• @Hagdos
    link
    1076 months ago

    My company started with mandatory cybersecurity trainings for all employees. The training tool sends out automated emails to remind you when you have to do a new part of the training.

    These emails, from a cybersecurity course, followed all the rules of being a phishing email:

    • Sent from a non-company server
    • Had a big red button to click here
    • Urged you to take action (“You have 5 days to complete your training”)

    IT decided to fix that, by adding a line to the emails that this email is really from our company. Like a phisher wouldn’t think of saying “nah, trust me bro, I’m totally legit”

    • @subtext
      link
      346 months ago

      That’s what always kills me… the line of “this is not a phishing email” as if just anyone can’t add that. If anything that line makes me more suspicious.

      • Fushuan [he/him]
        link
        fedilink
        English
        96 months ago

        They could send an email from a legit company email stating “mail XXX will send you some legit emails in a week or so, do them.”

        • newbeni
          link
          46 months ago

          That’s what my company finally did, it works out a LOT better for everyone.

    • @[email protected]
      link
      fedilink
      27
      edit-2
      6 months ago

      My company sends out these kids of phishing scam test emails too. They were actually pretty decently faked. But, they use the same identifying string in the header of each and every one, so I made an outlook rule to quarantine them In a particular folder so that I could correctly report all of them. Occasionally I report the weird legitimate email surveys we get from HR too and mass emails from IT with bad spelling, just so they don’t get suspicious of my perfect record.

    • Ephera
      link
      fedilink
      246 months ago

      My company unfortunately uses Microsoft 365 and when they started setting that up, I got an e-mail from a microsoftonline.com domain, which asked me to enter my username and password.
      I reported that mail immediately as phishing. Like, it used the ol’ confusing domain trick and everything, it’s gotta be phishing.

      Turns out, nope, Microsoft legitimately operates that domain and uses it for account notifications of all things. Great job, guys.

    • @[email protected]
      link
      fedilink
      96 months ago

      I blocked these emails for years for this reason. We actually do get real phishing attempts about once every other month when a client gets compromised. Makes everyone at our company very vigilant.

      Management got pissed when I hadn’t done any of them. Apparently, the emails in english/spanish/french with “click me” links were legit, lol. I set up extensive rules and blocklists for a reason. Pretty sure it’s for SOC2 compliance or something.

    • AggressivelyPassive
      link
      fedilink
      86 months ago

      We had something like this too. The header had our company’s logo as just a rectangular white picture. It looked like someone just copy/pasted the first result on Google images.

    • @[email protected]
      link
      fedilink
      8
      edit-2
      6 months ago

      Yeah you’d think a company could forward from their own domain or something, but I get a ton of legit emails from non company domains because I guess they’re to lazy/too much effort? Anyway, I just try not to click any email links.

    • @[email protected]
      link
      fedilink
      English
      76 months ago

      Then both the csec course failed to educate the employees, because a responsible trained employee would report or ignore those mails lol

      • @Hagdos
        link
        86 months ago

        The emails were mass reported, up to the point there was an internal message sent around to stop reporting them because they are legitimate. Of course, no action was taken to make them look less suspicious.

        If I’d ever want to phish someone at my company, I’d know exactly what to do. Make the email look exactly like the training ones.

    • @[email protected]
      link
      fedilink
      English
      56 months ago

      The correct solution to this is to have the training emails say to log in to take the training, no link in the email at all

      • @[email protected]
        link
        fedilink
        106 months ago

        A better way would be to have the link be to the company’s webserver which could then redirect to the external course.

        I offered to set this up for my company (it’s not that hard) but nah, they went with telling everyone to click on a link to an unfamiliar site to learn about why they shouldn’t click on links to unfamiliar sites.

        • @[email protected]
          link
          fedilink
          English
          36 months ago

          Then you are still trusting people to hover the link before clicking which from what I’ve seen isn’t the best. Though there is the added benefit of using this as additional training to hover…

    • qevlarr
      link
      46 months ago

      Had this at a previous company. Why didn’t they just use their regula URL instead of “(company)university.com” I don’t know. Reported as fishing