The funniest ticket I've ever gotten
Posted by kikn79@reddit | sysadmin | 537 comments
Somebody had a serious issue with our phishing tests and has put in complaints before. I tried to explain that these were a benefit to the company, but he was still ticked. The funny thing is that he never failed a test, he was just mad that he got the emails... I laughed so hard when I got this, it truly gave me joy the rest of the day.
And now for your enjoyment, here is the ticket that was sent:
Dear IT,
This couldn’t have come at a better time! Thank you for still attempting to phish me when I only have 3 days left at
. I am flattered to still receive these, and will not miss these hostile attempts to trick the people that work here, under the guise of “protecting the company from hackers”. Thank you also for reinforcing my desire to separate myself from these types of “business practices”. Best of luck in continuing to deceive the workers of
with tricky emails while they just try to make it through their workdays. Perhaps in the future someone will have the bright idea that this isn’t the best way to educate grownups and COWORKERS on the perils of phishing. You can quote your statistics about how many hacking attacks have been thwarted, but you are missing the point that this is not the best practice. There are better ways to educate than through deception, punishment, creation of mistrust, and lowered morale. I do not expect a reply to all of this, any explanation supporting a business practice that lowers morale and creates mistrust among COWORKERS will ring hollow to me anyway.
Surph_Ninja@reddit
These kinds of tests are critical training tools. We’ve gotta train people to be skeptical about emails.
But practice some emotional intelligence and empathy. These tests absolutely create an adversarial relationship between IT and the users. From their perspective, it’s like a coworker trying to trick them into getting fired. Regardless of our intent, that’s how it feels.
This is a very good reason why you should contract a third party vendor to run these for you. When the users complain about the phishing tests, then you commiserate with them, and give them a ’yeah, I hate them too. wish we didn’t have to do it, but the insurance company makes us.’ Keeps the relationship between users & IT positive and feeling collaborative.
blueish55@reddit
Regardless of what happens and who does what, they would also be pissed if they or someone else got phished and brought everything down
There's no winning
The reality is that phishing is fundamentally a human problem and there's no real way to fix it
Surph_Ninja@reddit
What’s your point exactly? It can’t be fixed, so we shouldn’t do the training at all? Or we shouldn’t consider the proper way to train in a way that doesn’t affect morale?
blueish55@reddit
my point is that you can't automate it like a fucking biscuit production chain, and it's a constant uphill battle where people will constantly feel wronged or upset
wtrbotid@reddit
well said
Valdaraak@reddit
Dude's gonna blow a gasket when the next company he goes to does the same thing.
Starfireaw11@reddit
It's totally a boomer, probably retiring.
prog-no-sys@reddit
Wait until he finds out his new employer requires MFA on his personal cell phone
CmdrKeene@reddit
I'm so sick of this complaint. I wish I could give out those RSA keychains with the LCD screen again so that could be the "thing they have" instead of their cell phone.
I myself do not give a shit. Happy to use my phone to fetch a code.
DJDoubleDave@reddit
At a previous company we actually brought in some hardware fobs to issue due to this complaint. Then people could choose to either use an app on their phone or take a hardware fob.
I think we had only one guy actually take the fob. That's fine though, I do think it's a good practice to make that an option, even if nearly everyone will go for the convenience of using their phone.
If I remember right, the backend setup was a bit of a pain at first, but it wasn't that big a deal to provide them.
bencos18@reddit
I'd take up the fob offer wherever I could lol.
I hate dealing with phone apps and codes haha
RandomDamage@reddit
I had a gig where I had 5 cards and a code fob.
Despite how it sounds it was way better than dealing with purely software-based security.
Valdaraak@reddit
Yubikey.
Nik_Tesla@reddit
A company Yubikey, on my personal keyring!? How dare you sir!
TB_at_Work@reddit
See, that's why I have a SEPARATE KEYRING for my work yubikeys and RSA tokens...
duck__yeah@reddit
I have to carry that in my personal pants pocket? Unbelievable!
Ssakaa@reddit
You have to wear pants for work?
duck__yeah@reddit
Sometimes it's not the side pocket.
ITWhatYouDidThere@reddit
I forced the company to provide work pants that I put on when I get to the office. Never wash them, so they just stay in there.
notHooptieJ@reddit
Protip: just leave it at work, it's their property anyway
klausvonespy@reddit
or drop it in the parking lot with a handful of those special USB drives you just happen to be carrying.
notHooptieJ@reddit
Don't talk about my digital Art filing system like that.
You wouldn't understand, there's a special pocket in my anime pillow to store the most vital flash drives, the data they contain is priceless.
You just can't get "Art" like that anywhere outside of skeevy warehouses in Japan.
Ssakaa@reddit
... you forgot the /s. Please gods tell me you just forgot the /s....
YellowBreakfast@reddit
Just hide it under the keyboard, next to the Post-It with your password.
notHooptieJ@reddit
this guy gets it!
I mean ask HR! That's how THEY do it, and they're the #1 defenders of the company
right!? RIGHT!?
eliasautio@reddit
What? A COMPANY KEYRING in my personally bought trousers pocket? How dare you!
EEU884@reddit
Oh shit, is that what I sound like to my boss
sitesurfer253@reddit
Probably. Did you ask for a company car to get you to the office, or company clothes so you don't have to use your personal ones? If you're vision impaired, does your employer need to provide a second set of glasses for you to use at work to be able to get your job done?
If the above sound silly to you, that's how you sound when you don't want to use an authenticator on your phone.
EEU884@reddit
I sometimes make my boss pick me up for work. I fought against the company clothes. I have made the company pay for a 2nd set of glasses for VDU work as is the law. I don't like having anything work-related on my personal kit; the exception I have made is the authenticator, as I don't upgrade my personal phone anywhere near as much as I nick better work phones when they become available.
Commercial-Fun2767@reddit
People have reasons for this to be personal but not other things. It’s about laws… if the law says so, then it’s good.
klausvonespy@reddit
I don't disagree but ultimately employment is mostly not protected by contracts, at least in the US. If your employer wants you to do something you refuse to do, you can quit. You can refuse to do it and they can fire you.
The company will evaluate whether it is in their interest to acquiesce or kick you out. There are basic human right things that make some questions like this complex, but "I don't wanna install an app on my phone" isn't one of those rights.
BGrunn@reddit
Yes.
visibleunderwater_-1@reddit
Good day to you, Sir! I SAID GOOD DAY!
bobsmith1010@reddit
"will you pay me to carry around this on my keychain?"
theedan-clean@reddit
Jokes on them. I had custom, company branded, bright fucking company orange keytags printed and attached to the keys before distributing them to employees. Think the red “Remove Before Flight” canvas tags.
Don’t like using your personal phone? Yubikey. Don’t like having it on your personal keychain? Here’s a new company keytag.
The keychains were all of $2/each for a batch of a couple hundred, and I’m pretty sure the print house threw in an extra 50. On top of the $60/ea you spend on Yubikeys or $20/ea on Yubico Security Keys, if these save even a couple keys from loss, it was worth the effort.
And before you say “you shouldn’t identify the company on the key”, well, TFB.
williamp114@reddit
A Yubikey, on my keyring? It's more likely than you think.
Yake404@reddit
This had me howling
Crafty_Train1956@reddit
Cool, enjoy replacing them every time someone forgets it.
changee_of_ways@reddit
Christ yes. Way too goddamned expensive for places with high turnover of lots of low-wage workers that still need access to computers.
ArchonOfThe4thWAH@reddit
This is the way.
Jazzlike_Fortune2241@reddit
my company wouldn't let me use my Yubikey lol I said it's more secure than my phone...
tdhuck@reddit
Good, I wouldn't want anyone asking me to use their personal yubikey. The company should provide one, but absolutely not use a yubikey that doesn't belong to the company.
Extension-Bitter@reddit
It is... but not every company is willing to enable a security mechanism, configure it correctly, and fit it in the policy and conditional access for that one guy.
WilfredGrundlesnatch@reddit
$55.
canondocreelitist@reddit
Some MFA apps can completely wipe your phone when they offboard/fire you. Enjoy that.
cd1cj@reddit
What apps? I want to make sure my employer can't do this to my phone.
CmdrKeene@reddit
I manage this for both corporate-owned and personally owned devices for a huge corporation. That functionality does not exist even if we wanted it to.
We can wipe a corporate owned phone. But for a personal device we can only remove the corporate apps or the corporate partition of the phone (Android work profile)
There is no situation where we can erase somebody's personal phone.
canondocreelitist@reddit
Maybe your company can't, doesn't mean other companies can't, and don't. Do a Google search if you don't believe me.
ObiLAN-@reddit
It's such an annoying complaint too. Like, yes Bob, you have to spend 5 seconds to open the app to approve. Yes Bob, it's a standard security practice these days. Lol.
Personally, that decision's above my pay grade.
I just lock the account, inform the manager, and they can work with the employee on a solution, like the company providing them additional hardware for MFA.
trail-g62Bim@reddit
I don't have a problem with MFA. I do have a problem with it on my personal cell phone.
Then again, I work in govt and everything is FOIA-able. MFA wouldn't be a problem but as a matter of practice, I keep all personal devices separate.
I also do think generally that if a company wants an employee to use a specific piece of equipment, they should provide it.
metalwolf112002@reddit
The "if they want me to use it, they'll pay for it" argument for MFA is a pet peeve of mine.
Does your employer pay your gas mileage between your house and work? Unless you have a company vehicle you can drive home, the answer is probably no.
I see no distinction between the gallon of fuel my SUV uses to drive me to and from the office, and the few MB used out of the 256 GB my phone has to store an MFA app. In fact, that app is cheaper than the fuel cost.
cosmos7@reddit
This. Yubikey, dongle, authenticator app on company device... they pick, I use. But company wants something they are responsible for providing it.
p47guitars@reddit
do you use authenticator for your own devices / accounts?
is it really that much of a sin to have google authenticator or microsoft authenticator run on it?
cosmos7@reddit
Of course.
For use with work purposes? Absolutely... no different than requiring me to bring my own laptop or office supplies to do my job. As an employee if the company has a need they provide the means. If they provide a Yubikey (or whatever) and we both agree I can use my device as an alternate method that's one thing, but mandating use of personal equipment is an absolute no-go.
Commercial-Fun2767@reddit
Tell me what you think of these examples:
- You bring your lunch in company plastic bags?
- You refuse to work where there is no canteen?
- You require a company car or full reimbursement of your own car?
- Company underwear?
- You wear glasses and your boss wants you to see, company glasses?
- If no one sees you, can you use one of your own pencils?
- How much money is required to do home working?
The only reason to refuse the use of personal stuff I understand is if it costs you anything. Authenticator on your smartphone costs nothing.
For your personal laptop it’s NOT the same. It’s not easy to bring with you.
notHooptieJ@reddit
None of those things require compute power on a personal device, and "trust me bro" data concerns on an item filled with personal information.
If you wanted me to store your mystery black box in my bedroom I'd have similar concerns.
I mean I get it, and I begrudgingly put it on one of my devices, and even accepted the MDM lockdown so I could check my pay stubs on my phone.
But seriously, I accepted it because I didn't wanna be "that asshole" on my first day.
I'd really really really prefer that shit be off my personal device, but I'm well down the road now, it's not worth rocking the work boat.
And therein lies the issue: most of us don't like it, but we like eating and paying our bills, so we don't bitch anywhere but reddit.
Commercial-Fun2767@reddit
That’s the same for Outlook. I see less concern about connecting a work mail account on a smartphone than Authenticator for work MFA
rockstarsball@reddit
but the entire point of laptops is that they are easy to bring with you...
Commercial-Fun2767@reddit
And the whole point of a foldable bike is the same. Try to put it in your pocket.
rockstarsball@reddit
You sir, underestimate the amount of JNCOs I still have perfectly preserved
cosmos7@reddit
Lunch time is my time not company time. I can do as I please, including leaving to get food or simply fasting and taking a nap.
I am required to report in person; how I get there is up to me. If I am required to visit / service remote locations during work hours then the company is obligated to provide transportation or reimburse the cost of using my own.
Your examples are dumb and demonstrate a lack of understanding of labor laws and IRS rules. As an employee the company can dictate how work is performed, but is required to provide the means to do so.
And if I don't have a smart phone? Not every one is tied to an individual tracking device to mindlessly check their IG every 10 mins. Am I penalized because I don't have one, it stops working or otherwise becomes unavailable? That's the rub with personal devices... if you want to use one because it makes your life easier that's absolutely your choice. My point is that the company cannot require it and must provide an alternate solution.
Might want to reevaluate the absurdity of that statement.
Commercial-Fun2767@reddit
There is a dress code but no work clothes.
Might be dumb but I try to be respectful.
Anyway, this shows why work can’t require you to do this. But it does not show why a worker should refuse it. So, it’s asked. You say no. What is the reason?
Forget your laws. Forget you are egocentric. Think of your neighbour asking you to drive him to the mall.
Don’t think of what your neighbour is to you. Just think of you alone: what does this detour cost you?
I’m sure you’ll elude the question. I’m sorry it’s not crystal clear (I’m dumb).
If you are going to the mall and you have room in your car and the neighbour is not smelly or sticky and not dumb, it costs you nearly nothing. So why?
cosmos7@reddit
I'm not helping a neighbor, and I'm not giving up my precious time, expertise or resources for another entity to make money off of it either. Fuck you, pay me.
Company shit stays on the company-provided device so it can be tossed in a drawer and ignored at the end of the work day, assuming I'm not on call (paid) for some reason.
Commercial-Fun2767@reddit
If you don’t have a smartphone there is no question. My question is why refuse if you have a smartphone.
You didn’t say: what if I don’t eat. What if I live in my work building. What if I go naked.
p47guitars@reddit
I'm ok with it.
effedup@reddit
Next he'll want a company car to get to work, assuming they go in.
p47guitars@reddit
ha! I've actually heard of such things.
YSFKJDGS@reddit
So lets say your company payroll login, or benefits login requires MFA. Do you tell them no?
cosmos7@reddit
Company payroll / workforce / benefits sites generally use company MFA in my experience, so no issue given company already provides MFA solution.
YSFKJDGS@reddit
That's actually really odd and not best practice... what happens when you get fired and now can't access your 401k information anymore, or your previous year's W-2 stuff?
cosmos7@reddit
You're right that retirement generally requires personal contact info at the very least for recovery. It's on you if you're not saving your paystubs and W2s though, although upon separation if you failed to save copies you simply contact HR... they're required to provide it.
snark42@reddit
I've dealt with ADP, ChexSystems, UKG and some tiny payroll apps, none were tied (exclusively) to my work e-mail/login. I definitely don't think it "generally" does, but I'm sure some larger companies use SAML or something that makes SSO an option.
scriptmonkey420@reddit
Where I work I was part of the Yubikey test rollout. I ended up grabbing 6 Yubikeys for testing. I only need one for work, so for the other 5 I am contemplating what to use them on in my personal equipment and services. Right now it is just my SSH key login.
Virtual_Happiness@reddit
This is the real problem. If a smart phone is required for workers to do their job, the company needs to provide it. Expecting employees to use their personal devices without compensation is unacceptable.
xixi2@reddit
Should the company also provide you a car to get to work, or pay for your pants and shirt? You are required to wear pants and a shirt (well, except the WFH people).
Virtual_Happiness@reddit
When I am driving to and from work, I am not on company time. And yes, if there is a uniform requirement the company should pay for said uniform. Hilariously, most already do so your argument makes no sense.
xixi2@reddit
Your company does not want you to use a specific piece of equipment. You can use any smartphone you'd like. You use a lot of personal items at work, such as clothes. The "no mfa on my personal device!" people need to let this one go.
dansedemorte@reddit
100% this. I don't even hook my personal phone to the guest wifi even though it is an allowed practice.
Which sucks sometimes when I want to send a picture of some hardware that's got a problem to my work system for troubleshooting/support purposes.
the_star_lord@reddit
I don't see the hassle of having a MFA app on a personal phone with a key for my work stuff I'm also local gov (UK).
I don't see how a FOI request would need me to provide my personal phone.
Like I use MFA anyways for personal things, it's a separate account, I don't have to worry about two phones, I can simply delete the registration whenever I want, it takes all of 10 seconds to set up, it saves the company (local gov) money by not having to provide a phone with a SIM / plan, saves on man hours of providing and setting up and tracking a phone.
Like what's the big deal? Maybe I'm missing something massive which would change my mind but off the bat it just seems like ppl think we (IT) will spy on them if they install Microsoft Authenticator.
kable795@reddit
And then you’ll complain when you get charged for losing the device you only pull out to get a 6 digit code.
Commercial-Fun2767@reddit
I think if I crash into the building with a company truck I’ll be charged too. Or will insurance pay? Can endure the key maybe.
notHooptieJ@reddit
Oh, it's illegal to actually charge you for that, and yes, insurance will pay out.
You might not be there to see it, but it will pay out.
The company can't legally charge you for that, but the insurance company will come back around and sue you for it.
Commercial-Fun2767@reddit
You are talking philosophy or your country's laws? For me it’s the first. You are responsible for your actions. You might not want to be responsible for a thing you don’t like about your work. But complaining is not the answer.
effedup@reddit
We just set up an onsite hotelling kiosk computer for those with this attitude.
They usually overcome their issue pretty quickly.
ObiLAN-@reddit
Agreed, that's why I wish they'd approve us use of something like Yubikey.
I have no issue with people not wanting to use their personal devices.
I'm mainly jesting towards the people that will complain no matter what device is used for MFA haha.
p47guitars@reddit
Truth. I've had execs blow up at me about MFA, on company provided phones...
"IT TAKES TOO MUCH TIME! IT SLOWS ME DOWN!"
Well, that breach just took down the company and the insurance people are up YOUR ass for not approving the IT shit needed for cyber insurance, and you're mad at me!?
lilelliot@reddit
Honestly, it can be annoying. My current workflow: login times out to M365 (or SFDC), get prompted to log in. Login page actually completes a logout on the first try so I hit the browser Back button to get back to a clean login screen. Select username that's pre-populated. Select password from OSX passkey storage, then fingerprint on Macbook to use it. Then 2FA prompt goes to Microsoft Authenticator app on my phone, where I type the code and click "OK", but that's apparently also not enough because I'm prompted for biometric authorization on the phone to confirm the OK, too.
Then after all that, I can get back to work. Oh, but wait, it's even better (worse!): when M365 logs you out of a timed-out tab and you re-login in a different tab, just ctrl-F5-ing the timed-out tab doesn't reload the previous content. It loads the login screen. So in many cases you have no easy way of figuring out what content had been in that tab in the first place, which is highly disruptive.
This isn't an MFA rant, because I 100% support MFA. I also support policies that never require password rotation. But holy hell, the actual implementation of MFA systems & policies can result in truly awful UX for employees.
Thrashy@reddit
Yes, this can be incredibly frustrating, especially when all the convenience options get shut off or ratcheted down to their least permissive setting by an overzealous administrator. Firing up my work PC from a cold start requires no fewer than three cycles of username+password->enter the security code on my phone -> thumbprint verification to get to the desktop, connect the VPN, and read my email or Teams notifications. And since nothing is allowed to remember a previous authorization, something as simple as connecting to the VPN to work remotely while on a flight requires that I buy WiFi access for both my PC and my phone and then juggle both devices while I'm getting everything set up, so that I can repeat the MS Authenticator dance again for the new VPN connection. It's frankly a bit ridiculous.
lilelliot@reddit
The real frustrating piece here is that it doesn't have to be this way. I spent 8 years at Google and everything "just worked". Why? Because they were early implementers of Zero Trust, and even with 2FA, it was exceptionally easy and seamless (and remote access to [almost all] internal resources was possible via a browser or SSH from any machine anywhere in the world). Can you imagine being on vacation and being able to check your work email (Gmail / Workspace) or other internal apps just through what looks like a standard Google login? It's possible, and it's possible to enable safely!
MemeInBlack@reddit
If I'm on vacation I'm not checking work email. LOL, what do you think a vacation is??
metalwolf112002@reddit
A myth.
steveholt480@reddit
You got it, MFA is inherently not annoying, bad UX is.
dansedemorte@reddit
The problem with my work is that they stuck the phishing button in a spot where you have to open or preview the obvious phish mail. You can't just select it and hit the phish button.
They really don't like you to report suspicious-looking internal mail that looks like phishing but actually isn't.
One time the security folk had to send out a separate e-mail saying not to mark the one VP's mass mail as a phishing attempt. I'm guessing it auto-blocked it because so many people thought it was an actual phish mail from a compromised internal address.
Lefty-Alter-Ego@reddit
IMO MFA is nothing more than an electronic key. An employee shouldn't be required to maintain a smartphone they pay for personally to log into something for work. Same as I wouldn't expect an employee to provide their own mouse.
Triairius@reddit
My users complain, and my IT manager tells them it’s because of the ‘special nature of the project,’ but it’s standard, basic security. I’d be concerned working anywhere that didn’t require MFA.
kenfury@reddit
I loved my RSA tokens. Seriously. Phones get lost or stolen. My token was sitting in my "must have bag" and wouldn't run out of battery in 24-48 hours.
metalwolf112002@reddit
The company I worked at that offered hard RSA tokens had 3D-printed badge holders that held the token on the back as well. If I didn't have my token, I didn't have my badge, and I wasn't getting into the building anyway.
My badge was always in 1 of 2 places. Clipped to a belt loop on my pants, or attached to the strap on my lunch bag.
Crafty_Train1956@reddit
Got downvoted and ridiculed for pointing this out in another sub. Being asked to use your cell phone to provide a code to verify your identity is not the big deal some people are trying to make it out to be.
"Don't use my personal phone for work" - oh? So how does your employer get in touch with you when you're not in the office?
Oh.. they call you? On your phone? How dare they ask you to use your personal phone for work. tsk tsk tsk.
kirashi3@reddit
The requirement to "get in touch" with employees outside of regular working hours constitutes on-call pay in some jurisdictions.
I'm not saying I would go out of my way to claim "on-call" pay for a simple "hey, want to come in early tomorrow so you can [leave earlier or collect overtime pay]?" question, but legally, in some jurisdictions an employee could keep track of every off-work call / email / text they're "required" to answer, then file this with their local labor board.
I guess it really boils down to liability depending on the laws where you live, work, and play, and how ethical / moral you / your employer are.
p47guitars@reddit
me too.
It's no different than putting a corpo key on your keychain.
Are you really worried about data? We give you a free unmonitored guest network for your phones. Worried about it spying on you? It's microsoft authenticator! Microsoft is shitty, but they are not spying on you and nor can we.
Why is 50 MB worth so much fucking hassle?
Moleculor@reddit
Have you ever run into a user who made some bad assumptions about technology?
"The internet is down," when they can't access one website?
"It must be those server upgrades you did," six months ago?
Letting work use your personal phone gives micromanaging manglement a quasi-plausible excuse to demand further access on the same device you use to check personal emails, look at your bank account, and view porn.
All it takes is one moron in HR, a hostile lawyer, a stupid judge, etc, agreeing that "well, you use your cell phone for work, so we need access to examine it for..." and suddenly you have discovery and lawyers digging through your device, or HR threatening your job because they have this insane idea that because you pull out your phone for X, there's a chance you might have some company information on it that they need to view.
It's easier to be able to say that any electronic device they need to look at is their own equipment only. Their laptop, etc. That you don't have anything work related on your phone, and that you've actively avoided putting anything work related on it.
How do you sign on? Oh, that's easy: you have a little physical token.
Is it likely to be an issue? No. But all it takes is once in 30 years for me to regret it.
kirashi3@reddit
You can full-stop right here, because bingo bango this is exactly what can happen during a legal investigation.
While a company's legal team might "only need" access to "company" data, there's no guarantee they won't see personal information (accidentally or on purpose) during the legal discovery phase. This is a non-negotiable liability for me. If a job requires a phone for any reason, the job must provide said phone.
Kraeftluder@reddit
It's completely different. Comparable would be giving the user a yubikey to add to the keychain.
Besides that, you should have certain device requirements and in our case around 35% of our users have devices that aren't or can't be updated for example.
It's simply one of the costs of doing business; you shouldn't have to accept it from your employer and thankfully in many places it is flat out illegal to require your employees to use their personal device if they don't want to.
binaryhextechdude@reddit
We use Microsoft Authenticator with number matching. That means you have to upgrade the auth app to the latest version with the number matching feature. That comes with certain limitations regarding minimum OS version.
Yes the company had a bunch of phones out in the field that didn't meet that requirement and had to be replaced.
Users have been told their phones don't support the required OS version so they will have to be in the office to work until they upgrade their phones.
In a 5000-seat company we have maybe 15 people that refuse to use their private personal phones for MFA. I'm not allowed to be rude to them but I really don't have the time or the interest to listen to them bleating about it. If you won't put it on your phone then work 100% in the office with no email or Teams on your phone or access to such from home. Doesn't bother me.
Kraeftluder@reddit
We're a school system. We simply don't have the money to provide all of them with devices every 2 to 3 years. I don't know the exact numbers because I haven't looked at them recently, but we were around 25% who flat out refused to use their personal device. Down from well over 50% 10 years ago.
Neither do I and I don't let them either. But there's an easy enough solution that worked for us; hardware token solutions. And our users are generally used to it, we've had MFA on both our Student Information System and HR system since 2002, when RSA ruled the MFA world. License+token for one user was more expensive back then than a simple Yubikey is in 2024.
If you have a school issued phone, like a principal, you have to use the app. We also issue Yubikeys to privileged accounts. It's not that hard to be a bit flexible.
p47guitars@reddit
sure.
But to the users, I ask them: how are you locking down your own accounts? If they are not doing it for their own accounts, it really makes me not trust the user.
Kraeftluder@reddit
We've found that our security awareness programs do not fall on deaf ears. We asked them about MFA in their personal life (about 80% fill out the survey at the end of the training) and it's seen rapid increases since we started training them.
Some users will be willfully obtuse or ignorant; sure. We find that to be the minority and it's not as if they can go around the requirements we set.
Roarkindrake@reddit
Personally I prefer the RSA because the software token for work on phones breaks so much that it's nuts. I got lucky and my RSA token worked but a few folks had to do the phone thing for a while. It would desync about once a week lol. Plus easier to leave the RSA on the desk to log in to switches all night.
PlaneAsk7826@reddit
I just charge them $50 for a Duo key with the LCD. The employee can either install a free app or pay $50.
Brufar_308@reddit
I’m amazed at people that don’t already have at least one Authenticator app on their phone already. We are pretty flexible at work. you can use Ms Authenticator, or google Authenticator, or Duo, or a yubikey. I really don’t care which one you want to use, they are all supported and acceptable. Hope the grant request goes through so we can order yubikeys for everyone.
dansedemorte@reddit
I do, for personal stuff.
For work it's PIV, Yubi and even RSA token. Depends on where I need to go.
OldSpeckledHen@reddit
I've had an authenticator app for years... I already had it in place for a ton of my own personal stuff.
I use it for Plex, TeamViewer, NVIDIA, Facebook, Discord, Google, Epic Games... adding my company was a total non issue.
Tymanthius@reddit
Mostly I feel the same way. However I completely support those who do not want to use their personal phone at all, or w/o compensation.
I use my personal phone w/o compensation when it makes my life easier. I don't want to carry around more hardware, like an RFID card for the door, and a yubikey for MFA
robotbeatrally@reddit
I do, but even as a sys admin I keep my work and personal phone 100% separate.
Scurro@reddit
I work in education and we still do this for many teachers that refuse to use their smart phone.
It usually lasts until the first time they forget it at home and then call to get MFA reset so they can use the app.
notHooptieJ@reddit
I wish you could too, I'd much rather have that than a company MDM profile.
dansedemorte@reddit
If the company wants me to use a phone for work they can pay for a company phone for me.
ElevenNotes@reddit
That's called being a wage slave 😉.
Reelix@reddit
Oh - Didn't they tell you? It's a hardware-based MFA device to unlock your screen, and the device is company owned in perpetuity, and the authentication cannot be removed. If you leave the company, you lose your personal cellphone as well.
CmdrKeene@reddit
Everything about this is false. If the device was purchased by the company they can control it; if it's your personal device, you control it. Having an app that takes the current time on the clock and hashes it into a 6-digit number represents zero company control over your phone. It doesn't become owned by them, the authentication you refer to doesn't exist in the first place, and you don't lose your phone.
tdhuck@reddit
I understand where you are coming from, but that's not the point. The point is that the company wants 2FA so the company needs to provide the solution. Using your personal device should not be part of the solution if it is the ONLY option.
I work in IT and I won't use my personal devices for company use. Others may not want to carry a second phone or, in this case, a second device like a yubikey, but the company should offer the yubikey or app on personal cell phone, if the employee chooses their cell phone, that's great, but they had a choice.
dustojnikhummer@reddit
Why is this not a valid complaint again?
CmdrKeene@reddit
For me it's because it doesn't store or hold any company's data any more than a keychain. It doesn't track or connect to your account, it doesn't know your location or even if/when it gets used. The 6 digit codes are computed by looking at the clock, not connecting to some spy server. It's merely a thing you have, like a keychain, and doesn't involve having company data on a personal device.
This would be like someone saying they don't want the key fob because it takes up room on their personal keychain.
In both cases the user can get a separate keychain or a separate phone if they need more separation. We aren't mandating you have to use your personal phone here.
dustojnikhummer@reddit
Good, because there are people on this very subreddit who don't see it this way. It's "my way or highway", ie "use your personal phone for MFA or I will make your life a fucking hell". And then they wonder why users dislike our kind.
I have a separate work phone (one of only a few people here) but it is important people get the choice.
Jaereth@reddit
We literally have to do this because of buttbabies not wanting to install Duo Mobile on their phones...
Arudinne@reddit
Token2. Works with O365.
I have one attached to a test account. Only thing it doesn't work with is our Fortigate VPN that still uses NPS, but we're moving to SAML SSO VPN which the token does work with.
robisodd@reddit
Amazon link for those curious: https://amzn.com/dp/B07RQPJNZH
Arudinne@reddit
That's not the model we use, but getting one off Amazon to test with is cheap. Once we decided to make them generally available we purchased them directly from Token2.
Som1tokmynam@reddit
Yeah, just be careful: depending on your conditional access policies (ours has "require compliant device"), the built-in "browser" of FortiClient doesn't work and you have to use "use external browser", and those tags aren't processed by Chrome unless you install the Microsoft single sign-on extension.
(Better to use Edge, but that's another battle for the next guy; already tried to make people use Edge...)
Arudinne@reddit
Don't have that yet, but we bought EMS so we might try some enforcement stuff there in the future.
Datsun67@reddit
The SAML implementation works smoothly with fortigate SSLVPN. We were able to toss out our fortiauthenticators.
Arudinne@reddit
We have a FortiGate VM running in Azure that we're using to move everyone to the SAML SSO VPN. Once that's done, we plan to convert the on-prem units as well. Maybe configure a Traffic Manager Profile to spread the users across all. Or might just keep everyone on the cloud one.
willwork4pii@reddit
We have phone call enabled, which, ironically they have little hate toward receiving a call on their personal phone?
RubixRube@reddit
The RSA keychain will get lost continually and it WILL be your fault.
AMDIntel@reddit
At my old job we used FortiTokens. Physical for those that wanted it and an app for those who had work phones or were OK with personal phones.
CmdrKeene@reddit
I wish we could do something physical for those that wanted it but didn't want to carry an entire second phone. I'm actually always surprised by how many DO want a second phone, I'm so very happy to have my work profile on my personal android device. I even have a work phone number that can ring into that. It's practically like having a dual sim phone from my pov.
For auth app we let anyone use any TOTP app they want, although I advocate for MS Auth because we use so much MS stuff and I love the push notification/fingerprint experience versus typing a code. I honestly want my company to stop even allowing the SMS option at all but there would be way too much complaining if we did that.
Vektor0@reddit
They don't understand technology, and so, similar to that old saying, they treat it like it's magic. That includes making up lore and rituals.
loop_us@reddit
Is this an American thing? Because this would be highly illegal in Germany and I think in the rest of the EU too.
TurkeyMachine@reddit
Apparently a phone with the Authenticator app shared among some 20-odd employees is the best solution. No other phones on deck for reasons. Makes me chuckle.
nullpotato@reddit
To be fair: being required to do work stuff on my personal device with no compensation is BS
blackletum@reddit
100% agreed, that's something my last boss and I never saw eye-to-eye on.
He thought that being required to do things on your phone for work should just be accepted at face value, whereas I saw it as that there should be alternatives in place and/or compensation for being required to use my private device for work.
rockstarsball@reddit
wait until he reads about actual cybersecurity best practices
prog-no-sys@reddit
such as?? Now you've got me curious
zSprawl@reddit
Routine surprise colonoscopies.
dansedemorte@reddit
Never use a personal phone for work. It's just not worth the hassle.
easier2say@reddit
I'm dying to see that reaction so much
alexwhit80@reddit
We had a user want company email on their personal phone but didn’t want to install the Authenticator app or enroll the phone on office 365. “I don’t want you spying on my phone”
4thehalibit@reddit
🤣🤣🤣
VexingRaven@reddit
They aren't wrong, though... Google feels pretty much the same way about it and wrote a whole blog post about how it doesn't help at all: https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html
dansedemorte@reddit
Well, tons of companies still require changing passwords every 30-60 days. Even though the guy from NIST who wrote the initial document on this said that's now a bad practice, and he said it like 10+ years ago now.
3DigitIQ@reddit
It's only a bad practice if you have the other NIST requirements in effect though. A never changing password of Welcome01! is still a massive security risk.
VexingRaven@reddit
Yes and we are the ones who should be changing that, just like we're the ones who need to rethink whether traditional phishing simulations are actually helping, or simply harming the relationship between IT and business for no real benefit.
dansedemorte@reddit
Yeah, all of that is far above my region and pay grade. But I'm in a more unique IT environment than most posters here... or so it seems.
And I'm pretty sure those things have been mentioned in the big IT meetings in the past.
YetAnotherGeneralist@reddit
I'm skeptical. They didn't exactly present much data, and if they did, I'd assume what I always assume: the data will tell you anything if you torture it enough.
Phishing simulations are generally faster and cheaper than "architectural defenses" by a mile. I expect they will remain the status quo until something of comparable value to the org is available.
There's also still the bottom 10% making up 90% of issues who will never report even a phishing drill or even recognize an actual phish attempt to even remember how to report them, let alone bother to. The root cause doesn't seem to me to be addressed any better with a drill than a test.
Lastly, how is informing users of a failure to report a phishing drill email any better for morale than informing them they failed a phishing test? At least I think that's how it's supposed to go here. I may not be understanding correctly.
sugmybenis@reddit
I think it's the same point as fire drills: yes, you have to know what it sounds like and how to evacuate, but if you had fire drills randomly every two to three weeks, is anyone getting anything out of it except for KnowBe4?
MyUshanka@reddit
This should be higher up. It's made me reconsider all of our KnowBe4 drills.
airinato@reddit
IDK, it might not stop the dumbasses, but it sure as shit tells me who is most likely to be compromised easily and can we plan accordingly.
micktorious@reddit
Without company wide policy change, how do you "plan accordingly" without showing that you are just singling people out?
airinato@reddit
Regular login audits, geo restrictions, forwarding restrictions, MFA enforcement.
micktorious@reddit
Just on those specific people you choose or everyone? Seems like that kind of policy might bring up more issues when they talk about it and others say they don't have that issue.
airinato@reddit
Conditional access policies will let you do per account setups. My company is international but there are people that will never leave the states so just have separate groups.
I audit logins frequently for status 'successful' from out of normal areas.
And if you care about users opinions on security policy, this might not be the field for you.
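The per-group conditional access plus "successful sign-ins from outside normal areas" audit that airinato describes above can be written as a small check. This is an added example, not from the thread and not any identity provider's tooling: the log format, the user names, the group names and the country allow-lists are all constructed for illustration.

```python
from collections import namedtuple

SignIn = namedtuple("SignIn", "ts user result country")

# Constructed sample sign-in log (not real data). Assumed line format:
# <ISO timestamp> <user> <success|failure> <ISO country code>
SAMPLE_LOG = """\
2024-05-01T08:02:11Z alice success US
2024-05-01T08:05:40Z bob success DE
2024-05-01T09:17:03Z alice success RO
2024-05-01T09:18:55Z carol failure BR
2024-05-01T10:41:20Z bob success FR
2024-05-01T11:03:09Z carol success US
2024-05-01T11:30:00Z dave success US
"""

# Hypothetical conditional-access grouping: staff who never travel get a tight
# allow-list, international staff a wider one. Group membership and the
# country lists are constructed, not from any real tenant.
GROUP_OF = {"alice": "us-only", "bob": "international", "carol": "us-only"}
ALLOWED = {"us-only": {"US"}, "international": {"US", "DE", "FR", "GB"}}


def parse_signins(text):
    """Turn the whitespace-separated log into SignIn records, skipping blanks."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, country = line.split()
        rows.append(SignIn(ts, user, result, country))
    return rows


def audit(signins, group_of, allowed):
    """Return (user, country, timestamp, reason) for every successful sign-in
    outside the user's allowed countries. Failed attempts are ignored here:
    attackers fail constantly, and a success from a new region is the signal.
    Users absent from every group are flagged too, because a conditional-access
    policy only protects the accounts it is scoped to."""
    findings = []
    for s in signins:
        if s.result != "success":
            continue
        group = group_of.get(s.user)
        if group is None:
            findings.append((s.user, s.country, s.ts, "user not covered by any access group"))
        elif s.country not in allowed[group]:
            findings.append((s.user, s.country, s.ts, f"outside '{group}' allow-list"))
    return findings


def main():
    for user, country, ts, reason in audit(parse_signins(SAMPLE_LOG), GROUP_OF, ALLOWED):
        print(f"{ts} {user} from {country}: {reason}")


if __name__ == "__main__":
    main()
```

On the sample log this reports alice's successful sign-in from RO (she is in the US-only group) and dave (no group at all), while bob's sign-in from FR and carol's failed attempt from BR are left alone. The "no group" case is worth keeping: the gap in per-account policies is usually the accounts nobody assigned, not the ones with the wrong list.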
micktorious@reddit
Yeah, I care about those concerns getting to higher ups when it hits the wrong people and creates a work stoppage.
airinato@reddit
You aren't ready for the big leagues kid.
micktorious@reddit
Lol ok buddy, best of luck to you. I am voicing my concerns and you're talking down to me. Hope that works well for you in the "big leagues".
airinato@reddit
I'm just being serious, in IT we set policy, in your scenario there should have already been planning and implementation stages.
It matters fuck all what anyone has to say about policy outside of IT, we do best practice and enforce rules. You need the balls to tell executives when they are wrong.
VexingRaven@reddit
Ahahaha good one.
IT policy means nothing without the buy-in of upper management.
micktorious@reddit
I've worked with C-suite and Presidents of Fortune 500 and 100 companies, they also appreciate being heard and having certain levels of trust where everyone is respecting each other and working together.
You showed me very little respect even if you disagreed with me.
Ssakaa@reddit
Additionally "in IT we set policy"... is entirely dependent on having the backing of those execs to a) give the authority to do that, and b) actually stand behind it when someone wants to pick a fight on it. The "too fucking bad" mentality they demonstrate here... I just have to assume they don't actually interact with the people that make it so they can have that attitude.
wholeblackpeppercorn@reddit
Lmao what the hell is the big leagues?
dansedemorte@reddit
CEOs and sales people would be on the short list for active checking.
VexingRaven@reddit
This sounds like the sort of thing you should apply to everyone.
az_computer_tech@reddit
The actual training isn't terrible either. It's a little repetitive IMO; we were required to complete training once a year or once a semester IIRC, whether we passed or failed the phishing tests.
djetaine@reddit
I have a once a year test that goes to everyone and then I only send to the people that failed. It gets smaller every time.
ThatBCHGuy@reddit
100%
tdhuck@reddit
I side with the employee on this one, those tests don't do anything. They frustrate the users that would never get phished and the users that get phished most of the time nothing happens to them.
Where I work, the company continues to dish out phishing training the more often people fail these tests. The issue I see is that the same people seem to fail these tests....the non savvy users that click everything because they don't know how to use a computer.
We don't have a three strikes policy. I don't want to see people lose their job, but I also think that something needs to happen if you continue to click on links and provide your credentials to the 'fake' site.
ElectroSpore@reddit
When finance and exec teams stop falling for CEO NAME CEO.NAME2.@gmail.com sent to their personal emails outside our protections then we will stop training them.
tdhuck@reddit
That certainly proves and confirms that training does nothing.
ElectroSpore@reddit
Actually they started reporting these to us. So no the training works perfectly, and needs to keep being done for NEW staff.
mrheh@reddit
If using a computer is a mandatory part of your job, failing these tests shows you are not qualified for the job. I think 3-5 times a year should be enough to fire them.
tdhuck@reddit
Agree, I also think if you pass the test, they should extend the gap between tests. Rewards the ones that pass and continue to test (punish) the ones that fail.
JudgeCastle@reddit
He’s gonna blow a gasket when he realizes there are companies who sole purpose is to do this. I hope that’s his first email at his new org.
SeanSiren@reddit
He is gonna be like "I have seen this before"
ScreamOfVengeance@reddit
My new employer sent me so many tests and non-tests that were even more phishy that on the third day I wrote a filter for the tests.
BloodFeastMan@reddit
Or, just maybe, his new company trains their associates as adults, instead of getting hard over shiny objects like KnowBe4.
apathyzeal@reddit
Even if they don't, this is likely the type of person to smell conspiracy in everything and will find something to bite back against. People like this are toxic and there's always at least one.
badaz06@reddit
Hide the stapler now!
xftwitch@reddit
This guy is in for a long life of disappointment when he discovers this is industry standard now.
jnwatson@reddit
No it isn't. If the security of your corporate infrastructure depends on a user not clicking on a link, you're already fucked.
tonycandance@reddit
Exactly. Idk what many in this thread are saying but these emails should be caught and discarded before they even get to the user. Period end of.
Phreakiture@reddit
Defense in depth is a "yes and" approach to security. Yes, you do this, like most every company I've worked for in the last decade, and you do other things as well.
jnwatson@reddit
Mine doesn't, and we spend more on infosec than the budgets of many countries.
Phreakiture@reddit
Well, I assume you have some manner of employee education in place, though, yeah?
filledwithgonorrhea@reddit
Tell me you’ve never been in security without telling me you’ve never been in security.
But sure, let’s not train users on the most common attack vector by a MASSIVE margin.
Hot-Profession4091@reddit
The person who wrote that email didn’t say not to educate and train, he said that phishing your own employees is a poor way to do it.
And he’s right.
botrawruwu@reddit
If you think you're safe from phishing attacks because your corporate infrastructure is safe against dodgy links, you're already fucked. The amount of information you can exfil from dumb users that can be used against you in future attacks is massive.
azurite--@reddit
All it takes is one zero day embedded in a link or attached document and all of those security measures could be for naught.
Also social engineering is also used to try to get people to send money to bank accounts, so while there might not be any infrastructure attack, people can still be tricked.
Reelix@reddit
So..... Almost all of them?
You'd be surprised what a link can do.
GimmeSomeSugar@reddit
I note he did not mention any of the 'better ways'.
aggresive_cupcake@reddit
Here: https://www.research-collection.ethz.ch/handle/20.500.11850/588856
blue_canyon21@reddit
They never do.
Negative-Web8619@reddit
Totally reasonable to expect 10 better ways explained and with studies proving effectiveness.
Reelix@reddit
Or just one
tonycandance@reddit
I mean he’s not wrong. I’d be fucking annoyed if I was getting phishing emails from my own company. I’d be blaming IT (me) for even allowing it through the firewall.
sgt_bad_phart@reddit
I have zero tolerance for staff that bitch about simulated phishing and cybersecurity training. Look people, this is a reality of the modern world we find ourselves in, burying our heads in the sand will only lead to disaster.
That being said, how does your company handle simulation failures? This guy says punishment, but if he's never fallen for one, how the hell does he know?
When our agency started doing simulations an email went out to all staff with the rationale for why we were doing it, that nobody should be feeling ashamed for falling for one, and it's all about learning. I've only had one or two people ever complain but after I explain it to them, they were understanding.
stratospaly@reddit
The best ticket I have ever gotten was just 2 words... "Shits Fucked!" That's it. No other information.
ARobertNotABob@reddit
https://i.imgur.com/A5k81DW.jpg
Thorfrethr@reddit
The shortest I have seen was "error". But in Swedish, so it was only the word "fel".
RedDidItAndYouKnowIt@reddit
So the fel orcs in wow are just error orcs. Interesting.
dasirrine@reddit
I imagine "fel" is like "mal" in Latin -- it covers a lot of ground, like evil, bad, broken, error, etc.
phannybawz@reddit
My favourite ticket while working in a ship management company in "Glasgow" was from a guy on a ship who asked if we would open up outbound ports for him to be able to play WoW while at sea. He even gave us the list of ports and asked that we don't tell the captain or chief eng.
Instantly denied.... not because it was a technical issue...... it wouldn't be. I just felt sorry for the fellow WoW players who would be lumped with this laggy high latency (sat comms is shit btw!) player in their dungeon group.
RedDidItAndYouKnowIt@reddit
That is fantastic. He had dedication and balls to ask that.
dRaidon@reddit
I mean, you're not wrong...
Cupelix14@reddit
Hah, I've gotten one like that before. "Our internet is fucked". The shortest ever one though was one that just said "Help", no description, no screenshot or anything, just "Help".
AngriestCrusader@reddit
I, too, have received the strangely comical "help" ticket before!
gangaskan@reddit
We all have 😂
GamingZeus_@reddit
Reminds me of one that I had, where the header was "can I have help". Then the body said "thank you", no other information. Poor lady must have been heartbroken when I said "no".
AngriestCrusader@reddit
"Please elaborate."
Wendals87@reddit
"working as intended"
Call closed
BrokenZen@reddit
I have users that email into our ticket system. Email subject was "URGENT". That was it. Nothing else, and only their signature in the message body.
After I waddled my ass down there and asked her what the deal was, she said "we were told if an issue was 'Urgent' that we put that in the subject line."
Touche.
metalwolf112002@reddit
I tend to ignore "urgent" tickets unless they are actually VIPs. I've worked with enough users that think their outlook taking an additional 30 seconds to load is more important than whatever issue anyone else has.
I had one user who would add a bunch of red flag emoji to the subject for every single ticket, even if it was as simple as "my password expires in 7 days, how do I fix this?"
I wanted to remind them of the story of the boy who cried wolf, but they had enough high up friends that particular conversation could be troublesome.
SirEDCaLot@reddit
Ticket status updated: WONTFIX.
Agree shit is fucked. IT does not command the resources to unfuck all shit, only small localized pockets of shit. If you wish such a service please open a new ticket and identify which specific pocket of shit you need unfucked and we will attempt to unfuck it for you.
wells68@reddit
Truly lol reading this one. Love the humility!
Shoesquirrel@reddit
My last gig had a sort of code word for a specific type of error in our ancient accounting software. I’d somewhat routinely get tickets that said “Help! Unfuck me!” I’d log into the DB, fix the issue and close the ticket.
ArchitectAces@reddit
There is a dev that has an entertaining talk called “The Worst Programming Language” he programmed messages like this in his program also
dansedemorte@reddit
I had a co-worker write a "the system's out to get me" ticket before. The system WAS messed up though so yeah.
zorinlynx@reddit
My long-running favorite was about a long-standing process. I even saved a copy of it in my personal collection:
(names obviously removed but each reply separated with --)
X-Request-Date: Wed Dec 9 10:26:21 2009 (1260372381)
Subject: process on goliath
--
Hi,
Goliath has had a load factor over 1 for ages now, and this seems to be due to a very long-running process owned by Jeremy XXXXXX:
XXXXX@goliath:~ 272% ps -aux
USER PID %CPU %MEM SZ RSS TT S START TIME COMMAND
xxxxxx 25213 50.0 0.2 984 496 ? O Jul 07 222400:34 ./test
I e-mailed him about it on Monday (see my forwarded mail) but he has not replied yet.
If this process is not important, maybe it should be terminated? It would be nice to hear from Jeremy about it...
Thanks, yyyyy
--
In tight loop with no syscalls..
Killed.
E
--
maybe he was trying to solve the halting problem.
--
this request makes me so very very happy
--
"We have a new Cray supercomputer that is so fast, it can execute an infinite loop in three seconds."
--
Trying to solve the halting problem on Goliath is like trying to win the Indy 500 with a Geo Metro. There are better tools for the job. ;)
--
Talesfromthesysadmin@reddit
I got one similar but it was a voicemail that said “shits broke”
sick2880@reddit
That looks like my ticket notes.
Shits F'd
Un-F'd it
Shit working.
RedHal@reddit
Huh, mine are similar but usually involve the phrase "Layer 8 Problem."
Rekish_@reddit
I had one once that ONLY said Python.
Vast-Avocado-6321@reddit
We had a C-Suite submit a ticket asking us if he could fire some bullets through his laptop. He owns the company now.
HotKarl_Marx@reddit
Yes. Which model would you like me to order as your replacement?
electricheat@reddit
Everybody knows shit's fucked
(fuck human beings, fuck humanity)
steverikli@reddit
I can appreciate the brevity, I suppose.
Bow_Ties_Are_Cool@reddit
My favourite was three words: "Skypey no worky"
jadraxx@reddit
I have a few clients I can see emailing me that. And honestly after I got done laughing my ass off I'd call them immediately because they're good people and shits probably fucked lmao.
ThePodd222@reddit
Love it! This is the ticket most of our users fantasise about raising.
TheDarkerNights@reddit
Back when I was working for a school district, I got something to the effect of
SirEDCaLot@reddit
Dear sir-
Phishing tests are not designed to lower morale, but they ARE designed to create mistrust. Not mistrust of coworkers, but mistrust of email as a concept, regardless of who it claims to come from. When you receive an email asking for money or for a login to something, we WANT you to be untrusting and asking 'is this actually my coworker? Do they really need this access? Is this file legit?' It's only through mistrust of email (which is by definition an insecure medium) that we can improve our security.
Phishing campaigns are actually considered a best practice in an enterprise environment. Please see this article from IANS research for an explanation.
Quite frankly we have no idea how many hack attacks have been thwarted, because the ones targeted by this training are the ones that someone would silently delete or send to junk mail without clicking it. Most of those don't get reported. It's like telling a kid to look both ways before crossing the street- we have no idea how many accidents that saves, but we know it's good training for the kid.
whythehellnote@reddit
Ahh, the TSA approach. Or the Tiger repelling rock.
SirEDCaLot@reddit
Apples to oranges.
How many kids don't get hit by cars because their parents told them to look both ways before crossing the street? We have no idea, and there's no way to tell.
How many terrorist plots stopped by TSA? There IS a way to tell because you can simply count the number of terrorists arrested or bombs detected.
Ctaylor10hockey@reddit
While I agree with you that phishing tests may create mistrust, they don't always succeed in lowering click rates. This study: https://arxiv.org/pdf/2112.07498 of 14000 users over 15 months had many conclusions that suggest fake email phishing does not work. In fact their second conclusion stated: "Second, some of our results contradict prior literature and common industry practices. Surprisingly, we find that embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing." FWIW... use positive reinforcement training to encourage good behaviors before applying morale-busting negative reinforcement (if at all).
dasirrine@reddit
I mean, s/he kinda has a point. I don't care for the deception angle of phishing testing/training either. But it's like the nasty taste of an antidote.
BasicallyFake@reddit
He's not wrong, but he's also wrong.
cvc75@reddit
He's not wrong that "a business practice that lowers morale and creates mistrust" isn't best practice, but I just can't follow his train of thought why phishing tests lower morale and create mistrust?
Maybe if IT punishes or publicly shames people that fall for the tests or something, but that's just a problem of that IT department and not of phishing tests in general.
BasicallyFake@reddit
It's because users think IT is trying to "trick" them into failing as opposed to actually training them or testing that the training is working. Public or private, people tend to lean into "tricked" rather than the fact they were not paying close attention to what they were doing. We don't share results with management until it becomes repetitive or the user refuses to go through any additional training we assigned. We try to keep it private but, in the end, people just perceive that IT is out to get them with all of this security stuff.
Darwinmate@reddit
These tests do not train users. They're a test of their abilities to detect phishing emails. They're usually poorly executed as well.
I have never seen good training given on detecting phishing emails or suspicious websites at my org.
If you want to train your users, then train them.
EIijah@reddit
I agree, I always hate when they go out, and they can often be straight up mean.. “Flowers for you” on valentines or “Christmas bonus”
Just playing with some peoples emotions…
D0nM3ga@reddit
I've seen campaigns where they used really poorly chosen email subjects like this in an attempt to get more failures so they "could justify the investment in the training material" (KnowBe4 yearly subscription) to management. Phish testing is a great tool that is then often misused to get pre-chosen results that fit the management narrative.
vialentvia@reddit
So I'm good if I'm using it almost exclusively as a metric for the effectiveness of my training? Well, and for metrics to leadership, admittedly.
I agree that I think some of them are unfair. So I don't use some of them.
vialentvia@reddit
In some places, they think IT is out to get them anyway. They think we read their email, look at their files, and watch what they're browsing.
Truth is, we don't have time to do that even when they call our attention to it.
Since ramping up their training and other outreach initiatives, I think for us, they're finally starting to be careful about real phishing, and I can now use the campaigns as a metric for what/how to train them.
It's a culture problem, and it requires good rapport with your users, in my opinion.
SuspiciouslyMoist@reddit
I was in an infosec working group with a bunch of people from around my organisation a few months ago. There was widespread hatred of the phishing tests. A particular problem was that they often use an emotive subject (redundancies, paid leave issues, personal problems) to get people to click. They felt that this was distressing to people, especially when there was a real threat of redundancies during COVID. It also felt like we were trying to trick them. They said that the testing was condescending, and showed that the organisation didn't trust them and had little faith in their intelligence or abilities.
All fair points, but
We know we're a target - we've had spear-phishing campaigns directed against specific parts of the organisation - and we know we have a bunch of click-happy idiots. Meanwhile, they think we're being mean and trying to trick them with nasty emails. Infosec, consistently with 50% of their staff positions unfilled because we pay peanuts, are just holding their breath and hoping we don't fall victim to a ransomware attack.
ilbicelli@reddit
Do you send fake thieves or fake robbers into your company for training purposes, without telling anyone it is a test? Do you set real fires to test fire hazard systems?
RubberBootsInMotion@reddit
I mean, yes, those are all real things that happen.
Consider that when a fire suppression system is designed, the engineering company will absolutely set up test facilities and light them on fire to make sure it works. Unfortunately, when it comes to information security the people in a company might as well be part of the system itself.
In other words, Bob from accounting is part of the building, so we have to set him on fire sometimes.
Kaexii@reddit
That's how you test the engineering of systems, not how you train people in proper response.
Actual fires for the sprinkler systems. Second Tuesday fire drills for employees.
One example: instead of sending fake phishing emails, a company sends "hello, this is to test that everyone's 'report phish' button is working. Please report this email as phishing or contact the IT department for help." It gets people comfortable with the process and it's not aggressive. (Obviously paired with other training).
Karmaisthedevil@reddit
Fire drills are random where I work. I don't see why you wouldn't have them be random...
Kaexii@reddit
Biggest reason I can think of is because people do not learn well when they are scared. The point of a fire drill is getting used to dropping everything and leaving via the designated exit path.
Next biggest reason I can think of is people assuming it's just another drill when it's not.
Rick Rescorla comes to mind.
Karmaisthedevil@reddit
If people think it's a drill, they shouldn't be scared. If they think it's a drill, they will calmly leave the building, which is how an evacuation is supposed to go.
Also if it's not random, then people who don't work Tuesdays will never get to do a fire drill, etc.
RubberBootsInMotion@reddit
Actual scammers won't hesitate to be "aggressive" though. How do you propose companies adequately prepare employees then? Any training course gets ignored by most people, as would a "friendly" email like you mentioned. When it comes down to it, corporations don't care about your feelings, they will absolutely prioritize saving money over your comfort.
Kaexii@reddit
The "aggression" isn't the tone of the email, it's the act of "tricking" employees. They don't like it, as this post very clearly demonstrates.
The fake phishing emails are also known to be ineffective at preventing actual phishing. https://arxiv.org/pdf/2112.07498 Key finding: "Surprisingly, we find that embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing."
You ask, "How do you propose companies adequately prepare employees then?" Like I said, the "this is a phishing test. Please use the button" emails combined with actual training. You send those out monthly or so and help people become familiar and comfortable with the idea. I'm not sure what you mean by saying a training course gets ignored. Mandatory trainings are a thing. A company can compel its employees to take said training. Choose something interactive rather than a click-through or video. Combine that with actual discussion on the topic outside the annual training. How that is implemented depends on the organization but could be participation in cyber security awareness month, periodic memos about it, a meeting item, having team leads discuss it with their teams, etc.
There's not a perfect answer, but we know that the "industry standard" is at best ineffectual and at worst is opening up greater risk.
jmk5151@reddit
buddy you think people read those training/reminder emails?
Kaexii@reddit
I know that we can track who clicks "report phish" and follow up with people who don't. Just like we can track who hasn't completed a training by the deadline.
And, no, not a simulation like you're implying, but thanks for being deliberately obtuse. Interactive trainings as opposed to videos that aren't given attention. Something where the employees know they're in a training module. Some that I've seen include segments like a screen with a phishing email where the employee clicks the parts of the email that should register as suspicious (like a word indicating urgency) or role-reversal/role play. Anything where the training isn't just "click 'next' until it's done."
People in this industry keep fighting so hard for fake-phish-good... why? It's not personal. No one said you are ineffective. This singular tactic is ineffective. The science backs that up. Why are we holding so tightly to this thing none of us invented. Do you have a great deal of money invested in the Fake Phish Economy?
jmk5151@reddit
buddy I'm trying to avoid my users getting phished. we try all types of training, but I'm also aware of how ineffective corporate training is. we all take it every year and it's simply a click through exercise. sure you can point to one study that says phishing campaigns are not good, but I'll stick to any and all methods that reduce risk and point out to me users who will click on anything, because I can raise their risk profile and provide additional counter measures.
you've also yet to demonstrate that your preferred method of training is actually effective either? plus phishing campaigns are quick on both sides, content can be updated regularly, and don't require the overhead of an LMS plus logging in and chasing after stragglers.
serious question, have you ever developed and administered corporate training?
cvc75@reddit
Also for example crash tests. You could trust an engineer or a computer who tells you how safe the passengers are in a car they designed, but you'll want to verify it nonetheless.
ilbicelli@reddit
Example. Scamming Bob from accounting, then calling him into the boss's office and telling him that because he was phished he has to take a course of some hours, to me is an act of violence. Have you ever been scammed? How did you feel?
SuspiciouslyMoist@reddit
The way it works with us, it's not "fail one and straight to see the boss". Users have to click on a simulated phishing link six times before they get an automated email directing them to an online training session and quiz around email security.
Six times. And we have all the usual features like a big banner saying "This came from outside your organisation".
RubberBootsInMotion@reddit
It's the same as putting someone on a 'Performance Improvement Plan' or telling them they aren't getting a raise or whatever. Some aspects of having a big boy job just suck.
SuspiciouslyMoist@reddit
Flippant answer: pen testing is a thing, yes.
More seriously, if you look at our risk register, cyber risk (particularly ransomware etc.) is our biggest risk by a long way. Physical vulnerabilities are a risk, but fire and theft are (hopefully) well-controlled by proven systems and there are far more hostile actors able to access us over the network than can be bothered to try and come and break into our premises.
Ahnteis@reddit
Physical pen testers don't usually let anyone know except leadership.
vialentvia@reddit
Yep. Real emails use HR extensively. Our HR explicitly prohibits our use of email templates involving them. They have all their contact info posted publicly on the website, btw. The rest of the directory is on intranet.
Just added it to the risk register and moved on.
Kinglink@reddit
I'll agree with them a bit. Though I understand why you might do that. On the other hand I think a "Take this survey for a 100 dollar gift card" would produce similar results.
thoggins@reddit
The point of the test is to see whether the employees have absorbed the training. In an ideal world nobody gets tricked, that would be fantastic. Actual phishing is what's trying to trick the user.
Now, it has to be said that most infosec training I've seen sucks ass and it's therefore unsurprising that it's not effective and many users do fall for the tests.
Before anyone asks: if I knew how to design good infosec training that didn't both suck at educating and make people feel like they were wasting a ton of their time on bullshit, I'd be making a lot more money than I am.
jmk5151@reddit
not sure there is anything more ineffective than corporate training. everyone is just trying to plow through it to get on with their day, and they aren't going to remember it in 6 months. with phishing simulations you at least get a fighting chance if you use a good system.
rootpl@reddit
Ah yes, the good old:
If we get hacked: "what are we paying you for?!"
If we don't get hacked: "why are we even paying you?!"
FantsE@reddit
https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html?m=1
tadj@reddit
Thanks for the link, very interesting read.
Hot-Profession4091@reddit
Why doesn’t this have hundreds of fucking upvotes?
jmk5151@reddit
because Google has way more sophisticated users than a mining or ag company.
FantsE@reddit
Because I gave just a link, late in a thread, that links to Google. I got a triple whammy. Decided to link it anyways for the few that will read it.
nanonoise@reddit
I ran into an old work colleague recently, he mentioned the new international owners of the business threaten them with termination if they don't complete the monthly cybersecurity training.
ComeAndGetYourPug@reddit
A Past job made us take online training if we failed the phishing tests.
There was one lady that failed the phishing test 14 times in a row and therefore had to complete the exact same training 14 times in 4 years.
I never asked her because I wasn't supposed to have seen that particular spreadsheet, but I can't imagine that was a positive experience for her.
Cacafuego@reddit
Isn't "create mistrust" the whole goal?
cvc75@reddit
You're right, you want people not to trust emails blindly, but I think the employee rather meant mistrust in their own IT department because "they're out to get him"
Kinglink@reddit
Because he falls for them and mistrusts himself after it.
Which he probably should.
WilfredGrundlesnatch@reddit
Creating mistrust is the goal. We want our users to be a bit suspicious of every email that comes in and ask themselves "Could this be a hacker?"
studiosupport@reddit
I worked for Cisco briefly and they did this. They had TVs all over the office and if you clicked on a phishing link, it'd put your name and picture up on the TV.
fnordhole@reddit
Pretty much this.
I loathe the phishing tests. I loathe the morons who enter the tickets to modify the DNS records and O365 settings so that they will get through.
At the end of the day, though these often only get through with an assist from IT, they are most often not an IT function. They're the security team or HR or some other group, usually clueless themselves and the worst offenders for falling for phishing.
So, the ticket may be misdirected.
But the caller, though his ticket will do nothing, is not wrong that such tests have questionable justification. Setting up coworkers for failure leads to distrust, disengagement, and animosity.
Why not leave it as it was, and let everybody laugh at the people who fall for real phishing emails..?
Nik_Tesla@reddit
I kind of loathe phishing testing as well. Our email filter is pretty good (not perfect of course), and we obviously have to set the phishing tests to be allowed through.
What that means is, 99% of all phishing emails an employee receives, are fake, from us. All we've really done is educate them that a phishing email is more than likely an internal test, and opening it will just get them a light scolding that they will just ignore. As opposed to say... an event that could breach security and cost the company a huge amount of money.
I don't know the right answer to this problem (maybe just less frequent phishing tests), but if you have a fire alarm drill once a week, they're not going to think it's an actual emergency when there is actually a fire.
dansedemorte@reddit
At my work you can't even mark a mail as phish without opening the mail... because the phish button is buried under a context menu that only appears when you open a mail.
Nik_Tesla@reddit
The phishing tests that fail you for simply opening an email drive me insane. I thought things like that stopped working since security updates introduced in like, Exchange 2008. Hell even clicking a link should be fine. If they actually put in their credentials or give any info, obviously fail them, but punishing them for investigating? That is dumb to me.
dansedemorte@reddit
for us opening the mail does not fail you because the phish button is buried in a context menu that only appears if you open or preview the mail... :-(
flummox1234@reddit
If there is a pattern you can teach people, there is a pattern you can automate against. Pushing it to the end user is just more lawyer driven development, i.e. CYA ... but "you were trained".
pomyh@reddit
actual fires are not as frequent as actual phishing emails
tesseract4@reddit
The alternative is teaching the employees the same lesson through repeated breaches. That hardly seems like a better option, even if some people get butthurt over a phishing test. IMO, anyone bitching about phishing tests is just salty because they failed.
SRSchiavone@reddit
Nah man, deleting the file server after someone fails a phishing test is the best way to force awareness
tesseract4@reddit
Clearly
flummox1234@reddit
hear hear. IMO it also sets people up to just ignore all emails because there is so much noise to signal, which can be even more detrimental. IMO it would be much nicer to have better spam protection than to just shift the responsibility to the end user through phishing training.
pomyh@reddit
who is going to laugh when the entire company gets compromised?
Commercial-Fun2767@reddit
I once extinguished a fryer fire with a wet towel, during a test. The same day we did fake incidents. We had to take note of the situation and take actions. Put out small fires. Check that there was no one missing.
I was going to say that fake phishing campaigns were similar… but a better comparison would be the Fire Drill episode of The Office.
I know the big advantage of IT is that it’s dematerialised and therefore we can do what we want easily. But maybe the right way of doing this would be to simulate attacks with no surprise, during a normal training. Cyber risks are not as dangerous for people's safety, but still.
Tymanthius@reddit
Some things you can only teach by 'real world' example.
I believe this is one of them.
D0nM3ga@reddit
It's interesting because as IT professionals we are so used to this idea, and it makes total sense to us as we understand the entire threat landscape. But I can understand how from the outside, this could feel like a very hostile/mistrusting/impolite thing to have happen. Adults are much more prone to embarrassment from public failure, and the perceived ridicule from management for a failure they intentionally placed in your way would definitely set off the embarrassment signal for most people. Then people react angrily once they are embarrassed, and get frustrated as they feel they have been deceived.
It is interesting because the thought of an employer doing something similar to phishing tests with any other facet of business just seems strange to me.
mattmccord@reddit
Probably an unpopular opinion here, but i believe phishing tests train people to recognize phishing tests and not much else.
nascentt@reddit
Our sec team would reward people that detected the campaigns with cookies, so we essentially just trained people how to detect phishing campaigns.
Eventually, we had people checking the email headers for knowbe4 and their competitor and then auto forwarding it to the whole company with "heads up, phishing campaign"
What's funny is the sec team did nothing to stop this or prevent it, so the phishes would come out and before they'd reached a big enough number of staff the warning had auto sent round the whole company so everyone was ready for their cookie.
Breezel123@reddit
We have an ongoing company wide teams post where people post screenshots of phishing emails they have received. It is one of the most often retrieved old posts and a great resource for any new team members. Last Phishing test in our company of roughly 180 people, only one person fell for it and entered her credentials and honestly I thought she had a valid reason to do so (I picked a tough to spot one) and immediately contacted me afterwards. Another 6 or so clicked on the link. They all did their training and I'm sure the next simulation will go over without anyone falling for it.
littlelorax@reddit
Idk, I kinda like this idea. Lots of psychological research points to positive reinforcement being more effective.
So what if everyone gets a cookie? I only care that they all learn the lesson!
Tymanthius@reddit
That's not all bad tho. They are checking things.
brusiddit@reddit
Fuck... that sucks. Don't know if people really like cookies, or are just that disengaged from their company.
It's like putting your Fitbit on a paint shaker to get your steps up.
nascentt@reddit
Funny you should mention that... They actually did a competition with pedometers/step counting.
Your prediction isn't far off. Although instead of paint shakers I recall that they just resorted to shaking them manually, not as resourceful.
Not_A_Van@reddit
It's pattern recognition. They will recognize the phishing tests, that's the entire point. It ingrains the pattern of 'Hey, this is that really annoying test I've seen 20+ times' and then (hopefully) a bell will go off in their head.
It's meant to be spotted. Humans are good at pattern recognition instinctively, so that's what we do
EIijah@reddit
I kind of disagree and this is mostly anecdotal but where I work we’ve had quite a few sophisticated phishing attempts come through and the users always credit the training (we use ninjio) as to how they recognised something was off - I’ve never had one person credit the tests we send out, often I get sent legitimate emails asking “is this another test”
Not_A_Van@reddit
I get that. I see the tests more like advertising. Everyone always says 'pfft advertising doesn't work on me, I never went to go buy something right after I saw an ad!' - which is entirely not the point of ads. Brand recognition. Say you ask 'what do you want to go eat', guarantee you some of those places listed are going to have advertisements you see quite regularly, they stick in your mind.
Tests do the same, it does make them double take and ask themselves 'is this legitimate'. No phishing test is going to look exactly like a real sophisticated attempt, but it will make them look twice because that's ingrained in their brain.
tesseract4@reddit
Unless they can differentiate between the tests and the real thing, isn't that the whole point? If they can, then you need more representative tests.
Any_Fee5399@reddit
If all you are doing is phishing tests, then yeah. Phishing tests should, however, be used to reinforce annual training as well as give practice for users to use whatever tool your company has in place to report them.
Just-a-waffle_@reddit
The annual training doesn’t actually give much value, people just click through
The phishing test emails are the only REAL training, there’s no real consequences but one failure sticks in their mind and makes them skeptical of all emails
briangraper@reddit
If your phishing tests are realistic, then that's a good thing. Because the attacks are going to look just like the tests.
If your phishing attacks are too easy, then yeah they're worthless.
bjorn1978_2@reddit
They have come in so often at my company that I checked out the white paper from the phishing company. Then built a filter in outlook that just deals with them.
But the really annoying part is that quite a few are made to look like they are sent from one of my coworkers. And only him. It is a sort of cry-wolf thing. So everything he actually sends is checked up and down sideways just to make sure that my filter has not slipped up.
UBNC@reddit
End customers would somehow get our support email in their mailing lists. This meant lots of weird email forwards including porn. Best bit, it was a lot of work to make them disappear, so you would always assign the best ones to coworkers.
EntertainmentFar4602@reddit
Good riddance. This person sounds like the morale vacuum to any team. To get this worked up and negative on phishing emails… can’t imagine what other normal work activities would be “demoralizing” for this person.
Environmental_Pin95@reddit
If you kept sending fake emails testing employees then I would trace the emails then block you.
AnalogJones@reddit
That attitude is going to make this person careless enough to fail when a real ransomware vehicle arrives.
GloomySwitch6297@reddit
yet, 25% of employees are constantly failing the one before Xmas where HR is sending them an Amazon gift card.
short-sighted frustrated "look at me, I won't fall for your phishing campaigns" twat
Maggsymoo@reddit
you should send a phishing test out to the company again, purporting to be his leaving card / collection pot. make sure he gets a copy
Freakazoid_82@reddit
Not sure why you think it is funny. His complaint is actually legit and the criticism should be taken seriously. Especially the punishment part seems pretty whack to me. If this testing really leads to punishment, then this is just disgusting.
zmbie_killer@reddit
This could be your last chance OP. You need to reply and congratulate him on the new job and slip a phishing link in there.
grumpyfan@reddit
Hopefully there's also a mandatory Safety/Security Training refresher for anyone who fails one of these. It would really grind his gears if he failed the phish test and had to re-take the training in his last 3 days.
Stuck-In-Blender@reddit
At this point I think he would magically get sick.
cryonova@reddit
Toss a Lemme buy you "Coffee" in there
leaflock7@reddit
many companies do this, and it is fine.
Where they fail I think is presenting to the users the results and make them understand what and why. going through some crap training once per year on not clicking XYZ is ok on showing what not to click.
but how many are actually sending a "Great job!! 99,8% did not take the bait." or something like that. almost none
kikn79@reddit (OP)
I put forth a suggestion that once per quarter we put everyone's name that hasn't failed a test, and had completed all training in a timely manner, into a drawing for a gift card.
leaflock7@reddit
that is not a bad idea.
although depending on the company I would guess most people are number oriented so a statistics report might be more easily digested by those
KingPurple_Smurf@reddit
Director literally called, told me he fucked up 😂 He had locked himself out of his PC.
ZippySLC@reddit
While I don't like his passive aggressive tone I do kind of agree with what he's saying. I think there are more positive ways to try to educate users than trying to trick and shame them.
Dude didn't need to make a ticket about it on his way out though. Seems like he's salty about the company in general and wants to take it out on the helpdesk. It sounds like he'll be fun to offboard.
IntelligentComment@reddit
Yeah, cyberhoot security awareness training does exactly this.
Their training is through positive reinforcement, phish testing is guided in browser every month in a simulated phishing exercise rather than catching them with a scam email randomly.
We use it, I've mentioned it countless times. All our clients/staff actually DO their training and enjoy it, which is kinda nuts considering most users HATE doing "homework". But yeah, it works.
I_AM_NOT_A_WOMBAT@reddit
The result doesn't have to be shame, though. Sure, if OP's company puts people who fail onto a wall of shame and makes them wear a dunce cap to the company retreat with spouses, I get it, but considering the potential harm done, I see no issue with a quiet sit down with someone who can go over some horror stories from companies where someone fell for a scam after someone gets tricked. Scammers are getting better, and once they start widely using AI to /s/(do the needful)/(take care of this ASAP) and correct their obvious spelling errors, people are going to start falling for this shit in droves.
I fell for an email scam on my birthday about 30 years ago and I learned a very valuable lesson about how clever and lucky scammers can get. I'm all for setting people up for success, but scammers are going to test them anyway. Might as well teach people critical thinking when it comes to emails and other forms of outside contact.
rschulze@reddit
Yeah, we would never shame anyone for clicking on our simulated phishing emails. I also openly communicate that they aren't for testing (or trying to trick) employees, they are a tool to measure if the infosec team is doing a good job (educating employees on how to detect phishing emails).
We also use a bunch of different email templates during the same campaign, to see if certain type of emails are more/less likely to be clicked on so we can tailor upcoming trainings to whatever employees are currently more susceptible for.
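The measurement approach rschulze describes (several templates per campaign, compare how each one fares, tailor the next training) and the earlier points about tracking who uses the report button and triggering remedial training only after repeated clicks can be reduced to a small script over the campaign's event log. The block below is an added example, not code from the thread or from any phishing-simulation vendor; the tab-separated log format, the template names and the user names are constructed for the demonstration.

```python
"""Summarise a simulated-phishing campaign from its event log.

Added example, not code from the thread or from any vendor platform.
Assumed (constructed) log format: one event per line, tab-separated as
    timestamp  user  template  event
where event is one of: sent, clicked, submitted, reported.
"""
from collections import defaultdict

# Constructed sample log: one campaign, three templates, six recipients.
SAMPLE_LOG = """\
2024-05-01T09:00:00\talice\tinvoice\tsent
2024-05-01T09:00:00\tbob\tinvoice\tsent
2024-05-01T09:00:00\tcarol\thr_policy\tsent
2024-05-01T09:00:00\tdave\thr_policy\tsent
2024-05-01T09:00:00\terin\tdelivery\tsent
2024-05-01T09:00:00\tfrank\tdelivery\tsent
2024-05-01T09:05:12\talice\tinvoice\treported
2024-05-01T09:07:44\tbob\tinvoice\tclicked
2024-05-01T09:08:01\tbob\tinvoice\tsubmitted
2024-05-01T09:10:30\tcarol\thr_policy\tclicked
2024-05-01T09:11:02\tdave\thr_policy\tclicked
2024-05-01T09:15:00\terin\tdelivery\treported
"""


def parse_log(text):
    """Parse the constructed tab-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, template, event = line.split("\t")
        events.append({"ts": ts, "user": user, "template": template, "event": event})
    return events


def template_stats(events):
    """Per-template distinct-user counts and rates.

    Rates are per recipient: a user who clicks the same lure twice counts once,
    so a noisy clicker cannot inflate a template's apparent effectiveness.
    """
    users = defaultdict(lambda: defaultdict(set))
    for e in events:
        users[e["template"]][e["event"]].add(e["user"])
    stats = {}
    for template, by_event in users.items():
        sent = len(by_event["sent"])
        clicked = len(by_event["clicked"])
        reported = len(by_event["reported"])
        stats[template] = {
            "sent": sent,
            "clicked": clicked,
            "submitted": len(by_event["submitted"]),
            "reported": reported,
            "click_rate": clicked / sent if sent else 0.0,
            "report_rate": reported / sent if sent else 0.0,
        }
    return stats


def weakest_templates(stats, min_click_rate=0.5):
    """Templates at or above the click-rate threshold, most clicked first.

    These are the lure styles the next awareness session should focus on.
    """
    hits = [t for t, s in stats.items() if s["click_rate"] >= min_click_rate]
    return sorted(hits, key=lambda t: -stats[t]["click_rate"])


def users_not_reporting(events):
    """Recipients who never used the report button, for a friendly follow-up."""
    sent = {e["user"] for e in events if e["event"] == "sent"}
    reported = {e["user"] for e in events if e["event"] == "reported"}
    return sorted(sent - reported)


def repeat_clickers(events, threshold):
    """Users whose click count reached the threshold for automated remedial training."""
    clicks = defaultdict(int)
    for e in events:
        if e["event"] == "clicked":
            clicks[e["user"]] += 1
    return sorted(u for u, n in clicks.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for name, s in template_stats(evs).items():
        print(f"{name:10s} sent={s['sent']} clicked={s['clicked']} "
              f"submitted={s['submitted']} reported={s['reported']} "
              f"click_rate={s['click_rate']:.0%} report_rate={s['report_rate']:.0%}")
    print("focus next training on:", weakest_templates(template_stats(evs)))
    print("never reported:", users_not_reporting(evs))
    print("reached click threshold (6):", repeat_clickers(evs, 6))
```

The click threshold is a parameter rather than a constant so that the same script serves a "six clicks before training" policy and a stricter one; the output is a per-template table and two lists, with no per-user scoreboard, which keeps the measurement about the program rather than about individuals.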
MrWizard1979@reddit
Your username is relevant, considering Wombat Security was a company that sent out phishing tests.
IT-Jedi-Master@reddit
I agree with some of the remarks - it sucks that we live in an age where the greatest communication, social, and knowledge medium is also so riddled with risk... but isn't that the bad that comes with the good? Before social media and broadband, we still had virus attacks that employees unwittingly introduced to computers and networks. The same requirement existed then that exists now, just more so today - training.
Yes, test based is required. It's absolutely necessary. But it's also not standalone. Effective training should be positive reinforcement, recurring, but brief and targeted, and across all risk types, not just phishing. In truth, I think more than one training platform is the best approach because none are perfect.
Think I'm crazy? In a world where broadcast TV has been losing to streaming services - multiple services... Why Netflix and Hulu? Because one by itself isn't enough.
I've been using CyberHoot with clients. They do have video training and attack based email simulation phishing which I also use. But they also have a positive reinforcement based phishing training (part of the platform or licensed standalone as HootPhish) which presents the learner with a sample email and trains them to examine the same 7 message characteristics in every message (the sample has legit or suspicious content the learner must determine). "Failing" a training just presents them with another, so in the end, they always pass, and they always have to mark the same 7 components as safe or dangerous, the repetition training them to examine every email the same way. It's a more effective training model, but still uses attack email simulation to validate the training and for compliance with insurance and other requirements.
Yeah it sucks we have to do it. Sucks we have to do a lot of things, but that's the digital world we live in. Spending 15k on a new HVAC sucks too, but it beats living without heat or AC.
eicednefrerdushdne@reddit
Nah, shame and termination are the only things users fear. I treasure the users who actually attempt to learn and cooperate, and I'll give them significantly more leeway for obvious errors. The others... well, I'll continue calling out their continual refusal to try
ZippySLC@reddit
Not once in my 28 years of working in this field, in multiple industries and in various orgs large to small, have I ever seen a user get term'd for anything like this. That includes finance people clicking on malware links. From an email in their spam folder. Ugh.
I totally give people who try to learn more leeway. I'm happy when they come and ask me to check out an email that they think looks suspicious.
IT fostering a culture of fear is just terrible for the organization (and field) as a whole.
eicednefrerdushdne@reddit
I didn't suggest termination as a good response to failing phishing training. Just that it's one of the only things users fear.
Phishing training isn't fostering a culture of fear. It's no different than a test for anything else. Fail, and you get more training. Repeatedly demonstrate lack of proficiency, and you have to find another role.
Lack of consequences for incompetence encourages incompetence. I agree that reinforcing good behavior is better, but in my experience, most users aren't amenable to learning what constitutes good behavior.
Captain__Pedantic@reddit
I agree that's not the intent, but that doesn't necessarily stop the userbase from feeling that way. Like most things on /r/sysadmin, it's going to depend on management & communication.
kikn79@reddit (OP)
Our leadership takes cyber security seriously. If our users don't complete training, their internet access is turned off. If they cannot do their job they need to do training or they are let go.
Multiple phishing failures will affect your annual review.
CriticalDog@reddit
A few years ago I worked at a company that handled a lot of financial information. They also had a full restaurant style kitchen and dining room (we would offer luncheons and whatnot to clients on various topics).
After we implemented the Knowbe4 Phishing training, the CEO said very plainly that those who failed a Phishing test were required to make a breakfast for the company (which was only like, 30 people, so not a huge deal).
Of course, he also said that anyone that failed 3 times would be fired.
The only person to be tricked more than 3 times in the time I was there was his good buddy who he had given a job for no reason that we could discern. He was not fired. lol
Kumorigoe@reddit
Are there "more positive ways"? Absolutely, and they should be a part of the training alongside tests.
Cyber-risk insurance carriers (at least ours) requires not only testing, but disclosure of failure rates. In the legal world, many clients require phish testing alongside traditional security awareness training.
Phishing is the single biggest threat to organizations. End users, like it or not, are the last line of defense for threats that gleefully bypass firewalls and endpoint and spam filters.
noOneCaresOnTheWeb@reddit
Take your business processes out of email and they aren't quite the same threat anymore.
Kumorigoe@reddit
Possible? Maybe.
Likely? Not in a hundred years...
asedlfkh20h38fhl2k3f@reddit
I think the point is that it all sucks - not only does it suck that (some) cyber insurance requires it, but cyber insurance itself sucks. The fact that we've reached a point where the fancy easy tech is less convenient than it used to be because it's so easily exploitable. In the grand scheme of things that's the suck. Say what you want about "industry standard" and "but we gotta", it still sucks and it would be nice if we could use the internet without having to waste so much of everyone's time. The point is that more time is wasted in 2024 than was wasted in 2010. The statement "but you gotta" is an entirely different subject.
steveholt480@reddit
And we'll never be done battening down the hatches. We will escalate this war forever. And no matter how many locks we put on the door, Karen in refunds will still let them in. Kinda feels moot.
Kumorigoe@reddit
And it will be exploited, because there's money to be made in doing so.
TL;DR, people are bastards.
xxPunchyxx@reddit
This is industry standard for a reason. Nobody is trying to trick anybody. We educate users on the dangers of phishing, then we test them. The goal is to identify weaknesses and remediate them through further training. If we don't identify the weakness beforehand, it only takes one error for our entire network to go down in flames. It's best to identify that error yourself before it becomes a problem. Personally, I go as far as to say that if you don't understand that you should probably leave any role that has to do with security in your organization.
ZippySLC@reddit
This isn't an industry standard. Our cyber insurers don't require this. Our auditors don't require this.
A user who has passed a phishing test doesn't guarantee that they won't click on a suspicious attachment or click on a link that brings them to a website that tricks them into entering their credentials. There are multiple layers of security involved before the email gets to the user. There should be yearly training on IT security (our auditors and cyber insurers do require this).
A user passing a phishing test once doesn't mean that they will pass the next time. And that time may actually be what brings the network down in flames.
briangraper@reddit
True, but if you catch them and retrain them until they pass test after test, then they will have a much higher chance of noticing actual attack.
It's simple improvement through repetition. Just like learning to box. If you get punched in the face enough, you learn to move your head and dodge.
This isn't rocket surgery. It's just a program of regimented testing and training.
ZippySLC@reddit
Right, so I can see that there is some value in doing it. I'm sure that it can be done in a productive way that doesn't foster enmity between the business units and IT. It can also be done in a way that was triggering enough for OP's end user to lash out about it. And if one person was this mad you can be sure that there are others.
I see a lot of people in our field seem to relish a kind of adversarial relationship with their end users and to me it always feels like it comes from a desire for power.
briangraper@reddit
Yeah, but the “shame” that these people feel…it’s all up in their heads.
We don’t post their names up on the Wall of Sheep, like would happen at DefCon. If they fail a test, then they get an automated email with a link to a 17 minute remedial training that they have 3 weeks to complete. Nobody gets involved unless they don’t do their trainings.
Half of the “phishing tests” this guy is mad about are probably actual phishing attempts against him. Not everything is a drill.
Anyway, for this guy I’d bet it’s not really about the phishing test. Just like in a failing marriage it’s not about the dish left in the sink. There’s usually something much bigger going on.
OppositeFisherman89@reddit
It's a NIST standard, so we consider it an industry standard
tesseract4@reddit
Who's shaming anyone? Fucking hell. It's an educational message. People get so butthurt over the stupidest shit.
ZippySLC@reddit
They sure do.
SuspiciouslyMoist@reddit
You need to educate the users but you also need to see if the education is working.
The testing we use has actually helped our infosec people to change their approach to phishing education. They could see that things improved (although we're still pretty bad compared to the industry average).
ITGuyThrow07@reddit
Sure, there are more positive ways, but they're not as effective. No one wants to do stuff like this, but there's no choice. The risk is too high.
Stryker_88@reddit
Karen is in for a surprise at her next job.
aggresive_cupcake@reddit
He's right. Phishing exercises are useless. Studies have shown this and even show that people exposed to constant phishing tests are more likely to fall for them: "Phishing in Organizations: Findings from a Large-Scale and Long-Term Study"
It also impacts the trust of the employees if a company does stuff like GoDaddy.
You should invest in technical solutions, relying on humans isn't enough. If someone targets an attack against your company using phishing, they will succeed.
shayminlover492@reddit
Enough people have already commented and I am new to the field, but yeah, let this guy leave. It will do your company a favor.
GinormousHippo458@reddit
Poor guy just needs a job where it's ok to just ignore email entirely, and just use real time comms, like Slack, etc...
supershinythings@reddit
My company did these.
Fortunately the phishing emails have to get through the company’s internal filter. To do that they add a special header and tell the mail server to automatically admit mail with that particular header.
My email client has the ability to filter on arbitrary strings in the header. So I set up that filter and directed all the messages into a folder. At random times I’d see newly caught phish. I’d let my coworkers know the scamps were phishing in our pool, and sent out directions to implement the filter.
For the next five years, they never changed their immunity header so my phishing filter remained effective against corporate IT security phishes. They were often a waste of my time, especially at the end of the day when I’m trying to get home. I am so glad the filter took that time-wasting BS off my plate.
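The static allow-list header described above is also the gateway's weak spot if it ever leaks, so a defender wants the bypass tied to the vendor's sending infrastructure. As an added example, not code from the thread or from any vendor, here is a gateway-side check that honours the header only when the topmost Received hop is the simulation vendor's relay; the header name, token and relay range are constructed.

```python
"""Added example (not from the thread): a gateway-side check that honours a
phishing-simulation allow-list header only when the message arrived from the
simulation vendor's own relay. Header name, token and relay range are made up."""
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Assumed (constructed): the header the gateway is told to admit unconditionally,
# which is exactly the static marker the comment above filters on.
SIM_HEADER = "X-PhishSim-Bypass"
SIM_TOKEN = "campaign-2024"
# Assumed (constructed): the vendor's outbound relay range (TEST-NET-3).
VENDOR_RELAYS = [ipaddress.ip_network("203.0.113.0/24")]

_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(raw: str) -> Optional[str]:
    """IP of the host that handed the message to our gateway.

    The topmost Received header is the one our own MTA wrote, so it is the
    only hop an external sender cannot forge; every line below it is untrusted.
    """
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    match = _RECEIVED_IP.search(received[0])
    return match.group(1) if match else None


def classify(raw: str) -> str:
    """'normal' (no bypass claimed), 'simulation' (header + trusted relay),
    or 'suspicious' (header present but not from the vendor: keep filtering)."""
    msg = message_from_string(raw)
    if msg.get(SIM_HEADER) != SIM_TOKEN:
        return "normal"
    ip = relay_ip(raw)
    if ip and any(ipaddress.ip_address(ip) in net for net in VENDOR_RELAYS):
        return "simulation"
    return "suspicious"


# Constructed sample messages, in the order our gateway would see the headers:
# the topmost Received line is the hop into mx.corp.example.
SAMPLE_SIM = """\
Received: from relay.vendor.example ([203.0.113.7]) by mx.corp.example; Mon, 1 Jan 2024 09:00:00 +0000
Received: from builder.vendor.example ([10.1.1.1]) by relay.vendor.example
X-PhishSim-Bypass: campaign-2024
From: "HR Benefits" <hr@corp-benefits.example>
Subject: Action required: confirm your benefits enrolment

Please review the attached form.
"""

SAMPLE_FORGED = """\
Received: from mail.unrelated.example ([198.51.100.9]) by mx.corp.example; Mon, 1 Jan 2024 09:05:00 +0000
X-PhishSim-Bypass: campaign-2024
From: "HR Benefits" <hr@corp-benefits.example>
Subject: Action required: confirm your benefits enrolment

Please review the attached form.
"""

SAMPLE_PLAIN = """\
Received: from smtp.partner.example ([192.0.2.5]) by mx.corp.example; Mon, 1 Jan 2024 09:10:00 +0000
From: alice@partner.example
Subject: Meeting notes

Notes attached.
"""

if __name__ == "__main__":
    for name, raw in (("sim", SAMPLE_SIM), ("forged", SAMPLE_FORGED), ("plain", SAMPLE_PLAIN)):
        print(f"{name:6} relay={relay_ip(raw)!s:14} -> {classify(raw)}")
```

A message carrying the header with no Received line at all (for example, something submitted directly to the gateway) also lands in "suspicious", because the bypass is only ever granted on a verified relay.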
can-opener-in-a-can@reddit
This could’ve been a particular one of my users.
hebrew12@reddit
“K”
hidperf@reddit
We had a user call the help desk repeatedly until someone picked up. Just to tell us in an angry huff that the phishing tests were too realistic.
I was impressed and also flattered.
Snowdeo720@reddit
Just wait until the submitter gets their first phishing exercise at their next organization.
I would pay to see the reaction they have.
laz10@reddit
I'm with him
Thecardinal74@reddit
I mean, he's not wrong.
I don't know what the better way is, but there's gotta be a better way than treating adults like school children
residentchiefnz@reddit
Positive reinforcement - i.e. if you successfully mark the phish email as spam, you will receive a $5 cafe voucher/go in the draw to win a $200 prepaid Visa?
JackTheDefenestrator@reddit
"Thanks for the input Shorty!
If the alleged 'grownups and coworkers' weren't clicking on actual phishing email links with alarming regularity, maybe we could stop trying to educate them you absolute pine cone"
splatm15@reddit
Pine cone. Lol.
residentchiefnz@reddit
Well cockwomble would have resulted in a visit from HR...
fucksickos@reddit
IKR. We don’t do it because we’re bored and had nothing else better to do. People complain that they’re too obvious all the time but if that was the case you motherfuckers wouldn’t be clicking them. So clearly we need these tests and trainings because if you’re tricked by a free pizza hut pizza link then you’re gonna be tricked by hr@company.com asking you to update your payroll info.
JackTheDefenestrator@reddit
YOUR MANAGER HAS GIVEN YOU A FREE IPHONE
whoShitMyPants408@reddit
Hey! Pine cones are cool!
CharcoalGreyWolf@reddit
Because unlike this soon to be gone employee, they serve a useful purpose and repopulate the world with something beautiful?
whoShitMyPants408@reddit
Uhh. Sure, I guess. Things don't have to be useful to be cool. Just look at roller coasters.
BardKnockLife@reddit
The best one I ever got was at 2 in the morning that read: “Can someone help? My wife is receiving my personal emails.”
jimlahey420@reddit
The only time we've been hit by ransomware was because some big wig clicked a link from a legit phishing email after literally 3 months earlier denying our request to implement phishing tests/knowbe4. It couldn't have been more embarrassing for this guy.
We got our knowbe4 after that and have had it ever since.
I don't believe for a second that it doesn't have at least some positive effect. This person OP posted about is just a grumpy curmudgeon so good riddance.
Resident-Artichoke85@reddit
I get Teams reminders from my boss about all the mandatory training emails I don't open. "Sorry, I don't open mass-mailed items with topics that are not about my job function to avoid phishing. What is the sender name, subject, and date I need to search for?" I only open emails from my team and up the supervisor chain or projects I'm actively assigned. Otherwise, it just gets ignored. I've also never been phished.
tune345@reddit
lol
NoodlezTheZombie@reddit
Add his personal email into the mix.
homelaberator@reddit
Yeah, if you are punishing people for failing phishing tests, that's definitely not best practice. Needs a lot more carrot than stick. This is behaviour change in general. People should be feeling good about passing. Gameify that shit. If they are failing, you need to look at the quality of the training.
flummox1234@reddit
Hate to be that guy but if there is a pattern you can train people about, then there is a pattern you can automate against.
Pushing it to the end user is just more lawyer driven development, i.e. CYA ... but "you were trained".
ilove-squirrels@reddit
HA!!!!!!! I swear this person posted on Reddit about this. They were all kinds of bent out of shape over the emails. A whole bunch of us tried our best to help them understand the why and how of things, but they would have none of it. They said they were leaving the company over it; guess they meant it. lol
Absolute gold.
kikn79@reddit (OP)
I'd love to see that post if you can find it.
dokidokisushiuwu@reddit
I got a phishing test email that said there was an altercation in the parking lot between two employees and they've both been terminated, click here for details. I've never clicked a link faster in my life.
dansedemorte@reddit
As an SA, my personal opinion is that they do more harm than good.
My company already auto-blocks most images and rewrites URLs.
The image block is fine but the URL rewrites make it harder to verify links since a bunch of extra "safe links" verbiage is added.
Phishing test fatigue is definitely an issue.
Acadia1337@reddit
I feel like I kind of agree with him.
anetworkproblem@reddit
Actually it is the best way to teach. I bet this is an old fart.
qejfjfiemd@reddit
Haha fucking boomers
badaz06@reddit
I had a user complain that he had to click his mouse button twice now, instead of once like he used to have to do. I mean, RANTING. This after reading a story about my ancestors in the 1700s, where one of the women had to fight off a bear that came through their roof... and all she had was a frying pan. I had to mute myself because I was chuckling the entire rant.
__Arden__@reddit
The data and my experience says otherwise. You have to use good phishing templates and proper training. We also have a phishing alert button through which real phishing attempts can be reported to IT. Since putting this in place, my users do much better at recognizing and reporting ACTUAL phishing as well as very clever tests by 3rd party auditors.
nope_nic_tesla@reddit
Did you just click on a random comment to reply to?
bathroomdisaster@reddit
Best I had was spell check turned ‘internet’ to ‘interest’
“I find myself losing interest when sat at my desk throughout the day. This is becoming a concern”
1randomzebra@reddit
People complain and folks have different opinions on effectiveness of these campaigns. In my environment, more people communicate suspicious e-mail (business and personal) to IT, click throughs on campaigns have decreased and there is more awareness. So maybe the tests are not ideal and people complain, but they do appear to change behavior in a way that protects us a little more...
Talesfromthesysadmin@reddit
Someone is bearish on knowb4…
tomxp411@reddit
True... but I'm nearly as frustrated as he is by these "tests".
While I've never legitimately fallen for one, I have been known to simply delete obvious tests unread, and somehow my security score goes down because I didn't report the phishing attempt.
The worst part is when the company sends out internal emails that almost perfectly mirror the phishing messages, and we don't have a clear way to distinguish the legit mail from the phishing attempts. I honestly feel like the anti-phishing training is teaching people how to compose emails... by copying the training messages, including all the things we're told are red flags.
While I don't think I'd write it quite as enthusiastically as this guy, I do think that continuing anti-phishing training past a certain point is actually harmful to productivity, and it certainly erodes trust in internal communications.
lewiswulski1@reddit
If I got that ticket I'd be sending them a personalised phishing test. No congratulations or fail message afterwards.
If they fail, fake a scenario where cyber security tells them that the company had a major attack and it was traced back to them clicking on an email link and that the company is being held at ransom.
If they pass, send them an email saying it's standard practice in most businesses
MisterFives@reddit
A user sent me a ticket that said:
Every time I send an email from my phone it says 'sent from my iPhone' at the bottom. Is there any way to remove this? We already have email signatures.
Sent from my iPhone
TKInstinct@reddit
Someone wrote a Star Wars fan fic as a ticket, which made my dad and I remember four years later.
Smooth_Plate_9234@reddit
The funniest thing is that in his other job he will find these kinds of messages and his mind will be left with
Independent_Yak_6273@reddit
little does he know.....
don't flatter yourself as these are automated... you don't really matter
BCIT_Richard@reddit
None of us really matters at the end of the day, there isn't a position that can't be filled once it's empty unless it's some ancient/dead, or dying tech like COBOL, or AS/400
Dal90@reddit
At this point, can we put "dying" COBOL in the same group as "any year now" Linux will take over the desktop, or IPv6 will be widely adopted by enterprise IT?
'Cause I've pretty much heard all three since I started corporate IT in 1995 and I'll be retiring before any of those come true.
BCIT_Richard@reddit
I mean fair, I work in an AS/400 environment that uses COBOL and isn't Finance. I know it's been dying for a while now, but it's also not being taught in school anymore either so does that count? lol
Kaexii@reddit
Apply this thought to any other subject not taught in school like how credit cards work, how to change a tire, or comprehensive sex ed.
amishbill@reddit
I like how they are certain about Best Practices in a field they’re probably not an SME on.
Coffee_Ops@reddit
I can sympathize a bit with dislike of those emails.
Imagine getting a finely crafted, intentionally sneaky phishing email test that will flag you if you dare click that link because of the typos and external domain...
And then you get an email from "HR@someExternalCompany.notSneaky.maillist.io" talking about the urgent need to log into your new HR portal via this temporary link and enter your credentials. And it's a valid email, and if you don't do it you get yelled at by HR.
wine_and_dying@reddit
Internal phishing is tantamount to tying employees' shoes together to teach about trip hazards. Net loss activity which erodes the relationship between the business and security.
Long security career and can attest to no value outside of regulatory box checking.
BlackV@reddit
I mean they're not completely wrong though, realistically
eNomineZerum@reddit
I work alongside schools and the phishs I have seen people fall for... Yikes.
Legit seen phishes talking about "the superintendent is hiring a personal assistance for $1000/week. If you apply do not tell anyone, just enter your info into this Google Form". The Google Form then asks for EVERYTHING, including SSN, bank details, and a "preferred passwords for once your account is chosen, please include all passwords you commonly use so we may choose the most secure".
One was sent by a student who literally copy/pasted the staff/faculty emails from an email that was accidentally sent to the student distro and actually got hits back. I was looped in and the answer to how many fell for it was "entirely too many, this is a shit show".
Heh, my neighbor asks why her district runs phishing campaigns...
SikhGamer@reddit
He is right.
Kinglink@reddit
Sounds like he's a guy who FALLS for every phishing attempt.
I've seen the phishing emails. Guess what? Every one I've clicked on was with great moral reservation, and it proved to me that I need to be more vigilant.
I guess this guy just preferred slides he could click through as fast as possible. Good riddance.
shadhzaman@reddit
Reminds me of my KB4 environment and users.
I have a slightly different (mostly same) viewpoint: most users aren't just straight up dumb or incompetent, they just don't care and/or have a superiority complex. Over my decade long IT work, I have gone from believing the "IT makes you see people are dumb with computers" to that viewpoint. Sometimes it manifests as not reading updates about a server down/vpn change and complaining about work stoppage, to sometimes arguing with you that they know better because at the back of their head you (IT) are some people who more or less did a vocational course while they were college/university certified experts. Be it arguing how "passwords don't work" to "deceitful emails are a crime". Basically how people not knowledgeable enough in Finance, but in other fields will try to swear by Crypto stuff.
Ctaylor10hockey@reddit
The industry uses Negative Reinforcement training with attack/fake email tests to tamp down bad behaviors (i.e.: Clicking) when this employee and some of the comments seem to suggest Positive Reinforcement training (including Google's Blog) show we need to reward, reinforce Good behaviors (email inspection to identify indications of attack). That's the true holy grail of reducing phishing attack success. Punishing bad behaviors only is like putting shock collars on your employees - when they click or get too close to the edge of your invisible fence property, ZAP em really hard so they NEVER ever click. But without a Treat-based positive approach you're not teaching employees the proper behaviors to learn what IS safe to click on. I would go so far as to suggest you do the Positive First, and then perhaps down the road run a few negative reinforcement campaigns to validate people have learned the good skills they need to protect your company.
yer_muther@reddit
His life must be wonderful if this is the sort of thing he gets upset at.
capetownboy@reddit
IT Director here. He's correct—phishing tests may have had some initial impact, but they now primarily erode trust among top performers and critical thinkers within the organization. Their effectiveness in preventing future attacks is questionable, and education proves to be a far more effective approach. Unfortunately, you’ve adopted an 'us vs. them' mindset, so this may not make any sense to you.
thortgot@reddit
Top performers and critical thinkers aren't the target of that style of training. A one size fits all training policy is the issue.
Phishing training is generally much more lax than actual attackers. I've yet to see the company that will use fake termination notice attacks or "bank error in your favor" style attacks but I have seen them as actual attacks.
Collaborative education and representation of actual attacks your company sees should be the goal.
capetownboy@reddit
OK you definitely have a point. What you're saying is that effectiveness of phishing training hinges on how well the educational and testing methodology aligns with the needs, behaviors, and learning styles of the target audience.
We have to remember that Phishing training might sound like a noble cause — but the reality isn’t always so straightforward. In practice, these exercises can backfire, and there’s growing evidence that they sometimes do more harm than good. You see, when phishing tests are done wrong—say, without transparency or with an air of punishment—they can turn the security team into the villain instead of building trust. Employees start thinking, "Oh great, another fake email to trick me," rather than actually learning something useful. And if there’s a culture of naming-and-shaming or punishment when someone messes up, the result is less "I’m just going to keep my head down and avoid reporting anything." Studies have shown that heavy-handed training or secret phishing tests can create stress and resentment, reducing productivity and making people feel like they’re under surveillance.
drnick5@reddit
Why do I have a feeling that this user has failed the phishing test multiple times?
Habreno@reddit
Because you couldn't read the OP's top lines.
drnick5@reddit
I can't read or write...
RevLoveJoy@reddit
Anyone else feel like maybe he's got a couple solid points?
Zyntastic@reddit
Yup, me.
fucksickos@reddit
This is wildly unprofessional and petty lmao. I would forward this to HR
kikn79@reddit (OP)
Oh, he CC'd the HR director, his manager and director, and my director. Total scorched Earth.
WorldlinessUsual4528@reddit
I disagree that it helps. Our staff used to click on every. single. link. they ever got. Doesn't matter how stupid. We even Rick Rolled them one time. Now they're so scared, they don't respond to legit emails either. Win!
mikeyb1@reddit
Oh, to be a fly on the wall when his new employer runs their next phishing campaign.
stesha83@reddit
He’s right though, phishing your own users is counterproductive and does nothing but produce lovely charts for disengaged middle management
fucksickos@reddit
I’ve personally seen the knowbe4 trainings and phishing tests result in identified phishing attempts. Our users are much better off with these trainings and many of them tell me about how they catch these in their personal email all the time now that they can ID them. Maybe it’s not so necessary if you have a savvy user base but the average employee at my org is a 50 year old mom who just “doesn’t do computers”.
stesha83@reddit
My average user works in a field with industrial equipment, and we make them all do reliable cybersecurity mandatory training without baking a mistrust of the IT department into their day to day lives
fucksickos@reddit
Conditioning users to expect phishing attempts isn’t the same as IT trying to trick people because they’re mean. A lot of people interpret rules about mfa or not writing down passwords as IT mistrusting them. At the end of the day the job is protecting the org and complying with insurance regulation, if a user takes it personally then that’s between them and management.
MasterLigno@reddit
Close the ticket just before he leaves. "Problem solves itself today"
Ok_Evidence_1443@reddit
lol this is great.
Very similar to this as well. I send these out so often at my job it’s not even funny how many people respond.
hosalabad@reddit
Thank you for reminding us of your departure. We have scheduled a celebration in +4 days.
matt314159@reddit
LMAO he's really unburdening himself in his final days.
The private college where I work just started doing KnowBe4 campaigns this year, and there's been a couple of people who've responded negatively, but most people just don't care.
I'll say though, that we did generate mistrust; we started with the simulated phishing campaigns, and then later sent out an email with links to two mandatory KnowBe4 training sessions everybody needed to do. I had so many people report the training session email as possible phishing.
It seems it's mostly trained them not to click on any links, instead of how to actually spot a phishing email.
steveholt480@reddit
I report it every time. Company policy states I should only open it if I know the sender, know the content is safe AND was expecting the email.
matt314159@reddit
You know, I'd rather that than have somebody click a real phishing link!
steveholt480@reddit
Yeah, I'm doing the thing they said to do. Usually someone will announce that it's real after half of us report it and I'll complete the training then.
wrosecrans@reddit
I used to forward the phishing tests with a note saying, "If you need to get into my email to verify what happened, my password is 1234 and I am happy to click the 2FA prompt for whoever needs to get in."
IT was deeply confused that they technically had to mark me as having passed the security test because I sent them the phishing test email.
msalerno1965@reddit
For a counterpoint:
Let's go back to random drug tests. That'll improve morale too.
The comments here are so adversarial I wonder if some of you need a different career.
kikn79@reddit (OP)
We do that also. LOL
CarrotBusiness2380@reddit
Really? I've never worked anywhere where "random" wasn't in quotation marks.
kikn79@reddit (OP)
Everyone onsite has their name in a random generator. A few times a month, names are drawn (up to and including the CEO) for the random test.
briangraper@reddit
Try working for the DoD.
yomer333@reddit
Requiring password changes for users is an extra inconvenience for them, but I don't know that anyone would call it "adversarial".
For the people comfortable driving 120mph, the speed limits on the highway feel like unnecessary hand-holding, but those drivers will indirectly benefit from the dopes next to them not crashing into them because they aren't as good at driving.
fucksickos@reddit
If somebody falls for a phishing attempt it could easily result in the company going under and everyone losing their jobs. It happens. I think whatever mistrust occurs from phishing tests is well worth it. I don’t think you can say the same about random drug tests considering most places don’t do them anymore.
mercurygreen@reddit
It's not about morale, it's about justifying a budget line item.
Natural-Cow3028@reddit
I’m excited personally because I’m in my first IT job. Team of two so I’m the jr sys admin. I just got the green light to create an information security plan and put it into place. I’m starting with user education on the basics. How to avoid phishing, tailgating, social engineering, texts etc. Then will create a campaign to test our users. Remediate whoever fails. My boss commended me on noticing this as a weak point as we currently don’t have anything at all in place for cyber security awareness/training. We are a team of two and he hasn’t had competent help in years. His last good jr was a good 2.5/3 years ago. He hadn’t even taken a vacation in six years until I started working here. He had no help and couldn’t trust those he did have to keep us going while he himself was gone. He has taken two week-long vacations since I started. I’m hoping to go from this position to a SOC analyst in a couple of years. I’ve gotten Google cyber security, completed SOC 1 on TryHackMe and now am working towards some certs with TCM. Hoping this plus creating and managing our security plan and policies will be enough to land me a job after 2-3 years.
BerkeleyFarmGirl@reddit
That's good, you got the order in shape:
Management Buy In
Education Education Education
Then the campaign
The campaign should start out with something pretty obvious that isn't super mean. You will ID your frequent flyers from that.
Apprehensive_Pin6787@reddit
Wait until mandatory fire drills. I cannot believe they tricked me into believing the building is burning down
notHooptieJ@reddit
... I mean... he isn't wrong tho.
phishing tests don't train anyone on anything, they just tell you how fucked you are about to be.
Financial-Chemist360@reddit
What an asshat.
blue_canyon21@reddit
I think my best/funniest one still has to be:
Dry_Inspection_4583@reddit
Fair points though.
c0nvurs3@reddit
I get where he's coming from. Traditional phish testing has that "We got ya. You're in trouble now" tone. Trying to trick us into clicking on a link and then coming after us for it. Nevertheless, it's still required by cybersecurity insurance providers and good to cybersecurity train users. I did some quick research. KnowBe4, Phin, etc... all take this approach. I found one company, CyberHoot, who offer a different approach. Users are signed up for training and receive their "HootPhish". It's an email that says you have a new phish training. Users then go to the site and are walked through an email and its indicators, training them what to look for and conditioning users how to protect themselves from phish emails. It's all positive, with no "I gotcha" moment. Worth taking a look in my opinion.
random_character-@reddit
We introduced an outlook button to allow users to report suspected phishing to service desk with two clicks. Super simple.
The email to introduce the new feature was the top half of a really, really obvious phishing email, then abruptly stopped and it said something like "but if this sounds a little too good to be true it might be a phishing attempt"... "Here's how to report it" in large red text.
Shortly after sending, we had a woman on the phone complaining to my boss IN TEARS because she felt victimised by this deceptive tactic.
FML
IAdminTheLaw@reddit
I 1000% agree with him.
SAT has long gone past training and both the vendors and IT departments are totally focused on entrapment. It's ridiculous and shameful.
If you're relying on the user to protect data, as we all currently are, then you have failed. It is a technical issue and you are relying on the weakest link as the final barrier. Worst of all, rather than incentivizing success, you are punishing "failure". Shameful.
Bring the down votes, drones.
Slaker_Daily@reddit
Send him an email from HR, simply stating we are gathering feedback from employees about their experience with the IT department as part of our exit interview process. Then, add a link to the form, you know which one.
UMustBeNooHere@reddit
I always love how people try to tell IT how to do their job. You think this guy would accept someone from IT telling him how to do his? Hell no. But everyone thinks they can dictate policy to IT.
DK_Son@reddit
Dude is an idiot. Before I worked at one of my companies, they were taken for something like $20m or $50m or something like that. It was YUGE. Done through a phishing email that made its way through to accounts or some shite. The sender was masked as a familiar contact, so the person in the company had no hesitation in paying the invoice. Boom, phished. "Hey where'd that money go?". "To you". "Nope, we never received it". Nek minute. "Ahh fook".
I got this one that's a bit unrelated to your post, but could become related if it was actually something we did, or allowed. Some guy was having issues with whatever. A ticket made it to me where I asked him to run a command in CMD to fetch me some info. It didn't work because standard users don't have elevated privileges, and it was a command I hadn't needed to use before, so I wasn't sure if it would or wouldn't work. I was like ok cool, at least the elevation protection stuff works. So I was gonna send it back to EUC to get them to remote in and do it (all I can use to remote in to a user's machine is Teams, which blocks you out when admin stuff is run). EUC has remote tools that allow much more functionality.
But as we go through this, the user turns into a total dick. "Ahahahaha. SEE I COULD have helped you if you guys just gave me admin access since I am an advanced user. But now you have to waste time doing it all yourself. AHAHAHA.". I was like bruh, no one gets admin access on their standard account. AND. Your role doesn't require an admin account. Checkmate twice, you dingus. I should have reported him just to get his ass whooped by more people for being such a dick. But I was a little stunned that someone could be so rude and so dumb at the same time. Left it for a day or two then forgot about him completely, until right now. That was weeks ago. Imagine if all these "advanced users" had admin access on their normal accounts, OR they had admin accounts. Yeah. Would love to see the shit they install, or get their machines opened up to.
TwinkleTwinkie@reddit
Oh they're leaving? Disable that account.
Thats-Not-Rice@reddit
Had one of the captains of our fire service tell us that our phishing simulations were akin to "him punching a hole in a hose and then calling for an inspection".
It made us laugh. Firefighters have a dangerous job, and I respect them for the work that they do. But they are, collectively, the worst customers you will ever have.
The worst part is it wasn't until we started disabling mailboxes that the remedial security training got completed, and most of them had to re-do it several times because they just didn't give a shit.
RubixRube@reddit
Internal phishing and education campaigns have consistently been a requirement of the cybersecurity insurance at several organizations I have been employed at for nearly the last decade.
We don't want to piss off our users, we honestly don't want to get the complaints. With that, I cannot trust that everybody is reading the documentation on how to catch a Phish we have posted on our wikis or provide in the onboarding packages. Given the interaction rate we have with phish, it would be fairly safe to say most people are not.
PappaFrost@reddit
Complaining about industry-standard practices is the thing that lowers morale and creates mistrust among coworkers, LOL. It will be funny when he gets his next phishing test the first week at the new company.
vc3ozNzmL7upbSVZ@reddit
I don't disagree with them.
Awkward_Not_@reddit
Well, sorry bud. They're not hostile attempts to trick you, they're teaching you to recognize a phish. And congrats, you apparently know how to recognize them.
I know phishing training always gets a ton of shit and called useless but man, getting hit with a phish isn't a one-in-a-million occurrence. They happen every day in every company, whether you yourself get them or not. I think something like 20% of breaches started with a phish and someone clicking something they weren't supposed to from the last report I read? Don't quote me on that.
There's plenty of tooling and filters you can throw in to reduce the number of obvious phishing attempts, but some will always slip through and that end user is the last line of defense (aside from the obvious controls and hardening policies you should have in place that blocks macros, suspicious executables, installs, etc.).
And that last line of defense needs to understand it's not always "CLicK HER3 TO CLAiM UR PRIZE" that you'd expect anyone to have at least a hair of common sense to detect (which somehow people still don't).
It's fake DocuSign emails, fake encrypted emails, fake employee handbook reviews or notices of pay changes from an email that looks like it came from your HR but has an l instead of an I in the address. Those "Click here to sign and approve your raise" emails are really cruel to see and demoralizing, but I quite literally had an actual phishing campaign use that exact method against my company, but our filter caught it. I still try not to use those templates for campaigns though, cause that's still pretty fucked.
And hell, legit phishes even come from legit addresses and locations, like Dropbox and Microsoft. Just this year I had an incident where 2 users received an email from someone under one of our clients sharing a file from their SharePoint for download. Legit address, legit email, legit Microsoft. They'd done business with this very person before too, but they were not expecting any files from them, there was no context to the file, and they'd never shared/accessed documents through Microsoft with this person. Legit, but still suspicious.
One person recognized all those signs and reported it so we could check it out, the other signed in and tried to download it to their computer. Turns out the client had been compromised and tried to spread that malware to everyone beneath that person's address book. I then proceeded to see that exact method used on a weekly basis through SharePoint, OneDrive, OneNote, etc.
Another user received a "court document" for review on our legal team from a spoofed law firm. It led to a fake Microsoft sign-in page that was indistinguishable from a real one aside from the URL. The user kept trying to sign into it, but it kept telling them their password was wrong. So they forwarded it to their manager and asked if they could access it. Not even five minutes later and I'm getting hits from Entra that her account was getting signed into in like 8 different locations AND they even accepted the MFA push they got for them, so that was another piece of training that needed covering.
The morale bit can always be addressed though.
Personally, our failure trainings are literally a minute and a half long, like a reminder or touch-up outside of the full annual trainings, and the only thing public about it is having your manager notified if you refuse to do it or just notoriously fail every single one. Every quarter we do drawings for the top reporters and reward them, so we have a pretty high report rate and positive attitude towards it.
And depending on the simulation service you use, you could even adjust the frequency settings for campaigns based on click frequency, so maybe constant clickers get them twice a month while low-risk non-clickers get them once.
Or basing it off risk level from the user's position. Like the VP is more likely to receive legit phishing emails than the custodian, so they need to understand they have a higher risk level so there is higher prioritization in their training.
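The lookalike-address trick described in the comment above (an l where an I belongs) is the kind of thing a mail gateway rule or a report-triage script can catch mechanically, so users are not the only check. The following is an added example, not code from the thread or from any product mentioned in it; it generalises beyond l/I to digits and Cyrillic homoglyphs, and every domain and message in it is a constructed placeholder.

```python
"""Lookalike sender-domain check (added example, not from the thread).

Flags a From: address whose domain is a visually confusable twin of a trusted
domain, e.g. hr@examp1e.com or hr@exampIe.com versus hr@example.com.
All domains and messages in this file are constructed placeholders.
"""
import unicodedata

# Single characters folded onto one canonical letter. The map is deliberately
# lossy: two domains that look alike collapse onto the same "skeleton".
_CONFUSABLE_CHARS = {
    "l": "i", "1": "i", "|": "i", "\u00ed": "i", "\u00ec": "i",
    "0": "o", "\u03bf": "o", "\u043e": "o",      # digit zero, Greek/Cyrillic o
    "\u0430": "a", "\u0435": "e", "\u0440": "p",  # Cyrillic a, e, p
    "\u0441": "c", "\u0445": "x", "\u0443": "y",  # Cyrillic c, x, y
    "5": "s", "$": "s", "8": "b", "9": "g",
}
# Multi-character confusables, applied before the single-character pass.
_CONFUSABLE_SEQS = [("rn", "m"), ("vv", "w")]


def _to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so homoglyphs are visible to the check."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode (or malformed); compare as given


def skeleton(domain: str) -> str:
    """Collapse a domain onto a lookalike-insensitive form."""
    d = unicodedata.normalize("NFKC", _to_unicode(domain)).casefold()
    for seq, repl in _CONFUSABLE_SEQS:
        d = d.replace(seq, repl)
    return "".join(_CONFUSABLE_CHARS.get(ch, ch) for ch in d)


def classify_sender(address: str, trusted: list[str]) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'malformed' for an address."""
    local, at, domain = address.rpartition("@")
    if not (local and at and domain):
        return "malformed"
    domain = domain.casefold()
    trusted_cf = {t.casefold() for t in trusted}
    if domain in trusted_cf:
        return "trusted"
    if skeleton(domain) in {skeleton(t) for t in trusted_cf}:
        return "lookalike"
    return "unknown"


def scan_messages(messages: list[dict], trusted: list[str]) -> list[tuple]:
    """Return (subject, sender, verdict) for every message that is not from a
    trusted domain, so a triage queue can prioritise the lookalikes."""
    findings = []
    for msg in messages:
        verdict = classify_sender(msg["from"], trusted)
        if verdict != "trusted":
            findings.append((msg["subject"], msg["from"], verdict))
    return findings


# Constructed sample data: the domains below are placeholders, not real ones.
TRUSTED_DOMAINS = ["example.com", "modern-corp.com"]
SAMPLE_MESSAGES = [
    {"subject": "Handbook review", "from": "hr@example.com"},
    {"subject": "Approve your raise", "from": "hr@exampIe.com"},      # capital I for l
    {"subject": "Pay change notice", "from": "payroll@examp1e.com"},  # digit 1 for l
    {"subject": "Invoice attached", "from": "ap@\u0435xample.com"},   # Cyrillic e
    {"subject": "Vendor update", "from": "billing@modem-corp.com"},   # rn vs m
    {"subject": "Newsletter", "from": "news@vendor-placeholder.net"},
]

if __name__ == "__main__":
    for subject, sender, verdict in scan_messages(SAMPLE_MESSAGES, TRUSTED_DOMAINS):
        print(f"{verdict:9s} {sender:32s} {subject}")
```

A verdict of `lookalike` is a strong signal on its own and worth a banner or a quarantine; `unknown` is just "not one of ours" and needs the usual context checks the comment describes (was a file expected, has this person shared this way before).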
kenfury@reddit
When our Superdome went down I got a message: "too close for missiles, switching to guns". Mind you, Maverick was the name of the core system.
Followed by (hours later) "take my breath away".
joecool42069@reddit
resolved
hoeskioeh@reddit
Find his new work mail, send phishing tests there, too.
Zenith2012@reddit
The best ticket, well, post-it note, I've ever received was from a teacher whose pen for the interactive screen wasn't working. His note read...
"My penis broken"
Yes, he forgot to put finger spaces when writing it out and it very much read like that. Absolutely made my day when I told him he should see a doctor, then showed him his post-it again lol.
the_iron_pepper@reddit
Every enterprise I've ever worked for that's had a security team has run phishing campaigns.
Dravelok@reddit
He had 3 days left and knew it was a test. With 3 days left I'da clicked on that link and smiled the whole time doing it. :P
xboxhobo@reddit
I don't try to sell the benefits of anything. Either it's mandated by management or it's not. I'm not here to be a salesperson, I'm here to enforce the standards set by the business I work for.
fucksickos@reddit
Had someone yell at me a few weeks ago for telling them that if they write their password down in front of me then I have to say something. “It’s so ridiculous that you expect us to remember all these passwords” blah blah blah. Like lady I’m flattered that you think I’m important enough to make the rules around here but I just work here too.
On top of that, if you misplace that password and we’re breached, who do you think has to deal with the shit show, late nights and paperwork afterwards? So yeah if you’re putting me in that position of course I’m not letting it slide.
Flat-Beginning-4520@reddit
It's always weird when they complain about these. It's worse when they complain about the five spam emails they get per week. Just delete that shit and move on with your life.
KalashniKorv@reddit
I received a ticket once. A client had an open wifi at the community center. You just needed to click connect on a hotspot page kind of way and they had the support mail if there was a problem to connect.
The ticket stated:
"Please support. I'm horny and I need you to allow porn on this wifi" - sent at 01:12 on a Wednesday night.
With name, mail and phone number.
We laughed the whole day at that. No... We didn't allow any porn.
fucksickos@reddit
Nu-Hir@reddit
But they were horny!
kmsigma@reddit
I purposely failed the last phishing test at my previous company with only 6 days to go. I knew I had 30 days to complete the follow up "lesson," so I just clicked the phish and enjoyed the rest of my day.
jake04-20@reddit
Someone accused me of personally singling them out by sending them simulated phishing emails. Like bitch we have 500 employees, this is fully automated. Do you really think I'm hand-picking phishing emails to send to you specifically? The world doesn't revolve around you.
Zestyclose_Fix_6493@reddit
He is going to know what to do when the next company CEO emails him to go get those gift cards he requested through this link and he clicks it.
You click it
mercurygreen@reddit
Everyone who does them says that phishing tests work - except they never show receipts.
The only time I've been hit was when I was having a back-and-forth with HR about something pretty serious, and they sent one out from a fake HR. I sent something fairly nasty to the director of the department using the words "harassment" and a few choice terms where I used a thesaurus. Not a single word of profanity. I got a "We're sorry but we have to do this..." response, but they NEVER sent a fake HR message to me again.
I feel for the guy. They're a stupid waste of time and resources. It would be better if they increased the tech on incoming mail side.
bananaphonepajamas@reddit
In my experience they work by allowing the people who click on them to be fired and therefore less of a risk to the company more than by training people not to click on them.
They also allow us to be covered by cyber insurance.
mercurygreen@reddit
Interesting - our cyber insurance doesn't require this. I haven't heard of a company that uses this as an exclusive reason to fire someone they weren't looking to terminate already.
(Not sarcastic - I'm serious about all points)
bananaphonepajamas@reddit
I think it's only happened twice here. The first time they failed 3 tests then fell for a real one. The second they failed three tests and then were gone because they didn't want a repeat.
And yeah we have a requirement for that among other things. I'm not sure if there's a success rate that's required, but I believe we need to do at least one every six months. It's not particularly disruptive, but it's there.
Valdaraak@reddit
They're tests for a reason, not training. You're testing your education practices. If you're just sending tests and no other education, you won't see results. If you're doing education courses as well, you'll see a reduction over time. We did. Went from a third of the company clicking phishing tests to one or two every now and then.
You gotta have a way to test if your education is actually working. There's not really a way to do that other than sending phishing tests.
mercurygreen@reddit
Okay, so show the analysis that THIS testing with training has any positive effect on security. Show me ANYTHING that says this, as an element of security, adds any value! Or would an annual five minute training video BY ITSELF have more benefit?
wivaca@reddit
I think this staff member has misinterpreted the point. You can't manage what you don't measure. These test messages actually aren't the educational part of the human firewall, they're the penetration test.
Like others, I wish them good luck not having this happen at their next job. If they're lucky, they're retiring. While they won't have to put up with the phishing tests, they may get a chance to have a new career in identity theft cleanup.
slashinhobo1@reddit
Got something similar where we monitor abnormalities for M365. Reached out to the user to make sure they were the ones that made the changes. Was sent a passive-aggressive email that it wasn't my job to monitor and I had no right to do so. It was indeed my job and a potential cybersecurity issue. Notified management, and nothing happened.
Ikarus3426@reddit
Isn't Game Freak, creators of Pokémon, experiencing a huge leak right now because someone fell for one of those phishing links?
DiseaseDeathDecay@reddit
That's kind of the point....
People are too trusting. You have to trick them to show them that a) they can be tricked and b) people will try to trick them.
SkirMernet@reddit
Phishing tests are stupid IMO and I’m not gonna pretend otherwise.
Nezothowa@reddit
They do this to avoid liability. “See, we train our employees. It’s not our fault!”
That’s the sole purpose of it.
SkirMernet@reddit
It’s not productive, whereas actual phishing recognition training would be so much better and more effective.
ciabattabing16@reddit
Every job I've had, they happened to warn me ahead of time in the meetings before it was deployed, for various unnecessary situational awareness reasons. Oh the Citrix guy needs to know because remote users will ...get an email....
Regardless, every time, every SINGLE time that I've been warned, I quite literally walk out of the meeting, back to my desk, receive said phish test, and immediately fail it. Like the world's dumbest person. And the second I fail it, I go DAMNIT as I then remember the test is coming. It's been like ten or twenty times over the years; it's ridiculous.
NowThatHappened@reddit
Well, he suggests that you're sending more than one? How many are you sending?
kikn79@reddit (OP)
One per month.
We also do training modules once a month.
NowThatHappened@reddit
OK, to me that is excessive, and probably counterproductive as intimated in this chap's email (which is awesome), in my opinion. Too many and they'll become complacent, thinking that they are all tests and it doesn't really matter, but too few and you'll miss the odd doughnut. Never send the same email to everyone, it's pointless; craft specific emails to specific users based on their department, coworkers, and role. Just imo, take what you will.
itdumbass@reddit
"this email looked sketchy, so I pasted the link into VirusTotal to check..."
"Congratulations, you failed a KnowBe4 test, and must report for further training!"
HellDuke@reddit
I guess he got jaded by some bad experiences? Not sure if I got ignored because I am IT and most in the security team know me, but I tripped several flags in a sandbox environment to check out what I thought was a real phishing attack, to figure out how it worked and what it tried to do, only to my disappointment to find "If this were a real phishing attack your password would have been stolen". Never got any disciplinary action or training. Though it might be because the security team knew I don't need it, I actually never heard of anyone else getting into trouble over it where I work, just the "Keep an eye out for these things" page whenever the phishing test site was opened (the links had unique IDs, so they certainly were tracking who failed).
Baalrogg@reddit
His entire ticket reads just like a Reddit post. He’s probably venting about this somewhere on the site right now.
DivineDart@reddit
Have fun with it at the next place bruh
NerdyNThick@reddit
"I know more than the experts in a field I'm not in"
"I have already decided what my opinion is, and there is no evidence that can change my mind."
They sound like a flat earther trying to claim that aluminum will "subliminate" (he used this term several times when he meant sublimate) instantly in the vacuum of space. The lunar lander was made (in part) from aluminum, therefore the moon landing was faked, because the lander would have instantly "subliminated".
Thanks Kyle, you're the most frustrating and entertaining conspiracy nut.
For the one of you who cares: he got his "evidence" from some random AI chat bot and therefore it is 100% accurate... /s of course.
adelynn01@reddit
Boomer behavior
CAPICINC@reddit
3 days left? THREE MORE PHISHING TESTS!
Twice a day!
Barachan_Isles@reddit
Situation: You have multiple adversarial relationships in your work environment. Perhaps your boss, perhaps a coworker or two, a client who keeps harassing you about something. You're stressed out, on edge and then the one department you don't want to ever deal with unless you have a problem, IT, sends you a fake gotcha phishing email.
If you misclick, you know you're gonna end up on a report and perhaps that manager you can never please gets another bit of something to bitch at you for on the next meeting.
You don't fall for it, but goddamn it, is anyone at this company on my side? Even IT is trying to fuck me over in this place.
I try to imagine myself in their shoes and understand possible avenues of their pain. We aren't the only ones with problems.
3Cogs@reddit
My work puts users who spot the phish attempt into a monthly prize draw.
natefrogg1@reddit
I was hoping that they would list out some better ways
Proggoddess@reddit
I found an article quoting a Google Security blog with alternative methods. I wouldn't say they are substitutes. In my opinion, the methods would be used together, and the simulated phishing tests could be performed less frequently.
https://www.pcmag.com/news/google-stop-trying-to-trick-employees-with-fake-phishing-emails
thortgot@reddit
Phishing credentials is only one of the attack surfaces that training handles.
A much more effective technique for a group like Google (where a technical attack isn't going to work) is to simply impersonate a vendor with a fake invoice technique.
No PDF attacks, no attempt to gather information, just a falsified invoice with payment directions similar to but different than a legitimate vendor.
bjc1960@reddit
Reminds me: mid-month, time for a sim...
FlipMyWigBaby@reddit
Vektor0@reddit
This guy probably has social anxiety manifesting as an intense fear of humiliation. He probably never fails a test because he meticulously checks every email -- not because he's mindful of security, but because he's severely anxious about the potential embarrassment from failing. Thus, ironically and counter to what he believes, his anxiety is helping protect the company.
For his sake though, maybe someone should help him understand that no one freaking cares if he fails a test every once in a while (even we techs do sometimes). No one's wasting their time and energy pointing and laughing at all the "dumb" users with average success rates.
Therapy and medication might help him too.
mercurygreen@reddit
Wow! So he never fails the tests so he MUST have a serious mental issue.
No wonder people hate these these. He literally could not win with you!
Vektor0@reddit
No; he wrote an angry rant several pages long expressing personal offense to a trivial part of his job that most everyone else deals with without an issue, and therefore he might have a mental issue.
223454@reddit
Maybe he has a shitty manager or office culture that's always trying to "get" you, so he sees IT as doing the same thing. Just a devil's advocate guess.
supadoggie@reddit
https://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExdTI5YjVqcjN2cmptODU2YmN1NWYyY21kNm1sY3pvcnR6cWdzd21hcSZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/cO39srN2EUIRaVqaVq/giphy.gif
Chunkycarl@reddit
I mean the dude sounds like the first person to, if he got caught in a real phishing attempt, immediately blame IT for a lack of training and awareness. Be happy he is someone else’s problem
OtherMiniarts@reddit
In his defense, it is poor practice if the phishing testing isn't paired with proactive mandatory training. People who are good at spotting the emails but unfamiliar with your tools might just let the email sit in the inbox instead of using your SEG/Add-In's "report email" button.
LForbesIam@reddit
This is funny. I love the fake out ones especially considering how many people fall for it.
whoShitMyPants408@reddit
This is perfect for r/SelfAwareWolves
mvbighead@reddit
Dear Jackwagon,
Your ticket has been deleted.
Regards,
IT
TheAlienBlob@reddit
I would be on his side if people really paid attention without being punished. The County tried every type of education on this and finally had to get nasty when we were constantly hit by viruses because of these idiots. The superior attitude of the email makes me so happy to be out of the business. I was really getting to a point with these idiots.
Vikkunen@reddit
"Thank you for the feedback, and congratulations on the new gig."
centpourcentuno@reddit
Bye!
What always gets me about these characters is that they insinuate that IT gets a kick/benefits from what they call an inconvenience
I am here for the paycheck too ..so I do my job!
apathyzeal@reddit
Job hunting myself right now. Thank you for reminding me what I am getting back into.
AZdesertpir8@reddit
I just classify them as spam/junk mail..
Agreeable-Piccolo-22@reddit
Today I have received several obvious phishing mails (targeted). Forwarded them to our IR team, and, being familiar with them, came for clarification. They looked through the forwarded emails and laughed: ‘Our boss’ new idea’. As he wasn’t in place, I put a pushpin on his seat and raised a ticket: ‘RCE in chair’.
guzzijason@reddit
Girth-Wind-Fire@reddit
Dude sounds like he would handle a speeding ticket really well.
Zealousideal-Many682@reddit
This poor fella. I'm not sure what it would be like to live in his mind...
BlueHatBrit@reddit
His next manager doesn't know what's about to hit.
deefop@reddit
If you don't put "lmao whatever dork" in your close notes, you're a wimp