Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
simoncion 4 days ago

> These companies tell customers to be suspicious of phishing attempts, and then they pull these stunts.

Yep. At every BigCo I've worked at, nearly all of the emails from Corporate have been indistinguishable from phishing. Sometimes, they're actual spam!

Do the executives and directors responsible for sending these messages care? No. They never do, and get super defensive and self-righteous when you show them exactly how their precious emails tick every "This message is phishing!" box in the mandatory annual phishing-detection-and-resistance training.

cyphar 4 days ago | parent | next [-]

A few years ago our annual corporate phishing training was initiated by an email sent from a random address asking us to log in with our internal credentials on a random website.

A week later some executive pushing the training emailed the entire company saying that it was unacceptable that nobody from engineering had logged into the training site and spun some story about regulatory requirements. After lots of back and forth they still wouldn't accept that it obviously looked like a phishing email.

Eventually when we actually did the training, it literally told us to check the From address of emails. I sometimes wonder if it was some weird kind of performance art.

ornornor 3 days ago | parent | next [-]

It’s all just box ticking and CYA compliance.

“We got pwned but the entire company went through a certified phishing awareness program and we have a DPI firewall. Nothing more we could have done, we’re not liable.”

cyphar 3 days ago | parent [-]

I agree, but I really wonder where on earth they find these people.

simoncion 3 days ago | parent [-]

If you're talking about the companies who provide the "training", either they're the lowest bidder, closely linked to someone who is buddies with someone important in the company [0], or both.

[0] ...so the payments serve the social function of enriching your buddy and improving your status in the whole favor economy thing...

apple1417 3 days ago | parent | prev | next [-]

I once got a "log into phishing training" email which spoofed the company address. No one even saw the email, it instantly hit the spam filter.

Our infra guy then had to argue with them for quite a while to just email from their own domain, and that no, we're weren't going to add their cert to our DNS, and let a third party spoof us (or however that works, idk). Absolutely shocking lack of self awareness.

darthwalsh 2 days ago | parent [-]

When they send out the phishing-simulation email campaign from the "compromised insider account" it's going to fool a lot more people!

wiseleo 3 days ago | parent | prev | next [-]

I can't pass phishing training on my first try because it often has bad advice as answers they are convinced are correct. Reading headers is one of such gems.

lovich 3 days ago | parent | prev [-]

If Kevin mitnick shows up or is referenced then I’m pretty sure it’s performance art

cyphar 3 days ago | parent [-]

If only, it would've been an honour to get phished by Mitnick. Rest in peace...

lovich 2 days ago | parent [-]

Years of useless knowB4 trainings with him in the video have given me a twitch whenever I hear him referenced

Macha 3 days ago | parent | prev | next [-]

I remember an email I once got.

Title: "Expense report overdue - Please fill now"

Subject:

<empty body>

<Link to document trying it's best to look like google's attachment icon but was actually a hyperlink to a site that asked me to log in with my corporate credentials>

---

So like, obviously this is a stupid phishing email, right? Especially as at this time, I had not used my corporate card.

A few weeks later I got the finance team reaching out threatening to cancel my corporate card because I had charges on it with no corresponding expense report filed.

So on checking the charge history for the corporate card, it was the annual tax payment that all cards are charged in my country every year, and finance should have been well aware of. Of course, then the expense system initially rejected my report because I couldn't provide a receipt, as the card provider automatically deducts this charge with no manual action on the card owner's side...

mhh__ 3 days ago | parent | prev [-]

Yielding to anything you say is a no-no because part of the deal is that you, as a geek, must bend over to their unilateral veto over everything in the company