the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work!
-
the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)
@0xabad1dea there was practically a riot at a previous employer because they announced that for business performance reasons there would be no Christmas bonuses, then a couple of days later sent out a business wide email "as a thank you for all your hard work this year we're giving you a Christmas present, click here to receive it". The Christmas present turned out to be mandatory phishing awareness training for anyone who clicked the link.
-
@0xabad1dea This heavily overlaps with a wider societal problem of legitimate customer service communication being largely indistinguishable from scams to most people - intentional confusion and constant change, huge amounts of information disclosure required to do anything without always knowing why (and hesitation can be penalized), and so on. Pretty much entirely by design, in an attempt to minimize anyone's desire to ever contact companies directly.
@lupinia @0xabad1dea And encouraging people to write their emails with an LLM to "sound professional" means that they end up reading like the emails that scammers write with an LLM to "sound professional".
-
@0xabad1dea there was practically a riot at a previous employer because they announced that for business performance reasons there would be no Christmas bonuses, then a couple of days later sent out a business wide email "as a thank you for all your hard work this year we're giving you a Christmas present, click here to receive it". The Christmas present turned out to be mandatory phishing awareness training for anyone who clicked the link.
@pmb00cs
I'm angry just reading this.
@0xabad1dea -
@0xabad1dea I got a similar email... from IT. It was basically, "Congratulations! You've been selected as a trial user for our new authentication system. Please click here to go to a dodgy URL and fill in all your existing credentials." With no contact listed. And no information about it on the intranet.
It took some digging before I found someone in IT support that could verify that it wasn't a phish.
@guigsy @0xabad1dea Even worse when it originates from a department that should know better.
-
@pmb00cs
I'm angry just reading this.
@0xabad1dea@xinit @0xabad1dea it did, eventually, illicit an apology from senior leadership for the "poor timing" of it all.
-
@0xabad1dea then there's ones from banks, government things, big brands etc.
@jwdt @0xabad1dea tertiary health care providers that you’ve never heard of but apparently the anesthesiologist doesn’t work for the hospital not bill through the hospital and in this modern day decides to email and text you to demand payment
-
phishing training really doesn’t spend enough time on “how to structure your mass corporate communications in such a way that your employees won’t conclude that you communicate exactly like scammers and still expect a reply so they’d better assume scammy emails are legitimate”
@0xabad1dea I've tried to get them to compile statistics on internal comms that were reported as Phishing so we could try hunt down the perps. Potentially creating a wall-of-shame for them.
Big nope (zero surprise).
-
@pmb00cs
I'm angry just reading this.
@0xabad1dea@xinit @0xabad1dea funnily enough it wasn't as bad as when they decided to save money by switching from Yorkshire Tea to Tetley Tea. That decision lasted about a month.
-
phishing training really doesn’t spend enough time on “how to structure your mass corporate communications in such a way that your employees won’t conclude that you communicate exactly like scammers and still expect a reply so they’d better assume scammy emails are legitimate”
@0xabad1dea During the summer before I started college, I got an email from (what appeared to be) a separate health care provider telling me to click the link and enter my social security number to register myself in their system. This was from an external email address, and I received no notice about it from the college, but after looking around it was actually legitimate.
-
the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)
@0xabad1dea is your CEO a deposed Nigerian prime minister or something?
-
@guigsy @0xabad1dea Even worse when it originates from a department that should know better.
@TomDB @0xabad1dea yeah. I checked colleagues and nobody else had received the message. It looked very phishy. It said "you must do this within 7 days"... so I ignored it. Only to receive an identical message, giving me another 7 days. After a few weeks, I was motivated enough to stop the spam and make the effort to find out if it was legit. Extremely poor infosec practices from my IT department.
-
@0xabad1dea This heavily overlaps with a wider societal problem of legitimate customer service communication being largely indistinguishable from scams to most people - intentional confusion and constant change, huge amounts of information disclosure required to do anything without always knowing why (and hesitation can be penalized), and so on. Pretty much entirely by design, in an attempt to minimize anyone's desire to ever contact companies directly.
@lupinia @0xabad1dea When so much “legal, legitimate” business is basically a scam, how can anyone tell?
-
@0xabad1dea there was practically a riot at a previous employer because they announced that for business performance reasons there would be no Christmas bonuses, then a couple of days later sent out a business wide email "as a thank you for all your hard work this year we're giving you a Christmas present, click here to receive it". The Christmas present turned out to be mandatory phishing awareness training for anyone who clicked the link.
@pmb00cs @0xabad1dea Love your IT department for that little "fuck u" Mr CEO email
-
@s0 @0xabad1dea I had the same experience multiple years in a row.
Vague "click now to get started with your experience" button in an external email that wasn't white listed. Turned out to be cyber security training. -
the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)
@0xabad1dea I mean, it must be a test, right? A free gift, from corpo? C'mon.
-
the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)
@0xabad1dea This pisses me off so much!
Not (for me) internal corporate, but marketing depts. Notably Barclays sending “Dear customer click here for your wonderful offer” emails. -
@0xabad1dea I mean, it must be a test, right? A free gift, from corpo? C'mon.
@Tom_ofB I'm pretty sure it's just corporate logo swag distribution being framed as "a thank-you gift"
-
@Tom_ofB I'm pretty sure it's just corporate logo swag distribution being framed as "a thank-you gift"
@0xabad1dea ohhh, I get it. "the gift is free" is just lossy transmission, the full meaning was
"the gift is you can be free advertising for the company". That's awesome, double plus good, really. -
@jwdt @0xabad1dea tertiary health care providers that you’ve never heard of but apparently the anesthesiologist doesn’t work for the hospital not bill through the hospital and in this modern day decides to email and text you to demand payment
@jwdt @0xabad1dea small business tax guy deciding to modernize and calling his secure file drop through some SaaS provider securefile and that being the subdomain on it. Phish alarms blaring, but we got the domain from him in conversation and he’s normal so it just doesn’t register to him that it sounds very bad.
-
@0xabad1dea Every few months, it seems, we get email at work from an address we've never seen before, along the lines of "log into the new HR portal at [dodgy external address]", signed "HR department". Nothing to connect it to this specific employer, no names, etc. Every time I report it as obvious phishing. Every time it turns out the great and powerful overlords have signed a new contract with an even dodgier provider.
i send valid links to colleagues throguh https://shadify.link/
