Had a clash with executive over my phishing test methods

[-]

Kanibalector@reddit

Damn, worst I've ever done was send people an email saying that our internal testing has identified them as an amazing asset to the company and that they'll no longer be subjected to security testing. All they gotta do is confirm by clicking on this one little link.

Reply

[-]

NoPossibility4178@reddit

People saying you can't learn from being punished but I did learn (on like my 3rd time), I always clicked the link and wrote something like "haha very funny guys" on the input boxes... they didn't think it was funny in response.

Reply

[-]

The_Original_Conman@reddit

Yes, same. :)

Reply

[-]

Bright_Arm8782@reddit

Very crafty indeed, well played.

Reply

[-]

Ur-Best-Friend@reddit

That's fucking hilarious.

Reply

[-]

Deweyoxberg@reddit

Oh this is devious.

Reply

[-]

Skyshaper@reddit

That is adorable

Reply

[-]

rootofallworlds@reddit

Now that one I love!

Reply

[-]

PlayStationPlayer714@reddit

LOL

Reply

[-]

Alert-Lavishness9279@reddit

The methodology is technically sound, and real threat actors use emotional lures like that. The tension here isn't legal, it's organizational trust. If your CTO is blindsided by a test, that's a communication gap worth closing. On the tooling side, KnowBe4 handles progressive difficulty well, but Riot layers in a continuous karma score per employee so you're not just measuring click rates, you're tracking behavior drift over time. Might give you more defensible data when executives push back.

Reply

[-]

Fairlife_WholeMilk@reddit

>I don't care about my employees. Bro you're lucky this didn't cost you your job. And if you care about your network having a good relationship with your employees is KEY. If they hate the security team then they're just going to ignore you or possibly even be malicious on purpose. YOU have to get them on your side. This was idiotic by you to say the least.

Reply

[-]

bafben10@reddit

You already have a great point. You don't need to misquote OP in an attempt to make it better.

Reply

[-]

Fairlife_WholeMilk@reddit

I mean I wouldn't say I misquoted OP by any means. If you think adding >as much as I care about protecting my network To finish off the sentence changes anything then maybe you can say I misquoted OP. But personally I'm going to say anyone who puts packets over me doesn't care about me.

Reply

[-]

bafben10@reddit

>To finish off the sentence changes anything then maybe you can say I misquoted OP. But personally I'm going to say anyone who puts protecting packets over me doesn't care about me. Exactly. Again, you already have a great point. You don't need to misquote OP in an attempt to make it better.

Reply

[-]

kuahara@reddit

If he doesn't send out an acknowledgement and apology, I wouldn't assume he hasn't lost his job and just doesn't know it yet. It's definitely not helping his long-term stability at that org.

Reply

[-]

SharpDressedBeard@reddit

They should at least get a written notice for this. It's beyond the pale.

Reply

[-]

Fairlife_WholeMilk@reddit

Reading the replies they definitely have a massive ego so I think apologizing might be hard for them

Reply

[-]

Jaereth@reddit

> YOU have to get them on your side. A futile and useless endeavor. Have you ever actually worked with end users lol?

Reply

[-]

Fairlife_WholeMilk@reddit

Everyday. Literally had a guy send me an email saying "Thank you for training me so well!" Yesterday after I had a discussion with him about phishing emails.

Reply

[-]

Puzzled-Formal-7957@reddit

Yeah? What do you want to bet he would miserably fail the test the OP sent out? Holding their hand only goes so far. Sometimes you have to hit them in the face with a proverbial brick in order to let the reality of the security compromised situation they might be in.

Reply

[-]

Jaereth@reddit

I mean yeah, there's good people there's bad people. I just don't consider trying to "win the locker room" and get users on my side to be something to dedicate a whole lot of effort to. I feel like in any security context if you have "rules and shit" 50% of people aren't going to like you right off the bat. I had a guy have a meltdown at my desk the other day because we have the NIST password standards enforced and he couldn't make his password something like tree123

Reply

[-]

isthisbad_3182@reddit

I always tailor the tests to the types of phishing emails we are receiving. Do your real phishing emails appear "internal"? You could create phishing emails that spoof the domain and are incredibly complicated and get very high failure rates, but not sure what that solves.

Reply

[-]

AH_Josh@reddit (OP)

We had a real credential link from a real threat actor using "failure to update tax information will result in an IRS investigation" from "Internal HR". No amount of testing with free uber vouchers will ever prepare them for that.

Reply

[-]

Ruevein@reddit

Ours do. We have a few in our stable like that including some i copy pasted from real phishing emails we have received. The thing is, users should know their internal email addresses for HR, IT. For example, we don't use HR@domain anything from that, is 100% not real and my users know it. in fact tax related ones are the only set that has never caught a user because they will scrutinize that one. usually comes back as "I knew it was fake cause why would i attach my company email to my taxes?"

Reply

[-]

ButcheringTV@reddit

Interesting point about taxes. Our current campaign is tax related. But to be honest, I am shocked at how many people use their work email for personal things. Lol

Reply

[-]

Ruevein@reddit

that is fair. we had a user that was upset they couldn't keep useing their previous companies email when they came onboard and they had to change the email for all their social media etc. i'm like, Dude, gmail is free....

Reply

[-]

ButcheringTV@reddit

Oh my lord lol that's a new one. I haven't had that yet 😂

Reply

[-]

subpardave@reddit

That's not exactly an unusual template, at all

Reply

[-]

pashky868@reddit

That's gonna make you famous in the company for all the wrong reasons.

Reply

[-]

vintagerust@reddit

At the same time these are real fishing examples, I wish I remembered the details but there was a story that they had been after an executive in a company for months couldn't get him to click couldn't get him to enter passwords real outside bad actors. There happens to be a shooting at his son's school they send something along the lines of injured students report he clicks and enters instantly. Horrendously shitty but we're dealing with people who would blackmail of food bank, your org needs to survive. OP is mimicking real life behavior of hackers.

Reply

[-]

Asheraddo@reddit

Interesting story but I don’t understand what he enters for the school report? Work passwords? Bank passwords? Why? And why is the school report sent to work e-mail?

Reply

[-]

vintagerust@reddit

People aren't logical in the moment, they may enter every password they use for anything, that is if they even have more than one.

Reply

[-]

DSMRick@reddit

Some people are of the opinion that just clicking a link is a suffiecient failure. For my work, if you click a link you get an immediate "how dare you" page, no info request.

Reply

[-]

renzok@reddit

Bad actors only have to be lucky once

Reply

[-]

Ur-Best-Friend@reddit

>Horrendously shitty but we're dealing with people who would blackmail of food bank, your org needs to survive. OP is mimicking real life behavior of hackers. Ah of course. While we're at it, may I interest you in my self defense course? We apply the same methods you're advocating here - we beat our students until they need to be hospitalized in every lesson, when we're not just straight up stabbing them that is. Do you see how fast this argument falls apart? Yes, you need to train your employees in a way that will prepare them for real life examples. No, you don't need to basically subject them to torture to do so. You just need to train them to internalize the idea that emails with incredibly urgent subjects are something they need to be cautious of, because many scams exploit the fact that we tend to drop our guard in situations like these. You don't have to do it with the most aggressive, traumatizing example you can think of.

Reply

[-]

bylebog@reddit

Wife's job sent fake HR term notices. One time.

Reply

[-]

Absolute_Bob@reddit

Those scenarios need to be covered as training material, not simulation material. When your phishing email could literally cause someone to have a mental or emotional breakdown you are no longer the good guy.

Reply

[-]

Bradddtheimpaler@reddit

And it’s still a very bad idea. Mention stuff like that in awareness training, but doing it to them is going to create way too much acrimony. Nobody will learn a lesson from this, they’ll learn to tune IT out. They’ll complain. IT will get less trust from other business units and more scrutiny. Stuff like this will create enough bad feelings in the org that people might even purposefully undercut IT on things.

Reply

[-]

daedalusprospect@reddit

Thats when you tell them: "Ok, But due to client requirements, I'll have to let your client know we can no longer meet their MSA requirements as obligated in the contract."

Reply

[-]

anpr_hunter@reddit

I agree, with the big asterisk that this merits a conversation. Employees need to know what we (inside and outside of IT) are up against. We live in an age where people are getting scammed by AI voices of loved ones in distress. It’s fucking awful, and the people behind it deserve to watch each of their loved ones succumb to ALS. I say this without a trace of hyperbole; these people are monsters. Still: How do we, the good guys, train our staff to be vigilant against it. Theres a middle ground no doubt.

Reply

[-]

FarmboyJustice@reddit

>...the people behind it deserve to watch each of their loved ones succumb to ALS. The problem is, the people behind it don't have loved ones, they're sociopaths, they have no ability to feel empathy, guilt, or regret. That's why they're able to do such terrible things with glee and excitement.

Reply

[-]

ccsrpsw@reddit

.... their post history is interesting too - I really have no idea how they got the "VP Cybersecurity" at all (and hiding the profile doesnt make it hidden) - they also get super defensive when people point that out in other subs!

Reply

[-]

BlueHatBrit@reddit

Some companies seem to handout VP titles to everyone with a couple years experience. JP Morgan do that iirc, could be one of those situations.

Reply

[-]

TFABAnon09@reddit

Yeah it's a weird American thing. Company I worked for opened a base in the states and I had to go over to run some workshops and set up some bits n bobs. The office was full the brim with masses of mid-twenties brain dead idiots, and every 3rd seat was VP of some bollocks or another.

Reply

[-]

Turdulator@reddit

Companies use it to try and entice people to accept job offers when they don’t want to pay them more. Personally that’s how I originally made the leap into management. I got myself a job with a bullshit manager title but no direct reports… and then for my next job I was able to get a real manager job where I actually manage people, all because I had “management experience”.

Reply

[-]

jbourne71@reddit

Banks/finance love VP titles for anyone beyond entry level

Reply

[-]

hafhdrn@reddit

Like that guy who recently (in the past few weeks) was talking about recruitment from the perspective of a 'director'. Turns out the company only had 50 people.

Reply

[-]

Joestac@reddit

From unemployed and almost living with their parents to VP. Real Cinderella story here. https://www.reddit.com/r/ITCareerQuestions/comments/1cwgonn/been_out_of_a_job_since_march_1st_according_to/

Reply

[-]

doggxyo@reddit

jeez where do i sign up

Reply

[-]

jgerrish@reddit

Where do you sign up to see responses like this for the rest of your life? I'd be asking the opposite question instead. Because if you are a decent security engineer, and this is your story, the only way you can manage the criticism is with a network of emotional support. A network that wasn't AS NECESSARY before. But how do you explain to that network that they have created a self-perputating system where those networks are needed, even if the weren't in the first place. That for some organizations it creates an incentive to treat others like shit? I'd be asking the opposite question, because saying NO to that social network and being believed is so much extra work.

Reply

[-]

TFABAnon09@reddit

I've heard Claude is great for creative writing assignments...

Reply

[-]

Bogus1989@reddit

I mean, ive just watched two people do this. Not VP...but not be able to find a job. for nearly a year...and then finally getting one.....I monitored these 2 people personally, just to make sure they werent the problem.

Reply

[-]

TickleMyBurger@reddit

Let alone they run line 1 and.. line 3? What? Line 1a/b makes sense but in no world would the same leader managing controls be the authority on control testing. This whole story has some stank on it.

Reply

[-]

Reeces_Pieces@reddit

"Fellow redditors. I have taken the time to stalk OPs profile. You won't believe the reults." This shit is so cringe it makes me want to projectile vomit.

Reply

[-]

ccsrpsw@reddit

"Keep overusing that word. It's already completely meaningless. Lmao" Seriously dude its not hard to see a hidden profile - and when people make up stupid stupid stories of course people wander off to look at their post history to see what else they've come up with. I can see why you keep yours hidden with some of your recent comments.

Reply

[-]

steak_and_icecream@reddit

It's just him and the CTO in a two man startup.

Reply

[-]

Eggslaws@reddit

Probably a cosplayer!

Reply

[-]

REALSDEALS@reddit

Jeremy Dewitte here

Reply

[-]

dathar@reddit

Hey don't lump us cosplayers with them. I need a break when I'm not working. Little bit of woodworking, making props and dressing up goes a long ways for sanity.

Reply

[-]

commissar0617@reddit

Or AI

Reply

[-]

dustojnikhummer@reddit

Maybe this post itself is a phishing test lol

Reply

[-]

jdptechnc@reddit

VP CyberSecurity/Helpdesk Analyst

Reply

[-]

Honolulu-Blues@reddit

"It's a mouthful, but there was an org change, me and my fellow coworker 2 years ago were the only two security folks in the entire organization, and my boss (at the time VP of Cybersecurity) got promoted up to EVP, while me and my fellow director got pushed up to VPs, and we both bolstered our departments with a decent headcount."

Reply

[-]

guzzijason@reddit

My first thought while reading this was, “why is a VP doing any of this?” They should be working on things like high-level policy, strategy, and compliance. A VP shouldn’t be the one actually sending phishing tests out. Major red flags here. And yeah, if I ever got a phishing test that made me think for even a second that a loved one was in a horrible accident, whoever was responsible would find my hands around their fucking throat.

Reply

[-]

Jaereth@reddit

> and hiding the profile doesnt make it hidden How do you still see? I used to just search that user and a space and it would bring back every comment/submission even if private. Doesn't seem to work like that anymore.

Reply

[-]

Furdiburd10@reddit

you search their name on reddit and sort by newest. Reddit blocked like a month ago searches on a private account but not searching for the account on reddit

Reply

[-]

Icolan@reddit

https://redditghost.pages.dev

Reply

[-]

PurplePickle3@reddit

Google “username site:Reddit.com”

Reply

[-]

Puzzled-Formal-7957@reddit

Nah. The reason is right and the methodology is right. Scammers aren't using kid gloves anymore. Long past are the days of MAKE MONEY FAST. We are now in the era of AI voice calling grandma at 3am begging to be bailed out of jail with gift cards. The sooner staff (and execs) accept this and takes some lumps along with the harsher training - the sooner they will be smarter and better prepared for it in all walks & aspects of life - at home, at work and everywhere in between.

Reply

[-]

Frothyleet@reddit

>So, I am coming to you guys to ask, did I really cross the line? Or is this phishing test well within morally white areas. I stood my ground but find myself second guessing. So, for one, the CTO gets to tell you where the line is. This isn't a stand your ground situation. You aren't being asked to like, disable MFA for everyone, or do something dangerous. For two, yes, he's right: * Phish testing has limited usefulness in the first place. Studies have shown that 'gotcha' testing has little to no actual impact on phish resistance * If you aren't running these campaigns by the business, you are doing it wrong. You shouldn't be on an island. You need corp buy in * Your specific example? Yes, that was pretty shitty. Even for everyone who instantly recognized a phishing attempt, they are going to have a moment of panic from the content. Some people might be going through traumatic experiences. Some people might have family members at risk. Yes, a threat actor might try the same thing, but this "test" isn't going to inoculate people against it. * Having an adversarial relationship with your users is going to make your actual security worse in the long run. They will not respect you, your advice, or your training. They will turn to shadow IT more readily because they don't want to interact with you.

Reply

[-]

derpaderpy2@reddit

V well said.

Reply

[-]

Problem_Salty@reddit

Cybersecurity is focusing on the wrong things hoping they will change employee behaviors. The executive called out a line because what he likely saw and heard were a mountain of complaints from employees who hate being tricked and punished. Psychology has never said that punished behaviors will extinguish or stop. It has proven that rewarded behaviors ARE repeated (BF Skinner - Operant Conditioning). Stop tricking staff members as u/Frothyleet pointed out has been proven not to work. Find a tool that rewards good behaviors, leads to engagement, eliminates lines from being crossed and builds a culture of see something say something. ONLY by rewarding good behaviors will you change behaviors and be viewed as empowering your staff at your company. Before getting upset check out these papers showing that Gotcha Phish testing you've been running do not work: [https://www.darkreading.com/endpoint-security/phishing-training-doesnt-work](https://www.darkreading.com/endpoint-security/phishing-training-doesnt-work) [https://arxiv.org/pdf/2112.07498.pdf](https://arxiv.org/pdf/2112.07498.pdf) [https://www.wsj.com/tech/cybersecurity/phishing-tests-the-bane-of-work-life-are-getting-meaner-76f30173](https://www.wsj.com/tech/cybersecurity/phishing-tests-the-bane-of-work-life-are-getting-meaner-76f30173) Good luck! I hope this thread changes a few approaches to rewards, positive reinforcement, and gamification. There are vendors out there doing things this way - HoxHunt, CyberHoot are two that come to mind. As Cybersecurity matures as an industry, more and more will follow this approach.,

Reply

[-]

FrivolousMe@reddit

What's an example of a tool that rewards good behaviors?

Reply

[-]

Happy_Harry@reddit

If you have the budget, you could do something like give a $5 gift card to everyone who successfully reports your phishing email as spam. The attack simulation training report that M365 generates includes a column listing everyone who reported the email.

Reply

[-]

Wimzer@reddit

Even a web page saying "Good job! This was a phishing test" goes a long way.

Reply

[-]

Ctaylor10hockey@reddit

have you found the end users enjoy the gamification and have more or higher compliance because of it? @Intelligentcomment

Reply

[-]

IntelligentComment@reddit

Absolutely. The reason is because staff associate emotions to any interactions with you. If you provide them fun engagement, they 'feel' happy towards you, give them a dopamine hit they will come back. Rather than the opposite which most other SAT vendors use which is based on 'fear' from being issued training and 'ill catch you then have HR punish you'. We have gone from having (before cyberhoot) users complaining about doing training which is in their minds "homework" to now users enjoying the modules that come in. They learn something, it takes 5 mins, they get a certificate and can compete with colleagues on a (deidentified) ladder. All of these psychological things add up. For our users the gamification aspect has really clicked with staff who play/grew up with video games and the competitive nature of scores and winning. SAT becomes a challenge and a game, because staff are guided + rewarded rather than punishment and homework. It's funny because it's trying to tackle the same goal of training staff, but if you just shift things from a different perspective you get a better outcome. It reminds me of when World of Warcraft changed the login reward system from rested XP to daily login rewards, like just changing netagive reinforcement to positive reinforcement.

Reply

[-]

IntelligentComment@reddit

Cyberhoot does this and we use it. Simulated phishing is done in browser rather than their inbox so staff are guided through a simulated phishing exercise. They are upskilled not punished. Staff are rewarded with certification which is a free upskill on their resume, and it's gamified so they can challenge each other in their scores. We've had some pretty competitive people try to one up each other on the internal ladder which is really good to see. Cyberhoot does have attack based phishing also if you want it, and it's really good however most staff actually just prefer the in browser as it's less "gotcha, busted!" and more of like a security guard teaching people how to secure their homes and how thieves try to break in.

Reply

[-]

DrStalker@reddit

Phishing testing works. Provided your goal is complying with security guidelines that say "conduct regular phishing testing" so you don't have to argue with an auditor that doesn't care what the research shows; if you're not doing it then it's a failed control on the audit.

Reply

[-]

conspicuousxcapybara@reddit

Those are truly great sources lol. I award you the non-FIFA price in redditor media / scientific literacy. Do you have an opinion on rewarding employees (every time) they click the button to report suspicious emails?

Reply

[-]

Problem_Salty@reddit

Yes. You need to reward them for reporting even the false alert emails they thought were phishing but turned out not to be. Reporting the the good behavior to encourage every time whether right or wrong. If right, collect that data and raffle a free lunch for them. If reported wrongly, take an opportunity to explain whether they went awry - but not publicly, privately. You've identified a weak link that might appreciate learning. Reward them for engaging. Reward engagement. Reward completing assignments. Reward the good behaviors you want to see more of. Make the rewards small and affordable, even public recognition of people at 100% compliance on assignments helps.

Reply

[-]

bageloid@reddit

This, we get people to do their security training by raffling off Starbucks gift cards to people who complete it(run weekly).

Reply

[-]

Problem_Salty@reddit

Rewards are okay. But Gamification is better and IT IS free. Anonymous leaderboards work wonders on getting leadership to do their training assignments. They see OMG - I'm last in the company cause I've never done my training, and their competitive spirit kicks in. No amount of StarBucks gift cards will get them to train... so there are multiple ways to encourage participation. Leadership is critical to succeeding long-term. They need to be engaged, supportive, and part of the solution instead of being part of the problem.

Reply

[-]

bageloid@reddit

You would be surprised what people will do for a Starbucks gift card.

Reply

[-]

Problem_Salty@reddit

I have been surprised in the past for sure! They play a role in motivating some people, gamification for others, but in my reading of psychology, positive always beats out negative in changing behaviors in outcomes. I love the dialogue here... I sense a turning point in the industry... maybe I'm wrong, but I hope I'm right!

Reply

[-]

Frothyleet@reddit

Thanks for dropping the citations I was too lazy to go dig up :)

Reply

[-]

Schnitzel725@reddit

What confuses me is that his post mentions before this current job, he was a "white hat red teamer". Which means he should've already had it drilled into his head to not run phishing assessments that cause emotional distress or negatively impact the target user.

Reply

[-]

ManyInterests@reddit

Yeah. I'm calling BS on OP. Also, as someone who has worked in this field, I've never heard anyone describe themselves as a "white hat red teamer". It's redundant and kind of cringe. [At the end of 2020](https://www.reddit.com/r/AirForce/comments/jgxykl/which_tuition_assistance_for_cert_training/), OP didn't even have so much as a net+ or sec+ cert. Somehow in less than 6 years, they got training/education, entered the field, became a "white hat red teamer", and eventually acquired management ranks to make it to VP at a company large enough to have its own legal department?

Reply

[-]

kjeserud@reddit

> Yeah. I'm calling BS on OP. Of course it's BS. [May 2024 OP didn't even have a job](https://www.reddit.com/r/ITCareerQuestions/comments/1cwgonn/been_out_of_a_job_since_march_1st_according_to/). But has now been a "white hat red teamer" and gotten a VP position in a company that hires "100s of people every few months"? Pure BS.

Reply

[-]

gjpeters@reddit

I am as conflicted as I once was as a child.

Reply

[-]

Jaereth@reddit

> Studies have shown that 'gotcha' testing has little to no actual impact on phish resistance Alone. We have users who will now call/chat and ask "Is this Email legit?" I'll look at it with them and ask them to remember their training and if it has any of the "red flags" and usually they can then spot them. It at least makes some people stop and think sometimes. Also I would think "little to no actual impact" would be wildly inaccurate looking at a line graph of from when we first started testing to now it's a steady decline for the first few years then levels out. But we're looking at like 20% reduction overall so?

