the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work!
-
@jwdt @0xabad1dea tertiary health care providers that you’ve never heard of but apparently the anesthesiologist doesn’t work for the hospital not bill through the hospital and in this modern day decides to email and text you to demand payment
@jwdt @0xabad1dea small business tax guy deciding to modernize and calling his secure file drop through some SaaS provider securefile and that being the subdomain on it. Phish alarms blaring, but we got the domain from him in conversation and he’s normal so it just doesn’t register to him that it sounds very bad.
-
@0xabad1dea Every few months, it seems, we get email at work from an address we've never seen before, along the lines of "log into the new HR portal at [dodgy external address]", signed "HR department". Nothing to connect it to this specific employer, no names, etc. Every time I report it as obvious phishing. Every time it turns out the great and powerful overlords have signed a new contract with an even dodgier provider.
i send valid links to colleagues throguh https://shadify.link/
-
the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)
@0xabad1dea I thought infosec ppl had all forgotten how to riot, this is very hopeful
-
@0xabad1dea our phishing training started with an unannounced mail from the training site with a button saying "click here".
we were expected to click on it, to access the training.
@fishidwardrobe @0xabad1dea yes, mine too. I reported it and, because we do have a really good internal person that is responsible for this sort of thing, now we always get an email first saying on how you will get this dodgy-looking thing but it’s real.
-
@0xabad1dea our phishing training started with an unannounced mail from the training site with a button saying "click here".
we were expected to click on it, to access the training.
@fishidwardrobe that's actually a good idea lol
if you don't click on suspicious links, you probably don't need phishing training -
@0xabad1dea
Here I go on a tangent about CEO gifts.A couple years ago, a now EX-CEO proudly announced his amazing Christmas bonus for everyone.
"It will be more personal than cash!"
Yay, a disappointing box of borrel snacks, we thought.
Somehow, our team's expectations weren't low enough. Cheap corporate merch; a hoodie, a travel coffee mug, and an umbrella. They really GET ME.
So yeah, I'll bet that phishy present will be garbage anyhow.
@xinit @0xabad1dea A friend working at the occupational health and safety clinic, a vegetarian, mind you, got a basket of Italian delicacies, including prosciutto, every year.
-
the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)
@0xabad1dea One of my petty pleasures is marking all of the emails from our infosec contractor as phishing attempts. They start with things like "You have been assigned" and I'm like, I don't work for you, red flag, red flag! Also they have a history of "fake phishing" people in order to chide them, so they are literally known bad actors. Welp, that's gonna be my story when they finally track down my boss and complain that I've been ignoring them for 6 years.
-
@0xabad1dea One of my petty pleasures is marking all of the emails from our infosec contractor as phishing attempts. They start with things like "You have been assigned" and I'm like, I don't work for you, red flag, red flag! Also they have a history of "fake phishing" people in order to chide them, so they are literally known bad actors. Welp, that's gonna be my story when they finally track down my boss and complain that I've been ignoring them for 6 years.
@bremner I have in fact said to my coworkers "Emails from the corporate overlord aren't real until my manager asks why I haven't responded yet"
[to be clear, we were a small company that was acquired by a much bigger company in another country]
-
the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)
@0xabad1dea My bank did something like this, even asking me to log in to my account using the button in the email. Customer support didn't see the problem as they "could confirm" the email in my inbox was real. More or less wrote their head lawyer that I thought they were complicit in identity theft. Don't think I ever got a reply, but their policy changed after that.
-
the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)
@0xabad1dea remind me, when i changed my contract, the hr ask some administratives pieces which i give to her
Some time later, i receive an email at my personnal email adress from someone i do not know, asking the same pieces
In my head, it was phishing, but no, the hr Just not send the pieces to him (i learn that later) >< -
@fishidwardrobe that's actually a good idea lol
if you don't click on suspicious links, you probably don't need phishing training@mo @0xabad1dea true, but we were all told (eventually) that we had to click on the suspicious link, which is kind of the opposite
-
phishing training really doesn’t spend enough time on “how to structure your mass corporate communications in such a way that your employees won’t conclude that you communicate exactly like scammers and still expect a reply so they’d better assume scammy emails are legitimate”
@0xabad1dea I had two different employees get scammed out of $500 because they thought I emergency emailed them in the middle of a meeting that I needed $500 in gift cards from Walmart and to just send me the numbers off the cards in email-not sending to my actual email of course.
I was APPALLED any employee thought I would ask them for money. I mean, I would not even ask you for a quarter to get a bottle of water from a vending machine. I had to announce at a meeting I will never ask for $$ -
phishing training really doesn’t spend enough time on “how to structure your mass corporate communications in such a way that your employees won’t conclude that you communicate exactly like scammers and still expect a reply so they’d better assume scammy emails are legitimate”
@0xabad1dea when I started at my current employer, I discovered they’ve outsourced parts of their onboarding process to a third party. Many of the emails I got from the third party resembled phishing attempts, such that I marked several as phishing tests.
-
@0xabad1dea Microsoft put a big blue banner on all the broadcast-internal emails.
I was in a meeting of the D&I Council where someone said they'd sent an email about an event and was surprised I didn't know about it. I eventually found the email: it had the same blue banner.
That was when I learned that I had been trained to ignore any email that started with the blue banner. Asking around, I was not the only one. A lot of the internal communication problems had the root cause that there was so much pointless broadcast email that everyone ignored them and missed the important ones.
Someone did an internal thing for a hackathon as an Outlook plugin that would estimate the reading time for emails, interrogate the employee database to find the levels, multiply by the average salary for that level scaled to the reading time, and then give you an estimate of how much an email was costing the company if the recipients read it. It never shipped because management didn't like being reminded that they were burning tens of thousands of dollars with their emails.
@david_chisnall @0xabad1dea I just set up an Outlook rule (rather, a battery of rules) to funnel emails not addresses to me individually and from comms@initech.example etc into a subfolder called "Corporate" I only look at every couple of days.
-
@fishidwardrobe that's actually a good idea lol
if you don't click on suspicious links, you probably don't need phishing training@mo @fishidwardrobe @0xabad1dea At least not that level. Move directly to Advanced class.
-
the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)
can't be worse then that recent thing in Korea where the ad campaign seemed to praise a brutal crackdown by the gov't that killed students
thank god for it isn't as bad as it can be ?
I guess
-
the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)
The real scary email isnt some dumb phishing. The scary is straight forward.
"We are a #ransomware operator. We would like for you to run this script on your work machine. If you do, we'll pay you $1000 in your choice of crypto. If they pay the ransom, we pay you 10%."
That weaponizes ransomware so that everybody is a potential #insiderthreat. And given these days with so much job abuse due to terrible conditions, sending a few of these emails are sure to hit someone disgruntled enough to say fuckit.
-
R relay@relay.infosec.exchange shared this topic
