this post was submitted on 29 Mar 2025
974 points (98.8% liked)

iiiiiiitttttttttttt


you know the computer thing is it plugged in?

[–] Affidavit@lemm.ee 149 points 4 days ago (7 children)

The only phishing e-mails I receive are from my employer. As a matter of process I report these e-mails like a diligent lackey, then upon receiving an e-mail congratulating me on passing their test, I report that one too. I think the non-test phishing reports undergo manual review so I hope I'm wasting someone's time somewhere in payback.

Still haven't forgiven them for a tone-deaf 'we care about you during COVID' phishing e-mail they sent when everyone was genuinely struggling.

[–] nelly_man@lemmy.world 31 points 4 days ago* (last edited 3 days ago) (1 children)

Same here, and I got annoyed at these emails filtering through the different rules that I have set up. I realized that the test emails all had some values in the headers to indicate them as such, so I set up a rule to filter them out to a separate folder. It obviously defeats the point, but it's much less annoying.

[–] Rivalarrival 2 points 3 days ago

Need to take it a step further. IIRC, they usually use a tracking link with your address encoded into it, so they know who clicked the link. Need to crack whatever encoding they use, and start "clicking" links for senior leadership.

[–] MIDItheKID@lemmy.world 4 points 3 days ago* (last edited 3 days ago) (1 children)

Neat thing I learned at a past company. The phishing emails had links (the ones you aren't supposed to click on) that either contained the email address of the person getting tested, or it pulled it somehow. It was really easy to figure out where that information needed to go in the URL. This is how tracking "failures" was tested and reported. I would just put in the email address of people from the opsec team into that URL, copy it, and paste it into one of those global website testers that checked if a site was available from different countries around the world (I'm assuming using some kind of VPN).

Theoretically it should have given these people failures in their own tests, and also come from all sorts of weird locations globally.

Not sure if it actually did, but I like to think I wasted at least some of their time.

Never got in trouble for it so who knows.

[–] Affidavit@lemm.ee 1 points 2 days ago

This is ingeniously spiteful and I love it.

[–] vodka@lemm.ee 31 points 4 days ago (1 children)

I report any and all emails from anyone on the CSIRT team as suspicious.

They did a phishing test targeting every employee without informing me (internal ITSM lead) first. So they deserve the extra work, and my entire team does the same.

[–] 0xD@infosec.pub 5 points 4 days ago (1 children)

Do you feel like you should be excluded? Did you get the results afterwards?

I often conduct phishing tests for customers where only 1 or 2 people are in the loop to cover as many peepz as possible.

[–] vodka@lemm.ee 12 points 3 days ago

If it was conducted properly, it would have been fine to not inform me.

They made it way too hard to spot that anything was off until after you'd clicked something in the email, combined with blasting 2000+ people with the email at the same time.

Our employees are trained to call the helpdesk ASAP at any sign of a potential issue where their credentials may have been stolen. Hundreds of people called in the first 10 minutes of the email being sent out because they had opened the email and got scared; I got called in from my vacation by one of the people on my team, and I called everyone else in from vacation.

I should've absolutely been informed about this. But considering how fucking dumb whoever did the test was, I'm not surprised I wasn't. The KPMG consultant who was clearly not an infosec person at all got fired after this.

[–] jj4211@lemmy.world 8 points 3 days ago (1 children)

You might have a lot of phishing emails that the company filters out without you ever seeing them. For these tests, they do things to make sure this email will get through, even if the automated filters would have otherwise blocked it.

[–] Affidavit@lemm.ee 5 points 3 days ago (1 children)

That's a good point; my company actually does implement something like this, though it invites intervention from the recipient for confirmation. I have previously received e-mail notifications stating that an e-mail has been 'held' as being suspicious and provided me an option to 'release' the e-mail (in these cases the e-mails were genuine and known in advance to me).

Of course, I have no simple way to determine if there is also an additional hard filter that blocks out obvious phishing with no notification to the end user.

[–] KairuByte@lemmy.dbzer0.com 6 points 3 days ago (1 children)

There are likely two things going on.

One is a hard block for phishing, ones you will never see, never be alerted of, and never be told about unless you go digging for a missing email you know should have come through.

The other is a soft block for spam. You will likely get an email about the spam being quarantined with the option to release the spam into your inbox.

If the phishing emails were shown as quarantined, you’d end up with hundreds of quarantined emails a day for anyone with a public facing name. Our CFO for instance gets the most out of anyone in the company, numbering in the thousands.

[–] Affidavit@lemm.ee 4 points 3 days ago

This is a good explanation. I can see how a multi-tiered approach like this makes sense, particularly for those most public-facing. Thanks.

[–] Rivalarrival 9 points 3 days ago

I got a list of domains used by the phish testing company, and passed them around my department.
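
A mail-sorting rule of the kind the two comments above describe (nelly_man's header markers and Rivalarrival's list of simulation sender domains), written here as an added Python example; it is not code either commenter posted. The marker header names and the sender domains are constructed placeholders, since the thread names neither, and the sample messages are constructed too. The third sample shows the limit of such a rule: a message with no marker from an unlisted domain is routed normally, so the rule only ever catches what the simulation vendor chooses to label.

```python
"""Route mail into a 'Simulations' folder by marker header or sender domain (added example)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical marker headers; a real simulation platform uses its own names.
MARKER_HEADERS = ("X-Phish-Simulation", "X-Training-Campaign")

# Hypothetical list of simulation sender domains (constructed placeholder values).
SIMULATION_DOMAINS = {"phish-sim.example", "awareness-test.example"}


def sender_domain(msg) -> str:
    """Return the lower-cased domain of the From: address, or '' if absent."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def domain_is_listed(domain: str) -> bool:
    """Match the domain itself or any subdomain of a listed domain."""
    return any(domain == d or domain.endswith("." + d) for d in SIMULATION_DOMAINS)


def classify(raw: bytes) -> str:
    """Return the target folder for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Header lookup on email.message objects is case-insensitive, so a
    # lower-cased 'x-phish-simulation:' in the raw message still matches.
    if any(msg.get(h) is not None for h in MARKER_HEADERS):
        return "Simulations"
    if domain_is_listed(sender_domain(msg)):
        return "Simulations"
    return "INBOX"


# Constructed sample messages, not captured mail.
SAMPLES = {
    "marked": (
        b"From: HR Benefits <benefits@corp.example>\r\n"
        b"To: me@corp.example\r\n"
        b"Subject: Action required: benefits enrolment\r\n"
        b"x-phish-simulation: campaign-42\r\n"
        b"\r\n"
        b"Click here to confirm your enrolment.\r\n"
    ),
    "domain": (
        b"From: IT Support <helpdesk@mail.phish-sim.example>\r\n"
        b"To: me@corp.example\r\n"
        b"Subject: Your password expires today\r\n"
        b"\r\n"
        b"Reset it now.\r\n"
    ),
    "real": (
        b"From: Billing <billing@lookalike-vendor.example>\r\n"
        b"To: me@corp.example\r\n"
        b"Subject: Overdue invoice\r\n"
        b"\r\n"
        b"See attached.\r\n"
    ),
}


def route_all() -> dict:
    """Classify every sample and return {name: folder}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, folder in route_all().items():
        print(f"{name:>7} -> {folder}")
```

The same logic maps directly onto a Sieve or Outlook rule (header exists, or From domain in list); the Python form just makes the case-insensitive header match and the subdomain match explicit.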

[–] unphazed@lemmy.world 21 points 4 days ago

I just ignore all emails. I have found too many phishing emails and have decided that our systems appear to be compromised. It hasn't improved since I reported them, so I am playing it safe. PM me when you need to communicate, and keep meetings on the calendar, I'll show.

[–] Maalus@lemmy.world 14 points 4 days ago (1 children)

Except for the tiny fact that a phishing email wouldn't give a fuck about being "tone deaf" and would bank on the "nobody bad would ever send an email like this!".

[–] Affidavit@lemm.ee 26 points 4 days ago (1 children)

Sure, a genuine phishing e-mail wouldn't give a fuck. But fake phishing e-mails sent from an employer should give a fuck about retention and employee engagement. Drawing attention to how much you don't care about your employees while exploiting their emotions isn't all that conducive to maintaining a healthy workforce/morale.

There are ways to demonstrate the lengths bad actors are willing to go without being a douche.

As an example, find out something the employer actually will be doing (or already does) and pre-empt it with a related, but not identical, phishing test. After the test has elapsed, send a follow-up explanatory e-mail with genuine content, e.g. "We won't pay you $10,000,000 to have a baby, but did you know about our generous maternity leave package?"

[–] misteloct@lemmy.world 4 points 4 days ago* (last edited 4 days ago)

That implies they care about our feelings. When actually they want us to remember we only get paid if we're of pecuniary value to them. Even at a good company like mine.