• @LifeInMultipleChoice
      50 points, 7 months ago

      No need to be, but this is a bad example because if the company can prove you were wreckless intentionally, they have an easy court case and someone now liable for all damages

        • @razorwiregoatlick
          18 points, 7 months ago

          Given the example from the comic the email he sent would be sufficient proof.

            • @LifeInMultipleChoice
              2 points, 7 months ago

              … Never worked for a company that did training in such a way. The training is mandatory because they are usually required to show these items for their insurances. Usually you have weeks if not months notice and have to renew it annually or some dumb crap. They are also usually done on their training websites. 3 companies I have worked for just deactivate your AD account if you don’t get it done in a timely manner. Companies who can lose millions or lose actual information that will hurt other companies and get sued do not mess around with their responsibility on such.

              Mom and pop shop… it wouldn’t matter much in the first place. Restore the data, reset passwords and call it a day. Medical, military, or such… No fun.

            • ɔiƚoxɘup
              -2 points, edited, 7 months ago

              Negligence of that order would surely be prosecuted.

              Edit: a claim of duress would probably work though.

              • @[email protected]
                20 points, 7 months ago

                Negligence of that order would surely be prosecuted.

                You mean falling for a phishing scam? You must not have any experience in security if you truly believe that they’re going to prosecute someone for that lmao.

                Of course, if the employee openly expressed their carelessness and disdain for their employer that changes things but that seems unlikely to be the case in reality.

              • @[email protected]
                10 points, 7 months ago

                I can’t really imagine it working. Maybe resulting in a firing with cause at max.

                Also, what would the company win by suing? The employee is most likely broke, and anything recouped is offset by the negative PR.

        • pewter
          6 points, 7 months ago

          Oddly, “wreckless” might mean the exact opposite.

  • Boozilla
    88 points, 7 months ago

    I will think about this every time we have a meeting to discuss the stupid “shame and train” faux phishing attacks they run on us at work.

    Pro-Tip: If you set up the right kind of filtering you’ll never see those stupid things. (Fight club rules).

    • @ozymandias117
      56 points, 7 months ago

      The one they use at my work is extra silly, as it adds an extra email header saying it’s coming from a phishing campaign

      • @frickineh
        53 points, 7 months ago

        Ours do that too. It’s so obvious that I’m not sure if they think we’re all stupid, except then I remember that some of my coworkers actually are stupid, so it’s probably aimed at them.

        • @cm0002
          59 points, 7 months ago

          except then I remember that some of my coworkers actually are stupid, so it’s probably aimed at them.

          I work in IT and have done these campaigns, if you’re on Lemmy, you’re probably not the target audience lmao

          • @LowtierComputer
            35 points, 7 months ago

            There’s an older guy in my group who rants and raves about how all the new training is a waste of time. Discrimination, harassment, safety, information security, all of it. But he specifically hates the fraud and phishing training.

            He’s the only one in our group that has failed any of the test emails.

        • @[email protected]
          24 points, 7 months ago

          I’ve worked with a dude for years who I would consider smart both technically and non-technically. One time we got an email at work with an attachment that was something like “microsoft_update.exe.txt”. The email said “due to a technical limitation on the email system, this file needs to be renamed to drop the .txt and executed to apply a critical to your computer.”

          It was, in my mind, such an obvious phishing attempt that I laughed out loud and said “who the fuck would ever fall for this?” Then my coworker popped his head over the cube wall and said “WAIT WHAT? We weren’t supposed to run that?!”

          Fortunately, the security team sat nearby and heard the whole thing and rushed over to quarantine his PC

          • @Emerald
            15 points, 7 months ago

            quarantine his PC

            You mean shut it off and steal the Ethernet cable? Lol

            • @[email protected]
              11 points, 7 months ago

              You DON’T want to turn it off. Digital forensics work WAAAAAAY better if you have a memory dump of the system. And all the memory is lost if you turn it off. Even if the virus ran 10h ago and the program has long stopped running, there will most likely still be traces in the RAM. Like a hard drive, simply deleting something in RAM doesn’t mean it is gone. As long as that specific area was not written over later it will still hold the same contents. You can sometimes find memory that belonged to a virus days or even weeks after the infection if the system was never shut down. There is so much information in RAM that is lost when the power is turned off.

              You want to:
              1: quarantine from network (don’t pull the cable at the system, but firewall it at the switch if possible)
              2: take a full copy of the RAM
              2.5: read out BitLocker keys if the drive is encrypted.
              3: turn off and take a bitwise copy of the hard drive or just send the drive + memory dump to the forensics team.
              4: get coffee
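
The point in the comment above (strings survive in freed RAM until the page is reused) in an added example that is not from the thread: a minimal strings(1)-style carver run over a constructed memory image. The indicators, the file path and the page layout are all constructed for this example.

```python
import random
import re
from typing import Iterator, List, Tuple

# Printable ASCII runs of 6+ bytes, the same heuristic strings(1) uses.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
PAGE = 4096

def carve_strings(dump: bytes) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every printable run in a raw memory image."""
    for m in PRINTABLE.finditer(dump):
        yield m.start(), m.group().decode("ascii")

def find_indicators(dump: bytes, indicators: List[str]) -> List[Tuple[int, str]]:
    """Offsets and full text of carved strings that contain any indicator.
    Random filler also yields short printable runs, so matching on known
    indicators rather than 'anything readable' keeps the noise out."""
    return [(off, text) for off, text in carve_strings(dump)
            if any(ind in text for ind in indicators)]

# Constructed indicators (placeholders): a download URL and a dropped-file
# path, mirroring the "microsoft_update.exe" story earlier in the thread.
INDICATORS = ["mal-updater.example.invalid", "microsoft_update.exe"]

def build_sample_dump(seed: int = 7) -> bytes:
    """Constructed stand-in for a RAM image made of five 4 KiB pages.
    Pages 0 and 2: random filler (memory other processes still own).
    Pages 1 and 3: what an already-exited process left behind, freed but
    never reused, so its strings are intact.
    Page 4: reused and zeroed later, so nothing survives there (the
    "as long as it was not written over" caveat)."""
    rnd = random.Random(seed)

    def filler() -> bytes:
        return bytes(rnd.getrandbits(8) for _ in range(PAGE))

    def leftover(payload: bytes) -> bytes:
        page = b"\x00" * 64 + payload      # 64 zero bytes before the payload
        return page + b"\x00" * (PAGE - len(page))

    page1 = leftover(b"GET http://mal-updater.example.invalid/update.bin HTTP/1.1")
    page3 = leftover(b"C:\\Users\\victim\\AppData\\Local\\Temp\\microsoft_update.exe")
    wiped = b"\x00" * PAGE
    return filler() + page1 + filler() + page3 + wiped

if __name__ == "__main__":
    image = build_sample_dump()
    for offset, text in find_indicators(image, INDICATORS):
        print(f"0x{offset:08x}  {text}")
```

On the constructed image the two leftover pages yield hits at offsets 0x1040 and 0x3040, while the zeroed page yields nothing.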

              • @Emerald
                7 points, 7 months ago

                Why would you be doing digital forensics?

                • @KISSmyOSFeddit
                  13 points, 7 months ago

                  To find out if nuking that one workstation is enough or if you have to take more drastic measures.

          • Boozilla
            9 points, 7 months ago

            Even a smart person can have a bad day / moment of weakness. If you are super busy / stressed out and some email comes that looks like a bullshit request from HR or IT or whatever, it can be tempting to just try to knock it off your plate real quick so you can get back to whatever fire you were fighting.

            My tactic these days is I pretty much don’t click on ANYTHING in an email, so it’s an ingrained habit. If it’s a link to something, it’s usually one I can navigate to myself using my browser. If it’s an attachment, we use a file sharing system that stores these so I can just go to that and see what’s in there.

            It’s inconvenient, and you don’t always have these work-around options, but by trying to make it into an automatic habit, it has saved me a couple of times.

      • Boozilla
        5 points, 7 months ago

        That’s really funny. It’s like you work for Dunder-Mifflin.

        • @smort
          3 points, 7 months ago

          Lots of us do lol

      • @[email protected]
        4 points, 7 months ago

        Lmao, the other day I had to whitelist some domains used for phishing training emails in the anti-phishing software we use just so they wouldn’t get nuked, then I had to whitelist them in another anti-phishing software so they wouldn’t have a huge red header injected on the top of the email body warning the user it was phishing.

      • @Magister
        3 points, 7 months ago

        haha same for me, the header contains the word “gophish”, easy to filter it

        • borari
          2 points, 7 months ago

          Damn. I’ve scripted out the entire process of verifying an owned domain in a hosted mail providers system, deploying the ec2 infrastructure, and installing and configuring gophish for a campaign, along with tearing everything down.

          That header thing gophish adds is a default option that you can override by just setting that header to an empty string. Whoever runs campaigns for your employer either wants to make it easy for you to pass or doesn’t care about their job at all.

          I’ve done it in the context of red team/adversary emulation campaigns before though, so the opsec needed to be a bit tighter than the mandatory phishing awareness stuff I guess.

    • @[email protected]
      13 points, edited, 7 months ago

      The Microsoft 365 admins at my workplace were doing something like this. It’s got some sort of built-in phishing simulation functionality (I think it’s this: https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-simulations). The idea is that the recipient clicks a button in Outlook to report it as suspicious, and get a “congrats you did the right thing” notice.

      However, it seems like IT security were unaware of the test, because they started blocking the emails and blackholed the domain the emails linked to (meaning it doesn’t resolve on our network any more). They also reported the domain as phishing to some safe browsing vendor we use, which propagated into the blocklist Chrome uses. It was a shared domain Microsoft use for this training (it was one of the domains on this list: https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-get-started?view=o365-worldwide) so Microsoft probably had to deal with un-blocking it…

    • Hossenfeffer
      10 points, 7 months ago

      Alternatively, over-report. Spelling mistake on an email from a colleague? Seems phishy to me. Email from a colleague with an attachment? Phishy! Unsolicited email from a client? Phishy! Email from ‘social committee’ sent to everyone in the team? Phishy!!!

      • @[email protected]
        6 points, 7 months ago

        Please don’t.

        I have to initiate those, or it looks bad for compliance. We sell software, we get SOC 2 attestations yearly. If we start getting points marked off for very general security and compliance measures, customers will question our products and not renew or not purchase in the first place, because if we can’t even secure our own employees and promote awareness, what does that say about our product?

        Sincerely, the guy everyone hates and makes your work life harder.

        • @[email protected]
          3 points, 7 months ago

          Maybe don’t gaslight people and they wouldn’t respond by assuming everything is more gaslighting.

      • @son_named_bort
        4 points, 7 months ago

        Received an email about phishing? Oh, you better believe that’s phishy!

      • Boozilla
        3 points, 7 months ago

        I have done some minor malicious compliance / prankster sabotage sort-of like that in the past. I got called on the carpet. It was fun, though!

      • @TexasDrunk
        1 point, 7 months ago

        I’m never going to have to reply to an email again.

    • @[email protected]
      10 points, 7 months ago

      except too many companies take that extra step of being annoying:

      • you get a write up if you fall for the phishing
      • you get a write up if you don’t fall for it but also fail to report it
      • you get a write up if you don’t fall for it and do report it but don’t use the correct report form
      • @MotoAsh
        9 points, 7 months ago

        We’re supposed to forward the spear phishing emails to IT but I always just report as spam and go about my day. Was only nervous the first couple times I ignored an obvious internal phishing test but apparently they don’t care if we don’t fall for it.

        • BubbleMonkey
          2 points, 7 months ago

          Mine was like that too so I just deleted them and moved on. I sat right next to the security team and would thus know when they were going out, so they gave no shits as long as you didn’t fall for it.

          It also helped that my team was the only one in the company that didn’t really get email. Everyone else got hundreds a day (no joke, they used way too many mail lists) and we got maybe 5-10, all internal or auto-generated, so everything was super obvious, and IT was well aware of this.

      • HubertManne
        7 points, 7 months ago

        you also fail if you use the right form but don’t staple a cover sheet for the TPS form follow-up.

      • Boozilla
        2 points, 7 months ago

        Where I work, they haven’t taken it that far yet. But I would not be surprised if they go to that in the future. The email rules / filters can still help with it.

      • @[email protected]
        2 points, 7 months ago

        Yeah my company sets a goal of how many you need to report every year, if you don’t then you need to take mandatory training (same if you fail and click on a link)

    • @Magister
      8 points, 7 months ago

      My company is using some tool to generate those kinds of false scam emails every few weeks, so I created a rule in Outlook that if the header contains the word “gophish”, it puts a label “lol phishing” on it, so I know to just delete them…

      • Boozilla
        2 points, 7 months ago

        shhhhhhh.

        Good for you, though.

    • @johannesvanderwhales
      7 points, 7 months ago

      I worked at a place that actually tracked whether you reported the fake phishing emails or not…

      • Boozilla
        2 points, 7 months ago

        The right email rule can make that easier, too. Hee hee

    • @IsThisAnAI
      5 points, 7 months ago

      Plenty of companies will assign you extra training because you aren’t reporting.

      • Boozilla
        2 points, 7 months ago

        The usual “dance, monkey, dance” from corporate.

        • @IsThisAnAI
          5 points, 7 months ago

          The Internet: fuck these companies for leaking my data.

          Also the Internet: fuck taking these classes on security and forcing me to reread policies and sops.

          Fucked if you do, fucked if you didn’t.

          • Semi-Hemi-Lemmygod
            1 point, 7 months ago

            This makes me wonder just how awful it would be if we didn’t have these dumb classes and obvious test emails.

          • deaf_fish
            -1 points, 7 months ago

            Hey, if running a business was easy, everyone would be doing it. We can’t have that.

    • @Turbofish
      5 points, 7 months ago

      Ugh. I got one of them recently and clicking on it and hitting report as spam apparently registers as me having interacted with the email so I have to do the security course again.

      • Boozilla
        3 points, 7 months ago

        It’s glitchy AF. There’s a known bug where it can report you if you simply preview the email, too. In some environments, anyway.

    • @Fredselfish
      1 point, 7 months ago

      Our company has started doing that. How do I filter them out?

      • Boozilla
        2 points, edited, 7 months ago

        It varies depending on your email client and the fake phishing service / implementation. (Sorry, I hate non-specific answers like this, too). For me, all I had to do was add an Outlook rule that looks for a certain keyword in the email header. The keyword is a weird/unique string that’s only associated with the fake phishing company. If that word is anywhere in the email header, my rule chucks it into a folder where I just ignore it. Your client should let you view the header / raw email and you can look for a pattern that way.

        It’s a pretty safe rule as far as email rules go. The only risk I can think of is that it could lull me into complacency, but working for the man does that, anyway. I’ve been getting away with it for over a year, and it’s nice not seeing the dumbass fake phishing things. Note that we are not mandated to report them, but we get assigned extra training if we click on any links in them. Your employer may have different rules.
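
The header-keyword rule that Magister and Boozilla describe above, as an added example that is not code from the thread, from Gophish or from Outlook: a client-independent filter that looks only at header names. The marker header names (X-Gophish-Contact, X-Gophish-Signature), the folder label and both sample messages are assumptions or constructed for this example.

```python
import email
from email import policy
from typing import Optional

# Header names are assumptions for this example. Gophish is understood to add
# X-Gophish-Contact / X-Gophish-Signature by default, and a campaign can blank
# them (as borari notes above), so copy the real marker from a captured
# simulation message's raw source before relying on it.
MARKER_HEADERS = {"x-gophish-contact", "x-gophish-signature"}
KEYWORD = "gophish"
FOLDER = "lol phishing"   # the label from Magister's rule

def find_marker(raw: bytes) -> Optional[str]:
    """Return the name of the first header that identifies a simulation.

    Only header *names* are inspected, not their values and never the body,
    so ordinary mail that merely mentions the word is left alone."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for name in msg.keys():
        lname = name.lower()
        if lname in MARKER_HEADERS or KEYWORD in lname:
            return name
    return None

def route(raw: bytes) -> str:
    """Folder the rule files the message into. Matches are filed, not
    deleted, so they can still be reported where reporting is tracked."""
    return FOLDER if find_marker(raw) else "Inbox"

# Constructed sample messages; all addresses are placeholders.
SIMULATED = b"""From: IT Helpdesk <helpdesk@example.invalid>
To: user@example.invalid
Subject: Action required: password expiry
X-Gophish-Contact: secops@example.invalid
Content-Type: text/plain

Your password expires today. Click here to keep access.
"""

ORDINARY = b"""From: Colleague <colleague@example.invalid>
To: user@example.invalid
Subject: Re: training next week
Content-Type: text/plain

The gophish-style awareness session is on Tuesday.
"""

if __name__ == "__main__":
    for label, raw in (("simulated", SIMULATED), ("ordinary", ORDINARY)):
        print(f"{label}: marker={find_marker(raw)!r} -> {route(raw)}")
```

Because the keyword is matched against header names only, the ordinary message that mentions "gophish" in its body stays in the inbox.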

  • @WiseWoodchuck
    33 points, 7 months ago

    Why did the hacker leave their purple dildo out on their desk? Awkward 😬

      • @[email protected]
        12 points, edited, 7 months ago

        The thing that doesn’t make sense to me is when vendors have their own domain and site but they use a freemail account (Yahoo, Hotmail, Gmail, etc). If you really want to run your business using a free service, at least use an email forwarder at your domain.

  • @teamevil
    13 points, 7 months ago

    The password is either admin or password

    • @[email protected]
      31 points, 7 months ago

      Summer2024 Autumn2024 Spring2024 Winter2024

      Are the most common passwords for regular employees. Update the year with the current or previous one.

      Source: I was in IT.

      P.S. If you have access to the physical location, look for post-it notes under the keyboard.

      • @TexasDrunk
        20 points, 7 months ago

        Under the keyboard? The company you worked for must be some sort of security company or financial institution. I’ve seen them stuck on the damn monitor.

      • 𝔼𝕩𝕦𝕤𝕚𝕒
        2 points, 7 months ago

        Oh shit, stealing this. Tired of changing the number on my overly long password. It’s just inconvenient to type 32 characters when “SeasonYear” would work.

        Bro just made an unknown company a little less secure 💀

      • @IHawkMike
        4 points, 7 months ago

        I’m sorry, there isn’t an option to arrange icons by “penis.”

    • deaf_fish
      1 point, 7 months ago

      That proves you were the one that was targeted. It doesn’t say anything about your intentions.

      You could have had the best intentions and just missed the signs that it was a malicious email. Or you could have intentionally clicked on it out of spite.

      If I knew my employee did it out of spite, I would fire them. Otherwise, it falls under the shit happens category, try to do better next time.

      • @teamevil
        1 point, 7 months ago

        If I was so miserable at a job that I thought giving passwords away to random people was a good idea, I would hope that I had moved on long before.

  • @[email protected]
    4 points, 7 months ago

    Made me laugh, stopping pre-work scrolling and ending on a high note. Let me send you my passwords…