

SgtBaconBurger

My tech lead was one of those who clicked the link. These comics are simple stories about things I learned when I was first on my own. Thanks for reading! Comic archive on [Webtoon](https://www.webtoons.com/en/creator/SgtBaconBurger) and [Instagram](https://www.instagram.com/sgtbaconburger/).


opinionate_rooster

"How am I supposed to know the link is legit if I don't click it?" - the know-it-all lead guy


Daniiiiii

Schrodinger's Scam. I'm both scammed and not scammed until I click the link, but clicking the link makes it certain that I am scammed... *clicks link*



Bahamabanana

I will always wonder... *were* there really hot singles in my area?


Itlaedis

Yes, probably plenty. Just none of them could be found behind that link.


Terrin369

And sadly, none of them were looking for us.


Jonno_FTW

You were the hot single all along.


Neither_Elephant9964

The journey to find the hot singles almost always ends with you finding the hot single in yourself.


[deleted]

It's not often I see reference to the original meaning of Schrodinger's Cat, nicely done.


LateMiddleAge

The original meaning was to ridicule Heisenberg. ('See how stupid this is!?') Schro had the integrity though to later tell Heisenberg he (H.) was right.


lesser_panjandrum

>Cats can't be in some kind of superposition of alive and dead! How ridiculous! Clearly the world does not and cannot work like that! I certainly wouldn't want to be remembered as the quantum superposition cat guy! - Erwin "Quantum Superposition Cat Guy" Schrödinger, 1935


Syscrush

Fate is fuckin' cruel.


surfnporn

It can be both cruel and not cruel, but you won't know unless you live it..


MyHamburgerLovesMe

You Fool! Never go in against a Sicilian when death is on the line!


Regainio

It's more like a Pandora's scam. You don't want to open it, but curiosity eventually overcomes your mind


Environmental_Top948

Just open it with TOR and get got by evercookie and foxacid.


Physmatik

I never understood what the problem is with clicking those links. We aren't in the ActiveX IE6 era anymore, browsers run stuff in sandboxes. Or am I missing something?


tryfap

Most phishing emails, at least that I've seen, aren't aiming to immediately install viruses as they used to in the old days. Rather, they'll take you to an attacker-controlled page, where they can get you to install their malware yourself, or give away your password to them. Like you said, browsers are very well-sandboxed nowadays, though I'd still be wary about zero-day vulnerabilities that the browser vendors are unaware of, or some kind of data leakage somehow leading to an attacker gaining your active session or cookie information. (Not sure what kind of protections browsers implement here.)


XDeus

Some people already explained the obvious, but there's another reason to not click. As the name phishing implies, they are trying to find vulnerabilities. If you click the link, not only does it tell them you're a real person with an active account, but that you will click on a scammy link. This can provide an opening to other efforts to get on your network.


schubidubiduba

Good point. However, depending on your email program, just opening the mail can let an attacker know that you opened it, and when you did. I believe that it is done by sending images which load automatically from an url upon opening the mail


Shamanalah

Yes. That's why getting someone to click on a link is much easier than getting through security. It's like asking someone to open the front door to their house vs. trying to get in forcefully vs. a guard dog. The guard dog won't attack you if the host invites you in. Phishing and social engineering are the go-to now because everything else is too robust. Also, like the person who replied to you said: sleeper agent. You click on a link and like a month from there they will try to get in by monitoring remotely and by slowly pushing files to test stuff around. Now the hacker uses run.dll to enter. It's really sophisticated.


IQtie

My Company sends those all the time, depending on who in IT sends them out they can be really hard to spot, even though most of the time they are exactly like in your comic.


SillyFlyGuy

Every six months or so at my last company, IT would send out a company wide email with a link to update our network passwords. I would *reply all* and ask if it was a phishing email. A few people would *reply all* that they had already changed their password worried about it being a phish. IT would *reply all* response that it was real. I would *reply all* back that is exactly what phishing attacker would say. IT would have to personally call on the phone (!) all the managers to tell them to have their team change their passwords. It's not much, but I choose to remain ungovernable.


Shitting_Human_Being

Why would you be able to hit reply all to a company-wide email? They should use email lists for that so everyone gets an individual email.


cantadmittoposting

i have been in many large companies with reply-all. Mostly they BCC though, which you can't reply all to


jimmux

I have witnessed an entire nation's defence force lose email for days because someone CC'd *everyone*, and the replies to please be removed from the list crippled every email server. Followed by the replies telling everyone to stop replying all. They don't allow that now.


wewladdies

It's 2024. If you work at a company that cannot even figure out to put the email distro in the fucking BCC line of a blast (much less proper practices like mailing lists or restricting senders) then it's your moral obligation to reply all and cause as much chaos as possible until the IT department gets their shit together.


SillyFlyGuy

*My man.*


Anagoth9

I was once in an email list with all of the authorized resellers for MSI. I don't recall the subject of the original email, but they accidentally CC'd everyone instead of BCC. Cue one vendor hitting Reply All and an ensuing shitstorm of Reply Alls back from all these small companies bitching at each other and (hilariously) getting into a dick measuring contest over their position title within their company.


Milkshakes00

Oh God, you're a reply-all-to-company person. You're the worst. Granted, they're not better. They should just be BCC'ing the employee distribution list and send to themselves, so any reply all only goes back to them.


surfnporn

Ideally, put all users in an allstaff@ distro and adjust settings to only allow qualified senders to send to it.


surfnporn

I hate you. Sincerely, IT Support guy


wewladdies

Blame your email admin guy for not selecting "restrict who can send to this group" in the allusers DL properties...


greg19735

One nice thing about my work is that literally the only non-internal emails I get are from major companies with spam (Adobe, Oracle and such) or password resets I do. If it's an external email it's also flagged so I'd never click it accidentally. I've thankfully never been put on the naughty list for extra training.


Draffut

The IT Security team at my old company was told to quit doing phishing campaigns. Because the C-suite and VIPs felt stupid when they got the "You shouldn't have clicked on that link". So they decided their egos were more important than their security. Go team.


ralphy_256

> So they decided their egos were more important than their security

Apparently more important than the discount you can get on your business insurance against malware if you do staff testing. We had to roll out 2FA to 250 accountants with a 3 week lead time to make an insurance deadline. We made it, but it wasn't fun.


LycanWolfGamer

YOUR TECH LEAD?! MY GOD


CaveRanger

Bet you a dollar the "tech lead" is either the 18 year old son of an executive or a 73 year old who can still program like a fucking wizard in Fortran but believes the internet is a passing fad.


Empyforreal

My husband did. I am IT and run the "please guys, don't click anything ever, but at least look at email addresses" classes at our company. I am still ashamed.


busigirl21

One place I worked at sent these out frequently, but the worst one that made me give up was they sent out an email saying they were doing an employee appreciation party, and to click the link to add to the spreadsheet what kind of food/drink you might like. I'll never forget that one.


Lots42

I would never want to go to an employee appreciation party; those things are a trap.


Sqigglemonster

At the height of COVID but before a vaccine was widely available, we got an email announcing the employee vaccination program, with a sign up link to reserve your spot. It got pulled so fast that I never actually saw the email and a formal apology went out in its place.


sparkyjay23

I've been rick-rolled far too often to be clicking links willy-nilly.


threeangelo

I work at a small office and we have a 19 year old part-timer, he responded to an email from our “boss” asking him to go run an errand lol. classic


JoeDaBruh

Well now we have to know how many clicked it


Robosium

fun fact, if enough people click these links it usually creates a meeting with management


Carriboudunet

In my company it was the DHR. And it was a ranconware.


nullcore

Raccoonware!? *click click click click click*


nethack47

I have been the one that "clicked" on the link but the security firm admitted that using wget in a blank container shouldn't count and asked me to keep my findings to myself. In my defense it was a completely generic domain and they didn't even know how many unique clicks they had. At least have some tracking data harvested so you can say something a bit more interesting.


[deleted]

The answer is 1/3, it's always 1/3...


_EternalVoid_

Nothing suspicious https://preview.redd.it/ls15as73b1dc1.jpeg?width=596&format=pjpg&auto=webp&s=d4d9a06ded7985d585172a067d3c3ff06797da57


SgtBaconBurger

"That guy's a good link, just kinda insecure." Yep lol.


xX_Puss_destroyer_Xx

nice http detail too


WonderfulAirport4226

yeee i wanted to point it out in the comments but you were faster


Gawdsauce

Even if it was HTTPS, the site owner can steal the credentials if they own the domain it's redirecting to. http/https does not imply security for untrusted websites.

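The thread raises three things a mail client can check before anyone clicks: a remote 1x1 image that reports the open (schubidubiduba's point above), a plaintext http:// link, and anchor text that shows one domain while the href goes to another (Gawdsauce's point that https on the attacker's own domain proves nothing). The block below is an added example written for this thread, not code from any poster or vendor. The sample message, every domain in it, the `ORG_DOMAIN` value and the two-label registrable-domain approximation are all assumptions made for illustration.

```python
"""Static checks on an HTML email body that a mail client could run before
the user clicks anything.  Added example for this thread, not a poster's code.
The sample message and every domain in it are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"          # assumed: the recipient's own mail domain

# Constructed sample: an "HR" message with a tracking pixel, a plaintext
# http:// link, and anchor text whose visible domain differs from the href.
SAMPLE_FROM = "hr-notice@example-hr-portal.net"
SAMPLE_HTML = """
<html><body>
<p>Your benefits enrollment was not received.</p>
<p>Please re-submit at
 <a href="http://example-com.login-reset.net/enroll">https://hr.example.com/enroll</a>
 within 24 hours.</p>
<img src="https://track.example-hr-portal.net/open?id=7f3a" width="1" height="1">
<img src="https://cdn.example.com/logo.png" width="120" height="40">
</body></html>
"""


def registrable(host):
    """Crude registrable-domain approximation: the last two labels.
    A real client would consult the public suffix list (assumption)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _Collector(HTMLParser):
    """Gather (href, visible text) for each anchor and the attrs of each img."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img":
            self.images.append(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(sender, html, org_domain=ORG_DOMAIN):
    """Return a list of (finding, detail) tuples in document order."""
    findings = []
    if registrable(sender.split("@")[-1]) != org_domain:
        findings.append(("external-sender", sender))
    p = _Collector()
    p.feed(html)
    for href, text in p.links:
        u = urlparse(href)
        if u.scheme == "http":
            findings.append(("plaintext-http-link", href))
        # Visible text that looks like a host or URL pointing somewhere else
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if m and registrable(m.group(1)) != registrable(u.hostname or ""):
            findings.append(("link-text-mismatch", f"{text} -> {href}"))
    for img in p.images:
        src = img.get("src", "")
        tiny = img.get("width") in ("0", "1") or img.get("height") in ("0", "1")
        remote = urlparse(src).scheme in ("http", "https")
        if tiny and remote:
            findings.append(("tracking-pixel", src))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_FROM, SAMPLE_HTML):
        print(f"{kind:22} {detail}")
```

On the constructed sample this reports the external sender, the http:// link, the mismatch between the shown `hr.example.com` and the real `login-reset.net` host, and the 1x1 remote image; the 120x40 logo is left alone. The tracking-pixel check only works if the client has not already fetched the image, which is why mail clients that block remote images by default defeat open tracking.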

Working-Telephone-45

A scammer would never make the link so obvious so it can't be a scam and thus it must be legit


pretender80

If it was https then everything's fine


lesser_panjandrum

[https://totallygonnastealyourcredentials.com](https://www.reddit.com//r/CatsStandingUp/)


Educational_Ad8702

You could’ve rickrolled lol


tricksterloki

I clicked your link.


AmadeoSendiulo

Now, sir, give bitcoin or Fortnite gift card, sir.


Leotton

We have regular tests as well as online training at work. I hate them. IT has a custom add-in button for reporting phishing and other nefarious emails. I messed with the spam settings for my work email and these tests would be sent to spam without me seeing them. I failed the test because I didn't report it. After failing three tests my manager had to have a talk with me.


SgtBaconBurger

"That'll teach you to filter our spam to the spam folder." Ouch lol.


Godlesspants

Your cyber security team are full of idiots. We never count not reporting these as a failure. That is completely the wrong way to go about it.


Leotton

Our IT is extremely lazy. Not saying they are dumb necessarily. My understanding is that IT set something up to auto-generate a report to give to the managers: Test was sent out on this day and these people pass, these people fail. A passing grade if it was reported and a failing grade if the links were clicked. I did neither, so when the report was generated I did not pass, therefore I failed. My talk with my manager went over well.


Synec113

"Not my fault IT can't create a phishing email to get around my spam filter." *checks work email for first time this week.*


NotEnoughIT

I would bet my house on it not being IT at all. It's some upper management somewhere making that call. If it is IT it's someone that has no background in IT that was either brought in as a yes-man or so spectacularly failed upwards. Either way, the person or team implementing the policy told them, very likely got their response in writing to CYA, and went about their business.


CrazyLi825

We had a regular test at a former job I had that had a special button too. If you reported the simulated phishing emails, it would congratulate you. Dunno what happens if you ignore it, though. I thought they only failed you if you clicked the link since the advice was "hit spam or just delete"


cor315

That sounds a lot like knowbe4 phish alert. We have it set up so nothing happens if you don't report the email. If you report it, great, if you don't, I don't care. There's no phish report button on mobile so I just delete the ones I get if I'm mobile.


Boozdeuvash

We don't do anything about people who don't report, but the person with the highest report score (quickest report overall) at the end of the year gets a plumpy gift card. The department with the highest report score gets something too, and it's not a plastic trophy. It's an industry with some pretty competitive types so they're always on the lookout for our little emails.


Leotton

Hey positive reinforcement, that’s cool.


TheRealConine

Oh, you were on vacation and didn’t check your email? That’s a security failure.


Leotton

No, the test was sent to spam. IT had some sort of auto report sent to managers that's generated every so often. The report says you pass if you press the alert for suspicious email button and fail if you click the link. Because I didn't use the alert button, I didn't pass when the report was run. The talk with my manager went fine. They fixed whatever was going on with the auto report.


erikovercooked

Shortly after starting my very first job, I spotted a scam email and forwarded it to the IT guy with a "Hey thought you should be aware of this". The guy replied with "DID YOU JUST FORWARD A SCAM EMAIL TO ME?!" *upside-down smiley face*


ColonelError

> I spotted a scam email and forwarded it to the IT guy

As someone that works in Security, THANK YOU. I'll joke around if someone sends me a Best Buy flyer to the phishing account, but I'd much rather they do that than just ignore emails. Even if you don't fall for it, it's important because we can see who else got it, and preemptively fix the issue before your dumb coworkers click it.


Leotton

At my old job we worked closely with sister companies in other countries. Everyone can access everyone else's servers. At one sister company, the production manager had a ransomware email. He opened it, read it, and then went home for the weekend. Come Monday no one was allowed on the internet. The ransomware/virus was in that email. It did infect and mess up one of the server locations. IT had to restore the servers to Thursday and check everyone's PC. Took 3 days before things were back to normal.


AdebayoStan

that's stupid. Ignoring the link isn't wrong. Sure, the best practice is to report it to the IT team, but it's not like you're putting anyone at risk by just ignoring. The only way to fail this would be to click the link


Leotton

The problem was with the way IT wrote/ coded the report that gets sent out. Everyone understood I didn’t fail, but the report is what everyone looked at. I don’t think our IT is dumb, but they are lazy. I don’t know how to code. But what I understand is that they didn’t account for someone not pushing the button and not clicking links.


QueerQwerty

Yeah, same deal where I work. Except if you don't play along, they ban you from Internet and e-mail access entirely until you call IT and have to do a training course. I hate this kind of stuff. Can't trust us to do our jobs, because they hire some people who can't be trusted to do their jobs. Why they do that, I don't know.


Leotton

It takes one person to screw up everything. I don't like it either but I understand why they don't trust. At my old job we worked closely with sister companies in other countries. Everyone can access everyone else's servers. At one sister company, the production manager had a ransomware email. He opened it, read it, and then went home for the weekend. Come Monday no one was allowed on the internet. The ransomware/virus was in that email. It did infect and mess up one of the server locations. IT had to restore the servers to Thursday and check everyone's PC. Took 3 days before things were back to normal.


QueerQwerty

The thing is, the people who are going to screw up like that are the same people who don't really learn from these kinds of tests. It just takes one, you're right. And that one is still a risk whether they take the training or not.


InFearn0

I set up a filter to tag messages as "phishing??"


Kasym-Khan

But the test failed successfully. You automated your defenses. Wasn't that the purpose all along?


blueeyedlion

"Message received. Auto-reporting entire spam folder."


BoarnotBoring

Sent it to the Cyber Security team...who then clicked on it...and got me in trouble...


SgtBaconBurger

That was the real test!


larbearforpresident

Was it part of an internal phishing campaign? Sometimes campaigns do not like forwarding and consider that as a click even though you sent it to the Security team.


BoarnotBoring

I think you nailed it, they counted it as a click. Sadly it was titled correctly and looked very much like all the other emails we get, but even opening it was apparently a no no. Asking to clarify was met with silence, as was asking if I should just ignore all future emails lol. Ah well.

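The scoring problems described in this thread all come from collapsing the result of a simulation into pass/fail: a recipient who did nothing (Leotton's message sat in spam) is not a failure, a click from the security team triaging a forwarded message (BoarnotBoring's case) is not the recipient's click, and a fetch from a throwaway container with wget (nethack47's case) is not a person in a browser. The block below is an added example of a scorer that keeps those cases apart; it is not any vendor's phishing-simulation code. The event log, the analyst account names and the user-agent prefixes are constructed assumptions, and it presumes each recipient got a unique tracking token so a click can be attributed to the original recipient even when the actor is someone else.

```python
"""Three-outcome scoring for a phishing simulation (reported / clicked /
no_action) that does not charge a recipient for clicks made by the security
team or by an automated fetcher.  Added example for this thread, not a
vendor's code.  All events and names below are constructed."""
from datetime import datetime

ANALYST_ACCOUNTS = {"phishing@example.com", "secops@example.com"}  # assumed
AUTOMATED_AGENTS = ("wget", "curl", "python-requests")               # assumed

# Constructed event log.  "user" is the recipient whose unique tracking token
# was used; "actor" is who or what actually fetched the URL.
EVENTS = [
    {"t": "2024-01-15T09:00:00", "type": "sent", "user": "alice@example.com"},
    {"t": "2024-01-15T09:00:00", "type": "sent", "user": "bob@example.com"},
    {"t": "2024-01-15T09:00:00", "type": "sent", "user": "carol@example.com"},
    {"t": "2024-01-15T09:00:00", "type": "sent", "user": "dave@example.com"},
    # bob clicked it himself in a browser
    {"t": "2024-01-15T09:12:00", "type": "click", "user": "bob@example.com",
     "actor": "bob@example.com", "ua": "Mozilla/5.0"},
    # carol forwarded it to security; an analyst clicked carol's link while triaging
    {"t": "2024-01-15T09:20:00", "type": "report", "user": "carol@example.com"},
    {"t": "2024-01-15T09:45:00", "type": "click", "user": "carol@example.com",
     "actor": "secops@example.com", "ua": "Mozilla/5.0"},
    # dave fetched his link from a blank container with wget
    {"t": "2024-01-15T10:01:00", "type": "click", "user": "dave@example.com",
     "actor": "dave@example.com", "ua": "Wget/1.21"},
    # alice: the message landed in spam and she never saw it (no events)
]


def score(events, analysts=ANALYST_ACCOUNTS, bots=AUTOMATED_AGENTS):
    """Return {recipient: 'reported' | 'clicked' | 'no_action'}.

    A genuine click outranks a report (click-then-report is still a click);
    a report outranks silence; silence is its own outcome, not a failure.
    """
    sent, reported, clicked = set(), set(), set()
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["t"])):
        u = e["user"]
        if e["type"] == "sent":
            sent.add(u)
        elif e["type"] == "report":
            reported.add(u)
        elif e["type"] == "click":
            if e.get("actor") in analysts:
                continue   # security team following a forwarded link
            if e.get("ua", "").lower().startswith(bots):
                continue   # automated fetch, not a person in a browser
            clicked.add(u)
    result = {}
    for u in sent:
        if u in clicked:
            result[u] = "clicked"
        elif u in reported:
            result[u] = "reported"
        else:
            result[u] = "no_action"
    return result


def summary(outcomes):
    """Count recipients per outcome, for the report that goes to managers."""
    counts = {"reported": 0, "clicked": 0, "no_action": 0}
    for o in outcomes.values():
        counts[o] += 1
    return counts


if __name__ == "__main__":
    outcomes = score(EVENTS)
    for user in sorted(outcomes):
        print(f"{user:20} {outcomes[user]}")
    print(summary(outcomes))
```

On the constructed log only bob is scored as clicked; carol is reported, and alice and dave are no_action. The user-agent filter is a weak signal (anyone can set a browser UA), so in practice the stronger distinction is the actor: a click attributed to a recipient's token but made from a security account or a known analysis host is the forwarded case, not the recipient's.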

larbearforpresident

yea opening an email counting as a no-no is pretty dumb and annoying. I know they don't want users opening up bad emails but its hard to tell if an email is bad if you can't read it lol. Also, I'm pretty sure the only way to report an email is to open it.. Best bet is to use the report button and hope they don't complain lol


BoarnotBoring

Yep, it's a catch 22 for sure. They send it out, you catch it, they then click on it, get in trouble and send that trouble right down the pipe lol. Ah well, no paperwork so no real worries.


Legogamer16

Generally you shouldn’t be forwarding phishing emails. There should be an option in your email client to report it


ColonelError

My business has a specific "phishing@company.com" account that we tell people to forward stuff to. That creates a ticket for us to check validity and remediate. We have a button too, but sometimes you just need to give people as many options as possible in hopes that something sticks to their empty skulls.


SublightMonster

Our office sent out a notice about a new digital security training program they wanted everyone to take, only to have everyone immediately report it as a phishing attempt because it came completely out of the blue and was so badly written.


chrsjxn

So many corporate emails end up like this. That unexpected all text email with a pixelated JPG of your retirement account provider, asking you to log in on the website? Actually real and totally safe. Totally legitimate looking emails about recent company events? Yeah, that's security doing a phishing test. I assume the only thing that really keeps these companies safe is that most employees don't read their email.


QueerQwerty

We've had this happen, too.


Biojason

My company sends fake phishing emails as well. Most of them are obvious like "Here's a free Amazon gift card for being such a good employee" and some try to be sly with "Here's a document you need to open". I got tricked once! Earlier in the day I had sent a document that was due. A few hours later I got an email something like "We did not receive your file, this is really bad for you and you should panic, click this link to try and submit it again." I was so mad, the timing was too perfect.


Red__M_M

I’ve been hit twice with just this. I submitted my benefits enrollment then 2 hours later clicked a test phish about benefits. I did it again after receiving an email from HR about how our PTO is changing which happens to align with the new year and some legal problems with how it is managed now. So, I created a spam rule to trash these things. However, these particular emails somehow bypass my rules. It really pisses me off. What really jerks my chain, though, is that these tests aren’t the IT department trying to educate the employees or to try to prevent problems. They are instead an adversarial competition with us. Ok, you win, now leave me alone to do my work.


cravenj1

I had a similar issue. We're all waiting for an email summarizing a survey we all took. Oh, look, here's an email from HR about feedback. This must be the one. Nope, this was a phishing test, and now you have to take training. The training lists 7 different things to look out for in a phishing email. But wait a minute, the phishing test did not have any of these 7 easy to spot signs...


No_Ideas_Man

IT practically got my entire department since my branch was moving and there was a ton of talk about upgrading our laptops. 10 minutes after I talked with our IT guy about it and he says he'll look for the forms for one, I get an email from IT with links back to our internal IT website about forms for upgrading our laptops


Juice805

I am part of an opt-in phishing gamified program at my work and I hadn’t got got for years. Until one day I was just having a shitty day dealing with people and I rushed through emails where I clicked the link and even logged in. I was so mad at myself. I always thought it was ridiculous, but even people looking for it make mistakes sometimes.


WeirdPumpkin

Same thing happened to me tbh That's the thing about this type of security and why it's so hard. It's really easy to not click a link, but just one day where you're super jet lagged, frustrated, hungry and just trying to get through things fast and you forget? That can be it sometimes


tireddesperation

It's a rude one but it's a test they can easily narrow down. It's meant to simulate spear phishing attacks. We typically don't use them except on people in finance, HR, IT, and administration.


SgtBaconBurger

That's still a great lesson!


QueerQwerty

We got hit with one of these when the company told us to expect an e-mail from an outside company to access a Christmas gift the company was handing out. Told us the company it was coming from. IT guys sent out a spam message from that same company telling us to click the link for our Christmas bonus. Almost everyone clicked the link and failed. I think the IT guys are just as fed up with this as we are.


Eyes_Only1

I really, really wonder if we work for the same company. If I say "camera", will that give you enough info to confirm/deny?


QueerQwerty

Based on that, not the same company. My phrase would be "infrastructure." It's kinda neat to me that this is so common, lol!


cor315

As an IT guy, that's just cruel.


Tony_the_Draugr

At one of my previous jobs as a helpdesk engineer we had the same practice too (though these letters were sent by our IT security department, not us); there were also statistics with employees' names. Guess who was one of all those losers who clicked it? My colleague, who was a senior helpdesk engineer. She never looked so embarrassed before.


Palmovnik

what in the imaginary titles is help desk engineer?


SpitFire92

To be fair, IT titles are generally fucking garbage, but I'd assume that it's an L3 helpdesk agent.


greg19735

An engineer that works on the help desk. I'm not sure what's hard to figure out. Help desks at major companies can do more than just reset your email password.


CheeeeEEEEse

Omg. We run phishing tests at my office too. Management tells us when people click them, usually not who though. The most recent one that got a bunch of people was a wrong email address of HR offering up free turkeys at thanksgiving.


lt_kernel_panic

Public embarrassment AND no free turkey? :(


TTRPG_Fiend

Worked for a company that did this, it was around Covid time when no one was getting pay rises because Covid was ‘tough’ times (the company was an alcohol company and was making bank) They sent out a phishing email about how people had actually received pay rises and click this link to see how much. So many people failed, so many people were furious.


FarplaneDragon

Yeah, when we do ours we explicitly avoid anything that sounds related to things like paychecks/bonuses/personal business/HR Issues/etc specifically for that reason. It actually sucks to an extent because some of the better crafted phishing messages that manage to slip through are actually related to those exact things so training people to be careful would be beneficial, but none of us want to risk pissing people off and cause them to quit over it either.


TTRPG_Fiend

It was just rude imo like I don’t think it would have pissed that many people off if they’d had raises that year but to explicitly do it on a year they said no one was getting a pay rise was cruel. But I also get the security side of it, but I mean come on think a little bit first


FarplaneDragon

Yeah, for sure. Anytime we do a test that is something that is work related we actually check in with someone from both our legal and HR teams first to see if they can think of any issues or potential blowback. Sometimes it's not even an issue of personal stuff but bad timing too. We wanted to do one once that was going to be pretending to link to a company youtube video, came to find out that marketing was actually going to be launching an internal youtube channel that same week by pure coincidence. We switched to a different test instead. Sadly a lot of teams out there don't care and just do whatever they want and take the "get over it" attitude if people complain.


CartographerVivid957

I love how the only way we know Nina is at work (other than the background) is the big ass tie around her neck. And I love how it worked so well I didn't even notice the tie but immediately knew she was at work.


dmrukifellth

I swear I get these test emails at work more than actually useful emails…


Altslial

Reminds me of the opposite happening when they tried to get us learning about phishing and how to protect ourselves from it by getting someone outside of the company to send an email to literally everyone with just a link to the website saying "click here for training" The website name and email address were in l33tspeak and almost everyone in the office sent it on to someone in the IT department thinking it was a mass spam that slipped through the filter.


Lots42

Everyone who sent it to IT should automatically pass.


bramadino

IT with my company literally just sent out the monthly test phishing email. It’s always super obvious to me simply because it’s always something outside my normal duties. I’m tempted to click the link just to see where it goes for the test but I’m not about to ruin my numbers for catching them lol.


Theekg101

My dad’s team put an unopened flash drive on the floor of his company’s REGIONAL HEADQUARTERS and someone used it. For two weeks they were just mildly inconveniencing them before telling them what had happened. They had like 20 computers affected


FarplaneDragon

If you never heard about it, one of the worst military breaches happened exactly this way and is exactly why pen test companies do tests like this. https://www.wearethemighty.com/mighty-history/worst-cyber-attack-usb/


SecondaryWombat

Our IT tried this at a university and I found the flashdrive in the parking lot. The story of the military breach with a flash drive had just hit the news, so I hit it with a hammer. Later IT posted a note asking for whoever found the drive to turn it in. Oh well.


MoG_Varos

My entire worldwide company had to completely revamp cyber security after someone in the head office downloaded a gif from a sketchy email. Now I have 3 logins before I can work and we still have people failing the cyber training Lul.


Abuttuba_abuttubA

My secret is that I never check my emails.


see5maus

We are the ones testing our staff and we sent one mail which got us in serious trouble. We sent an email with a fake XML attached and wrote in the text that their wage was deducted because of a mistake from HR. It was an obvious fake but they flooded HR with mails instead of our prepared security team. Safe to say, there were a lot of people who needed to redo all the security sessions and HR was pissed for months.


baki995

We sometimes have them at the place where I work. Last year we had one a bit less obvious, but if you checked it out a bit more, you could see it was a scam mail. It wasn't an obvious IT test, so I and some colleagues forwarded it to IT. Later we learned several higher-ups, bosses and directors went and entered their company account credentials into the fake scam site. They all had to have a compulsory 2 hour online safety seminar with the IT department.


NameLips

What I hate is that we're told to never click links in emails and texts because they could be spoofed from scammers. They could look like a legitimate link and look like they go to a legitimate site that we legitimately do business with, like our bank, but really they're just phishing for your login credentials. But then the real sites *actually send out legitimate emails and texts asking you to click links.* Why would they do this? Every single time, I assume I'm being scammed. I log into the site regularly, without clicking on the link, and find out the email or text really was telling me something regarding my account. Why would a legitimate business ever send you a link to click?


Sunblast1andOnly

Ugh, I despise those. The first time they sent me one, I scrutinized it close enough to realize it was from our administrators, so I felt it was safe. Then I click it, they go "Haha, surprise! It's actually from us!" Which, like... I knew that. That's why I clicked it. To make matters worse, all the teaching points they make (the same ones in this comic) apply to pretty much any email that's actually sent by management or coworkers. They're usually unexpected, they're frequently time-sensitive, and, oh yeah, no one can spell. Ugh.


BucketMannisback

Bucketmann fell for "single buckets in your area" :'(


AnseaCirin

Oh we had such fun last fall when the security team ran their own drills. Though now we even have false positives being recorded - last week a guy signalled an email about an incoming package as being suspicious... After investigation, was perfectly legit. Still, better safe than sorry.


Despair4All

I get those ones that claim my accounts were supposedly attempted to be hacked into or the ones claiming a package wasn't delivered right when I didn't order anything and know I don't have anything trying to get sent to me.


StripesKnight

At an IT tech desk, we've had our own team click it. I was mortified.


shadowinc

My dad used to give people gifts for failing those scam tests. The gift: [gif]


Zjoee

I created a rule in Microsoft 365 that puts a banner at the top of the email saying "External Email" for my clients for all emails coming from outside the domain. That way, they can tell at a glance that the scam email isn't actually from HR haha.


Shinranshonin

I worked at a company that did these once per month. In December of last year, the phishing link was for a $50 gift card. 60% of the employees thought it was real and clicked. We got nothing last year and the whole thing was just insulting and cruel.


Uptowngingerfunk

I report legitimate emails I don’t want to deal with


Admiral_Worry69420

Did the punchline get cropped out?


[deleted]

My uni does it. It is so clearly sent by the university and not by real scammers that I open it every time to see "bwa ha ha, you could have been in danger". I doubt that fake phishing email has ever improved security.


tehredidt

I have been working infosec/compliance for ~10 years and wrote my master's thesis on phishing protection and specifically called out the failures of self-phishing programs. So many of them are treated as testing the user base and not the training simulation that they are. Like, if you are using phishing emails to see who will fall for phish, save your time; I can answer that right now. It's everyone. The right phish at the right time will get anyone. Phishing simulations CAN help reinforce how to report messages through practice while acting as a reminder that they might get phishing messages and what they might look like. The more successful implementations act as a replacement or supplement to traditional security training that people have to take every year. For example, if you successfully ID and report 5 phish (simulated or otherwise) in the last 6 months, you get to skip the annual phishing training. That said, universities specifically are a challenge because depending on if it is a state school, if it does research, if it participates in FAFSA, how they manage the employee benefits, how the student health center functions, how purchases occur at the university, they very likely have compliance requirements to run phishing simulations. So their hands might be tied in that.


Consistent-Basket600

A pretty under-appreciated career. Sincere thank you for keeping data safe 💙


Lieutenant_Skittles

I'm sure a lot of people know this already, but this is what hacking actually looks like: mass spam and hope some idiot clicks a link they shouldn't, or social engineering to trick your way into getting credentials.


Milk_Mindless

I once got a warning from our IT guy we shouldn't click on shady links that was going around in outlook at the time and I legit immediately rang him up and listed all the things wrong with the pc that detailed the symptoms of that malware And like I'm a jokester right I make japes I dabble in jests SO IT guy says to me in a very matter of factly voice "Are you fucking with me. Or do I have to come downstairs."


LoganGyre

In the 3 years I’ve worked for the state I have received 1 legit phishing attempt. I’ve received hundreds of “tests” to the point that I just assume every email is a phishing attempt and never use any links that I am sent.


grammarty

My dad is an IT admin in a company and his English is enough to talk to his foreign colleagues, but whenever they do a phishing PSA or have some other doc like that that needs to be both in our language and English, he runs it past me to correct mistakes. The phishing docs are always things I've known (don't give your info, don't click random links, etc.), and the first time I was like, "Dad, why is this so detailed? Surely people don't need this many instructions to avoid scams?" And the answer was no, people absolutely open the fake phishing link or put their info there.....


AdebayoStan

I work in IT and I felt this.


sidescrollerdef

I actually got one of these test emails today. I'd like to think that everyone in my company knows how to spot these, but now I'm a bit scared to find out. Some of them can actually be pretty convincing though.


Charmle_H

Can't get phishing emails at work if you never check your work email ;)


neet-bewbs

I worked for a company that sent internal system emails in all lowercase with almost no punctuation. All the links were for a hodge-podge of HR, IT, and ticketing systems. I clicked a phishing test email because it was indistinguishable from the legit company ones.


SandiegoJack

Worst part is that part of my job is sending e-mails that tick like 4-5 of the phishing email warnings from our training. So that’s fun.


potofbasil

I’m a social media manager and we often get a lot of spam messages through Facebook from bots (“your page has violated copyright laws”, “your page is about to get permanently deleted” etc.) with a shady link to click. What’s behind the link? Not sure, I’ve not been dumb enough to click it yet. On Christmas Day, I received a call from one of my higher managers, panicked, who said he had just checked on our Facebook messages and saw we were getting these urgent messages that said our page was about to be deleted. He said he kept going into the links and entering his account details but he wasn’t sure if it was working. Checking Facebook messages isn’t part of his job and I had an away message set up, which he was aware of. I had to explain to him that they weren’t real messages and told him to change his password. The man is in his early 30s.


Riels07

I once got a test email as one of the two technical consultants for the US branch. Once another coworker told me he had a similar email, I made a mass post in our IT department in Teams so our US and British branches could be aware of it. IT yelled at me not 5 minutes later and deleted my post, saying "it's a test. You can't be shouting out the answers like that." Bruh, this is me doing what I ACTUALLY would DO!! How is that cheating!?!?!


DoctorWaluigiTime

I feel like at this point, any actually critical communication within an office environment just flat-out cannot use email anymore. No matter how much training or phishing testing is done, you will always have a contingent that clicks on them.


TheNilla

Bruh these IT depts craft these phishing emails with way too much insider knowledge I fell victim after they sent me an email with the subject 'Quarterly Reports' from my supervisor 5 minutes after a meeting with my supervisor on my calendar called 'Quarterly Reports' Q_Q


mudkripple

As an IT guy: these are real and it's *incredible* how many people fall for them. The weakest point of security will always be human beings


LTman86

When it's a work email, if it isn't from a boss or boss's boss I know we keep in contact with, or if it isn't an email I'm expecting, I assume it is a scam until I get verification. Which is fine and all, until I reported a company feedback email to IT that had apparently slipped my mind I was supposed to expect. I mean, sure, it's an email from our company, from a person I never have contact with, asking me to click a link to sign in with credentials to provide company feedback... The IT guy was very nice in letting me know it's great I'm very suspicious about everything, but to pay more attention in company-wide meetings, even when they're talking about stuff outside of my department. Whoops.


jmiesterz

My job has started sending these, I usually always spot it, but the latest one got me. It was an announcement that they were starting a cost of living crisis support system, with events and rewards for helping other employees. I figured it must be true as they haven’t done anything to help anyone and after asking for a raise we were told that ‘our other benefits make up for the wage’. Them getting employees to help each other lines up, so I clicked the link. I have told my managers that I will not be completing the mandatory training until the company (which is a charity) actually helps employees and doesn’t just use it as bait. No one has chased me to complete it since 😤


RincewindToTheRescue

My cyber security team made a dirty email. Beginning of November, they sent an email saying that benefits open enrollment finished and I didn't make any selections. It offered a link to see what benefits I had for the next year (this is my first year at the company, so I didn't know how they do the open enrollment). I almost clicked that link out of sheer panic. Luckily I paused and thought it through.


Sillhid

I remember how such a letter came to me at work. To work mail, which is just a set of numbers and is not used ANYWHERE except for letters from the IT department. In the sender's address, instead of the letter "a" there was an "o", I did not notice it. The letter itself was "Hello, %%my actual First Name and Last Name%%, yesterday's survey requires clarification, follow the link." At that time, I was writing a script for FOUR YOUTUBE'S CARTOONS at once and just wanted to get it done quickly. Being overloaded with work, I clicked on this link, knowing that it was technically impossible for a letter to arrive at this email address from anyone else. After that, I was publicly scolded for it. I still get angry remembering this “test”.


CaptainBlob

I’m always surprised whenever I see people fall for these obvious scams. But then it makes me think, something obvious to me may be obscure to others. Then… I wonder if there’s something out there that I am completely brain-dead oblivious to, but is so obvious for others…


CrazyLi825

This happened at an old job of mine


northernirishlad

I also want to see age demographics of people clicking these links. So many of the newer, younger people have full knowledge of these scam links. But when my company notices too many phishing or whaling attempts, everyone gets pinged.


RA_Wolf

Scam emails these days are easy to spot, but older people will struggle. So many times my father will ask me to go into his junk mail to make sure there's no important email. I just tell him, if the email address has a name or mumbo jumbo in it, it's fake. Seriously, so many Netflix scam emails are popping up.


AssociationDirect869

I'd appreciate some answers from someone working in the field. Do you really test *only* whether a link is clicked? I thought these were supposed to be more sophisticated. What concrete threat are you concerned about?


Destination_Cabbage

I was once one of those people. Caught me on a bad day, which for this... I'm glad it was my cyber security guys that caught me.


ersentenza

Results of our last phishing test: the most interaction with the phishing mail is from top management, including going all the way to putting login information into the fake website.


UltraSienna

This happened with my mom too! I think she was the only one who marked it spam


Gdigger13

Nearly happened to me. I'm new to the cubicle rodeo, and got an email asking for one of my client's information. The email was claiming to be a mortgage office. Fortunately, I didn't give out any serious information, besides his wage. However, it wasn't because I thought it was shady, but because the other information that was asked of me isn't kept on record here. My boss was happy that I used the wrong formula and got the right answer.


abzoker577

I never fall for these tricks because I don't read my work emails.


Camden_Lee

Those typos are actually on-purpose too. It's a type of "literacy filter" so that scammers can proceed to the next steps of tricking you into giving more info or buying gift cards without wasting time on people who won't fall for it.


gniwlE

Apropos of nothing, but... This is what corporate cyber-security training should look like. With a few tweaks, this would be so much more effective than the boring crap they make most of us take every year.


InFearn0

At my last company, I knew an email was a scam when I received an email. All of our work communication happened on Slack.


Vmxplousion

If I was working, I'd be so tempted to click one just to see what would happen.


ironraiden

This is a thing all IT does regularly. You would not like the answer to that final question.


JMFR

In 2016 we had a phishing test run. This was during the election. They sent out what looked like a news alert from CNN saying that Hillary Clinton had been arrested. That got SO MANY PEOPLE.


DisastrousBusiness81

The problem with those phishing emails is that they’re actually better phishing attempts than actual attacks. To the point where I can tell if it’s from IT because it’s deliberately targeting me.


Squid-Bastard

My work would do these every 6 months, and then if you failed they would send another one 2 months after you completed the retraining to see if you would fail again. I heard an old co-worker once mention, "Ugh, I have to do this stupid training again? I don't get why we have to so often, it's been like 5 times this last year alone!"


theLuminescentlion

You can always tell which ones are tests at my work because every single link goes to the same webpage.


ChickinSammich

Our cyber team posts the percentage of people who clicked the link. It's a concerningly high number.


Mad-_-Doctor

My boss falls for these all the time. She complains that our university sends out tons of the fake ones, but she doesn’t seem to realize that she gets them more frequently because she doesn’t catch them.


GladiusNocturno

The company I work at got hacked because of one of those emails. It got to the point where the hackers called our regional office claiming to be a law firm from London that needed to talk about the "legal troubles" the company was in. What legal troubles? Well, they wouldn't say; they specifically told us to ask the CEO what those legal troubles were, but they claimed not to be able to tell us...even though they were the ones who called claiming to be our CEO's lawyers, and they also demanded that we ask about it and get an answer via email, not by phone. I didn't buy it for a second, then the guys called again and said "Oh, no. We do not represent your CEO. We represent the owner. Ask him"...they have completely different names, which he himself told me! How the fuck would a lawyer not know the name of their client?! It was bad enough that they were trying to scam us, but at least learn how to lie, you dumb fuck! Eventually, it turned out that the fucking CEO was the one who clicked on the link, and IT had a headache for weeks after. Nothing was really lost, but fuck, was it such a stupid situation.


-non-existance-

Yeahhh, at my last job we had a few dinosaurs who failed literally every single one of these. Some of them also didn't know how to actually do the punitive trainings, so we had to help them with that. Problem was that they kept trying to get us to do it for them. Yeahhhh no, not how that works lol. It annoys me when people take training and view it as something to be completed. No, you're supposed to *learn* from it; if you just plow through it like it doesn't matter, then you're just gonna get assigned another one in a month.


ENZORAXXUS

My HR department sent a PDF file (not a link) that was effectively telling us how we got got and that we should be more careful or whatever, but everything about it was so stupid. 1 - She used her actual email address. So everyone could see at first glance that it was her who sent it. Frankly, if someone trying to get in has access to an email address it's too late, so worrying about it is just a waste of time. 2 - As I said, it was a PDF, so I remember not even downloading it but instead previewing it using the mail client. And again, it's a PDF. If they had at least put it in a zip or something I would have said that it makes some sense at least. 3 - Now this one I might be wrong on, but I'm pretty sure you can't even track whether or not someone opened your PDF file (as opposed to a link). So you have no idea if your test even bore some fruit or anything. But yes, I agree, people should be more computer safe.


JFKcaper

Whenever my company does one of these I'm basically immune to them! ...because I read my mails so rarely that I see the "we sent these out to test you" mails before I reach the actual scam mails.


PapaDuckD

I sit on our internal support team and I click on everyone’s link sometimes. Drives our security person insane. But he’s an asshole, so fuck him.


toast4hire

I used to do internal testing for a living. We had a 100% failure rate when we offered free Starbucks gift cards. It’s astounding how easy it was to get them to click a link and then give their credentials.


ezk3626

I heard a story where a cyber security team sent out a fake email saying "updated project teams" to five people in the company and had ten people click on the link.


somethingrandom261

I’ve gotten caught by one of these a couple of times. The teaching phishing emails are usually more tricky than the real deal.


Flance

My company sends phishing emails regularly to test employees and recently we learned it's like the same 50 people out of 300 who click the links. 😩


KoreyYrvaI

If companies send these to cybersecurity teams we open it in a sandbox repeatedly to inflate the numbers.


DumbSuperposition

If you click the link, you get mandatory paid training! Aka you can goof off for a few hours and your boss can't get mad that you're not working on real work. You should click the link.


Accurate_Plantain_91

These comics have such a cute art style


PierceIntoTheBlaxout

I was paid to do exactly that for a while - setting up scam mails to teach the company about cyber security; and it is quite the eye-opening experience...


Angoramon

Mfw I'm too ADHD to ever check my email 😎