Reply

[-]

Problem_Salty@reddit

I could not agree more with the comments here by u/Jaereth Look, we all know in this thread (I hope) that the consequences of clicking links can be catastrophic. No-one is arguing the risks or danger. But what we are divided on is how to get the best outcome. Science is behind NOT punishing employees with Fake Email phishing because it leads to apathy, giving up, resentment, and people afraid to admit mistakes (like when they click something on accident and won't fess up until shit's encrypted). Let me give an analogy: Do you train a dog with Treats or a Shock collar? Shocking dogs just leads to them shrinking away to a dark corner or worse maliciousness bubbles up at the injustice. Give a dog treats and they'll bring the leash to you for their next dog park excursion. People are the same. If you reward their GOOD behaviors, they'll internalize and repeat those behaviors. Carefully checking the sender on a typo-squatted domain used in an in browser simulation is rewarded with positive reinforcement buys you so much more than failing someone in the above mentioned phishing example. The people you reward for looking so very carefully at domain names will be 10x better at discovering even your most devious of fake email final exams. I do believe there is a place to measure knowledge with "Gotcha" emails once a year or twice. But don't use it to teach. Final statement: we need better outcomes. To get the outcomes we want, we need an approach that's proven to work. Psychology and Educators know you reward small pieces of engagement from students to create life-long learners. It's high time we do the same in cyber literacy training.

Reply

[-]

derpaderpy2@reddit

Ever had a family member in a dire emergency? I assume not, because fucking with that feeling is not really cool, despite the cold-ass logic.

Reply

[-]

wiggie2gone@reddit

Yeah, our phishing tests are vetted in an admin meeting before any release for these exact scenarios. You want people to learn not to despise you.

Reply

[-]

ButcheringTV@reddit

Literally ours go through my manager, and the CIO lol. We don't even allow them to show as internal.

Reply

[-]

iB83gbRo@reddit

>It was designed to be HR reaching out because a family member was seriously injured. Holy shit. You didn't just cross the line, you demolished it...

Reply

[-]

ButcheringTV@reddit

This is a huge red flag. We NEVER under any circumstances make the phishing emails look like they've come from us/internal. That's a big no no. Let alone something as emotionally manipulating as this.

Reply

[-]

PlatJC@reddit

I always find it odd when people go into technical detail for a common IT topic, on a subreddit full of IT professionals. Like why are you explaining phishing and where you whitelisted the domain to us as if we wouldn’t know? It’s like commenting on a chefs subreddit that you used a knife to cut the cucumber. What company has a VP for cybersecurity too, and then also a CTO. Why have you mentioned SLAs which hold no relevance to your story? What’s a “VM” finding? Some serious larping here.

Reply

[-]

ButcheringTV@reddit

Yeah something isn't adding up here. Also I can't imagine our CIO (or in OPs case, "VP") getting on reddit asking for opinions on whether they fucked up or not lmao

Reply

[-]

jeo123@reddit

Way over the line. I get your mentality, but at that point as an employee, I'd honestly say I don't care about your phishing losses. I'd counter you should have secured your network better and prevented them from being able to spoof internal for example. If that phishing email got into your network like you built it, your first response isn't to attack the people who picked the link, it's a profuse apology on your end that it was allowed in the network in the first place. If this is a really big risk, HR should have a well noted and documented policy of how to approach people. Annual compliance training needs to cover this (HR will never email about family emergencies and will always call you on your company phone for example. You build that and maybe you can get away with this. But that's all on your company's IT and HR department as failures in my book if this did actually get through. The users were just the final gate keeper after a series of failures. But the reason you crossed the line, is think about what you did. You sent something that couldn't be verified internally immediately(when does HR ever respond immediately), yet had a personal immediate impact. They have an injured relative in a hospital. You know what I would do? **ABSOLUTELY NOT EMAIL HR AND WAIT POTENTIALLY HOURS FOR A RESPONSE!** I'm reaching out to my family members. First text is to my wife, check on her, make sure the kids are safe. Expand text messages to my mom. Next thing you know my entire extended family is worrying about who's in the hospital and no one can track it down. They don't have access to find your hidden typo in the domain. You now just threw **my** family into a crisis for your phishing test. And yeah, at the end, you'll point out the typo in the domain or something else. But if I think my kid is in the hospital, I'm not worrying about typos in emails. As an employee, your phishing test be damned. I'm clicking phishing links out of spite after being put through something like that. Don't like it, fix your filter. Could I be fired for it? Probably. But you just made this a numbers game, and they won't fire all the employees who clicked the link, they'll fire the IT guy who designed the test.

Reply

[-]

ButcheringTV@reddit

I love this. You nailed it. I wish I had an award to give.

Reply

[-]

estefanamigohermano@reddit

This is probably the best answer right here.

Reply

[-]

Bruce_Vilanch@reddit

I thought phishing training was good until I started doing it. It desensitizes users and erodes trust between them and IT/management. Plus, rewarding them (like with gift cards) for doing their job is a cultural faux pas. A better use of time and money is to harden your external exposure by investing in better tools, monitoring, alerting, transport rules, etc.

Reply

[-]

ButcheringTV@reddit

Phishing training is very effective if done properly. Not like OP. Most staff I deal with have a laugh about it, even when they fail. It's a joyous but educating moment. The trust is there because I didn't screw with their emotions, but they're still learning. It's not hard..

Reply

[-]

AggravatingAmount438@reddit

Yep, over the line. While the goal is to imitate an attacker, you are not an attacker. Do not do things that actually would cause a panic in people and cause them to start calling everybody they know to try to find out who got hurt. At my last job, our entire cybersec team almost got canned for a phishing test. After years of demanding raises and being told it's not in the budget while reaching record profits, the cybersec team decided it would be a good test to pretend to be HR with our strongly-asked for raises attached in a link to review. Literally everybody clicked the link. Then when we found out that it came from OUR OWN COMPANY? It literally would've been better if it was an attacker. Because for our own company to have performed that test was evidence that they were fucking laughing at us as we struggled just to afford a place a to sleep. Yea, it's a fucking weak point. You don't need to test that. You don't need to desensitize the employees from emergencies or poke fun at them. One of the top reasons to stop phishing tests is when they create a culture of fear, which is exactly what that test you just did is doing. You're going to cause employees to become scared to check their mail, which in turn will lower trust in the company for allowing them to be treated that way.

Reply

[-]

ButcheringTV@reddit

Also they didn't even imitate an attacker. They made it look completely internal, from HR. So stupid. We're straight up not allowed to make them look like they're internal emails. Not only because it's pointless, but it's manipulative and really fucks with the trust your staff have for you.

Reply

[-]

samdu@reddit

One per quarter?!? We run that stuff constantly. We change things up once a year.

Reply

[-]

matteosisson@reddit

Anytime your argument includes not caring about employees, you have lost the plot and are clearly wrong.People will lose respect for you and your cause.

Reply

[-]

blckshdw@reddit

They are not “your” employees. They are people that work at the same place you do. The word is co-worker The tone of your post is definitely off, just because it was “legal” doesn’t make it “right”. How would you react if one of “your” employees texted you “your spouse is dead, got into a car accident dropping off lunch for you” just to say “ha ha fool you. Control your emotions bro”. That’s what you did. You literally said you went out of your way to make it look as legit as possible, even so far as making it an internal email. Your intent was not education. You wanted the “most important thing” - your precious metric

Reply

[-]

ButcheringTV@reddit

We're straight up not allowed to make them look internal lol. Otherwise it comes across as manipulative, and also it's kinda pointless. Unless someone's already in your system (you got bigger issues then), chances are any malicious emails will come from external senders.

Reply

[-]

stromm@reddit

Why is it YOUR job to send the phishing email? Seriously, you are a VP. That’s not your job.

Reply

[-]

AH_Josh@reddit (OP)

Tiny ass company. Everyone above supervisor is like 50 people. My "SOC" is two analysts that dont even spend half their week in our EDR.

Reply

[-]

TallBoy_Ryan@reddit

Tiny ass company that hires “hundreds of people every couple of months.” Sure man.

Reply

[-]

AH_Josh@reddit (OP)

Because the turnover is so bad. End users are not my friend. The mishandle PCI data all the time either maliciously or unintended. Either way they get the boot if they fuck up PCI data.

Reply

[-]

ButcheringTV@reddit

Maybe the turnover is bad because you're not training staff properly, but rather just emotionally manipulating and scaremongering.

Reply

[-]

FujosRiseUp@reddit

Sounds like their Cysec team PCI training program could use some work...

Reply

[-]

Weed_Wiz@reddit

How did you become a VP? If I were you, I would have MAJOR imposter syndrome. An email from HR about an injured family member wouldn't even happen. A threat actor isn't even that stupid.

Reply

[-]

ButcheringTV@reddit

I know how, they didn't lol.

Reply

[-]

ButcheringTV@reddit

If this is even real, absolutely you crossed the line. This is wild. We don't even make the emails show as internal, let alone personal like this. Absolutely crazy. I'd lose my job. Also why would you pretend to be the organization y'all work for? That literally defeats the purpose. Now you're just going to have people questioning even legitimate emails. There is a reason most phishing sim platforms provide you with custom domains to use. I don't believe you're the VP. There is no way. I'm a cyber security analyst, and have been for two years now. Going by your post history, the math ain't mathing.

Reply

[-]

BasicallyFake@reddit

There is a difference between trying to trick people vs trying to educate people.

Reply

[-]

Rich-Parfait-6439@reddit

I oversee similar responsibilities within my financial institution and encounter many of the same challenges. Identifying these issues can be difficult at times. In my approach, I generally do not treat individual click incidents—unless they involve repeat offenders—as disciplinary matters. Instead, I view them as opportunities for education and awareness. Given that malicious actors continue to evolve and improve their tactics, it is critical that we keep our employees vigilant and actively engaged—especially encouraging them to ask questions when something seems unclear or suspicious. I also regularly send communications on behalf of departments such as HR or executive leadership, including the CEO, so they understand how easily messages can appear legitimate when in all reality they are fake. I generally give them a request that doesn't sound like the person or something like that.

Reply

[-]

GlobusIsAnnoying@reddit

jfc you crossed the line lol. Reading this post was tough

Reply

[-]

HEONTHETOILET@reddit

lol never let me down, r/sysadmin

Reply

[-]

CaucasianHumus@reddit

Over the line. Never use family in phishing tests especially when someone is hurt, you have no idea what's going on at home, they could have a dying relative and that could send then spiraling then straight to an HR case for hostile work environment.

Reply

[-]

AH_Josh@reddit (OP)

Well, at least in my head, the other alternative is they get the exact same message, but it's from a legitimate threat actor. So instead of just some training and talks with HR, they have a bad day, and now an entire VLAN gets hit, or admin credentials get leaked. I see absolutely no reason to not train for the real world. It makes no sense. It's like having a behind the wheel course for driving licenses being on a closed course with no traffic in an empty parking lot. Again, APTs and serious threat actors won't hold back either.

Reply

[-]

PCLOAD_LETTER@reddit

Yeah, but I don't want my security guards firing off "desk pops" to keep everyone alert.

Reply

[-]

Sintek@reddit

You also dont want the school and office to do fire alarm tests because you might get scared as well? A security guard can test their gun at a shooting range.. it is not necessary to do that at work.

Reply

[-]

sarge21@reddit

>You also dont want the school and office to do fire alarm tests because you might get scared as well? Nobody said this, and they're not equivalent. >A security guard can test their gun at a shooting range.. it is not necessary to do that at work. That's not what they said.

Reply

[-]

Sintek@reddit

I was making a point. Just as nobody said anything about a security guard making pop shots...

Reply

[-]

sarge21@reddit

Their point was relevant to the discussion and yours wasn't.

Reply

[-]

Fitz_2112b@reddit

You may not be wrong, but that doesn't preclude you from being an asshole

Reply

[-]

AH_Josh@reddit (OP)

I have no quarells with being precieved as an asshole. Its not my job to be nice to repeat offenders of phishing, rogue IT, and internal threat scammers.

Reply

[-]

Fitz_2112b@reddit

No, but it apparently is your job to follow the direction of your CIO\CTO. Maybe consider doing that as that person seems have a least a little bit of common sense.

Reply

[-]

AlecTheDalek@reddit

And it's also ok to run into the office and start firing blanks from a pistol to see if staff paid attention to active shooter training? Lucky that you don't care about being seen as an arsehole. You are traumatising people because "muh network security"

Reply

[-]

subpardave@reddit

This is going to be severely career limiting. The BOFH is satire for a reason.

Reply

[-]

subpardave@reddit

Worth considering - in your threat picture, are nation states, serious APTs realistic threats? Are they going to go to the effort or is your adversary likely to be lower effort? Only your org can assess this, so not making any judgement. If it's the latter and you do face credible threats of that type then you do need policy and buy in to give you the room to manuver and use that kind of phishing. Otherwise, an email pretending to be from the school Dave from finance sends his kids to saying there has been a shooting/accident/fire may be effective, but it is also going to absolutely enrage end users and utterly corrode relationships with your user base.

Reply

[-]

almost_s0ber@reddit

I've seen a few of your replies and you are sticking to your guns for better or worse. The same train of thought is in your original post and you keep justifying to yourself that you didn't do anything wrongful. As others have said you crossed the line. You aren't seeing both sides to this which is evident based on your replies. If I were in your shoes I would do damage control. Tell your VP you see the error in your ways. I would send an all users email as well.

Reply

[-]

nekoliten@reddit

You must have misread, he is the VP.

Reply

[-]

florence_pug@reddit

You should seek another career.

Reply

[-]

Tangential_Diversion@reddit

Professional pentester here: you're not an APT and neither am I. There is a professional "don't be a dick" line that you crossed. I can easily up my compromise rates if I adopted the same tactics as real threats. I don't know because the name of the game is *collaboration*. By doing something like this, you immediately turn something that could have been a collaborative learning exercise into an antagonistic one. Now, you've lost the trust of your own users and your long term security posture can suffer from it. Or to put it simply: you'd get a formal warning if you did this once while working under me, and immediately fired if you ever did it a second time

Reply

[-]

DonaldMerwinElbert@reddit

Appeal to other base emotions like greed or vanity, don't terrify people with what they hold most precious as a coldly calculated routine for your job. People *will* dislike you, a lot. This will not help your mission.

Reply

[-]

special_rub69@reddit

You did the right thing. People are snowflakes. If a real threat actor would breach your security and cause millions in losses then the executives would come running to you screaming why you didn't prevent it. But remember get everything in writing so no one can say that you didn't do your job.

Reply

[-]

DonaldMerwinElbert@reddit

If my employer thought it was alright to purposely make me fear for my loved ones for a test, I'd quit on the spot. Maybe you'll get a business free of "snowflakes" - more likely, people will develop an adversarial relationship to your department and the employer.

Reply

[-]

Tessian@reddit

The ROI on this is fucked up and that's what you two are missing. Did this specific campaign actually help reduce risk at the business? Unlikely, at least not compared to a "normal" campaign. Did this specific campaign do untold damage to your reputation/credibility/brand in your business that will make it much harder for you to do your job effectively over the long term? You bet your ass it will. Did the benefit outweigh the risk? No, not even close. You burned a bridge to prove a point. No one's going to remember what that point was - they'll just remember you burned a bridge.

Reply

[-]

Fairlife_WholeMilk@reddit

You clearly have your mind made up and no intention of having any other opinion... which is horrible for this field but also why did you even make the post?

Reply

[-]

anonymousITCoward@reddit

>I see absolutely no reason to not train for the real world In the military, and most law enforcement agencies trainees will feel what it's like to be tased, pepper sprayed (OC or CS), and hit with their batons... If they want to qualify for a bean bag, they sometimes feel a reduced load... the NEVER.... EVER... get to feel what their duty weapons feel like to be used against them... In your example of being on a closed coarse for driving lessons, they do no not crash the cars to demonstrate the effectiveness of the restraint systems. Assuming you're talking about basic driving, they do not simulate black ice, heavy rains, or railroad crossings either. They will set up the coarse to safely emulate normal driving conditions to acclimate the new driver to what it's like being behind the wheel of a car. While I agree with you, well your sentiment, using a family member to elicit a fail on a phishing test is going a bit far... I mention it in my phishing remediation classes, but never actually send one..

Reply

[-]

Quinnlos@reddit

You can do this level of real world training with informational sessions & general employee newsletters. I get the attempt at simulating urgency and prompting the user to remain level-headed, but as others have said you genuinely don't know what's going on at home for most folks. What if this email prior to even being reported on by a user just prompts them into an anxious episode or some level of actual physical response? You're now liable over something you wanted to train folks on that you could've taken a different route

Reply

[-]

n0p_sled@reddit

You don't need to use a scenario that could cause emotional distress in order to create a teachable moment. In the same way I wouldn't go and smash up a server in order to make a point about formal restore testing.

Reply

[-]

CaucasianHumus@reddit

I truly do understand your thought process but sometimes you have to take the logic and emotion, and figure out which is worth more to your testing. Logically real world training is smart, however emotionally this crossed so many boundaries it is not good. Yes threat actors won't hold back, but you are not a threat actor, you are the security team on your users side, and with that test you became the "threat actor" not a trainer. This would have been way smarter as training session meeting than an actual phishing test, so they know its not real and does not charge them thinking family is dying.

Reply

[-]

ProgrammingAce@reddit

Those aren't the only two options though. You mentioned that you had to shut off a bunch of security protections for these phishing messages to even get through your system. So really, these types of attacks would have been caught, or you should spend time building out tooling that will catch them. Because what you did is make a bunch of people feel anxious and scared, and now probably angry. At you, and at the company for letting you do that to them. There is no reason you should ever tell your coworkers that a family member is in the hospital when it isn't true. It would be inappropriate to walk over to their desk and say that to them, it's inappropriate to email that to them as well. Remember, this isn't a hypothetical, it's not some remote attacker who phished them. You phished them, you did this to them, you made them feel this way. Hallmark doesn't make a card that says "Sorry I made you think your dad died in order to protect my network resources".

Reply

[-]

Nickarav@reddit

I personally love your test. If you used real names and events that seemed real, I can see why a director might feel it’s crossing the line, because a test like that can damage productivity and cause confusion with staff. That said, so would a real life phishing email of that threat level. I feel like if that same test was done once or twice a year as a “maximum-threat” special-phishing test with director approval, it’d be golden. People need to start seeing how detailed and personalized phishing attempts can be now with AI. Hopefully you and your director can get on the same page and find the right balance of getting that point across without inflicting what he’s seeing as pandemonium and confusion.

Reply

[-]

sadmep@reddit

If you've done your job training them with your tests, then they should know better when a threat actor uses a tactic like you did in this instance. The difference that you're not seeing is that no one is expecting the threat actor to have any kind of conscience about the consequences of their actions, but people ARE expecting you to not act with the same callous disregard as a criminal. There's a line there, you crossed it.

Reply

[-]

Sintek@reddit

Ok.. I will take note.. when I want to scam it is best to use this tactic because people are to afraid to test against it.

Reply

[-]

feelingoodwednesday@reddit

Yeah for real. Most of these replies are a bit absurd. Like yeah I wouldn't use this one frequently, but like a once a year phish test where you pull on people's emotions to distract them is absolutely valid imo. Not everything in real life is gift card scams and fake password resets. The most effective scams where people lose large sums of money are the injured family member, fake kidnapping, imminent jail time, etc. You dont want people to freak out in their daily jobs sure, but you could even preface it with an HR reminder a couple weeks earlier "This is a reminder that HR will never contact you via email for emergency situations. We will meet you in person or via video meeting."

Reply

[-]

Bradddtheimpaler@reddit

No chance. You need people’s buy-in for effective security. You can’t muscle users into behaving how you’d like. You need them to care about security. That’s the only outcome that will actually benefit the org long term. If you do shit this extreme, people will not buy in to your initiatives. They will not care about the training. They won’t follow your procedures, and if you don’t still help them, they’ll complain to their bosses, who probably also have a lot of negative feelings about your department too. Theyll tune out or skip all your trainings. It’s a disaster. *Mention* the extreme ways attackers will conduct phishing attempts in your training. Include extreme examples to show, absolutely. That is all a very good idea, but using something like this for an assessment is disastrous for the department within the business.

Reply

[-]

feelingoodwednesday@reddit

If thats the case you're already starting off wrong. You need total C level buy in prior to any sort of rollout like this. If users then decide "not to buy in" then they get fired. Its absolutely mandatory you do the training, and if you continuously click on phishing links you become a liability to the company. People dont get a choice to opt out of cybersecurity, you opt in or you find a new job. We've had users aggressively push back on certain initiatives, but guess what, when you're 3 out of 1000, you're in the wrong and your manager would rather let you go than force you to comply when you refuse.

Reply

[-]

Bradddtheimpaler@reddit

Yep. That’s why it’s important to keep things balanced so that the people who behave like that are 3/1000, because if you piss off enough of the people the C suite listens to, that number is going to be a lot higher than 3. If it’s half the company, they aren’t going to be willing to cut them all loose. I agree you need the buy-in beforehand, but buy-in isn’t a permanent thing. It’s hard to get and easy to lose, especially with an assessment this obviously and far over the line. They don’t even have to give up on the concept. They could always just contract KnowBe4 and trim up that cybersecurity department a few hairs.

Reply

[-]

Sintek@reddit

The phish test that broke our network admin was an internal email from our payee provider url (looked very close using a zero instead of and O type thing) that said management has denied your recent pay raise due to issues with tax forms not being filed with correct information and to click on the button to bring you to the form to file out and submit it before 3 days or you will have to wait until next Quarter to reciev the pay raise. An all time high of people filled in that form with all their info including ssn address birth etc...

Reply

[-]

AH_Josh@reddit (OP)

This is definitely a once a year test. Half of admin accounts clicked it. There needs to be serious coaching. I wouldn't have found out if I didn't run this test how vulnerable our IT admins are.

Reply

[-]

malwareguy@reddit

I prefer phishing emails that there has been a school shooting or explosion, and please enter their childs name and your contact phone number to confirm if they're on the list of deceased. Almost 100% click rate on folks that have kids. Or better yet a phishing email to male sounding names from a hospital trying to contact them about the assault of their wife / daughter. Or a phishing email from the police to female sounding names trying to contact them about their husbands arrest / child pr0n charges. Add a little osint data or cross reference against HR data / insurance data to ensure proper targeting, they're married, have a daughter, etc. Pulling social media photos of a loved one and using AI to massage said photo into highly realistic kidnap / torture photos and sending that along with a link to enter their corp email / password if they want to see their loved one alive again is also super effective. If you're not absolutely psychology torturing your users to force clicks, you're not doing enough. You need to make them fear clicking anything. You want them quivering under their desk every time they hear the new mail sound. Remember PTSD ensures security. Also if your org is large enough you can single handedly affect the stock price of companies that sell antacids, so there is real investment opportunity there.

