| ▲ | cedilla 6 days ago |
| All that anti-phishing training that taught us to look closely at the URL and now it's all just safelinks.protection.outlook.com |
|
| ▲ | Workaccount2 6 days ago | parent | next [-] |
| My It department does mandatory phishing training every year, and then for the "test" e-mails, they spoof a domain and whitelist the DMARC on their side so it goes through. So we get e-mails from @microsoft.com and it's only if you dig in the metadata that you see it failed authentication. The only tell in the e-mail is checking the URL, which doesn't tell you much because tons of regular e-mails use tracker redirects too. They even send emails from our own domain or the domain of our payroll company. I won't type out my rant, but our IT department is a few guys who couldn't figure out what to do when their competitive xbox FIFA 2006 dreams failed, heard IT pays a lot with not much work, and then sat through the certs. |
| |
| ▲ | stronglikedan 6 days ago | parent | next [-] | | > heard IT pays a lot with not much work I want to live in this fantasy world! (Our IT dept is so overworked that I go out of my way to work around them purely out of empathy.) | | |
| ▲ | throwawaylaptop 6 days ago | parent [-] | | Every industry has its bad employers and good. I know teachers that make $50k and no pension, with others making $93k, halfways to their pension at 35yrs old, get almost 12 weeks off total a year, and work from 8am to 3pm (1 hour lunch, 1 hour for 'prep' aka Netflix) and home by 335, and no, they basically never do any work at home. She technically has students (10 year olds she sends links to for their chrome books) about 5x53 minutes a day. | | |
| ▲ | fair_enough 6 days ago | parent [-] | | That sounds like a good semi-retirement gig just to get out of the house for a little while. If you're teaching the tech-related electives rather than mandatory core courses, the students are likely a lot more pleasant to deal with. I took German just to get away from the all the kids taking Spanish or French who were just there because they have to get their foreign language credit. | | |
| ▲ | throwawaylaptop 5 days ago | parent [-] | | Yes, just what we need, retired people with a whole career of making income behind themselves taking another decent entry level job someone one just out of college can get. (No teaching credential needed for substitute teachers usually) | | |
| ▲ | fair_enough 5 days ago | parent [-] | | If a semi-retired engineer with 2-4 decades of work experience makes a better public high school STEM teacher, then I hope a lot more engineers do it as a semi-retirement gig. The aspiring career schoolteachers will just have to find a job in a field that is short-staffed, like registered nurses or one of the trades. I'm sure that comes across as "let them eat cake" to some Bernie moron, but going back to school for 6 months is small potatoes, and doing a little market research before making big financial decisions like choosing your college major in the first place is basic adult responsibility. If we apply the "lump of labor" fallacy everywhere else honestly and consistently, we would have to be opposed to immigration and trade because "those damn foreigners" went and "took er jerbs". https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRtkJaZ... | | |
| ▲ | throwawaylaptop 4 days ago | parent [-] | | I am 100% opposed to immigration too. | | |
| ▲ | fair_enough a day ago | parent [-] | | You're opposed to immigration until you personally can have greater freedom or a higher standard of living somewhere else. | | |
| ▲ | throwawaylaptop 9 hours ago | parent [-] | | No doubt I could enjoy a better life somewhere in the world. But I dont expect that country to let me move there and give me their opportunities. |
|
|
|
|
|
|
| |
| ▲ | bongodongobob 6 days ago | parent | prev | next [-] | | No one in IT wants to deal with that stuff. Upper management requires it for compliance and cyber insurance. | |
| ▲ | BobbyTables2 4 days ago | parent | prev | next [-] | | My company does similar phishing thing. Except their system adds extra headers related to the phishing… Wonder if they even know… Thus, I created an Outlook rule to automatically move them to a dedicated folder… (;-> | |
| ▲ | fair_enough 5 days ago | parent | prev | next [-] | | My university pulled the same BS 10-15 years ago. The worst part is that they sent the "test" email from the same email address they use for all of their other announcements, and then had the gall to send an automated "shame on you" reply if you clicked their link. Knowing what I know now about the IT staff and professors and knowing in hindsight only 3-4 of my CS classes were of any relevance to my work, I seriously regret not cheating my way through undergrad. I wish I could take back the time I wasted on Java and spend it with my N64. | |
