![Acceptable Use Pawlicy [TrueNuff]](https://lemmy.world/pictrs/image/c1e2ddf4-6afb-48f1-aede-85c3359f36ad.jpeg){kind=link}
Transcript
Panel 1: [Coworker in a red tie with dark hair leans into the cubicle of IT who is busy on a computer, a key card or ID hangs around his neck]
Coworker: I clicked an email link and it says I need training?
Panel 2: [IT stops working and looks irritated]
IT: Ah yes. The Training.
Panel 3: [IT sprays the coworker with a spray bottle]
FSHSSSH
FSHSSSH
FSHSSSH
IT: BAD! THAT WAS BAD!
Panel 4: [IT continues spraying the coworker, now crouching down hands raised defensively as the water is sprayed in his face. IT ha a look of glee on his face as another coworker walks by with a look of concern on her face, papers in hand.]
FSHSSSH
FSHSSSH
FSHSSSH
FSHSSSH
FSHSSSH
Coworker: HISSS!
Alt Text
The next training module unlocks after three hisses
.
They do that here routinely. The last time they sent it using the email account that is basically the one email that you do not ignore because they use it for urgent “please push the patch asap” type emails.
If that email is compromised they got bigger issues.
They bought a domain name similar to ours and sent out emails with links to the domain and a clone login page. Pretty sneaky.
At a previous job, they used to send them fairly often, using various tricks to keep people on their toes. I found it fun
All of ours have phishing in the URLs or in the email headers, if only real phishers were so nice!
What would that be testing, whether the users are psychic? If the email sender is legitimate, then what else would users need to do?
my team actually does pretty good with the cyber security checks. the people running the have to meet a certain amount of metrics so they figured “hey if we send it from this one email, everyone is going to trust us!” … because that’s what they’re supposed to do… Which makes a terrible thing to do. because now they’re always going to be asking if this new email is another test.
(Bruh. if you want us to go to training, just ask.)
I wish they’d take the test ones one step further and actually try to phish some information. I failed one of those tests but realized it right after clicking the link, but it didn’t matter because they assume that clicking the link means you’re going to provide everything else they are looking for.
Not sure what kind of links your regular urgent emails usually have, but if you’re regularly clicking strange links as part of your job, they should really take it to the next step and see if you were going to provide credentials or something before failing the test because otherwise it just means people are afraid to do their jobs because it might be another test.
Sending an email doesn’t have authentication. I can send an email as literally anyone. It’s a very trusting protocol.
Now, if your company is particularly good they might have set up protections from this. But it’s not required, and not super common.
An email service can check every email and catch the vast majority of spoofed headers pretty easily.
You’re right, it’s possible that the email is spoofed and passed the header checks, or that email is already compromised, or something.
That said, using one’s one legitimate email in a phishing test. They said the same stuff. So we spent about a month calling them for every email they sent (including the “you need to sign up for training”)
It creates more problems than it’s worth, and they caught the point pretty quickly.
Hah! I did the same with every spam email that got through the filter.