| ▲ | cyphar 4 days ago | ||||||||||||||||
A few years ago our annual corporate phishing training was initiated by an email sent from a random address asking us to log in with our internal credentials on a random website. A week later some executive pushing the training emailed the entire company saying that it was unacceptable that nobody from engineering had logged into the training site and spun some story about regulatory requirements. After lots of back and forth they still wouldn't accept that it obviously looked like a phishing email. Eventually when we actually did the training, it literally told us to check the From address of emails. I sometimes wonder if it was some weird kind of performance art. | |||||||||||||||||
| ▲ | ornornor 3 days ago | parent | next [-] | ||||||||||||||||
It’s all just box ticking and CYA compliance. “We got pwned but the entire company went through a certified phishing awareness program and we have a DPI firewall. Nothing more we could have done, we’re not liable.” | |||||||||||||||||
| |||||||||||||||||
| ▲ | apple1417 3 days ago | parent | prev | next [-] | ||||||||||||||||
I once got a "log into phishing training" email which spoofed the company address. No one even saw the email, it instantly hit the spam filter. Our infra guy then had to argue with them for quite a while to just email from their own domain, and that no, we're weren't going to add their cert to our DNS, and let a third party spoof us (or however that works, idk). Absolutely shocking lack of self awareness. | |||||||||||||||||
| |||||||||||||||||
| ▲ | wiseleo 3 days ago | parent | prev | next [-] | ||||||||||||||||
I can't pass phishing training on my first try because it often has bad advice as answers they are convinced are correct. Reading headers is one of such gems. | |||||||||||||||||
| ▲ | lovich 3 days ago | parent | prev [-] | ||||||||||||||||
If Kevin mitnick shows up or is referenced then I’m pretty sure it’s performance art | |||||||||||||||||
| |||||||||||||||||