this post was submitted on 17 Jun 2023
185 points (100.0% liked)

Memes

45884 readers
1587 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
 
top 12 comments
sorted by: hot top controversial new old
[–] [email protected] 2 points 2 years ago (5 children)

I quit reporting any emails at my job. Reported one from an outside source once, but it wasn't technically a phish. So I received mandatory online safety courses for "wrongly reporting a phishing scam". Which was the same courses I was already forced to take a few months prior. I was pissed.

[–] [email protected] 3 points 2 years ago

Are you kidding me? I would kill for a user base that over reports.

Better that than the guy who downloads taxformpdf.exe and runs it without a second thought.

[–] [email protected] 2 points 2 years ago

I safely opened an obvious phishing mail to see the tactics they employed - not realizing our company signed up with a company to “test” its employees. I was then required to attend mandatory phishing training - I refused on the grounds that I didn’t fall for the attempt. The “you must attend by” date came and went and I never heard anything more about it from IT. I, too, was pissed.

My favorite thing now is to report mails from the head of IT as phishing emails (e.g., “…we are seeing an increase in phishing attacks around this rando topic. Click here to learn more…”). Test me once, shame on me…

[–] [email protected] 2 points 2 years ago

That's gotta be one lazy IT team or a terrible training firm, if they're expecting training to "solve" phishing, at the cost of causing security fatigue on users.

What a terrible policy.

In my firm, we never raise a fuss over someone suspicious of phishing, because it's our job, not theirs.

If anyone was actually reporting so much that it's impacting firm time, yah don't sign them up for training, we just talk to them.

[–] [email protected] 2 points 2 years ago (1 children)

My workplace thanks us for reporting pretty much anything. What your place is doing is making people too scared to report. Smort.

[–] [email protected] 2 points 2 years ago

Any time a user puts in a ticket about something they aren't sure of, I thank them for being so careful and compliment their attentiveness. Makes them feel good and makes my life easier. Sure, lots of tickets are annoying, but dealing with people falling for shit is worse because they think I can fix everything.

[–] Tempiz 2 points 2 years ago

Your security team sucks. Users should be encouraged to report anything sus, even if it occasionally results in a false positive.

[–] [email protected] 1 points 2 years ago

Our phishing test emails have a special header so they are ignored by the spam filter.

I created an email filter that checks for this header and sends all emails with that header into the spam folder.

[–] [email protected] 1 points 2 years ago

Just automate it away. My job uses the phishing alarm button for reports, so I can't totally automate the process, but I've set up a rule in Outlook to put all the phishing test emails in a separate folder based on the headers. I can just let them sit there if I want, or just hit the report button without thinking twice about it.

[–] [email protected] 1 points 2 years ago

You deserve a raise.

[–] [email protected] 1 points 2 years ago

This is an effective method that I myself use.

[–] [email protected] 1 points 2 years ago

When someone sends you an email, by default you just assume it's fraud - Walter Wallis