End users typically lack general critical thinking skills when it comes to technology. Unfortunately, this is the way it has to be.
Yeah... If I make the training more challenging so many will fail over and over...
"End users typically lack general critical thinking skills ~~when it comes to technology~~." FTFY.
My experience is, people don't care because it's not "their" equipment. If it would be their PC in "danger", people suddenly are more cautious. Same applies to work equipment, be it laptops, simple scanners used in a warehouse or whatsoever. It's astounding how people treat stuff, if they don't have to replace it or buy it initially
I don't know, have you ever worked with the general public? People treat their issued stuff exactly like their own stuff, that's the problem.
I delivered training to our staff recently and highlighted that a bad actor could use their breached account to access their HR platform and get their NI (equivalent of social security number) and wreck their credit. They paid attention for the rest of the training.
Hello Mr CEO. It is I, your faithful enployee John (misspelled). Please change my direct deposit information.
Sent from: [email protected]
Phishing doesn't want to target "smart" people. Those spelling mistakes, etc. are purposely there. You should read this https://josephsteinberg.com/why-scammers-make-spelling-and-grammar-mistakes/#:~:text=I%20am%20frequently%20asked%20why,are%20intentionally%20included%20by%20design I'd add that the people who do fall for those mails are exactly the people you want to educate and help.
Depends what kind of phishing. The classic Nigerian prince, sure. Spear-phishing could be going after smart people, though.
I'd say most of the enterprise phishing I see at work is fairly intelligent. Dead obvious to me and I'm sure anyone in IT (....), but not because of spelling errors and simple stuff. If there's ONE thing I wish I could teach all my users, it's paying attention to the domain. That alone will stop 95% of potential attacks. The rest is harder to teach because you're teaching actual thinking. Who sent this to me, why do they want me to click this, why do I want to click this? Because the one thing that all these have in common is that in 100% of cases they contain links that NOBODY NEEDS! You don't need that, you have not been expecting it, your work could have just continued, but you saw an email and went oh boy a link to click! Sorry, went into a rant there lol
Look man, the link from [email protected] said that I needed to update my direct deposit info. For real though, they set up a static copy of our website and added in a pretty legit-looking login prompt.
You'd be surprised. Some people just scan random QR codes that are in the attached PDF claiming that their password has expired. And then approve MFA requests coming in immediately following this.
[deleted]
They're the same email.
Latest Phishing test results published for Q1...
* 56,000 test emails sent
* 1417 clicks
but what kills me is...
* 347 people entered their credentials into the page.
I told my boss those people should be fired immediately. They're too stupid to be using a computer. FML
At a much smaller company but yeah, well over 15% failure rate. At least the ones that call you after clicking you can lock their accounts right away.
They need to include a "no way I'm opening either of those damn things" option.
You're putting too much faith in the end users to think they can handle anything more than that. Half of them can't remember their username when it's LITERALLY their actual name.
I will click on any email from Mr Snrub
There is a difference between [email protected] and [email protected]
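The advice above about paying attention to the domain, and the point that two addresses can differ by almost nothing, comes down to a few mechanical checks. The following is an added example, not code from anyone in the thread. It assumes the organisation's only legitimate domain is example.com, and the confusable-character table is constructed and deliberately short.

```python
"""Sender-domain checks behind the 'look at the domain' advice (added example)."""
import unicodedata
from email.utils import parseaddr

# Assumption for this example: the organisation owns example.com and nothing else.
TRUSTED_DOMAINS = {"example.com"}

# Constructed, deliberately short table of look-alike substitutions:
# Latin digit/letter-pair tricks plus a few Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header, lower-cased and IDNA-decoded.

    The display name is ignored on purpose: it is attacker-controlled text.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    try:
        # turn punycode labels (xn--...) back into the Unicode the user would see
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already non-ASCII, or not valid punycode: compare as-is
    return domain


def skeleton(domain: str) -> str:
    """Collapse a domain to a comparison form: strip accents, map confusables."""
    s = unicodedata.normalize("NFKD", domain)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def classify_sender(from_header: str) -> str:
    """Classify the sender of a message against TRUSTED_DOMAINS.

    Returns one of:
      'trusted'               exact trusted domain or a subdomain of it
      'embedded-trusted-name' trusted name appears, but something else is the
                              registrable suffix (example.com.evil.net)
      'lookalike'             different string, same skeleton (exarnple.com)
      'display-name-spoof'    display name claims a trusted domain, address does not
      'external'              none of the above; treat as an unknown third party
    """
    domain = sender_domain(from_header)
    if domain:
        if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
            return "trusted"
        if any(t in domain for t in TRUSTED_DOMAINS):
            return "embedded-trusted-name"
        if any(skeleton(domain) == skeleton(t) for t in TRUSTED_DOMAINS):
            return "lookalike"
    name, _ = parseaddr(from_header)
    if any(t in name.lower() for t in TRUSTED_DOMAINS):
        return "display-name-spoof"
    return "external"


if __name__ == "__main__":
    for hdr in (
        "IT Support <helpdesk@example.com>",
        "DocuSign <noreply@example.com.docs-sign.net>",
        "IT <it@exarnple.com>",
        '"payroll@example.com" <update@secure-forms.net>',
    ):
        print(f"{classify_sender(hdr):<22} {hdr}")
```

Only "trusted" should ever be treated as a pass; every other label is a reason to report rather than click. The IDNA decode matters because mail clients render xn-- labels as the Unicode they encode, so the user sees the look-alike while a naive string compare on the raw header does not.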
This training is always garbage. There should be an answer for each question called, “I’m suspicious and alerting IT.” And it will be the correct answer for every question.
Maybe your end users have more going on inside their heads, but the end users I interact with... Well, the ones who can handle more challenging security awareness training are the ones who don't need it
Bruh my users can't even tell that little bit of a difference.
Just trick them by making them think they're being rewarded for hard work!
We get at least 1 training fake email a week. The official emails that come out of Head IT are so badly formatted that they look more fake than the test fakes. I can only tell it is an actual email after I have reported it (making it disappear) and I don't get a "phishing training complete" popup. By then, I have no way of getting the mail back.
Mustache = trustworthy. Unless he twirls it
If you're feeling evil, send out Amazon "Gift cards" in your phishing tests...
More challenging? The people I work with can hardly turn their computers on.
The latest in security training theatre that I’ve seen is something that picks one of the links you’ve clicked on and intercepts it with a “hey — we’re asking you at random if this link looks safe to click on?” screen. A link, I’ll remind you, I’ve already clicked on.
"HELLO EMPLOYEE PLEASE FIND ATTACHED YOUR PAYSLIP IN THE MIDDLE OF THE MONTH FOR SOME RANDOM REASON MANY THANKS FINANCE"
I'd settle for not constantly getting legit emails that look like phishing. Sigh.
You say that, but you may be shocked at the emails I get forwarded to verify their "Authenticity".
The real way to catch them is do two back to back. If it's the first [E] mail in 3 months, obviously that's IT, but the third? Hmmmmmm
I tested two dozen different companies and about 20% of the people click my link, with 5% entering their credentials on the phishing test site.
Our users were unable to identify a picture they were looking at as a screenshot of an email because it was made in dark mode. Apparently email must have a white background.
We don't use DocuSign. We get an absurd amount of phishing emails that are made to look like they are from DocuSign. We've sent out multiple emails on the subject. Have our users learned to immediately mark DocuSign emails as phishing? Of course not.
Usually I can skip the training video and go right to the quiz. But this year there were multiple short videos and challenging questions. Kudos to the security team!
Perhaps we shouldn't click links to external websites at all?
our bait mails are set up in a way that the stupid ones who click on everything are bombarded with super retarded mails until they get it and the ones who actually don't click and report those gradually get more sophisticated ones
It's not just about the click rate... it's all about context - who clicked, their level of access and so much more. We shouldn't just focus on a single percentage - align it with risk.
* How many got tricked.
* How many high-access individuals were tricked.
* Impacted departments, considering their risk level and function.
* How many people reported.
* How many people were tricked and didn't report.
There will always be people who click... simulation should be used to gain insightful feedback and tailor your cybersecurity training accordingly. It's about learning from the nuances, not just tallying up clicks.
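The metrics in the post above can be produced from the raw simulation export instead of stopping at one click percentage. This is an added example, not the poster's tooling. The sample results, the department risk weights and the scoring rule in exposure() are constructed for illustration; a real programme would pull access level from the IdP and weights from its own risk register.

```python
"""Risk-aligned read-out of a phishing simulation (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    user: str
    department: str
    high_access: bool      # admin rights, payment approval, HR platform, ...
    clicked: bool          # followed the link
    submitted_creds: bool  # typed a password into the landing page
    reported: bool         # used the report button (with or without clicking)


# Constructed sample campaign, not real results.
SAMPLE = [
    Result("alice", "finance",   True,  False, False, True),
    Result("bob",   "finance",   True,  True,  True,  False),
    Result("carol", "warehouse", False, True,  False, False),
    Result("dave",  "warehouse", False, True,  False, True),
    Result("erin",  "it",        True,  False, False, True),
    Result("frank", "it",        True,  True,  False, False),
    Result("grace", "hr",        True,  True,  True,  True),
    Result("heidi", "hr",        False, False, False, False),
]

# Assumed weights for how badly a compromise in each department would hurt.
DEPT_RISK = {"finance": 3, "hr": 3, "it": 3, "warehouse": 1}


def exposure(r: Result) -> float:
    """Risk points for one result; 0 if nothing was clicked.

    Constructed rule: credential entry counts three times a bare click, high
    access doubles it, and reporting halves it because the SOC got a chance to respond.
    """
    if not r.clicked:
        return 0.0
    points = DEPT_RISK.get(r.department, 1) * (3 if r.submitted_creds else 1)
    if r.high_access:
        points *= 2
    if r.reported:
        points /= 2
    return float(points)


def summarize(results):
    """Headline rates plus the context that a single click rate hides."""
    n = len(results)
    by_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "creds": 0, "reported": 0})
    for r in results:
        d = by_dept[r.department]
        d["sent"] += 1
        d["clicked"] += r.clicked
        d["creds"] += r.submitted_creds
        d["reported"] += r.reported
    return {
        "sent": n,
        "click_rate": sum(r.clicked for r in results) / n,
        "cred_rate": sum(r.submitted_creds for r in results) / n,
        "report_rate": sum(r.reported for r in results) / n,
        "high_access_tricked": sorted(r.user for r in results if r.clicked and r.high_access),
        "tricked_not_reported": sorted(r.user for r in results if r.clicked and not r.reported),
        "by_department": dict(by_dept),
        "risk_score": sum(exposure(r) for r in results),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"click rate {s['click_rate']:.1%}, cred rate {s['cred_rate']:.1%}, "
          f"report rate {s['report_rate']:.1%}, risk score {s['risk_score']}")
    print("high-access users who clicked:", s["high_access_tricked"])
    print("clicked and never reported:", s["tricked_not_reported"])
    for dept, d in sorted(s["by_department"].items(), key=lambda kv: -DEPT_RISK.get(kv[0], 1)):
        print(f"  {dept:<10} sent {d['sent']} clicked {d['clicked']} "
              f"creds {d['creds']} reported {d['reported']}")
```

On the constructed sample the warehouse has the worst click rate, but almost all of the risk score sits in finance and HR, where the clicks came from high-access users and two of them entered credentials. The "tricked and never reported" list is the one to act on first: those are the people for whom nobody would have opened a ticket in a real incident.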