| ▲ | cameron_b 6 days ago | parent | prev [-] | | Hey, simulating the hack is a lot better than using some canned tool with blatant knowbe4 urls. | | |
| ▲ | Workaccount2 6 days ago | parent | next [-] | | The problem is that if you click one of the links, you need to do (well sort of) the hour long phishing class and testing again. But of course, nowhere in the class do they say anything about not trusting e-mails from a known safe domain. Whats funny though is that if you click the link in a phishing test, they will e-mail you to complete the training. But there is no enforcement (general management doesn't care), so you just get a daily e-mail telling you that you are overdue. It also however stops them from sending the fake phishing emails. So a bunch of us clicked the phishing link, marked the "do your training" e-mail as spam, and now never get bothered. | | |
| ▲ | arcfour 5 days ago | parent [-] | | Where I was, they tracked who didn't do it, and came down on them, then their manager, and then it became an HR issue. Only one or two people went down the HR path, and then they did the training pretty quickly. Of course it didn't start harsh, just "hey, a reminder, we are tracking this and you need to do it" but when you blatantly ignored it the response got more firm. Also, the last one I took they talked about phishing using a malicious Google docs link IIRC. Anecdotes don't mean you know everything about a system. |
| |
| ▲ | 201984 6 days ago | parent | prev | next [-] | | For anyone subjected to these, they usually contain the header X-PHISHTEST which you can create a filter for, and then either send them to trash or put them in a special folder so you can report them later. | |
| ▲ | bongodongobob 6 days ago | parent | prev [-] | | You can use whatever urls you like. |
|
|
|
| ▲ | syllogism 6 days ago | parent | prev | next [-] |
| In Europe there are legitimate and extremely established services that require you to input your bank login details into something other than your bank's website. It's madness. |
| |
| ▲ | dtech 6 days ago | parent | next [-] | | There's no legitimate case for that since PSD2 (mandatory since 2020). Are you not confused by that? PSD2 doesn't share your credentials. I'm an European and have never needed to use nor encountered those services. | | |
| ▲ | siva7 6 days ago | parent | next [-] | | PSD2 is just MFA, it doesn't prevent shady companies still asking your login credentials, even if you must authorize that login from your official banking app. Klarna is one of many examples - they ask me for my bank credentials on their own website so they can crawl all my finance data . | | |
| ▲ | bradfa 6 days ago | parent | next [-] | | Plaid and Finicity do this in the USA for some linking of banking to other financial products. Feels SO insecure. Connecting my credit union checking account through Plaid even ironically brought me to a login page which explicitly states I should never give my banking password to any other entity. If I need to link my accounts and these services are the only choice then I change my banking passwords immediately after. | | |
| ▲ | chrisweekly 6 days ago | parent [-] | | I thought Plaid used OAuth2. Hmm. | | |
| ▲ | karel-3d 6 days ago | parent | next [-] | | Plaid whole business model is that it uses OAuth2 on banks that support it and export the data through APIs; and for the banks that don't, they ask for name/password and scrape it through "fake" web browser that mimick user behavior on the backend. (I worked for a Plaid competitor. The long-term goal for all similar companies is of course to use OAuth and APIs, because it breaks less often; but since the banks don't offer that, scraping it is!) | | | |
| ▲ | cpburns2009 6 days ago | parent | prev [-] | | Plaid asks for your raw bank credentials so that it can scrape up data. That's why I've always refused to use it. | | |
|
| |
| ▲ | StopDisinfo910 6 days ago | parent | prev | next [-] | | I have a Klarna account I opened when their flex account rate was amongst the best you could get and I don't remember them ever asking for my bank credential. I think Bankin' used to before PSD2 and to get a bit more information from some banks but then again Bankin' is a financial agreggator whose explicit purpose is crawling your banking data so it's not too surprising to see them asking for your credentials. | | | |
