this post was submitted on 31 Aug 2023
1593 points (99.1% liked)

Comic Strips

12626 readers
3761 users here now

Comic Strips is a community for those who love comic stories.

The rules are simple:

Web of links

founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] ArbitraryValue@sh.itjust.works 45 points 1 year ago (13 children)

We get fake phishing emails that are actually from IT and if we don't recognize and report them, we get a talking-to. It's a good way of keeping employees vigilant.

[–] cynar@lemmy.world 36 points 1 year ago (1 children)

A friend (who actually works in IT) apparently has a good system at his company. It actually automates turning real phishing attempts into internal tests. It effectively replaces links etc and sends it onwards. If the user actually clicks through, their account is immediately locked. It requires them to contact IT to unlock it again, often accompanied by additional training.

[–] zalgotext@sh.itjust.works 2 points 1 year ago (4 children)

Wait. So your friend's company has the ability to reliably detect phishing attacks, but instead of just blocking them outright, it replaces the malicious phishing links with their own phishing links, sends those on to employees, and prevents them from doing their jobs of they fall for it?

Sounds like your friend's company's IT people are kind of dickheads

[–] lazyshit@sh.itjust.works 9 points 1 year ago

I work at a company that does something similar; it can be annoying to deal with these fake phishing emails from our own IT, but a 10-15 minute training session if you fail is a lot less disruptive than what can happen if you clicked the real link instead.

I consider myself a bit more tech-savvy than average, but I’ve almost fallen for a couple of these fake phishing emails. It helps me to keep up with what the latest versions of these attacks look like (and keeps me on my toes too…)

[–] rbits@lemm.ee 2 points 1 year ago

Well the company probably can't detect them reliably, so wih the ones it does detect it trains them to avoid the ones that they can't detect.

[–] cynar@lemmy.world 2 points 1 year ago

It's not every phishing email. I think it's technically those that get through the initial filters, and get reported, but don't quote me on that. Apparently it's quite effective. They also don't need to report every one. It's only if they do something that could have compromised the company that causes a lock down. It's designed to be disruptive and embarrassing, but only if they actively screw up.

[–] grysbok@lemmy.sdf.org 32 points 1 year ago (1 children)

My last company did this. They'd also send out surveys and training from addresses I didn't recognize, so I'd report those, too, only to be told they were legit 😂

[–] hemko@lemmy.dbzer0.com 3 points 1 year ago (1 children)

Yeah this is a running joke at our workplace too. Only to be asked by some manager to do those week or few later

[–] SMITHandWESSON@lemmy.world 11 points 1 year ago* (last edited 1 year ago) (1 children)

I send supervisor emails about stuff I'm not gonna do to my spam folder as well.....

"Did you get the email?"

"Nope, sorry, it looked a little suspicious so I didn't open and sent it to spam.."

[–] average_internet_enjoyer@lemmy.world 2 points 1 year ago (1 children)

Basically you created a echo chamber at work where you can only hear what you want to hear

[–] SMITHandWESSON@lemmy.world 2 points 1 year ago (1 children)
[–] average_internet_enjoyer@lemmy.world 2 points 1 year ago (1 children)

I just realised how you control reality at work and how much enjoyment you get.... Until you are enjoying too much and get fired

[–] SMITHandWESSON@lemmy.world 2 points 1 year ago

...but until then😈

[–] HeyJoe@lemmy.world 6 points 1 year ago

We do as well, except we only concern ourselves with the people who click them.

[–] son_named_bort@lemmy.world 4 points 1 year ago

My workplace does this too. I can usually tell when the email isn't a legit phishing email but an IT test though. Not sure how helpful that is.

[–] Samsy@lemmy.ml 4 points 1 year ago* (last edited 1 year ago)

That's neat, will steal this.

[–] GBU_28@lemm.ee 4 points 1 year ago

Lol I don't click shit.

[–] frickineh@lemmy.world 3 points 1 year ago (1 children)

We get those, but the sender email shows up as blahblah@employersname.kn0wbe4.compromisedblog.org or whatever. Literally the most obvious possible address. I'm always tempted to forward one to IT and ask if they're serious with that shit.

Ours are the opposite: the sender's email shows up as a normal name@company.com email. Gmail is supposed to warn when a return address is being spoofed like that, but I guess my company turned that warning off for these fake phishing emails. There's still no SPF but I don't check the SPF unless an email looks suspicious so I hope that that warning will work for real, sophisticated phishing.

[–] XaeroDegreaz@lemmy.world 2 points 1 year ago

Same. Users who click on links get signed up for remedial training courses lol

[–] ScreamingFirehawk@feddit.uk 1 points 1 year ago

I always just ignore anything that looks dodgy, I can't be bothered to spend the time reporting emails when I get so damn many that are either spam or phishing

[–] ikapoz@sh.itjust.works 1 points 1 year ago

We do too, so I just tell my team to flag everything as spam

[–] fidodo@lemm.ee 1 points 1 year ago (1 children)

But if they're recognized it means they aren't doing a good enough job faking them

[–] shasta@lemm.ee 2 points 1 year ago

Oh well, time to get better IT guys