Alt text: Michael Scott Handshake meme. Manager's text: “My company congratulating me on avoiding a phishing test email”. Michael Scott text: “Me, terminally behind on answering email.”

  • Kalkaline @leminal.space · 39 upvotes · 6 months ago

    “Let’s also make our users follow really complex password requirements but have our password creation/change page be different from the actual login screen so they have a really hard time using a password manager”-dumbass IT department

    • Zoidsberg@lemmy.ca · 18 upvotes · 6 months ago

      Change your password every 30 days, and never reuse one, and don’t use a password manager, and don’t write it down anywhere, and…

    • BeardedSingleMalt@kbin.social · 13 upvotes · 6 months ago

      15 character minimum passwords that expire every 90 days and require MFA to remote in from home with 3 separate login sessions just to get to your PC, along with stripped down rights for everyone, even IS. The rights are so strict that if you wanted to, for instance, update a trusted application like Notepad++ because a recent exploit was found which would be a security concern, you can’t use the auto-update feature of the application; you have to download it manually from their repository, and run it using a special admin account created for you that doesn’t have an associated email address but also has a 90 day password requirement. But you wouldn’t have been able to use their repository 6 months ago because we block any IP address outside the US and their previous service was located in the UK, so if you wanted to keep that piece of software up-to-date with security and vulnerability patches (which they’ve harped on a number of times before) you’d have to find alternative download services located in the US regardless of how shady.

      I wish I was joking.

    • Edgarallenpwn [they/them] · 7 upvotes · 6 months ago

      My current employer actually just changed our password policy to greatly extend the password expiration date. We have cranked up the password requirements a tad, every login has 2FA and permissions are locked down to the size of a gnat’s asshole. Users seem to like it better since they don’t have to come up with a new password as often and we are telling ourselves it’s harder to brute force.

  • SPRUNT@lemmy.world · 27 upvotes · 6 months ago

    My company sent me a phishing test email from a “no-reply@companyname.com” email address. I sent it to our security department and asked if I would ever get legitimate emails from that address. They never responded except to say that I passed the phishing test, so I set up a filter to automatically forward emails from that address to our security department with a message questioning their validity. Let security tell me if emails are legit or not.

    • Concave1142@lemmy.world · 11 upvotes · 6 months ago

      My normal method is to hit the phishing attempt icon that IT Security added to our Outlook on anything that I did not request or sign up for.

      I’m sure the IT Security person who saw all the “free gift card” emails had a great Christmas if they claimed all the gift cards emails they deem legit.

  • Boozilla@discuss.online · 21 upvotes · 6 months ago

    I created an inbox rule for these. The 3rd party phishing shame-and-train company my employer uses always has a certain domain in the email header (even though they always change the ‘from’ address). Has worked perfectly for over 6 months. I’m generally not dumb enough to click on them anyway. But anyone can have a bad day and/or get into a rush and make a mistake. And my boss is a sadistic prick who delights in making workers feel dumb. Yet I’m 100% sure he exempts himself from the phishing shit tests.

      • TORFdot0@lemmy.world · 4 upvotes, 1 downvote · 6 months ago

        The point isn’t to be so tricky that it’s too hard for end users to catch. It’s to train them to start looking at things such as the sender’s domain and to report messages and avoid the link, etc.

  • 15liam20@lemmy.world · 17 upvotes · 6 months ago

    My company appends a ‘think before you click’ header to external emails, which is noticeably absent from the phishing tests.

    • Chobbes@lemmy.world · 5 upvotes · 6 months ago

      Mine always have the ReplyTo field set to the email of the senior security analyst, so I always say hi and tell them that maybe the higher ups need some training on how to not send sketchy as fuck emails that train people to click on phishing links.
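The three comments above (TORFdot0, 15liam20 and Chobbes) each name a header-level signal that separates a simulated or real phish from ordinary internal mail. The following is an added example, not code from any commenter: it parses a constructed message with Python's standard `email` library and reports those signals together, namely whether Reply-To points somewhere other than From, whether Return-Path and the first relay belong to the sender's domain, and whether the organisation's external-mail banner is present. The domains, the banner text and the message itself are assumptions.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): From claims the company domain, but
# Reply-To points at a person and Return-Path/first relay belong to a third party.
SAMPLE = """\
Return-Path: <bounce@mail-track.example.net>
Received: from mta.mail-track.example.net (mta.mail-track.example.net [203.0.113.10])
        by mx.companyname.example with ESMTP; Mon, 1 Jan 2024 09:00:00 +0000
From: "IT Helpdesk" <no-reply@companyname.example>
Reply-To: senior.analyst@companyname.example
To: employee@companyname.example
Subject: Action required: your password expires today

Click the link to keep your account active.
"""

def addr_and_domain(value):
    """Return (address, domain) from a header value, lowercased; empty strings if absent."""
    addr = parseaddr(value or "")[1].lower()
    return addr, addr.rpartition("@")[2]

def header_signals(raw, own_domain, banner="think before you click"):
    """Check the signals the thread mentions: Reply-To vs From, Return-Path and the
    first relay vs the sender's domain, and presence of the external-mail banner.
    own_domain and banner are assumptions to be set per organisation."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr, from_dom = addr_and_domain(msg.get("From", ""))
    reply_addr, _ = addr_and_domain(msg.get("Reply-To", ""))
    _, return_dom = addr_and_domain(msg.get("Return-Path", ""))
    # The topmost Received header is the last hop: the host after 'from' handed the
    # message to our MX. The parser unfolds continuation lines into one value.
    received = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+(\S+)", received[0]) if received else None
    relay = m.group(1).lower() if m else ""
    relay_internal = relay == own_domain or relay.endswith("." + own_domain)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    return {
        "from_domain": from_dom,
        "reply_to_differs": bool(reply_addr) and reply_addr != from_addr,
        "return_path_mismatch": bool(return_dom) and return_dom != from_dom,
        "first_relay": relay,
        "relay_outside_own_domain": bool(relay) and not relay_internal,
        "external_banner_present": banner.lower() in text,
    }

if __name__ == "__main__":
    for key, value in header_signals(SAMPLE, "companyname.example").items():
        print(f"{key:26} {value}")
```

On the sample, every signal fires except the banner check, which is the point 15liam20 makes: internally injected test mail bypasses the external-mail tag.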

  • Zoboomafoo@slrpnk.net · 13 upvotes · 6 months ago

    I eventually clicked the link in the test email out of curiosity. I got a nice popup telling me I fucked up.

  • lurch@sh.itjust.works · 10 upvotes · 6 months ago

    Mine gives useless bonus points for forwarding the test email or an actual phishing mail to their special security scanner account.

      • YoorWeb@lemmy.world · 3 upvotes · edited · 6 months ago

        Filters will catch 90% of spam/phishing but there’s always something new that will slip through to inbox.

      • lurch@sh.itjust.works · 1 upvote · 6 months ago

        There is, but if one gets through, they want us to forward it to this account that will be used to train, fine tune and improve the scanner for all mailboxes, as well as security training for employees.

        • bamboo@lemmy.blahaj.zone · 2 upvotes · 6 months ago

          That makes sense, I thought the security scanner was only triggered if someone forwarded an email after it landed in an inbox.

  • Ainiriand@lemmy.world · 9 upvotes, 2 downvotes · 6 months ago

    I am a software developer; I do not read emails. If something is so important that I should know about it, someone will hit me up on MS Teams or such.

  • MrShankles@reddthat.com · 7 upvotes · 6 months ago

    I always right-clicked for the “more info” (or whatever it was) with any suspicious email. It would look like a bunch of HTML code that I didn’t really understand, but buried in there would be a company name that was usually obvious, like “phishtesting.com” or some bullshit.

    I always had a 100% report rate, and always joked that I was waiting to get a prize for my accuracy. And obviously, it was also a joke to ever think I would get anything for it.

  • Daniel F.@aussie.zone · 1 upvote · 6 months ago

    The best way to avoid scam emails is just to change your email account’s password to a random string, not save it, then log out. I’ve also shredded my SIM card so I can’t receive scam texts.