this post was submitted on 16 Jun 2024
372 points (98.4% liked)

Cybersecurity - Memes

1962 readers
1 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
372
Phishy (i.imgur.com)
submitted 4 months ago by [email protected] to c/[email protected]
33 comments fedilink hide all child comments
 
all 34 comments
sorted by: hot top controversial new old
[–] [email protected] 87 points 4 months ago (9 children)

My company started with mandatory cybersecurity trainings for all employees. The training tool sends out automated emails to remind you when you have to do a new part of the training.

These emails, from a cybersecurity course, followed all the rules of being a phishing email:

  • Sent from a non-company server
  • Had a big red button to click here
  • Urged you to take action ("You have 5 days to complete your training")

IT decided to fix that, by adding a line to the emails that this email is really from our company. Like a phisher wouldn't think of saying "nah, trust me bro, I'm totally legit"

[–] [email protected] 27 points 4 months ago* (last edited 4 months ago)

My company sends out these kids of phishing scam test emails too. They were actually pretty decently faked. But, they use the same identifying string in the header of each and every one, so I made an outlook rule to quarantine them In a particular folder so that I could correctly report all of them. Occasionally I report the weird legitimate email surveys we get from HR too and mass emails from IT with bad spelling, just so they don't get suspicious of my perfect record.

[–] [email protected] 26 points 4 months ago (1 children)

That’s what always kills me… the line of “this is not a phishing email” as if just anyone can’t add that. If anything that line makes me more suspicious.

[–] [email protected] 9 points 4 months ago (1 children)

They could send an email from a legit company email stating "mail XXX will send you some legit emails in a week or so, do them."

[–] [email protected] 4 points 4 months ago

That's what my company finally did, it works out a LOT better for everyone.

[–] [email protected] 24 points 4 months ago

My company unfortunately uses Microsoft 365 and when they started setting that up, I got an e-mail from a microsoftonline.com domain, which asked me to enter my username and password.
I reported that mail immediately as phishing. Like, it used the ol' confusing domain trick and everything, it's gotta be phishing.

Turns out, nope, Microsoft legitimately operates that domain and uses it for account notifications of all things. Great job, guys.

[–] [email protected] 9 points 4 months ago

I blocked these emails for years for this reason. We actually do get real phishing attempts about once every other month when a client gets compromised. Makes everyone at our company very vigilant.

Management got pissed when I hadn't done any of them. Apparently, the emails in english/spanish/french with "click me" links were legit, lol. I set up extensive rules and blocklists for a reason. Pretty sure it's for SOC2 compliance or something.

[–] [email protected] 8 points 4 months ago

We had something like this too. The header had our company's logo as just a rectangular white picture. It looked like someone just copy/pasted the first result on Google images.

[–] [email protected] 6 points 4 months ago

Yeah you'd think a company could forward from their own domain or something, but I get a ton of legit emails from non company domains because I guess they're to lazy? Anyway, I just try not to click any email links.

[–] [email protected] 5 points 4 months ago (1 children)

The correct solution to this is to have the training emails say to log in to take the training, no link in the email at all

[–] [email protected] 10 points 4 months ago (1 children)

A better way would be to have the link be to the company's webserver which could then redirect to the external course.

I offered to set this up for my company (it's not that hard) but nah, they went with telling everyone to click on a link to an unfamiliar site to learn about why they shouldn't click on links to unfamiliar sites.

[–] [email protected] 3 points 4 months ago

Then you are still trusting people to hover the link before clicking which from what I've seen isn't the best. Though there is the added benefit of using this as additional training to hover...

[–] [email protected] 4 points 4 months ago

Had this at a previous company. Why didn't they just use their regula URL instead of "(company)university.com" I don't know. Reported as fishing

[–] [email protected] 4 points 4 months ago (1 children)

Then both the csec course failed to educate the employees, because a responsible trained employee would report or ignore those mails lol

[–] [email protected] 8 points 4 months ago

The emails were mass reported, up to the point there was an internal message sent around to stop reporting them because they are legitimate. Of course, no action was taken to make them look less suspicious.

If I'd ever want to phish someone at my company, I'd know exactly what to do. Make the email look exactly like the training ones.

[–] [email protected] 37 points 4 months ago (2 children)

I emailed my IT team when I saw something suspect (which was a phish test), and they said "good job, but in the future click the link we insert in the email body to report"

Hmm...actually, I'd rather not click anything in a dodgy email, thanks.

[–] [email protected] 23 points 4 months ago (1 children)

And now you've passed the second test. Don't trust links in dodgy emails.

[–] [email protected] 16 points 4 months ago (1 children)

The lesson was "don't trust anybody, not even your own IT team"

[–] [email protected] 7 points 4 months ago

Especially your own IT team.

[–] [email protected] 4 points 4 months ago (1 children)

Do they mean a banner in the message with a report suspicious link?

[–] [email protected] 4 points 4 months ago (1 children)

Yes. It's a legitimate inserted banner that goes on every inbound. It just blew my mind a bit that the correct action was to click a link in an email!

[–] [email protected] 2 points 4 months ago

Thanks to microsofts excellent design team they will be hiding buttons in the bar in outlook new so most vendors are moving to banners with actions.

[–] [email protected] 21 points 4 months ago (1 children)

This same thing happened at my company recently. We get tons of phishing and scam emails, and then one day another one shows up out of the blue with a very suspicious subject line, so I ignore it. IT guy had to jump on a meeting with the whole office the next morning to explain that yes it is a legit email so please stop reporting it and also please complete the training by clicking the link inside the email.

Like, I feel like if you send your "training" email to people in the form of a well-known phishing scam email, there's no need to ensure that they follow up with the training, because either they are tricked by the subject line and then directed to complete the email safety awareness training (presumably you would know who clicked on it to make sure they actually do complete it), or they're intelligent enough to not click on it in the first place and thus already computer-literate enough to not get scammed by obvious bullshittery.

[–] [email protected] 8 points 4 months ago

Sounds like a genius move if he didn't then fuck it up by the meeting thing.

[–] [email protected] 14 points 4 months ago

My company sends fake phishing mails and once you open the link it says "you're lucky, this was just a test" and you get tons of new fakes. I think I never got a mail from outside tho I didn't click all so who knows

[–] [email protected] 12 points 4 months ago* (last edited 4 months ago) (1 children)

Yeah okay but our company IT dept sent out a security training link in an email titled "Win a free cruise!!!!" None of us clicked on it it's like you tell us not to open emails like this, but you send an email like this in order to train us not to open emails like this.

[–] [email protected] 11 points 4 months ago (1 children)

It's targeted to those who need the training.

[–] [email protected] 4 points 4 months ago (2 children)

But it was a mandatory training!

[–] [email protected] 3 points 4 months ago* (last edited 4 months ago)

I work in corporate IT and I can guarantee that no one in the IT department gives a rats arse if you do the training or not. It's management that care.

[–] [email protected] 3 points 4 months ago

Says a lot about how highly your IT department thought of the employees if they communicated mandatory training that way. They expected a 100% of staff "gets fooled by obvious-sounding phishing spam".

[–] [email protected] 6 points 4 months ago

Unsolicited Email is Unsolicited

Simple as

[–] [email protected] 2 points 4 months ago

That's how you get signed up for remedial security training.