to keep people on their toes. I found it fun.

          • Nighed@feddit.uk · 6 upvotes · 5 days ago

            All of ours have “phishing” in the URLs or in the email headers. If only real phishers were so nice!

      • Otter@lemmy.ca (M) · 8 upvotes · 5 days ago

        What would that be testing, whether the users are psychic? If the email sender is legitimate, then what else would users need to do?

        • FuglyDuck@lemmy.world · 7 upvotes · 5 days ago

          My team actually does pretty well with the cyber security checks. The people running them have to meet a certain amount of metrics, so they figured “hey, if we send it from this one email, everyone is going to trust us!” … because that’s what they’re supposed to do… Which makes it a terrible thing to do, because now they’re always going to be asking if this new email is another test.

          (Bruh. if you want us to go to training, just ask.)

          • Buddahriffic@lemmy.world · 3 upvotes · 4 days ago

            I wish they’d take the test ones one step further and actually try to phish some information. I failed one of those tests but realized it right after clicking the link, but it didn’t matter because they assume that clicking the link means you’re going to provide everything else they are looking for.

            Not sure what kind of links your regular urgent emails usually have, but if you’re regularly clicking strange links as part of your job, they should really take it to the next step and see if you were going to provide credentials or something before failing the test because otherwise it just means people are afraid to do their jobs because it might be another test.

      • surewhynotlem@lemmy.world · 2 upvotes · 5 days ago

        “If that email is compromised they got bigger issues.”

        Sending an email doesn’t have authentication. I can send an email as literally anyone. It’s a very trusting protocol.

        Now, if your company is particularly good they might have set up protections from this. But it’s not required, and not super common.

        • FuglyDuck@lemmy.world · 1 upvote · 4 days ago

          An email service can check every email and catch the vast majority of spoofed headers pretty easily.

          You’re right, it’s possible that the email is spoofed and passed the header checks, or that the email is already compromised, or something.

          That said, using one’s own legitimate email in a phishing test. They said the same stuff. So we spent about a month calling them for every email they sent (including the “you need to sign up for training”).

          It creates more problems than it’s worth, and they caught the point pretty quickly.

          • surewhynotlem@lemmy.world · 1 upvote · 4 days ago

            “spent about a month calling them for every email”

            Hah! I did the same with every spam email that got through the filter.

    • HeartyOfGlass@piefed.social · 7 upvotes · 5 days ago

      My former workplace stopped publishing the stats on which department had the most failures when the first round showed more than half of the executives clicked the scam link in their email.

    • LittleBorat3@lemmy.world · 3 upvotes · 5 days ago

      There’s so much bullshit that I just erase quicker than my shadow. When that thing on the bottom left pops up, there’s a trashcan on the notification.

      I erase anything that is not addressed to me directly in that split second.

  • Yondoza@sh.itjust.works · 19 upvotes · 5 days ago (edited)

    I work at a large, well-established company. I get so many legitimate emails from outside our domain that I am required to click on. Performance reviews, company surveys, corporate training…

    Then they wonder why people click phishing links. Bugs the crap out of me. I’m not going to remember the exact domain of the survey company we use, what are you, crazy?

    • thebestaquaman@lemmy.world · 8 upvotes · 5 days ago (edited)

      “I’m not going to remember the exact domain of the survey company we use, what are you crazy?”

      I agree, and have decided to err on the side of caution, and also put the irritation over on higher-ups. If I get some link I’m required to click that I’m not actively expecting from an unrecognised address, I just trash the email. A couple of times, I’ve gotten follow-up from a superior asking me why I haven’t responded to <survey>, and I just tell them I haven’t seen it and that it probably got caught in my spam filter. They send me the link in question, and I respond.

      I quite quickly realised that most of those surveys they need “everyone” to respond to will just slide quietly by when I do this, so I don’t need to spend time on them. My reasoning is that if it’s actually important, I’ll get it through a reliable channel, and so far that’s worked.

      To be fair, I also dump anything that comes from some variant of “noreply” to junk. I figure that if I can’t reply, and I’m not actively expecting the email enough that I check my junk folder, it isn’t important.

    • Nighed@feddit.uk · 4 upvotes · 5 days ago

      We use Mimecast, so all links in emails are replaced with links through Mimecast for them to check.

      That means you can’t see the original link easily, though… So it makes it harder to check if they are iffy.

    • MonkderVierte@lemmy.zip · 2 upvotes · 5 days ago (edited)

      Look at the URL before you click. Enforcing plain-text mails makes it easier.
      Spam/phishing also usually neglects the plain-text part when copying company mails. Yeah, a lot of shitstain companies do too, but spam still looks different in plain text.

  • Ariselas@piefed.ca · 9 upvotes · 5 days ago

    Joke’s on you, I click on that link to waste a 1/2 hour of paid time “training”.

      • Ariselas@piefed.ca · 10 upvotes · 5 days ago

        Maybe, but I work at a university. With all of the faculty refusing to use the institution’s hardware and bringing their own, students with God knows what, and some of our infrastructure still running Windows 95 because they won’t buy new software, I’m pretty sure the whole place is unfixable. Half of our IT rage quits every few months.

      • MinnesotaGoddam@lemmy.world · 1 upvote · 4 days ago

        Some of us like the ol’ spray bottle and newspaper, though; it has nothing to do with being a risk. I mean, there’s so much shit management out there, they’d never invest the time to learn how to communicate properly with their employees. Have you ever heard of any company anywhere doing that? I haven’t.

  • Folstar@lemmus.org · 7 upvotes · 4 days ago

    IT the next day: “We spent an absurd amount of money on a new 3rd-party service without telling anyone, and for some reason nobody is opening the emails that company sent to our employees. Are they stupid or something?”

    • bingrazer@lemmy.world · 2 upvotes · 3 days ago

      We had a mandatory training earlier this year (the typical “don’t harass your coworkers” stuff), but the account they sent the link from was a 32-character string of random letters and numbers followed by a domain I didn’t recognize. I reported it as phishing since none of the links led to the company’s domain. I got in trouble about a month later because the deadline had passed and I hadn’t taken the training.