submitted 3 months ago* (last edited 3 months ago) by cron@feddit.org to c/cybersecuritymemes@lemmy.world

We found out that 10% of our users entered their password.

[-] Track_Shovel@slrpnk.net 22 points 3 months ago

I'm not in cyber security. My role requires me to interact with a lot of people, work on a bunch of different SharePoint links, and on top of that corporate sends a shit pile of email links to training, peakon surveys, and stuff like that. When I started my new job (3 years ago now), I had a pile of training to do as well as my usual work.

I would be fully focused, keyboard clacking loudly and ding! Email. grumble who the fuck is this now? Oh some stupid training link... wham. Phishing training. Fell for it 3 times.

[-] cron@feddit.org 23 points 3 months ago

The whole Microsoft 365 system seems to be quite vulnerable to phishing. Sometimes SSO works, sometimes you need a password, maybe 2FA, maybe not. Many Microsoft notification emails come from external sources (with a big banner "this email comes from an external sender, be cautious").

This makes it hard for our brains to spot the small differences that make a phishing campaign successful.

[-] KevonLooney@lemm.ee 21 points 3 months ago

The solution is to suspect every external message and send them all to the phishing mailbox. Tell your boss that you are following the phishing training that you did first.

They will have to get their shit together and send important messages from internal mail addresses. That's just laziness.

[-] BearOfaTime@lemm.ee 5 points 3 months ago

Haha, love it

[-] gibmiser@lemmy.world 11 points 3 months ago

If employers don't want employees to get phished, a good first step is to not overwork them...

[-] BearOfaTime@lemm.ee 1 points 3 months ago

Especially with the HR/Corp BS

[-] lolrightythen@lemmy.world 6 points 3 months ago

At my work, the bogus phishing attacks are overly believable. They'll even come from a known in-house email account.

I've been dinged twice while otherwise occupied. I've stopped checking my email altogether. Play stupid games, win stupid prizes. I am being paid to do a job.

[-] Malfeasant@lemm.ee 4 points 2 months ago

Same. IT has inside info no real phishers will have. So far only got dinged once, but that's enough. I was already terrible about answering emails, now I'll be worse.

[-] sheogorath@lemmy.world 17 points 3 months ago

I never got phished by the simulations because I never open my emails. If there's something that needs my attention, either someone will Slack me or a ticket will be made on Jira.

[-] Diplomjodler3@lemmy.world 16 points 3 months ago

password123

Oh wait, that wasn't the question?

[-] GoofSchmoofer@lemmy.world 5 points 3 months ago

Put an ! at the end and it will be more secure.

[-] RamblingPanda@lemmynsfw.com 4 points 3 months ago

Lol, we use the same password

[-] Neuromancer49@midwest.social 12 points 3 months ago

I'm 100% so far at my job, but we had one test that tricked somewhere around 30% of employees. They spoofed everyone's supervisor and made it look like an urgent Teams message was pending.

Usually, if you get phished you lose your bonus. They made an exception that one time.

[-] ted@sh.itjust.works 22 points 3 months ago

You lose your bonus? What basement-dwelling neanderthal executive came up with that hogwash?

[-] Neuromancer49@midwest.social 4 points 3 months ago

To be fair, my job involves very sensitive medical data. We've seen entire businesses shut down because of data breaches.

[-] Aganim@lemmy.world 12 points 3 months ago

Phishing simulations should be about educating employees, not punishing them. Train them on what they missed and, if training material is available, check where it might be lacking. Nobody learns from having their bonus taken away. It also only serves to stimulate a culture where people prefer not reporting possible security issues they might have caused, in order to avoid further pay cuts.

[-] JoeyJoeJoeJr@lemmy.ml 2 points 2 months ago

If someone is consistently falling for phishing emails (real, or from the IT department), shouldn't that person eventually be fired? Isn't that a punishment?

If there is neither a punishment nor a reward, what is the incentive to learn? Some people may not need one. Many others do.

I agree that a single failure resulting in the loss of significant income might be harsh, but I think there needs to be a way to convince people to take the issue seriously, and a punishment of some kind is therefore always warranted (e.g. eventual firing).

You can balance out the issue by creating a reward system as well, e.g. if you report all of the test emails sent to you in a year (i.e. not just ignore them), your bonus is increased by X% or something. Similarly, if you report an actual phishing email, your bonus is increased by some percent, even if you initially fell for it. I think it is possible to foster a consciousness and honest culture, with a system that includes punishments.

[-] glimse@lemmy.world -3 points 3 months ago

I dunno...If you're in a position to get a bonus, you should be smart enough to not click on random links and enter your work password.

I am extremely pro-worker, but I would be fuckin pissed if an employee so easily gave a potential hacker access to our systems, and that's what the test is for.

[-] cron@feddit.org 4 points 3 months ago

My understanding is that the phishing awareness mail is part of the training, and NOT a test. But company culture varies, of course.

[-] cron@feddit.org 4 points 3 months ago

I can only imagine how frustrating it would be to get a financial punishment for clicking on links.

[-] RamblingPanda@lemmynsfw.com 5 points 3 months ago

Easy, never read or open mails. NEVER!

[-] bgb_ca@lemmy.ca 1 points 2 months ago

They tried a similar one on me once. Sent an email saying my boss (by name) sent me a virtual gift card. I immediately knew it was one of their "phishing tests" as my boss is a giant douche who would rather take the time to throw me under a bus than do anything that nice.

[-] Vinny_93@lemmy.world 9 points 3 months ago

They haven't fooled me yet. They're actually fairly easy to spot.

[-] clif@lemmy.world 3 points 3 months ago

The last round my company did was pretty damn good. The email itself was well done and professional looking. They even registered a domain that was one letter different than the company name for the source email domain and the phishing form.

It was still one of those things that makes you hesitate like "your password has expired, click here to reset it" and the email client blatantly flagged it as being from outside our true domain. The client warning was the easy thing to spot, the rest was really well done.
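The "one letter different" domain described above is exactly what a mail gateway or a triage script can check for mechanically. The following is an added example, not code from the thread or from any vendor product: it computes the edit distance between a sender's domain and the company's own domain and flags close matches. The company domain `examplecorp.com`, the sample `From:` headers and the two-edit threshold are constructed assumptions.

```python
"""Flag sender domains that are a letter or two away from the company's own domain.

Added example for the thread above; not from any real gateway. The company
domain, the sample senders and the distance threshold are constructed.
"""

COMPANY_DOMAIN = "examplecorp.com"  # constructed placeholder, not a real tenant


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the usual two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of 'Display Name <user@host>' or 'user@host'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(address: str, company_domain: str = COMPANY_DOMAIN,
                    max_distance: int = 2) -> str:
    """Classify a sender as 'internal', 'lookalike' or 'external'.

    'lookalike' covers two patterns: the whole domain is within max_distance
    edits of the company domain (examp1ecorp.com), or the company's name label
    is embedded in a different domain (examplecorp-login.com, examplecorp.net).
    """
    dom = sender_domain(address)
    if dom == company_domain:
        return "internal"
    if edit_distance(dom, company_domain) <= max_distance:
        return "lookalike"
    company_label = company_domain.split(".")[0]
    if any(company_label in label for label in dom.split(".")):
        return "lookalike"
    return "external"


# Constructed sample headers; none of these addresses are real.
SAMPLE_FROM_HEADERS = [
    "IT Helpdesk <it@examplecorp.com>",
    "IT Helpdesk <reset@examp1ecorp.com>",
    "Password Service <reset@exampleccorp.com>",
    "Portal <login@examplecorp-login.com>",
    "Newsletter <news@vendor.example>",
]


def audit(headers):
    """Map each header to its classification so a triage script can route it."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in audit(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:9s} {header}")
```

The classifier is a complement to the "[External]" banner, not a replacement: the banner tells the user the mail left the tenant, while the distance check tells the gateway that the sender is pretending not to have. Tune `max_distance` to the length of your domain; for very short domains a threshold of 2 will match unrelated names.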

[-] APassenger@lemmy.world 4 points 3 months ago* (last edited 2 months ago)

That's the odd thing with where I work: until recently all the phishing simulations were from within the company domain and so lacked the [External...]

It's not impossible for an already infiltrated network, but I still expect to see that it came from outside. Maybe that's me, tho.

Wdits: spullings <- like those

[-] clif@lemmy.world 1 points 2 months ago

Wow, that is impressively sneaky to use the legitimate domain.

[-] Got_Bent@lemmy.world 8 points 3 months ago

I got phished circa 2001. Got about three thousand drained from my bank account which I shockingly got back. (Though Elon's PayPal threatened to sue me over it but never did when I told them to come and get me over the failure of their own security)

I've never responded to any email requesting login since no matter how legitimate it may be.

[-] ironhydroxide@sh.itjust.works 8 points 3 months ago* (last edited 3 months ago)

In my company, about half the services in use that require SSO login are flagged as "external" when receiving emails. Along with the fact that quite a few of the services don't use https, so all downloads from them (doc services) are flagged as untrusted in modern browsers.

Users are just used to ignoring the warnings designed to stop the majority of easily identified flags, because the actual work requires it.

[-] Thebeardedsinglemalt@lemmy.world 7 points 2 months ago

They blast us with the dumbest most obvious phishing simulations. Then send out legitimate "register for this new app" email, which large numbers of people report and the director gets pissed, despite the fact it meets the bulk of the "signs of a phishing email". Then a month later we get hit by a phishing attack that automated software blocked.

My company ones are always super obvious. One of the best ones, though, was on Valentine's Day, spoofing a Valentine's e-card from a coworker in your organization.

[-] faebudo@infosec.pub 4 points 3 months ago

Yes but the only relevant metric is how many reported it. Doesn't matter if they delete, read, click or enter data. We're only interested in the information that a phish got through our security controls (=we failed our users), so we can investigate (and clean up if needed) the impacted mailboxes and accounts.

[-] brianorca@lemmy.world 2 points 2 months ago* (last edited 2 months ago)

No, this is about the fake phishing emails that are released inside the network to test user response. If clicked, they report to IT which users need more training.

[-] faebudo@infosec.pub 2 points 2 months ago

Yes, I know. We do simulations, but we only measure who reports them and provide training on how to report them (in the mail itself). No shaming for users who click them and no additional training on how to look at details.

It makes no sense training users to look at, for example, the links if all the big vendors use suspicious links anyway. For example, the phishers use OneNote shares to phish, but those are hosted on Microsoft, which by itself is legitimate. The only way a user really is able to recognize a phish is if it is unsolicited (report the mail as spam) or if it looks legit but asks for credentials (report it; we use SSO everywhere possible and you should never be asked for credentials for one of our platforms). We cannot do this for all vendors, however, and the users are encouraged and trained on using passkeys or autofill by the company-provided password manager so that they get suspicious when no autofill is possible; then they can report the mail.

It's not always possible to recognize phishing from the get-go, and security is better suited to investigate than a rando from the logistics department.
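Scoring a simulation the way the two comments above describe (report rate as the headline number, click and credential events kept only so security knows whose mailbox and account to clean up) is a few lines of log processing. This is an added example, not the commenter's tooling or any simulation platform's export; the event names (`delivered`, `clicked`, `entered_credentials`, `reported`, `deleted`) and the five-user event log are constructed.

```python
"""Score a phishing simulation by reports, not by clicks.

Added example for the thread above. The event log and event names are
constructed; a real platform's export will differ.
"""
from collections import defaultdict

# Constructed telemetry: one simulation mail sent to five users.
SAMPLE_EVENTS = """\
2024-08-19T09:00:00Z user=alice event=delivered
2024-08-19T09:00:00Z user=bob event=delivered
2024-08-19T09:00:00Z user=carol event=delivered
2024-08-19T09:00:00Z user=dave event=delivered
2024-08-19T09:00:00Z user=erin event=delivered
2024-08-19T09:02:10Z user=alice event=reported
2024-08-19T09:05:42Z user=bob event=clicked
2024-08-19T09:06:03Z user=bob event=entered_credentials
2024-08-19T09:07:30Z user=bob event=reported
2024-08-19T09:15:00Z user=carol event=clicked
2024-08-19T10:00:00Z user=dave event=deleted
"""


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((ts, kv["user"], kv["event"]))
    return events


def per_user_outcome(events):
    """Collapse each user's events into one status plus the cleanup flags.

    A report wins regardless of what happened before it: a user who clicked,
    typed a password and then reported is a success for the awareness metric
    and still shows up in the cleanup list because of the flags.
    """
    seen = defaultdict(set)
    for _, user, ev in events:
        seen[user].add(ev)
    outcome = {}
    for user, evs in seen.items():
        if "reported" in evs:
            status = "reported"
        elif "entered_credentials" in evs:
            status = "submitted_credentials"
        elif "clicked" in evs:
            status = "clicked"
        else:
            status = "no_action"
        outcome[user] = {
            "status": status,
            "clicked": "clicked" in evs,
            "submitted": "entered_credentials" in evs,
        }
    return outcome


def summarize(events):
    """Headline report rate plus the lists security actually acts on."""
    out = per_user_outcome(events)
    total = len(out)
    reported = sorted(u for u, o in out.items() if o["status"] == "reported")
    return {
        "total": total,
        "report_rate": len(reported) / total,
        "reported": reported,
        "reported_after_click": sorted(u for u in reported if out[u]["clicked"]),
        "submitted_credentials": sorted(u for u, o in out.items() if o["submitted"]),
        # Anyone who clicked or submitted needs a session/credential check,
        # even if they reported afterwards.
        "needs_investigation": sorted(u for u, o in out.items()
                                      if o["clicked"] or o["submitted"]),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_EVENTS)).items():
        print(f"{key}: {value}")
```

Two things the output makes visible that a click-rate dashboard hides: bob counts toward the report rate even though he entered credentials first, which is the behaviour you want to reward, and carol's silent click is the case that most needs follow-up, because nobody told security.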

[-] itsgroundhogdayagain@lemmy.ml 3 points 3 months ago

My company is the only one trying to phish me at work.

[-] CheeseNoodle@lemmy.world 2 points 3 months ago

So long as it's a 50/50 between your boss being mad or the company losing money, employees are going to open the email.

[-] Taiatari@lemmynsfw.com 1 points 3 months ago

I need that template :D

this post was submitted on 19 Aug 2024
194 points (99.5% liked)

Cybersecurity - Memes

Only the hottest memes in Cybersecurity