Alt text: Michael Scott Handshake meme. Managers text: “My company Congratulating me on avoiding a phishing test email”. Michael Scott text: “Me, terminally behind on answering email.”

38 points

“Let’s also make our users follow really complex password requirements but have our password creation/change page be different from the actual login screen so they have a really hard time using a password manager”-dumbass IT department

permalink
report
reply
17 points

Change your password every 30 days, and never reuse one, and don’t use a password manager, and don’t write it down anywhere, and…

permalink
report
parent
reply
20 points

The “Forgot password?” link is my new login process.

permalink
report
parent
reply
13 points

15 character minimum passwords that expire every 90 days and require MFA to remote in from home with 3 separate login sessions just to get to your PC, along with stripped down rights for everyone, even IS. The rights are so strict that if you wanted to, for instance, update a trusted application like Notepad++ because a recent exploit was found which would be a security concern, you can’t use the auto-update feature of the application; you have to download it manually from their repository, and run it using a special admin account created for you that doesn’t have an associated email address but also has a 90 day password requirement. But you wouldn’t been able to use their repository 6 months ago because we block any IP address outside the US and their previous service was located in UK, so if you wanted to keep that piece of software up-to-date with security and vulnerability patches (which they’ve harped on a number of times before) you’d have to find alternative download services located in the US regardless of how shady.

I wish I was joking.

permalink
report
parent
reply
6 points

My current employer actually just changed our password policy to greatly extend the password expiration date. We have cranked up the password requirements a tad, every login has 2FA and permissions are locked down to the size of a gnats asshole. Users seem to like it better since they don’t have to come up with a new password as often and we are telling ourselves it’s harder to brute force.

permalink
report
parent
reply
23 points

My company sent me a fishing test email from a “no-reply@companyname.com” email address. I sent it to our security department and asked if I would ever get legitimate emails from that address. They never responded except to say that I passed the phishing test, so I set up a filter to automatically forward emails from that to our security department with a message questioning its validity. Let’s security tell me if emails are legit or not.

permalink
report
reply
11 points

My normal method is I will hit the phishing attempt icon that IT Security added to our Outlook on anything that I did not request or sign up for.

I’m sure the IT Security person who saw all the “free gift card” emails had a great Christmas if they claimed all the gift cards emails they deem legit.

permalink
report
parent
reply
1 point
Deleted by creator
permalink
report
parent
reply
20 points

I created an inbox rule for these. The 3rd party phishing shame-and-train company my employer uses always has a certain domain in the email header (even though they always change the ‘from’ address). Has worked perfectly for over 6 months. I’m generally not dumb enough to click on them anyway. But anyone can have a bad day and/or get into a rush and make a mistake. And my boss is a sadistic prick who delights in making workers feel dumb. Yet I’m 100% sure he exempts himself from the phishing shit tests.

permalink
report
reply
10 points

Knowbe4? That’s who we use and their stuff is pedestrian

permalink
report
parent
reply
3 points

The point isn’t to be so tricky to make it too hard for end users to catch it. It’s to train them to start looking at things such as senders domain and to report messages and avoid the link, etc.

permalink
report
parent
reply
2 points

Using this too. But you have to report them, can’t just filter and forget.

permalink
report
parent
reply
20 points

Where I work you only pass the test if you report it to IT, otherwise it’s 3 hours of training with the rest of the idiots.

permalink
report
reply
11 points

Does IT want useless reports? Because that’s how you get useless reports?

permalink
report
parent
reply
9 points

Yes. They do.

permalink
report
parent
reply
4 points
*

There are no “useless reports” when compared to the alternative

permalink
report
parent
reply
5 points

The IT people send out the phising mail themselves as part of a test. It isn’t an actual phising mail, just something made to look and act like one. In the end they have a report which people fell for it, which ignored it (or were ooo) and which reported it.

Reporting is done via the report phising feature in Outlook. For consumers it’s sent to Microsoft, but for businesses you can configure those reports to do what you want. It’s actually a really good feature and people should always use it.

permalink
report
parent
reply
3 points

Does your IT team tell you that they’re performing the test and to report, or is reporting phishing always constantly recommended. I’ve managed a small org ( <100 ) email server and we tried to have people report suspicious emails and it was so much noise and wasted so much time. Of course the CEO isn’t requesting you buy gift cards, what am I going to do about it. I’d say the money would be better spent on a better system rather than hope one human forwards it to another human.

permalink
report
parent
reply
1 point

No, it’s better to get some useless reports than to get no reports at all because “somebody will surely report this”.

Also people stay alert when punishment is an option.

permalink
report
parent
reply
1 point

It’s actually a big problem: https://en.wikipedia.org/wiki/Alarm_fatigue more alerts is not always better.

permalink
report
parent
reply
-3 points

This is how they justify their jobs.

permalink
report
parent
reply
9 points

No. Technically illiterate users, that’s how we justify our jobs.

permalink
report
parent
reply
2 points
Deleted by creator
permalink
report
parent
reply
1 point

Justify their jobs? Their job is to set shit up, then be around at all times to help already frustrated people to do something they just forgot how to do today for no reason. And then, to politely listen as the person makes excuses to preserve their ego

Security compliance? That’s handed down to them. If they had a hard on for cyber security, they could make 2-3x as much and no longer have to explain to people that they joined the wrong teams call

I make a point to get to know the service staff. Chat with the custodian. Go to IT when you don’t have a problem… Get to know them a little as a person. Then, when you have a problem, you don’t have to make a ticket and wait for them to get to you. You already know them, and they feel respected as a person - they might not drop everything, but they’re going to bend the rules and quietly tell you how to navigate the system to get what you need as painlessly as possible

They’ll also know if you’re an idiot or not already - they might know to trust you at your word, or they might know tech makes your eyes go glassy and hold your hand patiently… But either way, the respect makes them want to help you, and the preexisting relationship makes the whole experience less painful

It is a shit job… It’s the overlap between being in the service industry and a tech worker. Almost all of them couldn’t make it in a more specialized role that would pay far, far more, and if you walk in during downtime half of them will be practicing their programming hoping to get a better job

permalink
report
parent
reply
-1 points

I think you mean satisfy regulatory requirements.

permalink
report
parent
reply
5 points

Damn, that’s kinda harsh.

permalink
report
parent
reply
17 points

My company appends a ‘think before you click’ header to external emails which are noticeably absent from the phishing tests.

permalink
report
reply
5 points

Mine always have the ReplyTo field set to the email of the senior security analyst, so I always say hi and tell them that maybe the higher ups need some training on how to not send sketchy as fuck emails that train people to click on phishing links.

permalink
report
parent
reply

memes

!memes@lemmy.world

Create post

Community rules

1. Be civil

No trolling, bigotry or other insulting / annoying behaviour

2. No politics

This is non-politics community. For political memes please go to !politicalmemes@lemmy.world

3. No recent reposts

Check for reposts when posting a meme, you can only repost after 1 month

4. No bots

No bots without the express approval of the mods or the admins

5. No Spam/Ads

No advertisements or spam. This is an instance rule and the only way to live.

Sister communities

Community stats

  • 12K

    Monthly active users

  • 3.5K

    Posts

  • 109K

    Comments