the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)
-
phishing training really doesn’t spend enough time on “how to structure your mass corporate communications in such a way that your employees won’t conclude that you communicate exactly like scammers and still expect a reply so they’d better assume scammy emails are legitimate”
@0xabad1dea I've tried to get them to compile statistics on internal comms that were reported as Phishing so we could try hunt down the perps. Potentially creating a wall-of-shame for them.
Big nope (zero surprise).
-
@pmb00cs
I'm angry just reading this.
@xinit @0xabad1dea funnily enough it wasn't as bad as when they decided to save money by switching from Yorkshire Tea to Tetley Tea. That decision lasted about a month.
-
@0xabad1dea During the summer before I started college, I got an email from (what appeared to be) a separate health care provider telling me to click the link and enter my social security number to register myself in their system. This was from an external email address, and I received no notice about it from the college, but after looking around it was actually legitimate.
-
@0xabad1dea is your CEO a deposed Nigerian prime minister or something?
-
@guigsy @0xabad1dea Even worse when it originates from a department that should know better.
@TomDB @0xabad1dea yeah. I checked colleagues and nobody else had received the message. It looked very phishy. It said "you must do this within 7 days"... so I ignored it. Only to receive an identical message, giving me another 7 days. After a few weeks, I was motivated enough to stop the spam and make the effort to find out if it was legit. Extremely poor infosec practices from my IT department.
-
@0xabad1dea This heavily overlaps with a wider societal problem of legitimate customer service communication being largely indistinguishable from scams to most people - intentional confusion and constant change, huge amounts of information disclosure required to do anything without always knowing why (and hesitation can be penalized), and so on. Pretty much entirely by design, in an attempt to minimize anyone's desire to ever contact companies directly.
@lupinia @0xabad1dea When so much “legal, legitimate” business is basically a scam, how can anyone tell?
-
@0xabad1dea there was practically a riot at a previous employer because they announced that for business performance reasons there would be no Christmas bonuses, then a couple of days later sent out a business wide email "as a thank you for all your hard work this year we're giving you a Christmas present, click here to receive it". The Christmas present turned out to be mandatory phishing awareness training for anyone who clicked the link.
@pmb00cs @0xabad1dea Love your IT department for that little "fuck u" Mr CEO email
-
@s0 @0xabad1dea I had the same experience multiple years in a row.
Vague "click now to get started with your experience" button in an external email that wasn't whitelisted. Turned out to be cyber security training.
-
@0xabad1dea I mean, it must be a test, right? A free gift, from corpo? C'mon.
-
@0xabad1dea This pisses me off so much!
Not (for me) internal corporate, but marketing depts. Notably Barclays sending “Dear customer click here for your wonderful offer” emails.
-
@Tom_ofB I'm pretty sure it's just corporate logo swag distribution being framed as "a thank-you gift"
-
@0xabad1dea ohhh, I get it. "the gift is free" is just lossy transmission, the full meaning was
"the gift is you can be free advertising for the company". That's awesome, double plus good, really.
-
@jwdt @0xabad1dea tertiary health care providers that you’ve never heard of, but apparently the anesthesiologist doesn’t work for the hospital or bill through the hospital, and in this modern day decides to email and text you to demand payment
@jwdt @0xabad1dea small business tax guy deciding to modernize and calling his secure file drop through some SaaS provider securefile and that being the subdomain on it. Phish alarms blaring, but we got the domain from him in conversation and he’s normal so it just doesn’t register to him that it sounds very bad.
-
@0xabad1dea Every few months, it seems, we get email at work from an address we've never seen before, along the lines of "log into the new HR portal at [dodgy external address]", signed "HR department". Nothing to connect it to this specific employer, no names, etc. Every time I report it as obvious phishing. Every time it turns out the great and powerful overlords have signed a new contract with an even dodgier provider.
i send valid links to colleagues through https://shadify.link/
-
@0xabad1dea I thought infosec ppl had all forgotten how to riot, this is very hopeful
-
@0xabad1dea our phishing training started with an unannounced mail from the training site with a button saying "click here".
we were expected to click on it, to access the training.
@fishidwardrobe @0xabad1dea yes, mine too. I reported it and, because we do have a really good internal person that is responsible for this sort of thing, now we always get an email first saying how you will get this dodgy-looking thing but it’s real.
-
@fishidwardrobe that's actually a good idea lol
if you don't click on suspicious links, you probably don't need phishing training
-
@0xabad1dea
Here I go on a tangent about CEO gifts. A couple years ago, a now EX-CEO proudly announced his amazing Christmas bonus for everyone.
"It will be more personal than cash!"
Yay, a disappointing box of borrel snacks, we thought.
Somehow, our team's expectations weren't low enough. Cheap corporate merch; a hoodie, a travel coffee mug, and an umbrella. They really GET ME.
So yeah, I'll bet that phishy present will be garbage anyhow.
@xinit @0xabad1dea A friend working at the occupational health and safety clinic, a vegetarian, mind you, got a basket of Italian delicacies, including prosciutto, every year.
-
@0xabad1dea One of my petty pleasures is marking all of the emails from our infosec contractor as phishing attempts. They start with things like "You have been assigned" and I'm like, I don't work for you, red flag, red flag! Also they have a history of "fake phishing" people in order to chide them, so they are literally known bad actors. Welp, that's gonna be my story when they finally track down my boss and complain that I've been ignoring them for 6 years.
-
@bremner I have in fact said to my coworkers "Emails from the corporate overlord aren't real until my manager asks why I haven't responded yet"
[to be clear, we were a small company that was acquired by a much bigger company in another country]