Reply

[-]

Jaereth@reddit

> The most effective scams where people lose large sums of money are the injured family member, fake kidnapping, imminent jail time, etc. The number 1 thing that's going to make a *trained* employee blow a phishing scenario and click is "urgency to act" built into the scenario and that makes them not check for red flags first. That's why it's included in almost all the cheezy scams. Saying there's some kind of emergency like this is a great way to do it because you're not *telling* them in writing that they need to act immediately and making them remember their training - but it's built into the scenario you're trying to spin so they likely will anyway. Training against these kind of things is absolutely valid. I've seen it used before.

Reply

[-]

DisplacerBeastMode@reddit

Disagree completely. Nothing should be off the table. Phishing emails come in all forms. It's basic IT security knowledge that it's common for actual phishing emails to use urgent language like a family member is ill, or your car is about to be impounded, etc...

Reply

[-]

SpeechMuted@reddit

Active shooters use real bullets. Using live ammo or even blanks is not justified by that, nor does "it's what the bad guys would do" justify it here.

Reply

[-]

Jaereth@reddit

Man we had shooter training once and our HR Director was seriously considering doing a role playing thing and I said if we do that I want to be the bad guy and she was ok with it lol. I was gonna smoke, swear the whole time, whole 9 yards lol. Someone must have talked some sense into them.

Reply

[-]

ProgrammingAce@reddit

In 2026 your security model can't rely on "users won't click bad links". You know they'll fall for phishing emails, so build an infrastructure that's resilient to those attacks. Telling your coworkers their family members are in the hospital is never appropriate. You can't dress up as a mobster and walk around the office threatening to hit coworkers with a baseball bat if they don't give you their password. You can protect your network without causing harm and distress to employees.

Reply

[-]

Fairlife_WholeMilk@reddit

This. And all freaking them out is going to do is cause more false positive phish reports. Whereas you could have just appropriately trained them to begin with and avoided this whole thing then focused on actually protecting your network

Reply

[-]

Tessian@reddit

I have users "complain" to me when I send a Fedex/UPS phishing email and they clicked on it because said delivery truck just drove past their house!

Reply

[-]

Bradddtheimpaler@reddit

Yes, except if they complain about the FedEx phishing simulation to a third party, they’ll look stupid. If they complain about the medical emergency for a family member phishing simulation, your IT department will look like a bunch of malicious trolls.

Reply

[-]

CaucasianHumus@reddit

Haha they won't ever stop complaining about the whisking, just there are better ways to go about the test itself. We had one a few weeks ago about white castle 5$ off coupon in a country that does not have white castles. Quite a few actually clicked it..

Reply

[-]

Jaereth@reddit

Well yeah they were excited thinking they were going to get a white castle!

Reply

[-]

Jaereth@reddit

I've had a few users actually flip shit they were even receiving a phishing test at all. The whole "I don't have time for this - stop sending them" type. I eventually had to just reply with our corporate IT directors contact info like "We need to test to stay compliant. If you think you need an exemption you'll need to take it up with head office". You get a little mandatory training if you fail ours too and the "Exec" level employees have already been exempted from the training because word got around if you just insist you didn't actually click anything and stand your ground you won't be made to do it. So guess what? Now every single time it happens they absolutely didn't click it no way...

Reply

[-]

ncc74656m@reddit

Ok, but those are two completely different things. I have users complain because they're caught in obvious phishes and they think it makes them look bad, which it does, because they are. But easy or hard, there's a difference when it comes to family and significant money (e.g. COVID stipends, etc.).

Reply

[-]

Tessian@reddit

You're right, that's the point I was trying to make.

Reply

[-]

npaladin2000@reddit

The whole point of a phishing attempt is to get the user emotional enough where they don't do the normal sensible checks that they're supposed to do. They're TRYING to cause emotional distress, ptsd, and panic attacks. Part of training emails is to train them to keep checking, even under those conditions. The most successful phishing scams involve family members for just those reasons.

Reply

[-]

AH_Josh@reddit (OP)

Most people agree SERE is an important training for military. They fully torture you at SERE. SERE was the most valuable training in my military career because of how real it was.

Reply

[-]

SnooCamera@reddit

*(background: Worked IT since the 80s, have dual technical/professional master's degrees in information assurance and management, my undergrad degree is in Liberal Arts, so I try to join my soft skills with my technical ones.)* You cross the line, IMO: IT, and IT security is a brand. You want people to turn to IT when in doubt or when in need. You damaged that brand. We all know that human failure is the weakest link in security, but one of your most valuable assets is also an employee who feels safe enough to come to you and say, hey, I clicked something and now I'm feeling weird about it. Yet, if an employee feels tricked or mocked, or resentful about you using some personal tragedy, they will not see you as a safe space, a protector, but as just another adversary. They will hide things you need to see to avoid shame. Plus, you don't know what people are going through in their lives. This could reach a very personal level for some. What if their child is off at war right now? Their spouse is on a long trip? The goal of phishing simulations is to calibrate suspicion, not to induce some fight-or-flight response. When the brain is in some high state of emotional distress, learning simply shuts down. You turned a lesion about digital hygiene into a test of human biology. We don't subject people to real car crashes to teach people to wear seatbelts. We don't use surprise real fires to teach office workers fire drills. In short, using a family emergency as bait is technically effective at getting people to click, but strategically disastrous in teaching what you want to teach. You might get a 38% click rate, but you’ve traded the **trust** of your workforce for a metric. When you use trauma-based social engineering, you aren't training your users to be vigilant; you’re training them to hate the security team. You are training them to tell you want you want to hear, not listen to what you are trying to say. In a real crisis, you need those 'young 20-somethings' to be your eyes and ears on the ground. If they don't trust you, they won't report the real threats, and your network will be *less* safe because of it.

Reply

[-]

Manitcor@reddit

Really feel like the existence of this kind of testing proves IT has the wrong policies in place. You have an intranet, and the infra to do this, why the heck are you allowing emails with links and SGML derivatives in the content at all? Pretty pictures and hot links are for your authorized intranet with oauth and TLS on it. Maybe, just maybe, we don't need to give every employee an account that can broadcast to the world under the company's name. Maybe that is something that requires special roles and the training to go with them.

Reply

[-]

FujosRiseUp@reddit

Yeah if this email was in a powerpoint training I could see it being somewhat justifiable because it's in a vacuum. Actual email to actual people? You've got to be sick in the head to be completely honest.

Reply

[-]

FujosRiseUp@reddit

\> Again, I don't care about my employees \> Skip to couple weeks ago. I sent out a phishing e-mail. It was designed to be HR reaching out because a family member was seriously injured. Click the link to get the hospital info and contact info. Oh my god. If I was the CTO this would be a final warning scenario, if not immediate termination. You CANNOT do that to the organization or people. You are weakening your own security by causing employees to not respect you or your opinion. You have created adversaries, not allies. You need allies and spokespeople out there but you cannot escape your ego to do that. Your job is to protect the ORGANIZATION, not the network, not your subnet, but the organization. Security doesn't stop at keyboard. If you want to make serious phishing templates, just use what your organization receives and automatically blocks, or templates from previous incidents that were successful against your organization.

Reply

[-]

DSMRick@reddit

Way over the line. You don't harm your users, including giving them a scare about the health and safety of their loved ones. I am deeply concerned you had to ask this.

Reply

[-]

dblgsndhyte@reddit

A lot depends on how you treat and what you do to the people who fell for it, how much of a ding it is on their career prospects with your company.

Reply

[-]

Any-o-Mouse@reddit

This could have Literally caused a heart attack, a panic attack, and/or aggravated Caretaker Fatigue Syndrome (this is a real thing recognizing by the American Medical Association among others https://www.ama-assn.org/sites/ama-assn.org/files/corp/media-browser/public/public-health/caregiver-burnout-guide.pdf ) Doesn't matter if it was fake, the initial reaction is all it takes to spike adrenaline into the danger zone. Evolution selected for react first verify later. Those who didn't, didn't survive. As an employee I would seriously consider quitting even a very good job if I got that email despite figuring out it was a phishing test - especially if I found out the person responsible wasn't fired for it. Let me clarify my background because it is very relevant to my answer. Why I understand how serious phishing attacks can be: I understand all too well how prevalent & dangerous phishing attacks are. I work in IT. I have spent several years screening emails reported as phishing emails as part of my job role. I worked at an org that was hit with a major cyber security attack via email before most orgs even had dedicated cybersecurity departments & no one outside IT departments had even even heard of the phrase "phishing". But that was most the beginning... we then a higher up of a department had the genius idea to blab to the press that our IT department & email protections sucked - trying to throw us under the bus (even though it was literally someone in their department that clicked the phishing email that caused it + we detected it very quickly & were able to recover within less than 1 day - ransomeware). As a result we got Slammed with phishing attacks for Years after but with a Lot of work we were able to ramp up user awareness and find some of the first AI detection tools & kept our network safe despite 3 different zero day targeted attacks in addition to the barrage of spear phishing campaigns that included a number of attackers literally calling to try to collect data to help their targeted attacks. I have also been an IT manager and I know that mistakes and lapses in judgement can happen. However you also need to weigh the impacts to other employees morale (especially as it relates to retaining good employees) into your decisions.

Reply

[-]

Evening-Page-9737@reddit

It's threads like this that really show the split between the admins that understand their job but also how to be humans, and the ones that really missed the humanity training component of life. Obviously this COULD be a real threat vector and users should be aware of them, but only a moron would do that and then be *surprised* when people come back to them saying that was a shitty thing to do. You could have structured this like a training module to go out that walks them through more challenging phish vectors like this, but no instead you threw them into the fire and are playing the "but policy" card knowing full well you could have done this differently.

Reply

[-]

Single-Virus4935@reddit

Phishing tests are proven to be ineffective. A big banner EXTERNAL with a clear warning for phishing and forward to SIRT is much more effective and is only a couple of config lines

Reply

[-]

ilyas-inthe-cloud@reddit

i used to run red team engagements and honestly the most effective phishing tests i ever did were the ones that looked boring. fake IT ticket from the internal helpdesk address asking you to reset your expiring credentials. no gift cards, no urgency, just routine stuff that looks exactly like the 200 other emails you got that week. those landed at like 60% click rate vs maybe 15% on the flashy ones. exec pushback usually comes down to optics. they dont want their teams feeling tricked or embarrassed. framing it as here is what a real attack looks like and here is how we respond instead of gotcha made the difference for me. the technique matters less than the tone imo

Reply

[-]

star_gazer2112@reddit

He must have failed lol

Reply

[-]

CeC-P@reddit

Guys, we have to call the Russians and Chinese and tell them they're not allowed to send phishing emails about family injuries anymore. Management said it's not fair. Btw y'all said it was unfair when I posted about sending out a "your PTO has been denied" right before Thanksgiving lol.

Reply

[-]

kerosene31@reddit

Whether you are "right or wrong" isn't really the issue. You are right in that the bad guys will do anything. That isn't really the issue. Honestly, take the note from the CTO and move on. What matters is picking your battles. You've almost certainly made an enemy of the CTO and probably a bunch of other people. It might not be "your" network much longer.

Reply

[-]

NextConfidence3384@reddit

You did your job and you did it great ! I wish more senior execs would think like you

Reply

[-]

Stinkles-v2@reddit

This entire thread has been enlightening. Even among so-called professionals all I would have to do is put a family emergency into the phishing attempt and I could be raking in millions.

Reply

[-]

homingconcretedonkey@reddit

I'm not sure why I'm the first to say, it, the biggest failure you have made is that there are no real world phishing attacks that do that which basically means you are essentially taunting your colleagues because they are not perfect at detecting phishing emails, something even experts are not 100% at. If you actually understood phishing, you would realise that someone in your position and inside knowledge can always create phishing emails that are completely unfair, you shouldn't abuse this fact.

Reply

[-]

MrPotagyl@reddit

I'd partly disagree with that, because the overwhelming majority of what we see is unfocused, spamming thousands or millions of email addresses with a generic message. The more dangerous stuff is the targeted attack on an individual company or employee where everything is in play - you don't see that in the wild because you wouldn't, you haven't been targeted. But, I agree that clicking links does not indicate that someone fell for it and shouldn't be dangerous, and also that even very experienced cybersecurity experts can be fooled up to a point, remedial training isn't going to make a difference.

Reply

[-]

homingconcretedonkey@reddit

If everything is in play from a sophisticated targeted attack then the training isn't related to the contents of the email or if you click the link, because thats always going to work. The plan for that sort of attack is eliminating or reducing the damage of the successful attack.

Reply

[-]

MrPotagyl@reddit

Well a targeted attack still can't come from inside your network unless something else is already compromised. You're training people to spot where did the email originate, check the url that it takes you to (although there are a number of unicode substitutions that make that unreliable) and to not give out certain info (passwords) even when asked by a colleague. The point is not all "phishing" attacks look like the badly spelled stuff in your junk folder at home.

Reply

[-]

Current_Anybody8325@reddit

This would have been an immediate termination or unpaid suspension, at minimum, in our organization.

Reply

[-]

SharpDressedBeard@reddit

You 100% crossed a line with that. I'd probably get written up for that if not fired.

Reply

[-]

opinionsOnPears@reddit

Did the CTO click the link?

Reply

[-]

orbing@reddit

Absolutely ZERO soft skill if you are e-mailing staff that their family got injured. Tisms like you that make IT bad rep.

Reply

[-]

LeTrolleur@reddit

Demolishing any bridges you had with staff at your company isn't a great way to get them on your side and to encourage them to think more thoughtfully about the company and keeping it safe. Yes outside actors may want to illicit an emotional response, but for a second put yourself in the shoes of someone whose husband is currently staying in hospital with an illness, and how this could cause real panic and a host of other emotions to an employee who is already in a sensitive place mentally. If you were working for me and didn't ask for specific permission to run this type of test (so that I could tell you absolutely not), I'd sack you immediately.

Reply

[-]

Xelopheris@reddit

Legally, nothing wrong. Culturally, something very wrong. Remember that you aren't protecting **your** network. You are protecting the businesses network. And if the people running the business are telling you something is off limits, then it's off limits.

Reply

[-]

kozak_@reddit

We had security send a Phish right before Christmas that said something to the affect of "congrats on a great year, here's a Christmas gift card".

Reply

[-]

Advanced_Vehicle_636@reddit

We had a VP who actually bought everyone in his department Amazon gift cards and had them e-delivered to their work inboxes. With no warning to anyone. Didn't inform other VPs, not one on his team, SOC, nadda. Sent them to all of his L1 service desk people who promptly reported it to us (SOC). That was a hoot.

Reply

[-]

LoveCyberSecs@reddit

"You're right! This was a phishing attempt. Good job!" ... pockets gift card..

Reply

[-]

hkusp45css@reddit

Which matches around 20 percent of the true positive phishing emails caught by our tools aroud thast time of year. Do I empathise with the hypothetical employee who was disappointed? Absolutely. How disappointed would that employee to discover they no longer had a job after a catastrophic hack that was unrecoverable in enough time to save the business? Those are the stakes we're talking about. Last year nearly 10 percent of SMBs with confirmed ransomware strikes shuttered their doors within 6 months.

Reply

[-]

SevaraB@reddit

Congrats. Your training goes out the window as soon as they switch tactics and all you’re left with is pissed off employees. Treat the cause, not the symptom. People should be cautious of ANY outside email, not just whatever the phishers’ current campaign of the week is.

Reply

[-]

Mike_Raven@reddit

Do you have the source for that statistic?

Reply

[-]

Jaereth@reddit

This is my opinion too. Train on what threat actors are actually doing. Not non-offensive Emails they aren't actually using.

Reply

[-]

NoPossibility4178@reddit

We do actually get gift cards every year, but they physical, they'd probably get a whole bunch of people if they sent that test at the right time...

Reply

[-]

Jaereth@reddit

haha I made a bunch of custom ones for our org in KnowBe4 for fun when we got the platform. I made one that comes from CompanyPrizeCommittee@company.com and says "Congratulations! You've won a CompanyName MYSTERY BOX!!!" and have a big image of a wrapped present to click to claim your prize. 5 clicks so far :D

Reply

[-]

anomalous_cowherd@reddit

I agree, for general wide-range testing I wouldn't go where OP went. If it goes past that to a repeat offender who has been fully trained and told f the severity then a more directed more tricksy phish can be used, but even then I would get HR and likely the CTO to approve it as failing *that* one could lead to dismissal.

Reply

[-]

airmantharp@reddit

I could see this for some *highly sensitive positions that aren’t also highly segregated for reasons*, or perhaps for military and law enforcement, but asking your average corporate drone to think through the emotional hook without some being deeply and legitimately upset is too much lol

Reply

[-]

anomalous_cowherd@reddit

I agree. It's always going to be difficult because fundamentally you are proving to people how gullible they are and nobody likes that. But snatching away a bonus they thought they'd got, or playing on threats to their families, is definitely going to get people much more upset than that.

Reply

[-]

dustojnikhummer@reddit

> aren't protecting your network I wouldn't be so sure about that. Yes, legally it is owned by the company but if he is responsible for it people will say *your* network, not *our* network.

Reply

[-]

the-berik@reddit

Hard disagree. When he doesn't do it, and such an event happens, they will blame him that he didn't use these scenarios in his tests, while they are obvious the most 'gullible' way to trick someone. They should be pissed that apparently it's acceptable for HR to send an email about an urgent situation, instead of calling you directly. You're paid to do your job, which in the end is to protect shareholder value. Seriously, which organization deems it normal HR sends you an email when your relative has ended up in the hospital? That should be five missed calles from HR before you receive such an email.

Reply

[-]

Mulielo@reddit

Beyond all that, my question is what company makes you give your HR department contact info to your loved ones to use in case of emergency??? I would never expect my HR department to know about a family illness or anything family related honestly, unless I tell them. Critical thinking skills are important for everyone. The only thing I might have done differently is asked HR to send an email out after the test to remind everyone that thats not something they would do.

Reply

[-]

Ninjabeaver212@reddit

All it takes is 30 seconds to look over the email and ask yourself why would HR be emailing me that a family member died? In what company would HR even contact you if a family member died let alone over email. Attackers want that emotional response so you'll click that link or open that attachment without even thinking. Phishing is still the #1 Cybersecurity threat to businesses and should not be treated like fun and games. Every single breach I've experienced in my career can be traced right back to phishing. If stuff like this is causing users to just phish everything you're not doing your job correctly.

Reply

[-]

Xelopheris@reddit

I'm not saying this kind of test isn't possible. But it isn't something that IT Security fires off without consultation from other groups. Something like this likely needs buy in from the CHRO because it is potentially panic inducing. > You're paid to do your job, which in the end is to protect shareholder value. Creating panic in the workplace is not a great way to help create shareholder value.

Reply

[-]

Jaereth@reddit

>Creating panic in the workplace is not a great way to help create shareholder value. This whole logic falls apart though because threat actors have no problem using tactics like this. I've seen it several times. How's that going to go for shareholder value?

Reply

[-]

zmeelotmeelmid@reddit

Yeah personally I just kidnap the persons family and hold them in an old fishing boat and tape ear clippings to envelopes to make sure my networks secure. Real life problems and all of that legal said I’m fine

Reply

[-]

Jaereth@reddit

So there's not a *cybersecurity* way to refute this, we have to go with spy movie stuff?

Reply

[-]

screampuff@reddit

whoosh. There are other methods to accomplish the same thing that don't induce panic.

Reply

[-]

kozak_@reddit

Apparently he ran it last legal?

Reply

[-]

Sharobob@reddit

Run it past HR and your C level too when you make such an emotionally charged test. Don't just say "I care about my network more than employees so I do what I want" which is what this OP has said.

Reply

[-]

screampuff@reddit

Do people not meet with their reporting manager on a weekly/bi-weekly basis. I give a heads up of everything I'm dong.

Reply

[-]

pds12345@reddit

Similarly, Ive seen phish tests about raises or bonus'. Another great way to improve moral.

Reply

[-]

Sharobob@reddit

Yeah you better have real raises and bonuses coming after that test, goddamn

Reply

[-]

bemenaker@reddit

Apparently you failed to read where OP did run it past HR and LEGAL

Reply

[-]

listur65@reddit

Not HR just legal. I'm guessing HR would have shut this down.

Reply

[-]

ThellraAK@reddit

Per our conversation on XX I will no longer include YYY in testing. CC their boss and BCC your personal email.

Reply

[-]

Freakin_A@reddit

Now he has done it, has raised the risks, and is being told not to do that in the future.

Reply

[-]

DrMacintosh01@reddit

The executive sweet of a typical business is not qualified to dictate how things should go down in IT. Sure the executives can put limits down, but those same executives will fire IT when shit hits the fan when the incident could have been entirely prevented if IT was allowed to do their job.

Reply

[-]

Too-Uncreative@reddit

And does creating hostility and distrust between IT and everyone else allow IT to do their job? The executives absolutely can tell IT how they interact with other departments and what isn’t acceptable. Notice OP isn’t being told they can’t do phishing tests, just that the subject of this last one crossed the line and to be more considerate in the future.

Reply

[-]

DrMacintosh01@reddit

Call me crazy, but people should not view their IT department as their friends. Yeah they fix the printers when they break, but that also have to protect the company from attacks that can literally end the business and cause everyone to lose their jobs. I think a power dynamic like that will naturally result in jaded tensions between IT and all other departments.

Reply

[-]

Too-Uncreative@reddit

You don’t have to be friends, but you should at least be colleagues and be professional with each other. Not having that is what leads to shadow IT solutions and users ignoring training.

Reply

[-]

screampuff@reddit

Exactly, I work as an EA and a lot of IT people like to ignore the whole concept of buy in and mutual understanding and how that impacts actual business goals. It's easier to just plug your ears, call the police and point out that others are wrong even if it means worse outcomes.

Reply

[-]

Sharobob@reddit

Ok but there's a difference between "we won't pay for that feature because we don't value information security" and "yo can you please not cause a giant panic convincing our employees their loved ones are dead"

Reply

[-]

DrMacintosh01@reddit

Say OP was told they couldn’t perform this test so they didn’t. Say a few weeks later a real attacker used a similar tactic instead and succeeded causing untold damage to the company. Would the Executives feel that IT did everything they could to protect the company, or would they still blame IT?

Reply

[-]

Bradddtheimpaler@reddit

You could better train people to respond to a mass shooting by having a dozen armed men smash through the windows in the office, aim at the employees, and firing blanks. Why not throw a few flashbangs too? You *could* do that, but does that sound like a good idea to you?

Reply

[-]

TheRealPitabred@reddit

I think they were just wanting OP to possibly choose a different subject, could still be somewhat emotionally charged like an emergency company meeting or benefits issue, but just personal panic.