| ▲ | FinnKuhn 5 days ago | parent | prev [-] | | So does Paypal nowadays when you want to open a new account... |
| |
| ▲ | dcminter 6 days ago | parent | prev [-] | | Where a bank doesn't offer compliant APIs, screen-scraping integrations are explicitly allowed. Not sure how common that is at this point. | | |
| ▲ | _boffin_ 6 days ago | parent [-] | | Thousands and thousands of institutions, they scrape. | | |
| ▲ | dcminter 6 days ago | parent [-] | | Not sure what you mean specifically, but generally the organisations doing screen-scraping¹ would prefer to use compliant APIs as they don't require anything like as much maintenance (bank adds a button to the login flow? Kaboom! Integration is broken...) or resources (e.g. running headless browsers). Some markets are pretty much exclusively compliant - I don't think there are any Nordic banks that don't have fully PSD2 compliant APIs for example whereas, if I remember rightly, the Spanish banks were all over the place. I'm fairly out of date though, so things may have improved or exceptions for scraping expired. ¹ Note that I'm talking exclusively about banking integrations here, not AI nonsense. |
|
|
| |
| ▲ | fancyfredbot 6 days ago | parent | prev | next [-] | | Care to mention what these legitimate and established services are? | | |
| ▲ | JLCarveth 6 days ago | parent | next [-] | | Plaid is used by a lot of the major Canadian banks. | | |
| ▲ | raudette 6 days ago | parent [-] | | Flinks is also an often-used aggregator in Canada. "Connecting" savings accounts from EQ Bank or Wealthsimple to an account at TD Bank requires providing TD credentials to Flinks. |
| |
| ▲ | joshuaissac 6 days ago | parent | prev | next [-] | | Sofort used to do this. I don't know if they still do. | |
| ▲ | 6 days ago | parent | prev | next [-] | | [deleted] | |
| ▲ | FinnKuhn 5 days ago | parent | prev [-] | | Paypal, Klarna |
| |
| ▲ | didsomeonesay 6 days ago | parent | prev | next [-] | | Name and shame: Klarna did this. Not sure if they still do because i stay well clear of them. | |
| ▲ | BlindEyeHalo 6 days ago | parent | prev | next [-] | | I find this hard to believe and have never seen that ever. | | |
| ▲ | jeltz 6 days ago | parent | next [-] | | It used to be common 5 years ago before PSD2. | |
| ▲ | brettermeier 6 days ago | parent | prev [-] | | Don't understand the downvotes, i never saw that too, and i am shopping online very often. | | |
| ▲ | consp 6 days ago | parent [-] | | If you used the first gen "pay later" services they'd scrape you for "compliance checking" or simply mask it as a transaction which is actually just personal information scraping. Most of the times you did not see it, as it's obfuscated as a part of the transaction. They are also the companies complaining a lot about the "failure" of the PSD standards since it limits how much and how obfuscated they can scrape everything (and there are records). |
|
| |
| ▲ | BrandoElFollito 6 days ago | parent | prev | next [-] | | Are you talking about the possibility to pay via your bank account directly on a checkout page? If so this is the bank page you are using. Can you give some examples? | |
| ▲ | bombcar 6 days ago | parent | prev | next [-] | | Multiple US hospitals and insurance companies use genuine links like doctor-services-for-u.biz - infuriating. | |
| ▲ | PeterStuer 6 days ago | parent | prev [-] | | Are you sure? Never seen any such thing. | | |
| ▲ | jeltz 6 days ago | parent [-] | | It used to be common before PSD2 but I have personally not seen it for some years. | | |
|
|
|
| ▲ | fp64 6 days ago | parent | prev | next [-] |
| I find it very difficult to inspect the email headers in Outlook, I think for the iOS app it's not even possible. It's almost like they want to make it less transparent and secure |
|
| ▲ | devoutsalsa 6 days ago | parent | prev | next [-] |
| I recently reported an email with “glint.email.microsoft” as a phishing attempt, but it turned out to be a corporate survey. |
| |
| ▲ | Thorrez 6 days ago | parent [-] | | Well it's probably hard for anyone except Microsoft to get a domain with the .microsoft TLD. | | |
| ▲ | milkshakes 6 days ago | parent [-] | | what percentage of the online population do you expect to understand this? | | |
