We found out that 10% of our users entered their password.
I’m not in cyber security. My role requires me to interact with a lot of people, work on a bunch of different SharePoint links, and on top of that corporate sends a shit pile of email links to training, Peakon surveys, and stuff like that. When I started my new job (3 years ago now), I had a pile of training to do as well as my usual work.
I would be fully focused, keyboard clacking loudly, and ding! Email. Grumble, who the fuck is this now? Oh, some stupid training link… wham. Phishing training. Fell for it 3 times.
At my work, the bogus phishing attacks are overly believable. They’ll even come from a known in-house email account.
I’ve been dinged twice while otherwise occupied. I’ve stopped checking my email altogether. Play stupid games, win stupid prizes. I am being paid to do a job.
The whole Microsoft 365 system seems to be quite vulnerable to phishing. Sometimes SSO works, sometimes you need a password, maybe 2FA, maybe not. Many Microsoft notification emails come from external sources (with a big banner: “this email comes from an external sender, be cautious”).
This makes it hard for our brains to spot the small differences that make a phishing campaign successful.
The solution is to suspect every external message and send them all to the phishing mailbox. Tell your boss that you are following the phishing training that you did first.
They will have to get their shit together and send important messages from internal mail addresses. That’s just laziness.
If employers don’t want employees to get phished, a good first step is to not overwork them…
They blast us with the dumbest most obvious phishing simulations. Then send out legitimate “register for this new app” email, which large numbers of people report and the director gets pissed, despite the fact it meets the bulk of the “signs of a phishing email”. Then a month later we get hit by a phishing attack that automated software blocked.
So long as it’s a 50/50 between your boss being mad or the company losing money, employees are going to open the email.
password123
Oh wait, that wasn’t the question?
I’m 100% so far at my job, but we had one test that tricked somewhere around 30% of employees. They spoofed everyone’s supervisor and made it look like an urgent Teams message was pending.
Usually, if you get phished you lose your bonus. They made an exception that one time.
You lose your bonus? What basement-dwelling neanderthal executive came up with that hogwash?
I dunno… If you’re in a position to get a bonus, you should be smart enough to not click on random links and enter your work password.
I am extremely pro-worker, but I would be fuckin’ pissed if an employee so easily gave a potential hacker access to our systems, and that’s what the test is for.
To be fair, my job involves very sensitive medical data. We’ve seen entire businesses shut down because of data breaches.
Phishing simulations should be about educating employees, not punishing them. Train them on what they missed, and if training material is available, check where it might be lacking. Nobody learns from having their bonus taken away. It also only serves to stimulate a culture where people prefer not reporting possible security issues they might have caused, in order to avoid further pay cuts.
I can only imagine how frustrating it would be to get a financial punishment for clicking on links.