Reply

[-]

DrMacintosh01@reddit

Personal panic won’t be properly simulated without making the training material personal.

Reply

[-]

TheRealPitabred@reddit

That's why I suggested something with HR or benefits, may be suggesting that insurance coverage has lapsed or you have a big charge you need to deal with. Not every training scenario has to be with live ammunition, the vast majority are not and should not be.

Reply

[-]

Bradddtheimpaler@reddit

This is very severely overlooking managing the department’s relationship to the rest of the company. If I was a user who got this my reaction wouldn’t be, “oh, you guys! You got me!” It would be, “you know what, fuck those pricks.” Good luck getting my buy-in on new initiatives after that. Good luck getting me to follow your processes the way you want me to after that. I’d be willing to throw you under the bus about anything and everything after that. Better hope I don’t have any influence on your budget, or hiring and firing decisions either. Matter of fact, maybe I will hear out that consultant about outsourcing more of our IT operations.

Reply

[-]

DrMacintosh01@reddit

If you’re part of managment, you have every right to shoot yourselves in the foot.

Reply

[-]

Croissant70@reddit

OP is the one shooting himself in the foot by literally alienating his internal customer for marginal gain on a hypothetical. The business isn’t in a better position at the end of this.

Reply

[-]

ncc74656m@reddit

As someone in the position of not being allowed to do my job right now, I feel you on this. Unfortunately, most C-Suite folks don't have a whole lot of sense of their own boundaries. Even working for an NFP that is most beholden to its Board, and then to our donors and clients with whose data I am entrusted, the execs still feel that they can dictate what is "convenient" for them, instead of recognizing that I'm meant to do a job, and they're literally just here to gladhand donors and get their money.

Reply

[-]

Vesalii@reddit

I disagree. His figures show that this company needs some serious training and testing. And a CTO isn't someone well versed in IT and in phishing. Their opinion holds zero merit.

Reply

[-]

Sea-Aardvark-756@reddit

Their opinion holds a lot of merit, and thinking you need to scare people into believing their family is in trouble to get accurate phish test data is foolish. That is neither a common tactic nor necessarily going to prove anything useful. We already know some people get caught by phish tests, and intuitively know a higher percentage will probably be caught by a better designed test with higher stakes and a time-sensitive nature. We don't actually need to run that test to go from 30% phished to 38% phished to know the team members need training. And IT needs a good reputation with team members to be effective, this sociopathic testing method alienates them and makes them less likely to want to work with IT and honest if they get got in the future by a real phish. This is setting up for failure to get a higher number with no positive impact. Number go up, usefulness go down.

Reply

[-]

Redacted_Reason@reddit

With all that being said, you never answered the question "so what now?" Cool, we're going to say it's off limits for testing. But what are we going to do to fill the gap? OP is right, attackers will absolutely send something like that. Same thing with birthdays. Same thing with holiday bonuses. Same thing with after work activity invites. What are we doing to fix that? Just hope nobody does a good phishing attack?

Reply

[-]

DaemosDaen@reddit

Someone once said this to me for a VERY similar situation as OP. I'll just repeat here, what I said then. (Note this was to a Police Office.) "Your right, it's not MY network, however it is my ass that gets ran up the flag pole when shit hits the fan. If you, the chief, the administrator, or even my director click that link, it's me they crucify on the 6-o-clock news. If you truly think I over-stepped, then, by all means, have the chief send an email up the proper channels and I will gladly adjust the tests." "Can't he just tell you..." "No, I need documentation so that when, not if, we get hacked, I can explain why we are not using <insert test here>. I didn't spend 2 years lobbying for these test just to give them up without a fight. I still haven't that message from the chief. I'll be honest, I don't even set up the tests, my coworker does.

Reply

[-]

reenact12321@reddit

I'm sure that I told you so email will be very handy and relevant when there's an outage and someone's testy with you. /s

Reply

[-]

Puzzled-Formal-7957@reddit

This is awesome. This is exactly how the conversation should go.

Reply

[-]

NickW1343@reddit

I feel the same way. I agree with OP that this is something a bad actor could use, but an exec told them to stop, so they need to stop. On a side note, imagine someone's family member is ill or elderly and told them there was an injury in the family. I'd feel silly after clicking the link and giving away info, but I'd be furious if I found out the countless 'what-ifs' in my head that all could derail my life were caused because someone at work decided that was the way to test security. I don't want to think about how my sister, parents, grandparent, or partner could've been horrifically injured, so much so that HR saw fit to inform me during working hours, since I'd assume it must be so severe I have to rush out to be with them their last moments. It hurts to think about grandma falling again.

Reply

[-]

sir_mrej@reddit

Eeeeh it's not as cut and dried as that

Reply

[-]

OneSeaworthiness7768@reddit

Well put. Too many IT guys think of their systems and processes as *theirs.* The job is to support the business.

Reply

[-]

habibexpress@reddit

This is the advice. Your approach is great. You’re doing everything correct and “perhaps by the book” but be understanding that there are other ways you can protect your network from them. Yes, the edge protection is the best and user education is important but this is why you have to prepare for a second layer of protection. I’m assuming you’re using a Zscaler kind of an appliance to protect/inspect traffic?

Reply

[-]

IFarmZombies@reddit

Holy shit what an unhinged phishing test to send out. Everyone is going to hate you

Reply

[-]

_menth0l@reddit

While back got is similar trouble for using earthquake in Turkey to urge people to click the link and help victims. My defense was that this is exactly what TA's do - exploit moments of emotional vulnerability and current world events and our employees must be aware of such risks. Somehow I managed to get it to be ok, but I was told that next time I wouldn't get out of it so easily. My advice would be to 'Fight Like You're the Third Monkey on The Ramp to Noah's Ark, and Brother It's Startin' to Rain'. As this will define your career- if they manage to put you in a box now, your job will become hell for you. Ps Off course i did it again :)

Reply

[-]

trentq@reddit

Big mistake. Huge.

Reply

[-]

persiusone@reddit

I suppose it depends. I see both sides of the issue here but am leaning towards agreeing it could have crossed the line. There are many ways to engage users emotionally without letting them think a family member is seriously injured or ill. You’re right, that threat actors may not be less cruel in their tactics. They are also right to consider the wellbeing of the employees, and their morale. I probably wouldn’t want to work at a place that constantly plays with my psychological welfare, but know there is a balance. In this case (without knowing more than you’ve provided), lines were probably crossed.

Reply

[-]

Affectionate_Exit430@reddit

you did nothing wrong .As you said,you prepare for the worst case scenario with the worst case test.If is not breaking any law ,it expose the problem exactly where it can come.Emotions .you CTO should do some learning process on how cybersecurity work ,else get a write down mail where do you ask exactly where is the line from HR and CTO ,so when the business will be destroyed by similar phishing attempt ,they are responsabile for no preparation against it.

Reply

[-]

AverageDummy2@reddit

LOL this reminds me of the time Dwight set the office on fire to teach everyone about fire safety

Reply

[-]

Putrid-Holiday-3671@reddit

S5E14. For those interested.

Reply

[-]

homoscotian@reddit

This is honestly the perfect example of why this was a bad choice lol Imagine Stanley got that email and his heart went berserk

Reply

[-]

AverageDummy2@reddit

LOL Stanley's poor heart! Now he has to worry about the IT guys

Reply

[-]

blueskyn01se@reddit

Today, smoking is gonna save lives 🚬😏

Reply

[-]

frenswithgeese@reddit

It was a fire DRILL, it wasn't a real fire, he said that at the end right before Stanley had a heart attack LOL

Reply

[-]

IAmOgdensHammer@reddit

Dude that's psychotic

Reply

[-]

GiggleyDuff@reddit

There are other ways you can do high urgency

Reply

[-]

SirDerpingtonTheSlow@reddit

You have had a wild not-suspicious-at-all timeline: * 07-19-2023 - You're a Systems Administrator with 8 years experience working on Windows boxes. * 12-08-2023 - Now you're working networking issues * 05-31-2024 - Unemployed * 12-28-2024 - VP of Cybersecurity * 03-17-2025 - Air National Guardsman. Now you have 5.5 years in Cybersecurity/Networking all of a sudden. Highest level cybersecurity analyst at your job, but report to the VP of CS. * 04-08-2025 - Struggling with basic networking questions * 07-09-2025 - In college for networking degree * 09-13-2025 - Just graduated with a BS in Network Engineering * 04-23-2026 - Back to being VP of Cybersecurity all of a sudden Interesting.

Reply

[-]

not-geek-enough@reddit

Ran an entire report log on this person 😂 love it

Reply

[-]

InfamousStrategy9539@reddit

He’s hidden his posts 😆

Reply

[-]

Reeces_Pieces@reddit

The end result you want is for users to ask you about something suspicious before they go clicking links. You need to be likeable for them to feel comfortable enough to interact with you and ask you things. This example makes you less likeable, and less likely that they will interact with you. I'd keep tests more realiatic. Things they'd definitely see in the wild, like fake docusigns and invoices.

Reply

[-]

andrew_joy@reddit

More than once a quarter is taking the piss , that's mental. "And my most important metric is keeping my network safe." Wrong , your job is to keep things as secure as practical with the resources available without too much impact on the business.

Reply

[-]

FireFitKiwi@reddit

Will Wheaton rule applies. Don't be a dick. You don't need to cause emotional damage to prove a point, and honestly in this day and age you should be aware of zero touch exploits and lookalike scams that beat most savvy users. Get something like checkpoint harmony and stop them cold.

Reply

[-]

SikhGamer@reddit

Yes. You are. We had something like this at work. Worker had just had triplets, it was near Christmas, a fake salary increase email was sent. Legally, fine. Culturally, it is insensitive and fucking insane. You are in the wrong. Stop being a knob. If you did that where I worked, I would 100% complain to HR and get the union involved.

Reply

[-]

cozza1313@reddit

Yea that’s definitely crossing a line, hackers might not give a shit but have some morals, honestly after that I wouldn’t be surprised if your users start clicking on more links out of spite.

Reply

[-]

Mr_Sneb@reddit

Nah I think your trying to hard, I've ran phishing tests before, just standard boiler plate stuff is enough, people have a right to not be subjected to alarming stuff intentionally at work.

Reply

[-]

TFABAnon09@reddit

I'll take things that didn't happen for $500 please Alex...

Reply

[-]

mrtuna@reddit

Wait, you did a phishing email to make it look like HR was mailing your colleagues, saying THEIR family member was seriously injured? The recipients family member? And you're wondering why people are unhappy?

Reply

[-]

eri-@reddit

We had this the other day , user a "sent a mail" to another user b regarding user a's booking of an airbnb. The mail very explicitely invited user b to "join user a in the hottub" User a was not amused :-) Guy instantly freaked out and demanded we seize all impersonation phishing immediately. We had a good laugh over it, when your phishing platform inadvertently makes your end user look like a horny little twat, who are we to intervene

Reply

[-]

turbofired@reddit

yeah imo you fucked up, you crossed the line. where is the line for you? do you send phishing emails purportedly from the CEO?

Reply

[-]

justmeKMc@reddit

I got one “from” our CEO two weeks ago (showing as in internal email) - and immediately thought “phishing email” because I don’t usually speak with the CEO on a daily basis. Is this not common sense? But also, why should he not be allowed to use any means necessary just like a scammer/hacker do every day? I work for a medical company and think it’s the company’s duty to make the phishing emails as real as possible to protect the patients info from actually getting stolen. Plus think of the consequences - his email caught people off guard and made them worried for a min, but had it been real the entire network/company is at risk if they gain access.

Reply

[-]

turbofired@reddit

if you use emotional tugs you make the users angry at you for what they see as a reasonable thing. they love their family. they don't love their company. you are replaceable as fuck and so is everybody else and they all know it. so if you use a phishing email bated with their sick loved one, and then penalize them for caring, you fucked up.

Reply

[-]

justmeKMc@reddit

Wow yeah never would I even think to be angry about something like this - it’s my job to not click on random shit while I’m at work to protect the company and my patients info and it’s their job to portray real life scenarios … idk I would never think to get angry about it or go anywhere but straight to IT if I had an issue either. Also when you say penalize it’s not like they’re getting fined or fired. The worst I’ve seen my company do for not catching a phishing email is assign an online training course & short test. So basically more training for those that need it.

Reply

[-]

Ok_Wasabi8793@reddit

Nah. That’s too far. I wouldn’t say work has given you a bonus or any other potential emergency. Use a standard phishing service, they don’t put out shit like that. Also are you helping your users? External tags etc. ?

Reply

[-]

shadhzaman@reddit

Im pretty sure the "VP" claims are bogus. OP was likely an overzealous IS security person who picked that template and the actual VP and CTO told him to watch it, and they kinda figured others would side with the CTO and VP that OP didn't have the authority so they added the VP part to bolster their claim. You can further see the signs with "I just care about my network" comments because nobody who's that dense has ever climbed much of the managerial ladder, let alone a VP. And yeah, people like these are the bane of good IT practices. There is a line where you are just pushing so much restrictions on your people that you are actually making shadow IT grow. I've known some in my field who are so ridiculously focused on their part of the infrastructure they completely miss why that infrastructure was needed in the first place.

Reply

[-]

goutsport@reddit

do u wear filas?

Reply

[-]

AntisocialTomcat@reddit

As a CTO, I would crucify you for doing this behind my back, potentially asking the CEO for permission to skin you alive. As a human being, I would ask for your immediate dismissal because telling people their loved ones are in danger when they are not is absolutely unforgivable. You probably meant well but forgot to think at some point, which results in me, and I would bet the whole company, thinking that you’re a disgusting human being devoid of any moral compass.

Reply

[-]

justmeKMc@reddit

Would this be before or after your own crucifixion? Just guessing your company wouldn’t lov curious because I think if your companies network is breached due to ineffective training regarding phishing emails you deemed the appropriat would hurt your employees feelings and your own personal stance on what is unforgivable and disgusting - as if hackers/scammers give a shit … they use tactics like this all day every day. Maybe you should focus on skinning them alive. Also, I’m sorry about whatever happened I to you to make this strike such a coed.

Reply

[-]

eddielee817@reddit

I have a feeling this never happened and it's just his attempt at rage baiting us....and it worked!!!! 😆

Reply

[-]

Short-Legs-Long-Neck@reddit

I dont think phish testing and training is aligned with zero trust. No matter how much training, you still have to assume breach. Unless training meaningfully reduce the incidents, how is it worth it? In my experience, the same people click every single time. There is no training them. The idea you can training end users to use the tiny amount of data in the email client to determine a safe email is unrealistic.

Reply

[-]

Deweyoxberg@reddit

As a demo/training material/live phish experience in a planned setting? Yes. As a mimic in someone's inbox unannounced, of something much more serious and deeply personally upsetting? Iffy at best. Grey area but danger close to too far. That you would simulate HR, and then simulate something deeply personal? Look I get it, you're trying to do the right thing, but this was too far.

Reply

[-]

SVSDuke@reddit

Jax wins, fatality! ![gif](giphy|3lIgOk4Gjfptu)

Reply

[-]

Medical-Ask7149@reddit

Where you work? Now we know what attack works. Good job at protecting your company. I bet we can piece together your history and find it out.

Reply

[-]

heapsp@reddit

One time my company security person got in a lot of trouble sending a phishing test about a surprise bonus for the company, because it drove moral way down when everyone realized it wasn't real. LOL

Reply

[-]

renolar@reddit

Do you test your workplace evacuation procedures by running though the office screaming “ACTIVE SHOOTER IN THE BUILDING RUN FOR LIVES” and then announce later it was “just a drill”, and act dumbfounded when people are upset at you later?

Reply

[-]

cwolf-softball@reddit

I find it absolutely hilarious that you claim to be a VP and want opinions from random redditors

Reply

[-]

Jacksharkben@reddit

I was going to make a email about layoffs and a "leaked list" and something with like 85% downsizing. But I thought that might be to harsh.

Reply

[-]

Red_Wolf_2@reddit

Did you cross the line? Possibly... That said, the real lesson for end users here is that there is NO LINE a genuine attacker will not cross. They will try anything to achieve their goals because they are not restrained by such pesky things as legality or ethics. I'd frame any subsequent training which came out of this in terms of how to respond and deal with such incoming emails which may be deeply troubling or concerning to end users, first and foremost reminding users that they can (and should) use their known safe paths to contact potential senders to verify legitimacy of incoming emails that are unusual. Pick up that phone, call HR, verify that the email is actually from them, especially when the matter is serious! Users need to be reminded that attackers will attempt to exploit their trust, their emotions, their personal vulnerabilities. They will use information they've stolen from elsewhere to know the best ways to target them. It isn't about never believing any emails or messages you get, it is simply about learning to verify if something seems unusual. This has two benefits... It stops the instant reactive response from causing a breach, and more importantly it notifies HR (or whoever has been impersonated) that they have been impersonated, and allows security practices such as notifying potential targets of the phish attempt as well as ensuring proactive monitoring of accounts is taking place in case someone has clicked the links or has otherwise been phished or compromised.

Reply

[-]

RagingDaddy@reddit

Dwight Schrute over here starting actual fires to prep for a firedrill

Reply

[-]

schwags@reddit

He's just mad cuz he clicked the link lol

Reply

[-]

DeathRabbit679@reddit

These are pointless anyway. You can't educate people out of clicking a phishing link if they gullible enough to do that. This isn't 2001 and people are just learning that this internet thing has bad people on it. Everyone knows to be wary, and if they choose not be, or they're too terminally stupid to remember to be, it's hopeless.

Reply

[-]

Key_Mind_8710@reddit

Your missing the point of theses emails... It's about shift legal liability from the business onto the individual. The business didn't care, it just a cost saving check box on the cyber insurance renewal policy.

Reply

[-]

cddotdotslash@reddit

First, if your network can only survive by the grace of employees not falling for phishing emails, you’ve lost the game. Like, focus on MFA, conditional access, or other mitigating controls first before conducting pointless tests. Second, yeah, you crossed the line. So not only do employees probably hate you, but you’ve alienated the exact people you need to feel comfortable reporting things to you. And among all that you still haven’t protected your network. I’m honestly surprised you have a job at this point.

Reply

[-]

dparks71@reddit

Again, I don't care about my employees as much as I care about protecting my network. Which is why you don't belong in your position.

Reply

[-]

LordValgor@reddit

Seeing stuff like this always bugs me that these people have made it to these heights. Like, how do people who have such a skewed grasp that fails the goal of being a VP/CISO get there? Crazy.

Reply

[-]

TheRealPitabred@reddit

That's how they got there. Modern leadership positions reward sociopathic behavior many times.

Reply

[-]

knightofargh@reddit

All times. Post Jack Welch there is no margin in empathy if you are a “leader” in a publicly held company. This Q is what matters, the line must go up and to the right. The notion of two-way loyalty isn’t taught or at least is ignored by modern executives.

Reply

[-]

TheRealPitabred@reddit

Yeah, it can be different for private companies fortunately. But not always.

Reply

[-]

8923ns671@reddit

Confidence and knowing people is how you advance. Competency has little do with it.

Reply

[-]

SelfImproveAcct@reddit

Usually high performers in analyst type roles who get promoted based on output and not their leadership skills

Reply

[-]

Impressive_Pea_509@reddit

Type of guy to leave a time bomb when they’re let go.

Reply

[-]

bitstream_baller@reddit

There's a reason certs like the CISSP drills in the absolute necessity of health, safety, and ethics in Infosec. It's because there's thousands of people out there like OP who miss the forest for the trees

Reply

[-]

badaz06@reddit

I'm guessing he didn't mean "I dont care" like "If they all die tomorrow so what?", but yes a poor choice in verbiage. A more seasoned response for OP would have been to say, "I hear you and will take your input for serious consideration". He is correct in that a hacker will take every advantage of someone to gain an edge, but there are better ways to do that than faking someone seriously ill or in the hospital.

Reply

[-]

Likma_sack@reddit

The most crucial thing in any organisation to protect is the employees, then the data. I agree with you 100%.

Reply

[-]

SemiDiSole@reddit

Hard disagree. Our job is to protect corporate assets, more than it is to make sure that everyone is happy. I have literally marked people for termination, for failing to comply with security guidelines (which includes repeatedly failing the internal phishing tests.) If anyone becomes a liability they will and must be removed.

Reply

[-]

dparks71@reddit

OP is seen as the liability here to his CEO. They're being told that to their face and running to an echo chamber that has no background to validate their position.

Reply

[-]

ncc74656m@reddit

Yeah, seriously. "I don't care about my employees" speaks to a real lack of empathy and it makes you untrustworthy, with good cause, which means users won't trust you enough to report the weird black boxes popping up all over their screen after clicking a bum link on Google. I'm not saying we have to handhold people and be ready to give them tissues because they went after a $5 gift card phish lure, but telling them grammie is dying is so above that line that you just can't really justify it.

Reply

[-]

anonymousITCoward@reddit

If you care about the employees, the network will guard itself...

Reply

[-]

Easik@reddit

Standard security team doing useless shit to make everyone's lives harder.

Reply

[-]

ManyInterests@reddit

Not acceptable. > serious threat actors aren't going to hold back While true, that doesn't give you the right to probe those same angles. Serious threat actors could also do _much_ worse; that cannot justify you being allowed to inflict those means against your coworkers. You, as a security professional and former red teamer, should know very well that every engagement must set clear boundaries, agreed upon with stakeholders, **before** conducting testing. You didn't get the CTO's buyin on these boundaries and if he says you crossed a line, this is _objectively_, by industry standards and norms, a clear failure on your part. Not only is it deeply unprofessional, it probably opens you and the company to legal liability.

Reply

[-]

blofly@reddit

Fail him on his phishing test and send him back through re-education camp.

Reply

[-]

Caprese_Salad@reddit

This is a phishing post. Click-bait.

Reply

[-]

Bogus1989@reddit

the team doing the phishing tests at my org, are perfect. because of them being so aggressive, people got good at it and now pay attention.

Reply

[-]

Practical-Alarm1763@reddit

r/shittysysadmin

Reply

[-]

Lerxst-2112@reddit

I think this guy forgets the “people” part in the “people, processes and technology”.

Reply

[-]

Lustrouse@reddit

You're wrong because the CTO says you're wrong. You are an employee, not an owner. Your job is not to execute your own vision, but another person's, and you failed to meet that goal. I personally don't think your test is a bad one for testing cybersecurty best practices across the org... But there is something to be said about creating a problem in order to address another.

Reply

[-]

Snarky_Survivor@reddit

What did i miss ![gif](giphy|13cptIwW9bgzk6UVyr)

Reply

[-]

BidAccomplished4641@reddit

Off topic, but where's this company that's looking to hire a new VP or AI and Cybersecurity?

