the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work!

Category: Uncategorized
52 Posts 41 Posters 208 Views
• 0xabad1dea@infosec.exchange (#1)

    the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)

• rogerbw@discordian.social (#2, replying to #1)

    @0xabad1dea Every few months, it seems, we get email at work from an address we've never seen before, along the lines of "log into the new HR portal at [dodgy external address]", signed "HR department". Nothing to connect it to this specific employer, no names, etc. Every time I report it as obvious phishing. Every time it turns out the great and powerful overlords have signed a new contract with an even dodgier provider.
• 0xabad1dea@infosec.exchange (#3, replying to #1)

    phishing training really doesn’t spend enough time on “how to structure your mass corporate communications in such a way that your employees won’t conclude that you communicate exactly like scammers and still expect a reply so they’d better assume scammy emails are legitimate”
• michael@weatherby2378.social (#4, replying to #1)

    @0xabad1dea

    Ah, classic corporate Overlords.
• lupinia@infosec.exchange (#5, replying to #3)

    @0xabad1dea This heavily overlaps with a wider societal problem of legitimate customer service communication being largely indistinguishable from scams to most people - intentional confusion and constant change, huge amounts of information disclosure required to do anything without always knowing why (and hesitation can be penalized), and so on. Pretty much entirely by design, in an attempt to minimize anyone's desire to ever contact companies directly.
• david_chisnall@infosec.exchange (#6, replying to #3)

    @0xabad1dea Microsoft put a big blue banner on all the broadcast-internal emails.

    I was in a meeting of the D&I Council where someone said they'd sent an email about an event and was surprised I didn't know about it. I eventually found the email: it had the same blue banner.

    That was when I learned that I had been trained to ignore any email that started with the blue banner. Asking around, I was not the only one. A lot of the internal communication problems had the root cause that there was so much pointless broadcast email that everyone ignored them and missed the important ones.

    Someone did an internal thing for a hackathon as an Outlook plugin that would estimate the reading time for emails, interrogate the employee database to find the levels, multiply by the average salary for that level scaled to the reading time, and then give you an estimate of how much an email was costing the company if the recipients read it. It never shipped because management didn't like being reminded that they were burning tens of thousands of dollars with their emails.
• fishidwardrobe@mastodon.me.uk (#7, replying to #3)

    @0xabad1dea our phishing training started with an unannounced mail from the training site with a button saying "click here".

    we were expected to click on it, to access the training.
• nest@infosec.exchange (#8, replying to #1)

    @0xabad1dea

    my job did this before christmas. they even went an extra mile and registered a new domain "company name christmas gift dot com" and even created a new corporate email address. i was working in the infosec department there and we had a looong talk with the marketing folks after this.
• ninkosan@mas.to (#9, replying to #3)

    @0xabad1dea much easier to pass the buck to the end users to do all the work unfortunately
• gom@chaos.social (#10, replying to #3)

    @0xabad1dea Listen, digital signatures and content encryption for emails are far future science fiction. Nobody knows how to do such a thing. It's impossible to establish classification of emails by simple technical means.

    Also: Many enterprises are very scammy by nature. Towards customers, state and employees.
• count_01@mastodon.social (#11, replying to #7)

    @fishidwardrobe @0xabad1dea That trainer really knows how to ramp up quickly.
• jwdt@mastodon.social (#12, replying to #3)

    @0xabad1dea then there's ones from banks, government things, big brands etc.
• brunius@mastodon.au (#13, replying to #1)

    @0xabad1dea everyone got sent a digital gift card around christmas a couple of years ago. apparently they got thousands of reports (I'd guess about 1/4 of the business)
• guigsy@mstdn.social (#14, replying to #1)

    @0xabad1dea I got a similar email... from IT. It was basically, "Congratulations! You've been selected as a trial user for our new authentication system. Please click here to go to a dodgy URL and fill in all your existing credentials." With no contact listed. And no information about it on the intranet.

    It took some digging before I found someone in IT support that could verify that it wasn't a phish.
• sysop408@sfba.social (#15, replying to #3)

    @0xabad1dea I think about this so much at this time of year because I help run a car show and my job is to get everyone to register their cars and pay their entry fees. I've learned that most car enthusiasts are not very tech savvy.

    We have a limited time to do this and I'm coordinating hundreds of people. Here I am sending them progressively urgent emails, text messages, and occasional phone calls reminding them to confirm something, update their information, and pay their fees.

    My first thought: If someone sent me these messages, I'd delete them because they look like scams.

    My second thought after almost everyone does exactly what I ask them to do: "Oh shit, I'm conditioning all of these people to fall for scams."
• xinit@mastodon.coffee (#16, replying to #1)

    @0xabad1dea
    Here I go on a tangent about CEO gifts.

    A couple years ago, a now EX-CEO proudly announced his amazing Christmas bonus for everyone.

    "It will be more personal than cash!"

    Yay, a disappointing box of borrel snacks, we thought.

    Somehow, our team's expectations weren't low enough. Cheap corporate merch; a hoodie, a travel coffee mug, and an umbrella. They really GET ME.

    So yeah, I'll bet that phishy present will be garbage anyhow.
• 0x2ba22e11@unstable.systems (#17, replying to #6)

    @david_chisnall @0xabad1dea I just thought of a justifiable tweak to make the program output even angrier: instead of reporting time spent, report a guesstimated opportunity cost.

    e.g. if a company has $10M revenue on $5M staffing costs then report a guesstimated opportunity cost as double each employee's salary.
• pmb00cs@mastodon.online (#18, replying to #1)

    @0xabad1dea there was practically a riot at a previous employer because they announced that for business performance reasons there would be no Christmas bonuses, then a couple of days later sent out a business wide email "as a thank you for all your hard work this year we're giving you a Christmas present, click here to receive it". The Christmas present turned out to be mandatory phishing awareness training for anyone who clicked the link.
• diffrentcolours@tech.lgbt (#19, replying to #5)

    @lupinia @0xabad1dea And encouraging people to write their emails with an LLM to "sound professional" means that they end up reading like the emails that scammers write with an LLM to "sound professional".
• xinit@mastodon.coffee (#20, replying to #18)

    @pmb00cs
    I'm angry just reading this.
    @0xabad1dea
• tomdb@mastodon-belgium.be (#21, replying to #14)

    @guigsy @0xabad1dea Even worse when it originates from a department that should know better.