| ▲ | greengreengrass 6 days ago | parent | next [-] | | I have often wondered why we don’t see more usage of the brand gTLDs, which many of these big firms own. I muse that this is (part of) the reason why – there simply isn’t the understanding or recognition outside tech circles (or even within tech circles) to comprehend that it is possible to use such a gTLD without a conventional .com or similar suffix tacked on the end. I tend to see it localised to use for marketing micro sites that do not ask for credentials so have no need to establish user trust, or occasionally internal technical uses that will never touch the typical customer’s eyeballs. The other reason I hypothesise is that corporate big brother snooping systems that have whitelists for their trusted services – with entries like mail.google.com or calendar.google.com – are simply too painful at this point for big tech to break for their customers by dropping the .com suffix, so big tech doesn’t bother. No hard data on any of that, though. | | |
| ▲ | Thorrez 6 days ago | parent [-] | | I don't think you can put cookies on a TLD. So if Google used mail.google and calendar.google , the login system would be more complex, because they can't share cookies. | | |
| ▲ | arghwhat 6 days ago | parent [-] | | Modern auth systems do not work by exposing multiple services on a single domain with shared cookies. Instead, they authenticate using a common auth service (say, auth.google), which by virtue of being a single domain can persist shared cookies for all its consumers. This would yield a valid token (possibly a JWT) that the authenticating application can then use however it would like, including as a cookie on the application's own domain. Whenever you go to a service that temporarily sends you to a different login domain (often just immediately redirection you back), this is why. | | |
| ▲ | Thorrez 6 days ago | parent | next [-] | | Some modern auth systems. Not all. I created a separate Chrome profile, and logged in to gmail. Then I disabled javascript, then deleted all my google.com cookies (but left my mail.google.com cookies). Then I reenabled javascript and visited mail.google.com again. I was logged out. So Google is using the google.com cookies. | |
| ▲ | 6 days ago | parent | prev [-] | | [deleted] |
|
|
| |
| ▲ | Thorrez 6 days ago | parent | prev | next [-] | | Yeah, it does make things more difficult in terms of teaching people a simple rule. Instead of "ends with @<company>.com", the rule is "ends with @<company>.com or .<company>". OTOH, there were probably a lot of places already violating the "ends with @<company>.com" rule, e.g. by using subdomains, or even other domains. So very little of the online population was likely using the rule. And with email spoofing, even "ends with @<company>.com" can't be relied on to ensure the email is legit. So the rule of "don't click links in emails" is the only foolproof rule. Though you also need to add "don't copy and paste things from emails". | | |
| ▲ | arghwhat 6 days ago | parent [-] | | Yay for third-party email services that From: be a no-reply address from an entirely different company (and therefore only authenticity validation for that company), and a Reply-To: to some obscure mailbox from the supposed sender. I'm sure that makes perfect sense to most people. > So the rule of "don't click links in emails" is the only foolproof rule. The only truly foolproof rule is "don't open emails". Also helps a lot on mental health and associated expenditures! |
| |
| ▲ | r_lee 6 days ago | parent | prev [-] | | legit. I could imagine something like x-mucrosoft.email etc. being used and the users would just be like well there was email.microsoft so same thing! |
|
|
|
|
| ▲ | jcims 6 days ago | parent | prev [-] |
| Outlook has a rule filter for header content. Just saying I haven't failed a phishing test in ~10 years. |
| |
| ▲ | jsmith99 6 days ago | parent | next [-] | | My IT department use the official Microsoft phishing test. The emails arrive in inbox with 0 headers. (There's also a helpful Microsoft page of all the dodgy sounding domains they've registered for this.) | |
| ▲ | prmoustache 5 days ago | parent | prev | next [-] | | I just don't check my emails anymore. If it is important, people will complain on teams that nobody answer with some sort of urgency and then I'll look for it specifically. | |
| ▲ | sciencejerk 6 days ago | parent | prev | next [-] | | Mind sharing your filter rules? KnowBe4 uses X-PHISHTEST header and I think I saw Proofpoint using something similiar a few years back | | | |
| ▲ | monocularvision 5 days ago | parent | prev [-] | | I did this and it worked for a few months before word got to security who then forced everyone to remove the rule. |
|