Reply

[-]

BemusedBengal@reddit

You don't even need to be qualified!

Reply

[-]

largos7289@reddit

I feel like this is a test itself...

Reply

[-]

Hopefound@reddit

Business told you no. That’s what is important here.

Reply

[-]

Klutzy-Football-205@reddit

>Again, I don't care about my employees as much as I care about protecting my network This is one of those soft skill items that you don't seem to have or care about While you are technically correct about real threat actors not holding back, I think your phishing scenario would be better to mention/use in an all staff training along with "think through emotional emails" reasoning. BTW, it isn't YOUR network, it is the company's network. Ultimately, if the CTO said it crossed a line, it crossed a line whether you think it did or not. You're looking at one slice (network security) while the CTO is looking at the larger pie using soft skills (network security tests against employee morale/angst, etc ).

Reply

[-]

AH_Josh@reddit (OP)

It's my network if something goes bad. What do you think happened to the last Sec team after this company had a huge breach?

Reply

[-]

florence_pug@reddit

If you did this to me, I would lose my job just to punch you square in the face.

Reply

[-]

AH_Josh@reddit (OP)

Good to know. Goal of the test was to test emotional levelheadedness went faced with a rrally emotional topic. Also good to know for red teaming. Seems no one trains for it.

Reply

[-]

Skyhound555@reddit

This is the dumbest explanation I have ever heard of and completely not the point of phishing tests.

Reply

[-]

florence_pug@reddit

You learned nothing of value here. You're a douchecanoe.

Reply

[-]

Skyhound555@reddit

You do realize you contradicted yourself, right? If something goes bad, it ceases being your network. Phasing email tests are the lowest fruit imaginable when it comes to cybersecurity. That is basic Analyst work, not proper cybersecurity. The only reason you are making such a big deal of your phishing test, is because you are not handling the real security hardening in your environment. Your organization should not become compromised because of a singular phish, so there is no reason to take it so far. If phishing education is your first line of defense, you have massive issues in your organization.

Reply

[-]

gpcyan3@reddit

This guy speed running to unemployment again.

Reply

[-]

Greerio@reddit

Yeah, that’s was a shitty thing to do. Whether legal approved it or not doesn’t matter. You just don’t mess with people like that.

Reply

[-]

lotekjunky@reddit

It's a stretch, but how would you handle it if someone had a heart attack when you told them their loved one was in the hospital?

Reply

[-]

DarraignTheSane@reddit

> I'm VP of IA and Cybersecurity I don't wish to be offensive but I see no other way about it - As an IT Director, I am smfh and asking how in the hell you made it to VP level while lacking basic human skills such as understanding that you don't use a fake family medical emergency to phish test your people, all while doing it in the name of protecting "your" network. And then have the complete lack of self-awareness to go and post on reddit about it. How the hell did you not have anyone that you interact with warn you that this was a bad idea?

Reply

[-]

Hackwork89@reddit

OP will never admit that he could ever be in the wrong.

Reply

[-]

AH_Josh@reddit (OP)

In fairness, Im refuting everyone saying "apologize to CTO" or "you will lose your job". Those will not happen. This discussion happened months ago. Mostly posted to generate discussion as I was talking with my pentester things that have worked well. He went "woof thats crazy. But it works. I might use it"

Reply

[-]

Hackwork89@reddit

I rest my case.

Reply

[-]

jeffrey_f@reddit

You are fine. Maybe there is something under the covers happening with them. That can comeout as being upset and maybe offended. You are right though........The bad actors are not going to be going by the rules. As long as legal has your back, don't worry too much.

Reply

[-]

orion3999@reddit

Based off of your description, it went right up to the line. At the end of the day, Legal signed off on it and you didnt perform the test in a vacuum.

Reply

[-]

h0tel-rome0@reddit

VPs don't run phishing tests

Reply

[-]

OldSpice-69@reddit

Nothing wrong with this at all, I deal with idiots pressing links in emails all day. Domains are easily spoofed, and legitimate looking emails are easy to create. But learning how to spot a phishing email takes less effort than being able to create them. God forbid they find out they're related to an African prince.

Reply

[-]

MiniOozy5231@reddit

So what happens when that email that contains PHI is sent for analysis outside of your scope of control? You might have been the cause of a PHI leak, exposing the company to potential business-ending lawsuits.

Reply

[-]

bottleofmtdew@reddit

I get where you’re coming from, and while your reasoning is fair regarding threat actors, this would be something that I’d run by more than just legal, I’d loop in CTO/HR It’s one of those touchy areas that people without a security focused mind would see it as malicious from you, and could hurt people’s trust in IT

Reply

[-]

AH_Josh@reddit (OP)

My company is weirdly structured. IT and Security are not even under the same sub-organization. We are under legal and compliance. IT is under ops. We never worked together unless we need APIs or VM agents etc installed.

Reply

[-]

bottleofmtdew@reddit

That is really strange, seems to me like that is Silo’ing some communication, cause regardless of being separate departments, it’s all one beautiful umbrella of IT

Reply

[-]

robocop_py@reddit

It’s not strange. In fact it’s how it should be. When security reports through IT, then risk management suffers.

Reply

[-]

throwaway117-@reddit

Junior industry person here: I would be really grateful if you could explain why risk management would suffer

Reply

[-]

Rentun@reddit

It's about incentives and conflicts of interest. CIOs aren't assessed based on how secure the network is. They're assessed based on system uptime, shipping software, budget, and so on. Because they're not assessed on security, it doesn't get prioritized, and if security comes into conflict with any of the things they actually *are* assessed on, security is entirely dropped as a consideration. If you have a CISO that reports to business operations just like the CIO does, then you have someone who is actually accountable for security, and the CIO can't just sweep things under the rug to make themselves look better by under-investing in security. It's the same reason why auditors don't work for the same organization they're auditing.

Reply

[-]

throwaway117-@reddit

Thank you!! This makes sense.

Reply

[-]

bottleofmtdew@reddit

Think the assumption then is “well, risk won’t be properly managed, the risk assessment team won’t be notified of things, etc. I feel that once again goes to lack of communication between departments and silo’d information

Reply

[-]

Rentun@reddit

Security isn't IT. Their incentives are almost diametrically opposed. IT wants to maintain ease of use, system functionality, and feature support. Security wants to prioritize confidentiality, integrity, and availability. Those things are rarely ever aligned. It's very common for organizations to have security to sit in the IT department, but those organizations usually don't have strong security programs. Anywhere that's highly regulated, or where security is massively prioritized will have them as completely separate organizations, with the CISO and the CIO being peers.

Reply

[-]

AH_Josh@reddit (OP)

There was a large breach before I joined, and they assumed it was due to a sort of shared duties type. This made the leadership at the time extremely course correct in the wrong direction. Every single tool has a single admin. I don't even have AD admin credentials. They compartmentalized all of IT extremely hard.

Reply

[-]

bottleofmtdew@reddit

Wow, I feel that struggle there, but man ONE admin per app? Tell me at least some sort of break glass account is available per app, or at least occasional duty rotations. I wish you luck in your future security endeavors here 🫡

Reply

[-]

WilfredGrundlesnatch@reddit

That's pretty standard. Security is to IT what Internal Audit is to Finance. If Security reports to IT, there's a conflict of interest and Security will almost certainly be ignored in favor of IT's primary mission.

Reply

[-]

flyguydip@reddit

As long as they're not included in every phishing test. Including more people will almost always result in someone vetoing most of the test topics. Too many cooks in the kitchen is never good.

Reply

[-]

urbanhawk1@reddit

I agree that they don't need to be included in all tests. The, "You've been given a giftcard by your company for Christmas. Just click [this link](https://youtu.be/dQw4w9WgXcQ?si=FpAhGWZf2suo21bu) to recieve it," phishing test shouldn't need approval. But for the ones that are more emotionaly charged and/or likely to induce a panic I would loop them in just to cover my ass when people try to complain about them like this.

Reply

[-]

Jaereth@reddit

Especially bringing HR in. "You mean you're giving me the opportunity to tell IT "no" because they aren't smart enough to realize something is inappropriate?" This is like every HR directors wet dream lol.

Reply

[-]

bottleofmtdew@reddit

Oh yeah, I agree I feel for the tests like this specific one, it would be good to have some sort of communication with other departments. It should be a special case and not the norm

Reply

[-]

Puzzled-Formal-7957@reddit

Why would you loop in some of the very people you are trying to show are deficient and need more training and following security minded practices? On of the points is actually to get people NOT to trust IT, and to be very cautious and skeptical.

Reply

[-]

qrysdonnell@reddit

Here’s the thing. All of us could make a phishing test that will get clicks. The point of these is to raise awareness, it freak people out. People get freaked out enough when they think someone bought a laptop on their credit card - family member getting injured? Now they’re just going to take away that you’re an asshole. You made it about you. Not breaking laws doesn’t mean shit.

Reply

[-]

Jaereth@reddit

>I also stood my ground and said that serious threat actors aren't going to hold back. Exactly. I remember when COVID was just starting KnowBe4 sent one to our users like "You have been exposed to someone with COVID - click here for info" and made it look like it was from our work/hr. People flipped their shit about how that wasn't acceptable. I'm like "Guys that's an ACTUAL PHISH ACTUAL THREAT ACTORS are using RIGHT NOW. KnowBe4 is just trying to prep you for it." No dice. Director took it out of the rotation for simulated phishes. Sure everyone wants to be safe with phishing. But if you start taking away certain people's 'iamverysmart' card expect pushback.

Reply

[-]

Silly_Blood_2754@reddit

I ran into the same wall with “too real” lures. What finally worked for me was separating two things: what I think is realistic vs what the execs think is acceptable risk for morale and PR. I ended up building a “content policy” with HR and legal: no death, medical emergencies, layoffs, kids, or anything tied to current traumatic events. Still nasty lures, but we keep it to stuff like payroll changes, MFA resets, fake DocuSign, gift cards, travel reimbursements, CEO / vendor spoofing. That gave me cover: if someone complains, I point back to the policy they approved. I also show leadership real threat intel examples during QBRs so they see what we’re not allowed to simulate. That makes them own the residual risk instead of just neutering your program quietly. On the side, I tried KnowBe4 and Cofense and then Tartan App, and Tartan App caught threads I was missing because I could quickly spin up short, targeted tests tied to specific user mistakes we saw in the wild.

Reply

[-]

looney417@reddit

Your heart might be there, but you're going to get fired. Find another urgency

Reply

[-]

Defconx19@reddit

You're a VP and you're asking reddit? This is wild to me.

Reply

[-]

Randalldeflagg@reddit

Had a company running a phishing test two days into the new year. The subject? Your health insurance acceptance for that year was not complete and your insurance was canceled... Two days into the years. 3 days after the final day to confirm insurance options. There was a very near fight in HR about this. Someone's kid was literally going into surgery that morning for something critical. Massive back peddle from the execs that approved it at the parent company level.

Reply

[-]

BobRyanHere@reddit

At my work they recently did a phishing test about a holiday bonus and it came from the support address so my team got one very angry email and one person helpfully replying the link was broken lol.

Reply

[-]

jdiscount@reddit

How are you a VP with such unbelievably terrible judgement.

Reply

[-]

LaughableIKR@reddit

This is what I would call a pyrrhic victory. You won, but you pissed off everyone. This is like putting out a bonus email from HR. Yes, the scum use this too, but that doesn't mean you won't get hung out to dry because every employee who opened it is angry at you.

Reply

[-]

Mizerka@reddit

0 op relies so i guess its just ragebait but ill bite. Yeah its fucked up, i dont like users but i wont tell them their granny died, also our infosec did something similar because they werent getting enough hits on phish metrics, they spoofed our actual domain and whitelisted it through dmarc etc. they got a lot of shit for that and went away with tail tucked under their shit stained tighty whities. Also maybe hot take but phishing tests dont do anything and dont teach anyone anything about cyber security, its just a tick on corpo sheet.

Reply

[-]

was_fired@reddit

Yes, you crossed a line and likely made your organization less secure as a result. Everyone can fall for a proper phish or vish if they are actually doing a job the requires exchanging emails with the outside world. These tests are at most supposed to be a casual reminder. They are NOT nor will they EVER be a rock solid defense against phishing and trying to spend serious resources to making them into that is like trying to make a wall out of butter. It'll be an expensive mess that stops nothing, melts, and attacks all sorts of additional pests. Instead proper security focuses on ensuring that: 1. Users never get a phishing email in the first place 2. If phished users can't send data to untrusted websites that spoof your stuff or vendor stuff. 3. If the phishing is dropping malware... then you should have blocked it from showing up or running.

Reply

[-]

thortgot@reddit

The answer to phishing isn't better phishing tests, you can of course trick someone into clicking a link. If you couldn't you'd be terrible at your job. Move to phishing resistant MFA so if the user clicks the link it doesn't work solving pass the token attacks entirely.

Reply

[-]

Absolute_Bob@reddit

Look the bad guys will cross any line so it was a valid test, but you potentially made people worry their family was in danger. That's not good guy behavior, that's cruelty. I'm actually surprised you still have your job. I understand the reasoning and motivation but you wouldn't walk into the building carrying a fake shot gun acting like you're going to kill people as an active shooter drill would you? There are limits to what white hats should do, that's part of what sets you apart from the black hats.

Reply

[-]

everettmarm@reddit

As a VP you should have known better but we all make mistakes. As a VP, dismissing the voice of the org is inexcusable. The exec connects the firm to its human core, and this was a neon sign and a learning opportunity that you refused.

Reply

[-]

TheAgreeableCow@reddit

IMHO phishing tests sit in the realm of cyber culture. We absolutely want people to have good cyber judgement, have an awareness of risks and a general positive engagement with cyber initiatives. However, from a risk management perspective, they are never 100% effective. Every bit counts, but even a 10% click through rate could be dozens or hundreds of people. That is why we have defence in depth. Unfortunately, what OP is doing actually breaks down that cyber culture. It can give people a negative perception of the team, which can have an overall more detrimental impact.

Reply

[-]

DullNefariousness372@reddit

HMU my company offers phishing simulations and training so they can’t get mad at you

Reply

[-]

hidazfx@reddit

power tripppppo

Reply

[-]

NoDowt_Jay@reddit

Eh could go either way… I get why people might be upset by it due to the nature of it, but it’s also exactly what a real phish would be trying to do with the emotional knee-jerk reaction. I guess you could have balanced it by keeping the email more obvious with typo’s and easy clues.

Reply

[-]

azeottaff@reddit

INFO: Are you on the spectrum? Apologies if asking this offends you.

Reply

[-]

ferrarif50hunt@reddit

The fact that you can't see how this is crossing the line is honestly scary. Absolutely ridiculous behaviour. Nice job ensuring that every single employee hates you, though.

Reply

[-]

InfraScaler@reddit

What the fuck.

Reply

[-]

smirkingcamel@reddit

It's wild that so many people are calling you out. I think there's nothing wrong with that phishing test. In fact the cybersecurity code of conduct is a well researched topic. The social manipulation, threats, fear tactics, real life urgencies are all great examples that need to be trained and tested regularly. There is a great YouTube video that discuss the moral aspect of such tests. [Highly recommend it, check it out](https://m.youtube.com/watch?v=QDia3e12czc) At a previous company they trained people on the SOPs and secured channel/methods that HR, legal or Finance etc will take in case of an emergency and everything else must at all times be perceived as a phishing attempt.

Reply

[-]

flecom@reddit

in all seriousness it's an interesting thought experiment, while i think OP went a bit far and has some other issues (their network, their employees etc) attackers will not hold back, they will not wear kid gloves, they will do whatever it takes to achieve their goals... as such you would think the tests should be just as extreme... right? but what does that really accomplish? will people actually become more aware/vigilant? or will they just stop trusting all communications and basically grind the company to a halt because everyone will be so afraid of making an error they basically become terrified of opening an email or picking up the phone?

Reply

[-]

hellobeforecrypto@reddit

I find these to be self-flagellating. I talk past the sale and ask what we can do to protect ourselves if 100% of people clicked the link?

Reply

[-]

22OpDmtBRdOiM@reddit

How bad do you want it? "I'm from HR and got fired today, click here for a Excel sheet of all salaries"

Reply

[-]

dreniarb@reddit

I did one that said "we want to make sure we get enough donuts for the next meeting - click here to sign up for them". there were no donuts at the next meeting. there wasn't a meeting either but people were still mad. making them think they were getting donuts was bad enough - i can't imagine if i made them think their loved one was injured or dead.

Reply

[-]

flecom@reddit

> there were no donuts at the next meeting not the donuts!!! absolute monsters! hehe

Reply

[-]

PappaFrost@reddit

You can achieve the same result by just showing people a real world example of a scammer using these emotional manipulation tactics. You don't need to resort to doing it yourself in the simulation. I agree that this does cross a line. Just show people real ones that your company has received, which should 'inoculate' people against the scam.

Reply

[-]

hellobeforecrypto@reddit

There are some really antisocial people in this field, huh?

Reply

[-]

fire-wannabe@reddit

Yes this crossed a line. Your logic makes sense, but it ignores the fact that HR probably got complaints.

Reply

[-]

SpeechMuted@reddit

This reminds me of the stories of active shooter drills in schools where they weren't announced as drills and blanks were used to make it "realistic". At the very least, these phishing tests are going to very quickly erode any loyalty that employees have. I would have zero interest in working for a company that treated my emotions so callously, nor would I be willing to continue employing a VP that treated my employees like that.

Reply

[-]

flecom@reddit

> This reminds me of the stories of active shooter drills in schools where they weren't announced as drills and blanks were used to make it "realistic". that's absolutely batshit, let's traumatize kids preemptively in case a traumatic situation occurs?

Reply

[-]

accidentalciso@reddit

I agree with your CTO. Phishing tests shouldn’t be about gotchas to trick users. They are about testing the effectiveness of your training program so that you can improve your training materials. How many users “fell for it” isn’t a great metric because we already know that anybody can be tricked. Instead, focus on reporting rates. If your training is working well, you should see steady increases in your reporting rates over time. Reports is important because it lets the IT/security take proactive action to respond.

Reply

[-]

RandomGen-Xer@reddit

I wish our team had some creativity. After seeing some easily-spotted ones come through for the 3rd or 4th time, I just setup a rule to check for the added headers their program uses, and send them all to my LooksPhishy folder for ease or reporting and getting my virtual kudos each time. Give me a challenge.

Reply

[-]

Brua_G@reddit

All's fair in love, war, and phishing simulations.

Reply

[-]

Problem_Salty@reddit

But it isn't. Not if you want to win the war, are keep your loved ones around. You need an approach that works. Look we don't spank kids anymore because it led to bad outcomes. We need to focus on good outcomes and to get those, you need a positive reinforcement approach or YOU WILL LOSE the war.

Reply

[-]

Brua_G@reddit

https://preview.redd.it/xhcch2gm20xg1.png?width=252&format=png&auto=webp&s=1d3543af76b02d5ccaf04286392db29808158657 You got it

Reply

[-]

phoenix823@reddit

So you're the security guy right? And the basis of all Cybersecurity is risk management, right? So you've gone ahead and performed this test on behalf of the company. Now all of your company's employees believe it is acceptable in the company culture to cause them considerable mental stress and anxiety because a bad guy might do it. How do those employees view company leadership now? What else might be fair game? Who else might try some ASD-inspired "well ackshully..." shit? And how might that impact their relationship to their manager, the company, future hiring, Glassdoor reviews, decreased enthusiasm, loss of "Great Place to Work" bullshit-but-matters-to-the-CEO? Did you think through that list of risks? Did you weigh them with the head of HR who could weigh in on the cultural impact or the CEO who has overall responsibility for the enterprise? Or did you decide "well it's legal, so..." and just let it fly? Seriously?

Reply

[-]

GrizellaArbitersInc@reddit

You crossed the line in my eyes. You can tell users you will be doing testing and give them a carrot for reporting. But you can also tell them things you will never legitimately do as an organisation like email about gift cards or hospital info. Use it to reinforce to them that THOSE ARE ALWAYS the scams. You won’t have a company to protect if nobody wants to work there.

Reply

[-]

Stygian_rain@reddit

You don’t threaten jobs or money (fake pay raises) in phishing tests. Its crappy. This falls under that umbrella. All you’re doing is pissing off users. You don’t want users to hate security.

Reply

[-]

Best-Economics7594@reddit

Youd be surprised how many phishing emails from bad actors literally are just that... pay raises. Happens often and people fall for it often. There is nothing for a botnet to scan a school systems webpage or anything government webpage and find the "CEO/Dean" and send out mass emails pretending to be them with a spoofed domain to its own users.

Reply

[-]

vnoice@reddit

Check out www.greyphish.com </self-promotion>

Reply

[-]

NextSouceIT@reddit

What is this? There is no about page or info. Then it just pops up wanting me to create an account.

Reply

[-]

blueskyn01se@reddit

There is an about page, at the bottom with other links. Looks like this is a real time monitor of new web domains across the internet. And offering a service for companies to monitor for if anyone makes a fake version of your website to try and lure your users into getting scammed. This landing page is damn cool to watch lol….perfect show of how scammers are literally working around the clock to try and trick you into putting your info into a fake login page. Just got one yesterday that sent me a very believable spoof of my state’s department of motor vehicles saying I had an overdue fine to pay. It looked exactly like the real one, except the only functioning hyperlink was that payment portal lmfao

Reply

[-]

F0rkbombz@reddit

They do, and one could easily pull examples of real phishing emails from their spam filter to support phishing assessments with this kind of lure. I think the point is that you have to factor in that InfoSec teams need to maintain trust and goodwill to be successful, while attackers don’t. I wouldn’t consider this type of lure entirely off-limits, but I’d want to make sure my org has clearly communicated what “right” looks like for this specific topic, and ensure we’re getting some value out of it other than just proving that people can be tricked. Maybe run it in late fall to prepare staff for the real phishing emails like this that are usually spike at the end of the year / early next year.

Reply

[-]

Best-Economics7594@reddit

Ya for sure, trust is always 1st. but thats the thing, I know for a FACT my local hospital will NOT call my employer telling THEM to contact ME about my family's health / accident, The hospital will literally call whoever is on file/family member, Not work first. That'll be a HIPPA thing to me against the hospital itself. So people who got this "phising test" with that, Ya its kinda messed up but as long as OP didnt put real info/whatever about family members and was just a link to "CLICK HERE FOR MORE INFO" blahblahb type stuff, I personally dont see anything wrong.

Reply

[-]

angrydeuce@reddit

I would lump PTO in that category too. My boss thought it would be funny to setup an automation to immediately fire a very official looking PTO Denied phishing sim back any time a PTO request comes in. Got me with it once and gave me a bunch of shit as "I should know better" but completely ignored my point that, given that this was an automation that only fires when legit PTO requests are submitted, its not really in the spirit of the point of these tests...i.e., if we have a man in the middle attack going on related to PTO requestsp, with all the access controls, geoblocking, and SOC monitoring we have implemented, a single phishing email is the *least* of our problems as that means the call is coming from inside the fucking house and we need to kick our vendor's asses. Still didn't stop him from bringing up that I fell for a phishing email during our next huddle...fucker. Anyway, I told him "cool, good to know, well in that case Im just going to assume every PTO request I put in is approved since youre going to phish everyone with fake denials that can only be triggered via a request via our legit, MFA-enabled, payroll platform. So, you know, if you really are denying my PTO for some reason, you better get on the phone and tell me cuz I *will not* be at my desk otherwise lol

Reply

[-]

matthew7s26@reddit

That's some bullshit right there. One of the main things we train users on for detection is "were you expecting this email?" His setup just totally compromises that effort.

Reply

[-]

angrydeuce@reddit

He seriously thought he was so clever and threw a "Ha, *GOTEEM*! at me when I immediately called him up and was like "Dude, what the *fuck*?" Want me to never look at an email notification coming from our payroll platform again and just delete them immediately? Because thats how you get people to never look at email notifications from our payroll platform ever again. Good thinking, that.

Reply

[-]

injury@reddit

It gives Michael Scott and the fake firing vibes

Reply

[-]

Jaereth@reddit

Omg we just watched the one where he fake fires Stanley lol.

Reply

[-]

flyguydip@reddit

Or declaring bankruptcy vibes, or giving scholarships out to inner city kids vibes, or panicking in fake fires vibes. lol

Reply

[-]

Tessian@reddit

This sooo much. Just because attackers will cross any line doesn't mean you do. It's a shitty thing to do to employees you have to work with and contrary to what you claim- having employees who don't hate their infosec program is very important if you want anyone to bother reporting a real problem to you.

Reply

[-]

ReptilianLaserbeam@reddit

also, if there are no off-limit topics they will treat every email as a phishing simulation-phishing test and either open everything or ignore everything which wouldn make the real test numbers look extremely suspicious.

Reply

[-]

Int-Merc805@reddit

Ok, just playing Devil's advocate here. We only get scams targeting pay, raises, union negotiation process for more pay, etc. That and we get the ones where a relative died and they want to offload their entire life for cheap. I have simply used the scams themselves as a blog type of post alerting people to the potential scams. It is a topic of conversation in our office weekly though. Should we be testing similarly. Our folks don't fail our internal tests, because they know about them. The pay/family death ones clearly tug at a heart string that is causing failures.

Reply

[-]

Nexzus_@reddit

Mentioned above that our most "successful" (read abysmal) phishing test was about annual bonuses.

Reply

[-]

statikuz@reddit

>You don’t threaten jobs or money (fake pay raises) in phishing tests. Its crappy. I mostly agree, especially if its specific and will reasonably hype them up rather than just create curiosity. (e.g. the difference between "review your bonus!" and "new pay scale documents"). You don't want to make people feel like Clark Griswold opening his bonus letter and then going "lol jk phishing test." There is some value in teaching people that phishing preys on urgency and curiosity but be very careful (i.e. don't do) things that will create acute emotional reactions.

Reply

[-]

PumpkinNo4869@reddit

I would argue a fake raise or bonus is not much different than the thousands of fake 'free ipad/you won the lottery' pop ups people got so long as you leave the email looking a bit sketchy. Faking an email from HR/internal communication saying a relative is in the hospital is just fucked up on a completely different level though.

Reply

[-]

Expensive_Plant_9530@reddit

Yeah I remember hearing about the phishing test where it was a fake Christmas bonus. Yes, objectively, that’s absolutely something a phisher will try and use against a user. But on the other hand, that being intentional by management is very tone deaf and hugely bad for morale. I’m not 100% convinced this falls in the exact same category as the job and money ones, but it does feel like it crossed a line. You want to work with the employees, not against them.

Reply

[-]

AGsec@reddit

\>my employees as much as I care about protecting my network. bro

Reply

[-]

Puzzled-Formal-7957@reddit

what's wrong with that?

Reply

[-]

banjo_boy45@reddit

You did nothing wrong. You did your job. You deserve a hug.

Reply

[-]

demonintheteahouse@reddit

You only crossed the line in the sense that you ignored internal operational politics. From a security standpoint, it’s brilliant security awareness training; however, security is also about navigating red tape and operating in a way that leadership deems acceptable no matter how “right” you are.

Reply

[-]

fonetik@reddit

If you’ve ever worked at a company that really pushed fire drills and emergency preparedness, this is sort of along the same lines. You should be doing all of that and fire safety is important to train on… but most places don’t do it. And if you’re the guy that never shuts up about fire safety keeps it up, eventually other solutions prevail. In my mind, this executive just told you one view and that’s worth validating before you drop it. But then drop it and be right if the worst ever happens. The mode I went with was “yes to making it less for the org, but these very high profile people with extra access that could be targeted by hackers? They get the extra training. We test them and let them know they are being tested. High alert.”

Reply

[-]

xs0apy@reddit

You say you ran this by legal, but did you run it by HR? Anything can be legal, doesn’t mean HR is gonna like it. And don’t get me wrong, I see you said you’re a VP level position there, but I kind of see their point. I think the point they’re attempting to make is that you ran poked employees with a narrative that is going to raise the hairs on the back of people’s necks level scared. You are totally right that threat actors aren’t going to hold back, but threat actors don’t have to provide mental support and handle the fallback after their actions, the business kind of does. I think it’s a great idea, but for something like this I would want major support from people who sign my paychecks first before doing a dramatic phishing test that’s gonna require explanations to people after their fact. HR is going to want to be ready for the onslaught of grievances that will inevitably come, which I am sure is what really got the CTOs attention. Good intentions, but you should’ve got support for this first because now HR and management can throw you under the bus and say they didn’t even know.

Reply

[-]

thedudesews@reddit

Thanks for the fiction Josh

Reply

[-]

Hangikjot@reddit

yeah... don't do that. Just send them the 5 to 15 minute training videos a few times like 1 to 4 times a year, and a monthly email with screenshots of examples of phishing attempts you have captured in the past month, with some arrows pointing how what users should notice.

Reply

[-]

Admirable_Strike_406@reddit

This fake

Reply

[-]

hitosama@reddit

There are a lot of things we as humans in general could do to improve almost every aspect but we aren't because of emotions, ethics, morality etc. Think about that for a bit.

Reply

[-]

Indecisive-one@reddit

Wow, that is definitely crossing a line. You’re taking phishing sims way too seriously.

Reply

[-]

Ihavefourknees@reddit

That was SO far over the line it's crazy you even have to ask. I've never once seen a real phishing email go anywhere close to where you went.

Reply

[-]

Tessian@reddit

Remember this? [https://www.cbsnews.com/news/godaddy-apologizes-insensitive-phishing-email-bonuses-employees/](https://www.cbsnews.com/news/godaddy-apologizes-insensitive-phishing-email-bonuses-employees/)

Reply

[-]

traumalt@reddit

You mean an example of a very successful phishing test? Christmas gift cards/ end year bonuses are one of the most popular ways to do such tests, I'm not sure why there was even such an outrage in the first place over that one. I mean, "click a link" and "fill out a form with your personal details"? literally exhibit A as an obvious phishing attempt...

Reply

[-]

ibreatheintoem@reddit

Used to have a boss that would tell us "don't do anything that will get you or the business on channel 2, 5, 7, or 9. We have a PR department for that"

Reply

[-]

sadmep@reddit

Are you agreeing with who you are commenting on or disagreeing? Because typically the goal is to NOT act in a way that your company has to issue a public apology.

Reply

[-]

Tessian@reddit

I'm agreeing with him for the reason you pointed out.

Reply

[-]

EnhancedEddie@reddit

That was obvious btw. If a company as big as godaddy needs to issue a public apology for offering fake bonuses, then this is wayyyy over the line. This is much worse, and I would be pissed as an employee. If I’m the VP, I’m firing OP. His attitude regarding employees and inability to consider both sides is not fit for leadership.

Reply

[-]

thargoallmysecrets@reddit

Lmfao "but you didn't play fair in our war games!" Be fr fr

Reply

[-]

Best-Economics7594@reddit

This.

Reply

[-]

Usual_Ice636@reddit

>I've never once seen a real phishing email go anywhere close to where you went. Thats a common one over text and phone calls. Rarer for email.

Reply

[-]

kicsi2l8@reddit

Probably crossed a line a bit. When using HR related phishing templates, I always get buyin from the head of that team prior to sending something like that, since I wouldn’t want them and their team to get caught off guard by multiple people reaching out to HR with questions. I let them decide if they want to confidentially inform their team members. Same if it’s another department that’s “spoofed” in a phishing email test (like legal, finance, etc.). Especially with sensitive templates like the one you describe. You never know what maybe happening in peoples lives.

Reply

[-]

DJMagicHandz@reddit

I would go to HR about this TBH, you clearly crossed an extremely delicate line. You're lucky to still have a job.

Reply

[-]

Draft_Punk@reddit

How are you the VP of Internal Audit AND Cybersecurity? Those two roles can’t co-exist.

Reply

[-]

dataBlockerCable@reddit

VP of IA and Cybersecurity...and posting on reddit for advice...Are you going to take the responses and throw them in the face of the CTO?

Reply

[-]

repooc21@reddit

No line crossed. This is a good opportunity for you and/or the rest of the leadership to drill that message in.

Reply

[-]

Honolulu-Blues@reddit

Lol. I'm sure pissing off your employees is a good idea! Same with destroying the companies trust in you. This is surely not something that could be presented as something an attacker could do in training and reminding people to be vigilant.

Reply

[-]

repooc21@reddit

.... you never heard of people falling for this shit over the phone? If OP feels it necessary to smooth things over with the user base and/or the CEO, he could issue an apology. Something along the lines of "I'm sorry if that upset you..." We all know soft skills go a long way but c'mon now. He's doing his job. This is an excellent training opportunity to drill into everyone to stay calm. Use your head. In the history of ever ever has anyone ever rattled off their loved ones work email address as a point of contact? That email should have been an instant eyeroll and delete.

Reply

[-]

Honolulu-Blues@reddit

Where in the job description is using emotional manipulation against your co-workers listed? I'd be interested to know which company requires that as well. I've worked with several agencies and the DoD and we sure as hell never did such a thing. And the consequences are much higher there. So I'm interesred in why it is some of you think you need to take such actions?

Reply

[-]

repooc21@reddit

You act like he waged war against co-workers to get someone to quit. His legal department gave him the greenlight. Don't be so soft. This whole thing should be a learning experience for his user base and every one in this sub. Bad actors will do what ever it takes to get you to give them what they want. Full stop, no further discussion. He used a phishing test to demonstrate this.

Reply

[-]

Honolulu-Blues@reddit

"You act like he waged war against co-workers to get someone to quit." I don’t. I’ve simply stated the facts. It’s morally suspect, bad for company culture, weakens overall security posture by decreasing trust, and shows a gap in administration and communication. "Bad actors will do what ever it takes to get you to give them what they want. Full stop, no further discussion." Bad actors will do whatever it takes to get what they want. That’s obvious. The question is whether your internal program should mirror that at the expense of trust and effectiveness.

Reply

[-]

SemiDiSole@reddit

Oh please, people are always pissy when they fail their tests. You simply need to communicate that you are just doing your job and have no malicious intent towards them. It's just part of your job, to make sure that they don't fall for shit like that.

Reply

[-]

FauxReal@reddit

I think causing people emotional distress thinking their family is in danger is much worse than professionally pissing off the workplace culture.

Reply

[-]

SemiDiSole@reddit

If you actually fall into distress over this then that is on you.

Reply

[-]

FauxReal@reddit

Sure, and you still have to deal with the fallout. It doesn't matter how technically correct you are.

Reply

[-]

repooc21@reddit

lol ![gif](giphy|5xtDarmwsuR9sDRObyU)

Reply

[-]

Honolulu-Blues@reddit

Sending people emails that their family members have been in a terrible accident is not part of the job lol. Especially without prior approval and proper communication

Reply

[-]

SemiDiSole@reddit

Task was to phish and damn did they deliver, they exposed a significant weakness in the company. Furthermore if you don't define any Rules of Engagement that's on you, not OP. They just did their job.

Reply

[-]

Honolulu-Blues@reddit

If you can't draw that line yourself you aren't fit for the role.

Reply

[-]

SemiDiSole@reddit

If you are unable to draft RoE before any sort if test you are unfit for IT as a whole lmao. Lazy ass attitude.

Reply

[-]

gamebrigada@reddit

It's important to remember that when you're doing phishing campaigns, tricking the users into failure is not the point. You're trying to teach people to be cognizant, aware and suspicious. Not to terrorize them that they suck. You also need to be careful about playing too much on peoples emotions. Yes, you are correct that it would be ideal to get people to bypass their emotions when it comes to your businesses security. However this is just not reality and is not something you can accomplish without severely ruining your company culture. For those cases, that's why you have layers. You're never going to achieve perfection for when just the right email, with just the right words, plays on the users emotions in just the right way, and still force them to think twice. The best approach is to be a bit more hands off. KB4 for example has a FANTASTIC stream of recently reported phishing emails. There is always huge variety, and they are very much what falls through our filters. Because we shuffle them and everyone doesn't get the same thing, and one hits a little too close for home, I can just say "sorry I don't select them they come from our security stream", and at worst its just a few users so I can just apologize.

Reply

[-]

JacksGallbladder@reddit

> Well, I got pulled aside by the CTO and was essentially told my phishing test crossed the line. I informed the CTO that everything was run past legal and breaks no laws. Yeah you broke no laws, but you're an ignorant dickhead for sending this kind of phishing test out, because for a breif moment a lot of people thought their family member could be seriously injured. You absolutely crossed a line.

Reply

[-]

800oz_gorilla@reddit

I don't think so and I agree with you. We've been hit once and it cost a lot of money. Attacks come from trusted partners, spoofed domains, even co-workers who have let someone into their account. Point of phishing simulation attacks or to remind people of that. I know someone who was being plagued by a former employee who was calling her at work, saying they had her son and to say goodbye. Someone was screaming in the background yelling for mom. And that was just a revenge attack They weren't trying to get her to do anything. AI is going to significantly accelerates the sophistication and targetedness of these attacks. Just make sure you leave enough clues in your simulation email that it's a fake. The goal is to keep people on their toes not give them a heart attack.

Reply

[-]

vnoice@reddit

Check out www.greyphish.com </self-promotion>

Reply

[-]

800oz_gorilla@reddit

That was fast. Hello Bot!

Reply

[-]

The_Wkwied@reddit

Generally, was a line crossed? **No**. You're right, bad actors will pull on the heart strings. Did you personally cross a line? Yeah, your leadership has expressed that much at least. They are the ones that sign your check, if they say you crossed a line, a line has been crossed, no matter how arbitrary it is. If you're at odds with your leadership, I think a good course would be to have a third party cybersec team send out the phishing trainings. That way, when they say that 'your kid is dead, can you enter your password so you can find out what happened'?, you can point to the third party who will say the same thing that you did, that bad actors will play on the heart strings.

Reply

[-]

VeryRareHuman@reddit

I am really sorry to say - Good luck keeping your job. Of all the options you want to scare employees that their family is hospital or may be dead. Wow! You didn't think through. You def crossed the line.

Reply

[-]

Normal_Choice9322@reddit

Nah you're insane to do that I'd probably knock you the fuck out

Reply

[-]

realmozzarella22@reddit

I understand your basic perspective. But you will lose a lot of people with how you manage this. Things like this should be done with more care. You’re smashing through like a bull in a china shop. It should be more like a careful surgery. Yes the hackers are ruthless. But you are not the hacker. Train them wisely.

Reply

[-]

deathtron@reddit

Eh. Next time clear that with HR or your boss. Your assumptions are all correct, except that it’s not “your” network.

Reply

[-]

DrMacintosh01@reddit

It’s the Executives network when things are going well. It’s ITs network when a breach happens.

Reply

[-]

TraditionalHousing65@reddit

Yes, you just described the life of an admin. Our job is to keep the lights blinking, so of course it’s on us when a breach happens.

Reply

[-]

DrMacintosh01@reddit

When execs stop you from keeping the lights blinking

Reply

[-]

TraditionalHousing65@reddit

When the lights start paying you every two weeks then you can prioritize them over what your execs want.

Reply

[-]

Free_Break8482@reddit

So the message I'm getting here from all the replies is make my phishing emails really personal and high stakes because that's apparently off limits to internal security training.

Reply

[-]

sabre31@reddit

Get your resume ready. I would hit that update-resume.bat file. You will be the most hated person and execs will just look to remove you.

Reply

[-]

VA6DAH@reddit

Honestly. I would mention to be suspicious of emails saying family is sick, especially in training videos. Would I simulate them? Oh hell no. It crosses a line.

Reply

[-]

itsmrmarlboroman2u@reddit

You're not ready to jump to CISO if you're here asking why this crosses a line. You need some serious soft skill training and corporate mindset adjustments. I would recommend studying for CISSP; you'll learn a lot about how to make decisions for the business.

Reply

[-]

Aware-Owl4346@reddit

Why do I get the feeling OP doesn’t have kids, maybe doesn’t have a wife? Because if someone planted the idea that those people were injured as some sort of test, it would be game over.

Reply

[-]

Quagmoto@reddit

Yikes! 😳 SAT is important but we vote in small groups on what the content is and this one would’ve been flagged as going too far.

Reply

[-]

NightMgr@reddit

In The Office episode "Stress Relief" (Season 5, Episodes 14/15), Dwight Schrute intentionally sets a fire in a trash can in the annex to test fire safety protocols, causing mass panic, chaos, and a, heart attack for Stanley. Dwight locks the exits and heats door handles, which results in the staff breaking windows and ruining the office in a chaotic panic.

Reply

[-]

tagged2high@reddit

I will say I've seen other organizations complain about phishing tests like yours, so in that sense your experience isn't unusual. I agree with you that the real phishers don't pull punches and your test is accurate to a real and professional effort by bad actors. That said, the average corporate leader isn't likely to care about realism, and is more interested in preventing having to deal with the angry complaints they'll receive from employees about their falling for the test. You probably won't win the battle. No one does a fire drill with a smoke machine, locked elevators, and forcing all staff from the skyscraper into the street.

Reply

[-]

arkiverge@reddit

This one of the best examples of being both right and wrong at the same time. As someone else said, this isn’t your network, it’s the company’s network. Assess the cultural impacts of these kinds of choices and run them past whoever top-level decision maker should be accountable and don’t take a company decision that you disagree with personally. Unless it’s truly wrong or risk-laden standing you should let the company decide what it wants to do.

Reply

[-]

Magusds@reddit

I have always disliked the whitelisting of the fake phishing mail. The best phishing mail test is one that isn’t caught by your guard rails.

Reply

[-]

KiefKommando@reddit

Yeah I was with you until I read the subject matter of the phish test, that one might have caused panic for employees who already had a loved one in the hospital. There’s a right way to do what you were trying to do but there’s no need to god that hard for training. The point could have been made with some other email from HR, just not that specific one.

Reply

[-]

Intrexa@reddit

When people believe something has happened, the body reacts as if that thing had happened. From the time when someone read and believed the message, to when they found out it was fake, there is no difference to them if it was fake or real. For that 15 minutes, their family members were hurt. For 15 minutes, you hurt one of their family members so badly, that they couldn't even use a phone to call the employee, that some cop or hospital worker had to look up relatives places of employment to contact family. That's the kind of shit where people are going to have nightmares for months. That's the kind of shit where every email notification they get for the next couple of years their stomach is going to drop because it reminds them of that time their mom was seriously injured in a hospital. I also like how the two options you present as "crossing the line" or "incredibly morally sound, didn't even come close to crossing the line". I'm coming back with incredibly far over the line. You don't care about employees? It's not morally right to hurt people to add another layer of protection onto an intangible object. Also, final notes, this is likely going to hurt the network overall. Abusing people creates hostility, they are going to care even less about anything IT does now. They are going to look into every way possible to create shadow IT and bypass processes, because they don't want to work with you.

Reply

[-]

hardeningbrief@reddit

I have split opinions on this. Yes, it's your job to keep your network protected. But I also understand your CTO for talking to you about it. Attackers aren't going to hold back, and a well crafted phishing mail like this has been the reason for a lot of security measures at the perimeter failing. But next time, I would suggest using urgency in another context. Yes, your job is important, but it's not worth ruining the realationship with people at your company for it.

Reply

[-]

Prize-Star-9671@reddit

You talk to the CTO like they work under you. When c-suite says you’ve crossed a line, you’ve crossed it. And it’s much more their network than it ever was yours. Are you footing the bills personally, or is the CTO’s budget paying for that network?

Reply

[-]

iamabdullah@reddit

How the hell did you become a VP???

Reply

[-]

conspicuousxcapybara@reddit

It’s sometimes best to ask for permission from an authority you trust within the company. Idk, that CTO or the Privacy Officer or whatever, since your target was HR.

Reply

[-]

Unusual_Bake_1482@reddit

Did you ever work helpdesk or did you go straight to cyber security? I would be surprised if you are still employed in a couple of weeks. You crossed a line.

Reply

[-]

ReptilianLaserbeam@reddit

there are some topics that are off-limits at least on tests: family, money and religion. Just avoid those for your peace of mind. Also, it doesn't hurt to inform the C-suite, or at least your CTO in this case that your team is going to run a simulation, they probably would want to approve it beforehand.

Reply

[-]

AH_Josh@reddit (OP)

Our C suite is our biggest offenders. Informing them would invalidate the most important part of the test. For example. A real threat actor phished a C suite, spammed the 2FA until he clicked "approved" to "stop having it pop up". He called me an asshole for telling him what he did was wrong.

Reply

[-]

subpardave@reddit

The more you have explained about your organisation the more frankly insane it seems. I get it's a small outfit and has been breached in the past but getting out of there really may be worthwhile. When the inevitable happens again - and with this lot, it will - they are going to point at you.

Reply

[-]

TrainAss@reddit

Why are you using that shitty of MFA that it enables and allows MFA fatigue? That's on you. Hell, Microsoft even stopped the "allow" option. Now you have to enter or confirm a number displayed on the screen.

Reply

[-]

FauxReal@reddit

Might have been cool with legal for technical reasons but, I think if you're going to cause a bunch of people in the office to be emotionally upset over thinking a loved one is seriously injured... Well that's not going to bode well for people's concentration or morale/trust in the workplace. Either way, if the executive says don't do that. Don't do that.

Reply

[-]

elatllat@reddit

> I will randomly run phishing tests, we NEED to do at least one per quarter, Or just bounce all emails with domains not on an allow list.

Reply

[-]

AH_Josh@reddit (OP)

I have no control over our infrastructure. I cant even *see* ACLs in firewalls. Im not allowed. Plus all the alerts of regular ass users downloading whole .exe's over the internet? Safe to say I don't trust the team running our DLP/Filtering.

Reply

[-]

subpardave@reddit

That's... Crazy. At least read only access, or even full cfg dumps. Your org sounds seriously disfunctional.

Reply

[-]

AH_Josh@reddit (OP)

It is. I am not refuting that.

Reply

[-]

rynoxmj@reddit

I would have fired you. The emotional distress you inflicted on your colleagues completely lacks empathy and would likely would pass the sniff test for a hostile workplace complaint.

Reply

[-]

notainotbot@reddit

I 100% stand by you OP. People dont realize that in a bigger sense, this might one day prevent hospitalization of our family members (ok this is stretching it too far but you get the point)

Reply

[-]

jadedarchitect@reddit

Malicious actors will pose as HR, sure. An employee should never pose as HR without direct authorization. I've personally terminated C-level accounts where someone's head got a little big for their britches, and they did something similar like send out "HR" communications for whatever reason , and they got fired as hell. Yes, you crossed the line. No, phishing tests are not bad. Yes, that PARTICULAR test is going to cause ripple effects, which is why you crossed the line. From morale to retention - that sort of "Your wife/dad/mom/whatever is in the hospital" email is kinda f\*cked up, coming from your employer. What happens when there's a real emergency, people ignore it cause they think it's a phishing test? Think it through man, you sound like you need to take a step back on this being "your" network. It's not yours - never has been and never will be. You ran it past legal, but you didn't run it past HR - 90% of companies would never approve that sort of message as a phishing test, it looks reaaaaaal bad lol - go apologize if they give you the chance.

Reply

[-]

Lucky-old-boy@reddit

![gif](giphy|SF4aJKqEchIiY) There are lots of serious things you can do to get people to click, but that is one that’s not cool. Also, not a common target most bad actors use

Reply

[-]

ThisGuy_IsAwesome@reddit

I personally would not use something like injured family member or bonuses from work. Gift cards and all that I’m good with. Just doesn’t sit well with me. It’s just something I can’t do.

Reply

[-]

Swimming_Office_1803@reddit

I’ve got the stick once for impersonating Microsoft with free invites for an event where the company was a sponsor. Some people reported it to MS instead of internally and that stirred shit up with the partnership manager and some other higher ups. I just said “I get the optics on this of the partner, but the event and our sponsorship are public info. Just as I thought of it, any bad actor could do it for a targeted attack. If you want easy so everyone passes, get someone else to manage the testing” Not sure if I’d go the personal life route as you did, but I agree that sometimes we need to craft some stuff that goes beyond the usual templates.

Reply

[-]

Secret_Account07@reddit

Yeah that’s not cool man. Don’t fuck with people’s feelings. If I got the email my heart would skip thinking one of my coworkers was seriously hurt or going to die.

Reply

[-]

DrMacintosh01@reddit

Your SpecOps proved just how easy it was to compromise your company and your job yet you look at your team like their are the bad guys? Get real!

Reply

[-]

rootofallworlds@reddit

Nah I'm with the parent comment here. Yes one compromised employee account sending phishing emails to other employees is a real threat, but if you are going to simulate that, you absolutely need to plan for the effect of that on the real employee!

Reply

[-]

DrMacintosh01@reddit

That was an oversight for sure. But not really sure how they could have prevented it?

Reply

[-]

sadmep@reddit

"Hey Bob, it's Alice in secops. Would you be cool if we use your name in our phishing test to simulated a compromised user? You're cool with that? Excellent, thanks!"

Reply

[-]

statikuz@reddit

You don't see the problem here? It is not *we did a realistic test* it's *we did a realistic test without apparent thought or approval*.

Reply

[-]

AH_Josh@reddit (OP)

It was approved by the required signees before being sent.

Reply

[-]

DrMacintosh01@reddit

OP said they got it approved by legal (and I think they mentioned approved by HR somewhere)

Reply

[-]

EnhancedEddie@reddit

Who said anything about compromise? OC said nothing of the effectiveness of the test, only that 50 people personally reached out to the affected employee. That’s basically harassment meanwhile he’s trying to get work done. Completely unacceptable. Stay away from management or anything involving people.

Reply

[-]

DrMacintosh01@reddit

What about impersonating a user and getting 50 people to believe it isn’t a complete failure for the organization?

Reply

[-]

EnhancedEddie@reddit

50 people reaching out for verification* The idea scenario

Reply

[-]

anonymousITCoward@reddit

>Don’t fuck with people’s feelings. Oh I don't know about that... the time I sent out an email saying they won the lottery was pretty fun 100% fail rate... the best part of it was that we don't have a lottery here.

Reply

[-]

ihaxr@reddit

I really hate when people remove the `[External]` flag from emails for regular phishing tests. It's not a valid testing scenario and if your Exchange transport / anti spam / white listing rules are compromised you have a much bigger issue than a user clicking on a link. Maybe as a once a year test, sure. But doing these multiple times in a quarter is just malicious on your part.

Reply

[-]

____NEBULA@reddit

You genuinely sound like a psychopath. And an idiot

Reply

[-]

OneSeaworthiness7768@reddit

>It was designed to be HR Okay… >reaching out because a family member was seriously injured. Click the link to get the hospital info and contact info. Oof! That’s pretty fucked up man. I completely understand the backlash and this is *not* something I would stand my ground on. While you may not have crossed any lines with legal, this is just something that runs a high risk of upsetting the employees. I think there are better ways you could go about training them on that type of scam.

Reply

[-]

TechMonkey13@reddit

Seriously thought this was r/shitty sysadmin for a hot minute cause damn that's the shittiest phishing test I've ever heard anyone do. I'd fire you. I'm not even kidding. That's horrible. You're a piece of shit.

Reply

[-]

F0rkbombz@reddit

I don’t think this was a good phishing assessment. Your assessment seems like it might rely on internal knowledge as part of the lure, and seems like it was just designed to prove people can be fooled, which is pretty much table stakes at this point. You do you, but we build all our assessments based on real phishing emails that hit our org or are trending in threat intel / cyber news. This way we are actively educating people who fail against a real risk that’s easy to prove.

Reply

[-]

sarge21@reddit

>Again, I don't care about my employees as much as I care about protecting my network. That is my job. Your network only matters because of people like the employees/customers/end users. A network without people is worthless. >I also stood my ground and said that serious threat actors aren't going to hold back. You weren't hired to act like a threat actor. You were hired to protect people. Traumatizing people is so fucking obviously wrong. The actual mistake itself deserves a reprimand. the fact that you made this follow up post saying you care about your network more than people as a defense means that you're probably not suited to involved in decision making at all. >So, I am coming to you guys to ask, did I really cross the line? Or is this phishing test well within morally white areas. I stood my ground but find myself second guessing. It's not even a close call. I would immediately fire you. Don't fucking tell people their loved ones were hurt

Reply

[-]

Kilobyte22@reddit

Please don't use tests that try to trick the user. I really like this blog post, it covers that topic: https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html?m=1

Reply

[-]

KeyComprehensive5917@reddit

Yeah bud you screwed up here. You should own it and apologize. The purpose of the phishing campaigns is to educate, not protect the network. For a security engineer, this is the wrong hill to die on. Now you lost the confidence and trust of the users, and expect those users to find ways to circumvent security.

Reply

[-]

publicdomainadmin@reddit

r\\ShittySysadmin

Reply

[-]

jort_catalog@reddit

Found the Windows user

Reply

[-]

Zer0C00L321@reddit

I actually think this is one of the best ways of testing your security. It will absolutely show you where weaknesses are. On the other hand after reading some of the other comments though it brings some light into the situatuon though. If the company as a whole says no don't do that. Sometimes you have to choke down your pride and say you got it.

Reply

[-]

tarkinlarson@reddit

Please do it. Why not put a fake portal behind it to sign in with username and password to see how bad it gets. ![gif](giphy|pTQUOfSmjo2hG)

Reply

[-]

redfiresvt03@reddit

The lack of empathy in the statement “I don’t care about my employees as much as I care about protecting my network” makes you unfit for a position of leadership.

Reply

[-]

Tuuulllyyy@reddit

Are you a psychopath?

Reply

[-]

bang_switch40@reddit

We call this "Lawful, but awful"

Reply

[-]

randommonster@reddit

I did one with a "Birth Announcement" photo book of a popular sales person at our office. I got a better that 70% hit rate with that one. Hackers use Facebook too was my defence. you are doing good work. My network only has problem when users are messing with it.

Reply

[-]

PDQ_Brockstar@reddit

You're not wrong, and you'd be getting chewed out if that exact scenario happened and your users were compromised because you didn't training them. HOWEVER, it definitely gives off pretty gross vibes. How often do you do in person security trainings? I would maybe leave these types of scenarios to in person trainings so they can understand the threat and the scenario without having to cross any lines.

Reply

[-]

knxdude1@reddit

If I had received this when my father was sick before he died I would have found you and kicked your ass. I mean honest to god physical assault, you pulled a dick move and got called on it. Learn and move on

Reply

[-]

fdeyso@reddit

On the other hand they use these tactics in real life, more for spearphishing type attacks, i agree it’s a bit immoral, but attackers won’t have morality either. No one should be using work emails to personal communications outside work, hr would call but even that’s weird.

Reply

[-]

sadmep@reddit

>attackers won’t have morality either. You should have better morality than phishers.

Reply

[-]

fdeyso@reddit

Yes, but you’d have to prepare users somehow, if i’d plan something like this i’d consult HR at least and have everyone fully on board.

Reply

[-]

sadmep@reddit

Yes, you have to educate users. But this isn't a binary choice, the only offerings aren't "Be as bad as the bad guys" or "do nothing." The right thing to do is somewhere in the middle.

Reply

[-]

fdeyso@reddit

Agree, tbh i’d built it into a HR email, saying “we’ll never send something like this and a couple of screenshots” or something like that and clearly establish how it’d be communicated if it ever happens.

Reply

[-]

knxdude1@reddit

I don’t disagree but it’s bad form. Reddit auto mod didn’t like my reply so it deleted it 🤷

Reply

[-]

MisterIT@reddit

This absolutely crosses a line, and it’s scary that you don’t see it.

Reply

[-]

mander1555@reddit

I would not use a phish test like that.

Reply

[-]

Vesalii@reddit

Is the 38% figure real? That's horrible. It shows that you run proper testing. Don't fold to the CTO.

Reply

[-]

-King-K-Rool-@reddit

Legally speaking youre fine... from every other viewpoint youre a POS. > I dont care about my employees I care about my network GG, you dont belong anywhere near your current position. Its not your network and or your employees. I'm glad you dont care about them though because after this phishing email I guarantee they dont give a shit about you. 2 years from now youre still going to be dealing with the backlash of this. "Hey, security says you cant use this software anymore" "The dude that sent out a fake email about my mom dying? Lol fuck him, I dont care"

Reply

[-]

The_Blue_One@reddit

Honestly, I don't think you're wrong. I just heard about this story [https://www.wwnytv.com/2026/04/19/family-reunites-with-dog-after-alleged-scammer-used-ai-photos-try-extort-2700/](https://www.wwnytv.com/2026/04/19/family-reunites-with-dog-after-alleged-scammer-used-ai-photos-try-extort-2700/) Like you said, if scammers aren't going to hold back, why should you? People already complain about the fake raises or fake gift card phishing emails. They'll keep complaining, but they'll be in deeper trouble if they are the ones that fall for the scam that costs the company potential millions.

Reply

[-]

sadmep@reddit

>if scammers aren't going to hold back, why should you? Because you should hold yourself to a higher standard than a scammer.

Reply

[-]

poorleno111@reddit

Lol this is why folk don't like infosec.

Reply

[-]

HugeButterfly@reddit

Employee moral might be the facet that's not jumping out at you. Keep the network safe while not making employees feel screwed-with by their own employer. It's more difficult than actually phishing someone but it's important to your superiors.

Reply

[-]

Pyrostasis@reddit

Yeah Id have an issue with this as well. You are going to piss off a lot of folks, spike half the orgs blood pressure for nothing, and could panic several folks. There are plenty of ways to test with out scaring folks someone in their family is seriously hurt.

Reply

[-]

Forsaken_Squirrel_31@reddit

Yeah that's a little much for ethical reasons but in your defense an attacker would most definitely use similar tactics. I don't think you're right but I don't think you're wrong either.

Reply

[-]

TallBoy_Ryan@reddit

I also run the phishing tests at my job and can confirm that you fucking suck dude. Never even once considered pretending someone’s family member is in the hospital and then getting mad that they panic and freak out. Incredible rage bait though, you piece.

Reply

[-]

nacho_night@reddit

I wish you were my boss, good shit holding your ground imo.

Reply

[-]

Major-Error-1611@reddit

You should focus less on these extreme phishing simulations and start looking I to phishing-resistant credentials/MFA and other security controls that will protect the user account even if the user's password gets phished.

Reply

[-]

subpardave@reddit

Realistic and punchy phishing tests are all well and good - done them myself in the past. But.. run it by someone incase you are flying too close to the sun.

Reply

[-]

After-Vacation-2146@reddit

You were wrong on this. I understand that TAs don’t hold back but we exercise restraint to not cause undue strife with employees. Some things are considered sacred, such as pay/compensation/layoffs, and you broke that covenant. Have legal and HR weigh in on your lures next time or give you an unacceptable topic list.

Reply

[-]

sibble@reddit

You had positive intentions but crossed the line - there are other ways to create urgency.

Reply

[-]

Defiant-Chip6513@reddit

Yea.. That's a no... You are a robot targeting human emotions at that point. That's something that should be training on with the user's knowledge of what's going on. I have a BS in CS and MSDA and my heart would still sink if I got an email like that. Human emotions...

Reply

[-]

rootofallworlds@reddit

If the email was very generic, I'll go against the grain and say it's borderline. When it comes to phishing testing my attitude is "don't be a dick", yes the attackers are but we don't need to stoop to their level. Our goal should be to reduce the likelihood of users falling for a real phishing email. Angering the userbase, making the 'story' about how cybersecurity and the company are bad, driving a wedge between us and other departments, these are counterproductive. The classic one is phishing tests around raises and bonuses. There is one time when those are acceptable - when the employer is *actually* doing raises or bonuses. Now if the email said a specific relative, eg "We got news your mother has been seriously injured", or even worse put names of employees' relatives in the email as a spear phishing simulation, then you went WAY over the line. In any case, you're going to need to agree with the higher-ups what kind of bait is and isn't acceptable.

Reply

[-]

Candid_Department924@reddit

You absolutely crossed the line. This is not normal behavior.

Reply

[-]

npaladin2000@reddit

You did your job. Unfortunately sometimes it's our job to piss people off (because they can't install their favorite idle app) or make their life difficult (because they have to change their password so often and why isn't "password" acceptable?). Likely your CTO is management rather than technical? It probably "crossed the line" because he fell for it and it's a bad look. Or one of his C-suite friends fell for it and gave him an earfull. Unfortunately, when we do our job right, people don't like it. But it frankly shouldn't be our metric anyway. You have it right: your job is to protect the network, the systems, the data, etc. The second something gets compromised, especially through a phishing email they'll ask you why you didn't train people well enough.

Reply

[-]

FaceEmbarrassed1844@reddit

I am not sure I would do the same. The fact you personally crafted that email and didn't use a template is a wild move. You aren't wrong but you need executive buy off if you are going to cowboy stuff like that.

Reply

[-]

MagillaGorillasHat@reddit

You've definitely lost the plot. It's not you vs. the employees.

Reply

[-]

caltrop_cereal@reddit

yeah i think your deranged. this isnt "your" network unless you have shares in the company, and this crosses a line that does not need to be crossed to remind people to be wary of suspcious links.

Reply

[-]

PM-ME-BATMAN@reddit

I'd update my resume in advance of my firing if I did something this stupid

Reply

[-]

kitsinni@reddit

You know when manager say they can find people with the technical skills but not the soft skills ...

Reply

[-]

SelfImproveAcct@reddit

Surely there’s a better way

Reply

[-]

robbersdog49@reddit

Wow. Crossed the line mate. I'm going to echo what everyone else has already said. I understand your logic, and you should be training people to recognize when an email is emotionally charged. Maybe use something like this as an example in a training session. But to make staff think that a close relative has been badly injured and is in hospital is just crazy. There's have been times on my life where if you'd done that to me I'd have laid you out. How dare you do that to your staff and then expect them to respect you?

Reply

[-]

Classified_117@reddit

Honestly i think we need tougher fishing tests, 90% of the time a breach is from a clicked link

Reply

[-]

robocop_py@reddit

90% is an understatement. Very rarely does a breach start with some exploit.

Reply

[-]

Classified_117@reddit

I was being generous lol

Reply

[-]

silentstorm2008@reddit

Look, you have to remember there is a person with feelings on the other end of the email.

Reply

[-]

colmwhelan@reddit

I understand why people FEEL it's over the line, but I don't think it actually is....

Reply

[-]

iotic@reddit

It did cross a line, you are insane to think that’s ok

Reply

[-]

ranhalt@reddit

The only vendor provided template I ever pulled was jury duty because we Americans do not provide education on how jury duty works and it’s not IT’s job to teach civics. There was no specific courthouse name or location, no jurisdiction, but an employee showed up at the county courthouse on a work day and told their boss they had jury duty, boss didn’t ask for proof. So IT caused an employee to lose hours. No fallout when we agreed to kill the template immediately. I’d pose you and everyone an important question. What’s more important to you: low failure rate or high report rate? How much lower can your failure rate get, and how much higher can your report rate get? Encourage your employees to be a success for the company instead of worrying them about being a risk. Document repeat failure employees and establish protocol with leadership that they support. If they don’t care about repeat failure employees, get that in writing. What’s the amount of effort you’d have to put in to correct the bottom 1% performers? Focus on what the employees are doing correctly to push them up. Carrot, not the stick. Find a video that demonstrates how a failure can hurt a company, show them the current high risk vectors and bait. But tell them that every test they report could be a real threat, and alerting it could make them a hero.

Reply

[-]

hoodie1776@reddit

Respectfully, I do not know how you ascended to the role of VP of IA and Cybersecurity with this kind of attitude. If you want people to respect you and by extension, everyone in this sub, you have to approach things in a way that is realistic but human.

Reply

[-]

kniffs@reddit

IT is 50/50 operations <-> soft skills and in most positions higher than helpdesk, probably more like 60-70% soft skills. With all due respect, i think you need to work on your soft side a little.. This type of thing would not fly in our org

Reply

[-]

haroldthehampster@reddit

If 38% of the users clicked, and that is being overlooked in favor of outrange towards the content of the phish that kinda proves your point. Humans are emotional. Adversaries use that to their advantage more and more often. We need to do better at getting people to recognize when their emotions have heightened. People are bad at recognizing that in the moment, when people are anxious that's when mistakes are made that wouldn't normally occur. No one is immune to emotional distress. When content initializes an emotional response that's when the clicks happen. People who know better will click emotional content. It's important to include emotional triggers in phishing training, to do otherwise is shortsighted, egotistical. Emotional attacks work and they are far from uncommon. Why do you think so many people fall for donation scams?

Reply

[-]

RadioStaticRae@reddit

I think it's well within morally acceptable to use this example as a phishing test (who tf expects a notice like that anyway via e-mail? From HR at their own company? Wouldn't a call and voicemail be more appropriate if they're considered an emergency contact? And if they aren't an emergency contact, then you are correct that official channels would not be first contact in that scenario.) Ultimately, it doesn't matter what any of us thinks. Exec gets what exec wants. You can argue your case, but as many of us know they may not even consider our viewpoints anyway.

Reply

[-]

SourcePrevious3095@reddit

One the one hand, that's an a-holish stunt. On the other, no way in an emergency situation like that would HR send an email. That's a call or in-person visit.

Reply

[-]

Conscious-Arm-6298@reddit

This is a very Dwight Schrute thing to do, i love it.

Reply

[-]

Mental_Beginning_698@reddit

I love it. You didn't come close to going full digital Anthony Jeselnik on them. This place is toast without you if thats their appetite for risk. Social engineers use all the dirty tricks and thats why we have Granny's paying their overdue IRS bill with Apple gift cards or else we're gonna put your grandson in jail. because we all know thats the IRS's preferred payment method.

Reply

[-]

Patient-Stuff-2155@reddit

It's obviously over the line, but also completely unnecessary. Most people will fall for much easier phishing attempts, it doesn't need to get remotely personal. No need to actually make them panic.

Reply

[-]

cultvignette@reddit

A good security admin protect the network and assets by remaining vigilant. A great one does not forget empathy exists. If you sent this test in my organization, you'd no longer be a part of it.

Reply

[-]

SinTheRellah@reddit

I hope this is rage bait. If not, you will be looking for a new job soon.

Reply

[-]

DrMacintosh01@reddit

Only a corpo bot would fire an IT guy for acting in the best interest of the company.

Reply

[-]

PhillAholic@reddit

HR and Legal may have something to say about that.

Reply

[-]

AH_Josh@reddit (OP)

HR and Legal both cleared the e-mail before I sent it.

Reply

[-]

EnhancedEddie@reddit

Legal doesn’t mean ethical or appropriate

Reply

[-]

Honolulu-Blues@reddit

Pissing off your employees and emotionally manipulating them is in the best interest of the company? If you want to present something of this magnitude it should be done in training. Not as an internal phishing campaign. Some of you are insane lol.

Reply

[-]

DrMacintosh01@reddit

Training is useless if there isn’t a practical test. Otherwise it’s literally wasting hours of company time in lectures or training materials because the information will not be retained beyond the day of training.

Reply

[-]

dotbat@reddit

Hey for your next trick why don't you do fake phone calls from each school to the parents saying their kid is in the hospital, it'll be great. You need to go to the CTO tell him you thought over what he said and that he was right and you're sorry. Today.

Reply

[-]

beagle_bathouse@reddit

>I care about protecting ***my*** network You the CEO?

Reply

[-]

theoreoman@reddit

You took the line, marked it, then launched a rocket to pluto with that email. Sure a threat actor might use that, but you don't need to test every single possible way. You're not going to war with the most elite Chinese hackers and you're troops need to be hardened, your hoping Brenda in accounting doesn't click a weird email. You're missing the point of your job in cyber security. It's to manage risk, cost, probability, maybe you should retake some of these certs because that's the most fundamental part of the job. The job is to lower the probability of someone falling for a phishing email, but when they do fall for it your job to have controls in place that will detect it and limit exposure.

Reply

[-]

SnooSprouts7609@reddit

Nothing wrong, no matter what other people tell you. Who cares about culture.

Reply

[-]

MorninggDew@reddit

Definitely over the line. You’re lucky you didn’t get fired and frankly I’m amazed HR agreed to this. This is like testing peoples fire awareness by setting the building on fire.

Reply

[-]

Matazat@reddit

I feel like I'm taking crazy pills in here. Network security does not care about your feelings, and your coworkers would be infinitely more upset if they lost their jobs to a catastrophic crypto event than fake emails that they'll forget about by the end of their shift.

Reply

[-]

MedicatedDeveloper@reddit

It'll just take a couple people going to HR about it to cause more problems than you can imagine. You put your job on the line with this one. Never fuck with family stuff in a business. Yes it was a good simulation but in TERRIBLE taste. I expect to see a meeting with HR on your calendar in the next week or two. I'm curious how many people complained about you causing emotional suffering. HR doesn't play with that kind of shit.

Reply

[-]

AH_Josh@reddit (OP)

This test was in January, was cleared by legal and HR. My job is not on the line. This was more of a discussion of the morality of it.

Reply

[-]

spectralTopology@reddit

The problem I always found is that the topic of the phish test is either always controversial or always so trivial that it doesn't test anything. That being said, your choice of phish topic was designed by you to get you canned, not to test anything. I hope you're joking about this. If not you may need to go to some sort of sensitivity training. Ain't no one going to remember any of the good things you did at that company, just this one test.

Reply

[-]

waxwayne@reddit

I find one thing that some sys admins really miss out on are the soft skills. Our comfort zone is hard technical skills and we often miss the Forrest in pursuit of the trees. We are not just at work to accomplish a task that could eventually be done by AI. We are humans who are there for our nuance and our ability to build relationships. I can think of no relationship more important than that of a VP and their CTO. If your CTO is trying to communicate with you that you crossed a line you shouldn’t be concentrating on the thickness and color of the line. You should be concerned that they have lost faith in you and that your relationship has been damaged with the company. The hard skills you possess are there to foster your relationship and reputation in the company. That reputation is your main goal in any job really.

Reply

[-]

SemiDiSole@reddit

Nah, you're fine. Anything goes. Threat actors will use every means to attack. The E-Mail itself is in its premise so incredibly stupid, that noone should have clicked on the link in the first place. (Why would HR have that information - it's PII, they are not allowed to get it in the first place!) Everyone who fell for that needs to learn how to think straight.

Reply

[-]

agrk@reddit

I've seen people psysically assault coworkers over less. All it takes is one unstable employee with a relative in the hospital and you might trigger an uncontrollable chain of events.

Reply

[-]

AH_Josh@reddit (OP)

I work in a different country than our employees. Also they don't know who I am, nor who runs the phishing test. Had one person ask if it's AI an automated.

Reply

[-]

bvandepol@reddit

Are you French?

Reply

[-]

YSFKJDGS@reddit

There is already a grey area when it comes to these, but you would have to be absolutely insane to try and deploy a test like this without going to leadership and getting approval. Also, if someone with a "VP" title is literally sending phishing emails, you can probably leave the title out because that makes even less sense.

Reply

[-]

AH_Josh@reddit (OP)

Approval was given by the people who need to give it as outlined by SOPs. CTO is not included in the approval chain because they always fall for the tests.

Reply

[-]

Ninjabeaver212@reddit

We run pretty aggressive phishing tests so I'm going to be biased by saying you didn't cross a line. Attackers aren't going to be nice or conveniently easy to spot for users.

Reply

[-]

AH_Josh@reddit (OP)

Im coming from a world where I actively phished people for results. I phished to get credentials during my white box testing. I use what worked the best.

Reply

[-]

flyguydip@reddit

I like to use real life examples. Find a real life example that was blocked and you're in the clear.

Reply

[-]

Ninjabeaver212@reddit

BEC is so common now. You cannot trust an email just because it came from a vendor you work with.

Reply

[-]

Ninjabeaver212@reddit

As long as it's cleared with who matters(HR, etc) you should be clear. We've seen attackers attempt phishing with very similar tactics. Users NEED to slow down and think before clicking any links sent to them.

Reply

[-]

YOLO4JESUS420SWAG@reddit

Holy shit this is the dumbest thing I've ever read. You're wrong. Listen to your csuite exec before you get yourself canned.

Reply

[-]

ncc74656m@reddit

This is the same to my mind as COVID bonuses/wfh stipends during the height of COVID, only somehow worse. Yes, I am well aware that the phishers used these exact lines, and literally nothing is sacred or off limits to them. But we have to pull some punches, even if they don't give us that grace. Your prompt is seriously over the line for me, and while I think it's completely absurd that people would believe that HR is going to inform you like this given that this isn't how things usually work, it's still skeevy and a low blow. I think directly hitting people in the bank account or on their family is over the top and unfair. Instead, this would've made a much better slide on the training deck rather than a straight phish. That would get your point across without getting peoples' hearts in their throat in a way that has to be off limits. In the future if your company wanted to approve that kind of phish, I would propose that it needs to be approved by no less than the head of HR, CTO, and CEO. At the very least, then they wear that albatross. Personally I'd push back on this though as an actual lure.

Reply

[-]

RabidTaquito@reddit

I'm with you. It's all fair game. It very much crosses a line, but that is so literally the point. That said, I would not be surprised if the CTO (unfairly and ridiculously) has it out for you now. As for commenter's complaints that "you shouldn't stoop down to the threat actor's level". Bullshit. Anyone with any level of elevated permissions needs to be able to react calmly and logically in distressing and/or emotional situations. The rest of the dreggs can fail for all I care, but if this test revealed that a domain admin is susceptible than that person should at the very least be forced to undergo requalification for that domain admin role.

Reply

[-]

AH_Josh@reddit (OP)

CTO clicked the phishing link too, I went back and checked. Same with our FW admin and Virtual Machine admin. And me and CTO are on fine terms. Wasn't a yelling match. They like laughed a little bit and said "Ehhh maybe too far this time"

Reply

[-]

sp1cynuggs@reddit

“I don’t care about my employees” you don’t belong in this field. Our entire fucking job is to help the employees and make their life’s harder

Reply

[-]

nazerall@reddit

I don't have an opinion either way, but the responses are somewhat surprising. Sounds like if we refuse to test this kind of scenario how are we to prevent the exsct scenario being exploited?

Reply

[-]

jews4beer@reddit

Yep that's where I landed after reading through the thread. Like holy shit OP is an asshole for attacking feelings, but...they kinda showed that it's an effective attack. So where is the middle ground to teaching people that their emotions can be weaponized - and not actually doing it in training.

Reply

[-]

sadmep@reddit

By training people to be aware of phishing techniques. I don't get why so many people in this thread seem to think it's a binary choice of be a complete dick like an actual phisher or do nothing. There's a gradient.

Reply

[-]

Beneficial-Trouble18@reddit

Training and awareness?

Reply

[-]

gabacus_39@reddit

Wow. Some people are actually backing OP here. That was so far over the line it's unbelevable. It almost feels like a troll or rage bait. No one in their right mind would think that it's ok sending a spoof email that a family member was seriously injured. Seriously, what the fuck.

Reply

[-]

alter3d@reddit

Who cares about employee morale, it's not like pissed off employees are a risk to network security.

Reply

[-]

robocop_py@reddit

Nope. Phishing remains our #1 threat corridor through which BEC and high dollar fraud occurs. AI is making it impossible for us to totally rely on technical controls. We must secure the human. This means security awareness training. This means phish testing at a difficulty level slightly higher than your users can handle. As for crossing any lines, no, we learned this during Covid. The leading security minds were all saying we shouldn’t use Covid in our phishing because it will make people doubt real important Covid information. Then what happened? Attackers started using Covid as the basis of their phishing. Nothing is off limits anymore, because nothing is off limits for attackers.

Reply

[-]

genericuser292@reddit

Legal and "a total dick move" can both be true.

Reply

[-]

midnitepremiere@reddit

The initial test, and your doubling down over and over after being called out for it, are so nuts that I’m starting to think this is bait. If it’s real, and you really think you did nothing wrong, you’re in desperate need of some introspection.

Reply

[-]

littleko@reddit

You crossed the line, and the 38% click rate is exactly why. Simulating a family medical emergency isn't training, it's trauma. People who clicked weren't being careless, they were being human. Now they associate your security team with the worst moment of their week and you've burned trust you need for actual incident reporting. Threat actors don't care about morals, sure. You're not a threat actor. Stick to urgency, authority, financial lures. Plenty of realism without weaponizing grief.

Reply

[-]

b4k4ni@reddit

You are right about protecting the business and being a bit creative with testing. And also about phishers using pressure/time sensitive topics to get you. BUT - you also need to see the other side. The normal user. The worker. With a background and social net you don't know. While you did it in the best interest of the company, you didn't calculate in the social limits there are. Imagine someone you reached has a dying family member at home. I'd say, get someone from another part of your comany and show them what you wanna do beforehand. Get a reply if this is out of hand or not. Sometimes our moral compass hangs a bit or what you think is ok is really not. If you send it right away after they approve, when they are still with you, there's also almost no chance of snitching. And if you do something like this, where you need to use a bit more fear or whatever to get people - maybe don't wait for them to enter their password. Redirect to a website stating asap that this was a test, they failed and need to apply what they learned even under pressure. It's not easy to balance that. And really, run such more professional test against someone else to check. And take this into training to show them, how they can be scammed.

Reply

[-]

themastermatt@reddit

Youre a bit misaligned here. First, Executives want good looking numbers instead of actual security so when more users "fail" they dont correlate that to any need other than to make that number go the other way. From there, yeah a TA might use these tactics but Id be talking with you too about crossing that line by making mothers think their children might have been seriously injured or circling the drain just to trick them into clicking a phish sim URL. Had that happened to me and then i got that condescending "Oops, this was a test" nonsense along with whatever training or other outcomes you might have setup - id be beside myself and raising a huge stink.

Reply

[-]

Nexzus_@reddit

No, not at all. We haven't gone the family route, but our most "successful" (read abysmal) phishing test was related to annual bonuses. "Click here and login to see what kind of bonus you're getting this year"

Reply

[-]

discgman@reddit

I mean what if you sent out an email from HR saying everyone is getting bonuses, just click here. Its helping people be more aware but its borderline at best.

Reply

[-]

bobsbitchtitz@reddit

I might be the only one here who agrees with you. I’ve seen escalating things from phishing attempts recently with bad actors using ai to make things look super realistic. People need to be aware of anxiety inducing phishing attempts and become desensitized to it.

Reply

[-]

Zeitcon@reddit

You shouldn't have used that subject for your phishing mail. I would have mentioned the possibility of phishing mails addressing such sensitive subjects in training material to raise awareness, but I wouldn't have used it as part of a company phishing test.

Reply

[-]

null_frame@reddit

Legally it is fine. Ethically it crosses the line.

Reply

[-]

joeykins82@reddit

If you've bypassed things like an \[EXTERNAL\] tag for a phishing exercise then that's not ok at all IMO. If an attacker has breached your systems then phishing emails are the least of your concerns.

Reply

[-]

Best-Economics7594@reddit

Personally I think you did fine, You are 100% correct, Bad actors are NOT going to hold back. Ive seen them do 10x worse then "family hospitol matters". Its happened at my previous work, Ive sent out phishing test and people STILL fail them, and literally send hundreds of dollars via cashapp/venmo to bad actors and think that we are the network techs can get it back for them. Its really really annoying. Now if you put someones real info in the email like the persons mom/dad real info in there THAT may be crossing the line, but if the phishing test was a simple "CLICK HERE FOR MORE INFO" then you did fine. Hold your ground.

Reply

[-]

ProgrammingAce@reddit

Imagine sending a photo of an employee's house to them, telling them you'll burn it to the ground if they don't hand over their login credentials, then saying it's to protect your network from phishing attacks. I think a basic requirement is that you shouldn't take actions make your coworkers feel bad. This isn't some hypothetical attack, this is an actual attack that you actually did to people, your own coworkers. Lets be precise for the reasoning, you didn't do it to protect your network, you did it to see if people would fall for it. And they did. And, you knew they would. Your job is to build an infrastructure that can't be compromised by someone clicking on an email. Email has been a threat to businesses for 40 years. You can't rely on high schoolers not to click on links to protect your data.

Reply

[-]

DrMacintosh01@reddit

When an attacker goes after your organization, they aren’t gonna be pulling any punches. The attacker isn’t going to ask for your consent before they start their attack. The attacker isn’t going to consider your emotional wellbeing. Users need to be ready for that. The only way they are going to really be ready for it is if they experience it.

Reply

[-]

ReFractured_Bones@reddit

I would run these things deeper than legal, argue your point but not die on this hill. Technically you are sound and I agree that bad actors will never play fair, but humans are often emotional and reactionary before thinking through everything.

Reply

[-]

OG_Dadditor@reddit

You're a fucking asshole, that was way over the line.

Reply

[-]

npsage@reddit

"So, I am coming to you guys to ask, did I really cross the line? Or is this phishing test well within morally white areas. I stood my ground but find myself second guessing." Just so you know when your next employer reaches out to your current one this is 1000% going to come up in their conversation. Because from a legal standpoint "My company did X thing as a joke" and "My company did X thing as "training test" there is very little difference. You pull stuff like this you're going to eventually hit the wrong person in the wrong way, and it will end poorly first for the company, then for you. If you worked at a bank, would you think that just because a robber is going to probably come in with a loaded gun; that you should also bring a loaded gun and point it at a teller's head?

Reply

[-]

floatingby493@reddit

That is pretty extreme tbh. One time our security person sent a test phishing email that looked like it was from a former supervisor who had passed away and they deservedly got an ear full from the users who were upset and still mourning their death.

Reply

[-]

Zahrad70@reddit

Friend, ease up. Security is important, sure, but it’s not THAT important. You can justify anything with that “the criminals won’t hold back” nonsense. As close as possible to the real thing is not the point of training - you cannot anticipate, much less test for, everything bad actors might come up with. The point of the training is to build up defensive fundamentals and keep people sharp. Apologize to your users, and beg your CEO’s forgiveness. This was way over the line.

Reply

[-]

fartiestpoopfart@reddit

just because something is legal doesn't mean it's not wildly inappropriate. there could be employees who are emergency contacts for family members who are legitimately at risk and a message like that could cause serious emotional distress or worse, you never know what someone might be going through in life. not to mention the rage or disgust they would feel when they follow the links and get a "Gotcha! You failed this test and require more training." type of message. i don't even talk to the majority of my immediate family and would still be pissed if i got an email like that just because of how fucking stupid that is.

Reply

[-]

Honolulu-Blues@reddit

" I don't care about my employees as much as I care about protecting my network. That is my job." Humans are more valuable than the network bub. You need to develop your interpersonal skills and work on developing better working relationships. If you destroy the trust of your co-workers you're actively harming yourself and the network.

Reply

[-]

masterxc@reddit

I see this as being very controversial so there's no real "yes" or "no" answer, and a lot of it comes down to communicating with the powers that be on how aggressive your tactics should be. If you've been hit before by a similar message, then at the very least training users to be on the lookout for signs of a phishing email and providing the proper tools (warning banners, etc) so they will learn to check these first would be ideal. I get where you're coming from - exploiting emotions is exactly what threat actors do and it's highly effective. However, on the other hand...it's your workplace. If you go too far in that direction, people will learn to fear these instead of learning the signs of a phishing email. It would be just as effective to impersonate IT or something and asking people to click on a site to update credentials (and provide some urgency behind it to invoke the same response) but it wouldn't be so triggering to people who may actually have a crisis in their life you don't know about.

Reply

[-]

ABlankwindow@reddit

You work in a customer service role. Your customers are your fellow coworkers. Many IT people seem to forget that because we live so much of our lives in our office caves. As to your question it depends on the industry you work in and the resulting business culture. These type of tests will get under peoples skin and if your network doesn't actually require that level of scrutiny. then you are just pissing off your customers for minor potential increase in security. If you work someone where lives could literally be at stake if your network is breached, then yay go the whole 9 yards and make the test as real as possible. The old military saying thought process of train like its real \\ we bleed while we train so we don't when we fight for real. And if they complain remind them lives are at stake. but your average business you're not going to appreciable lower than chance of someone not falling for a real attack but for sure you will piss them off. so if the CTO is telling you this isn't a fit for the company culture you say yes sir and do your job or find a new one. I would not say this one was an asshole move it was ESH. but if you do it again without support of CTO or CEO then yeah would be the asshole. Its the business's property not yours after all. your job is just to be a Sheppard, but the farmer still owns the flock.

Reply

[-]

PhillAholic@reddit

Way over the line. Your goal is to protect your network by EDUCATING your users to act responsibly. Users will not be open to learning if their security team are assholes who go overboard. I sincerely suggests you reevaluate your methods and goals here. Your prioritizes are out of whack.

Reply

[-]

Lobster_Bodyslam@reddit

I like your tactics OP but I do see the concern from your CTO as well as many of my fellow redditors in the comments. I don't think it was over the line at all as many in the comment claim. It's a good test to see who needs better training. Users need to think for a second. HR isn't gonna send out an email claiming a loved one is in the hospital. HR would call or, hopefully, a family member would call. If I received that email, I may shoot a text for a family member and might call HR. I would not click anything in that email.

Reply

[-]

Rorasaurus_Prime@reddit

Yeah, you crossed a big line. There are plenty of ways to do it without toying with peoples emotions.If I were your CTO I'd have had some pretty strong words for you. And I'm extremely security conscious.

Reply

[-]

Next_Confection_3046@reddit

I suddenly don't feel bad about my fake OneDrive file share tests. Jesus fucking christ bro you went way over the line here

Reply

[-]

ultimateVman@reddit

It seems we're all pretty much in concensus that it was over the line. But, this is an opportunity. This particular event can be part of your employee security training. Explain that Info Sec will no longer use family safety in their tests, BUT real threats will not be so kind and they WILL exploit that. Use this case as an example and both you, your management and the employees of the company can make this a learning experience rather than issue.

Reply

[-]

Sith_Luxuria@reddit

Way over the line, you may have not crossed a legal line, but you crossed a leadership one and thus weakened trust and overall in IT. This wasn’t testing awareness, it was testing how people react to a personal crisis. That’s not a fair or useful control and to be very blunt, is callous. There’s a line between realistic and reckless. Using a family emergency framed as HR pushes people to respond as humans, not employees, so your data is skewed. You’re responsible for protecting the company and its people. The people, our users are the true edge over every system. If employees feel manipulated, you lose trust, and that weakens security. 38% click rate means your baseline needs work, not that you escalate to the most extreme scenarios. Just because hackers use emotion and malicious methods doesn’t mean you should use that internally on the people you serve. IMO, get off your high horse and remember that without them, we have no job.

Reply

[-]

SeekingApprentice@reddit

A lot of this is clearly embellished. At the end of the day - why make trouble for yourself with this... Training them to think through emotional situations. People don't care that in depth and you have to work around that and frame it far differently.

Reply

[-]

florence_pug@reddit

Ya that crosses the line. Did you even think about it before sending? What is actually wrong with you?

Reply

[-]

Sad-Branch-6927@reddit

Over the line for sure. Don’t involve family. This coming from a guy who sent one out saying to sign in to approve your pay increase. Got that one approved by my director and cfo before though. Everyone clicked on it.

Reply

[-]

siciidkfidneb@reddit

Dude you are out of your mind

Reply

[-]

Lost-Droids@reddit

We went with the approach same as Google that phising tests are bad and just piss users off (link below) Training, reminders mostly ish in a company wide security workspace and positive rewards when users escalate things to us is far better Sending something about family is so far over the line you can't even see the line Google Online Security Blog: On Fire Drills and Phishing Tests https://share.google/89a6cTyjdKHu1sZF0

Reply

[-]

West_Acanthaceae5032@reddit

Completely over the line. We use natural greed, a Benefits Portal or Raffle and try exploiting people for money. Never go for shock value and never try to go for something that could leave people in an emotional state that you created.

Reply

[-]

aldotheapache1032@reddit

Thats why we have external labels turned on in Outlook and shows a warning on top on every email from outside the organisation, granted we have guys that sign up even then

Reply

[-]

the_doughboy@reddit

Recently we had extreme Push Back. Using Knowb4 one of them was a Teams Notification and it was perfectly crafted for your company. However we over whelmingly got the message "Never send these again or I will never action any email in the future." If the phishing tests look as legit as real emails and there is a fear of clicking the link then people are going to stop actioning legitimate emails AND not even ask IT "Is this legitimate?"

Reply

[-]

danfirst@reddit

I ran phishing tests for a long time, I would never send that. Yes, I know that threat actors will send bad things, there still should be a line though. At the beginning of covid I had a co-worker who wanted to send out a test about how everyone's health insurance was getting dropped. I shut that shit down right away.

Reply

[-]

IcyChemical3661@reddit

Bad actors aren't going to be cute with their attacks. I'm with you.

Reply

[-]

deefop@reddit

Legal and "correct" are two very different things. I agree that threat actors aren't going to hold back, but this still went over the line in terms of the panic it might have caused. That said, did 38% of users click the link? If that's the case, then your original point \*is\* valid, insofar as that you have a userbase that is highly susceptible to the false urgency created by phishing attempts, and some attacker on the other side of the world doesn't give a fuck about your employees feelings. So if I were you I'd own up and apologize, but if you really had a failure rate that big, I'd stand my ground by saying "Hey, I accept that this might have crossed a line in terms of testing, BUT 38% of people failed, and if this were a real attack, the company would be in serious trouble, and we can't ignore that reality even if we acknowledge that this test went too far."

Reply

[-]

reegz@reddit

When I did this I would run two campaigns. The standard one and then an advanced one that was more spear phishing oriented. The advanced one only a few key folks knew I was doing them, nothing was allow listed so I had to play by the same rules as the bad actors. They were designed to allow our processes to play out. If it gets caught by the SOC that sucks for me etc. Regular tests the users, advanced tests your team and processes.

Reply

[-]

MaToP4er@reddit

Well, your CTO will bite his elbow when shit will fuckin hit the fan… but it wont be your problem

Reply

[-]

Master-IT-All@reddit

You are correct, the CTO likely fell for it and is salty.

Reply

[-]

sadmep@reddit

>Again, I don't care about my employees as much as I care about protecting my network. Your job is both. And yes, making people freak out thinking a family member was injured does cross the line, like... obviously so.

Reply

[-]

StaticR0ute@reddit

Yikes

Reply

[-]

NormanJohn1@reddit

You sent a phishing e-mail claiming a family members was hurt? You're a clown

Reply

[-]

snebsnek@reddit

Way over the line.

Reply

Reply to Post

679 Comments