Ask Slashdot: How Harmful Are In-House Phishing Campaigns?

tiltowait writes: My organization has an acceptable use policy which forbids sending out spam. Every few months, however, the central IT office exempts itself from this rule by delivering deceptive e-mails to all employees as a test of their ability to ignore phishing scams. For those who simply delete the messages, they are a small annoyance, comparable to the overhead of having to regularly change passwords -- also done largely unnecessarily, perhaps even to the point of being another bad practice. As someone working in a departmental systems office, I can also attest that these campaigns generate a fair amount of workload from inquiries about their legitimacy. Aside from the "gotcha" angle, which perpetuates some ill will amongst staff, I can't help but think that these exercises are of questionable net value, especially with other countermeasures, such as MFA and Safelinks, already in place. Is it worth spreading misinformation to experiment on your colleagues in such a fashion?
This discussion has been archived. No new comments can be posted.

  • by Known Nutter ( 988758 ) on Tuesday April 27, 2021 @10:14PM (#61322276)
    Much like law enforcement view citizens not as partners, but as adversaries, managers (IT or otherwise) who use programs like this do not view people as colleagues, but as adversaries.
    • by Kryptonut ( 1006779 ) on Tuesday April 27, 2021 @10:35PM (#61322338)

      interesting mentality

      However, my motivation for attacking things where I work (part of my role) is to make them more secure. Not to "catch people out" or piss them off, but to make the environment as safe as possible for our users by finding a weakness, whether it be system or human - and secure / educate.

      • by xalqor ( 6762950 )

        That's good in general, and I applaud your approach of checking everything for the purpose of fixing it. But this method of sending out the bogus emails is not useful.

        Phishing will always be possible when 1) people are able to follow links to websites, whether from email, ads, social media, QR codes, etc. and either 2a) users log in to websites with passwords, or 2b) users are accustomed to entering sensitive personal or business information into websites without logging in.

        So in this case, you already know

        • Still can't figure out what this FP thread is supposed to mean. In particular the FP itself is hard to interpret. The first reply seemed to challenge the style of thinking, and I couldn't even figure out who the second reply was responding to...

          However the topic reminded me of some security training. The company was trying to avoid being adversarial, though I think the premise of the FP was that the employees are supposed to be (or accustomed to being?) adversaries of managers and other authority figures. H

          • >the employees are supposed to be (or accustomed to being?) adversaries of managers and other authority figures.

            Seems reasonable considering that the typical salary negotiation, and all other financially-related aspects, of many (most?) employee-employer relationships are fairly adversarial, especially in corporations and institutions where the executives are insulated from dealing directly with the employees whose suppressed wages inflate their own.

        • Wait, so I am NOT going to get $10M from a Nigerian prince who needed my help freeing his accounts tied up in escrow? But I sent $900 to his attorney!
        • >2) training on how to know you're at the correct website -- NOT training in how to identify scams, which is much harder.

          Unfortunately, that training is useless unless used. And most people get complacent *very* quickly.

          If you want people to watch their back, telling them to watch their back is unlikely to be effective in a mostly-safe environment. To get people to continue to watch their back over the long haul, that behavior needs to be regularly reinforced with danger they avoided.

          To that end ro

      • Re: (Score:2, Insightful)

        by Anonymous Coward
        So if your motivation is to "make the environment as safe as possible", I trust that means you avoid sending any real emails asking your users to "click here to do X"? Because that is my biggest problem where I work. They send out fake phishing emails and if you slip up and click, you have to waste time with training. But then they send out real emails and when you don't click the links in them it's all "WTF WHY ARE YOU NOT CLICKING THE LINKS IN THE EMAILS???" Bitch, you just got done teaching me to not
        • That's pretty funny. Just remember this saying:

          A students end up teaching;
          and B students end up working for C students
        • I used to respond to all e-mail containing a click-a-link with a request, copied to the company president, the hopeless desk, and the company General Counsel, for a copy of the Risk Assessment in respect of sending the request to click and the target website.

          The same applied to any requests to consent to a "Privacy Notice". I required that disclosure be made of exactly what private information and the use of any private information that was in addition to the consent already given by virtue of being an emp

        • Maybe you should pay some attention to the training instead of dismissing it as a waste of time, as you may then be able to distinguish between the real email and the fake email.
    • by rickb928 ( 945187 ) on Tuesday April 27, 2021 @10:43PM (#61322356) Homepage Journal

      In systems security, your colleagues, employees, vendors, partners, executives, and contractors are ALL adversaries. All of them are able to defeat the best of your defenses. In a moment.

      I get these tests at least monthly. If I open one my managers and VP get notified. I get enrolled in anti-phishing training, again, and am warned that repeated failures can result in other sanctions, including dismissal.

      Some years ago I found our code repository entirely encrypted, not by us or me, or our company, but by a virus. A virus introduced by a user's laptop that had become infected because that user found a way to disable antivirus protection, and operate on the Internet without using the corporate VPN, so their child could play a game. Yup, a game.

      Today it is even easier to be taken advantage of. It's so bad I can't even email my own W-2 to myself, not even my corporate email, since in fact the process is not entirely internal.

      Truth is your users are a proximate threat. Do you test them at all? You ought to. They will screw you and not even know it.

      • by gweihir ( 88907 )

        In systems security, your colleagues, employees, vendors, partners, executives, and contractors are ALL adversaries.

        Not quite. Adversaries are intentionally acting maliciously. The people you list may be doing that, but that is not the issue at hand. This is a second, different problem and a far worse one in some regards. In the given context, these people are properly classified as risk items due to limited understanding of the IT systems they use and (unfortunately) operate.

    • by gweihir ( 88907 )

      Generally not true for IT. IT will regard users as a risk item. That is different, because it means users can be assisted and educated. But users these days handle IT systems they are not qualified to handle (due largely to MS crap being prevalent, nothing better is available or mainstream enough to replace it), because these systems are insecure and require a user with some IT security awareness to work securely.

      Of course, eventually this will need a tech fix, like secure office software, signed e

    • by clovis ( 4684 )

      After reading the comments, I suspect that this article is not a question, but rather was submitted by an employee of the loginshield company that is advertising a few posts down.

    • by ytene ( 4376651 )
      Actually, I think it might be more accurate to say that

      "managers (IT or otherwise) who use programs like this do not view people as colleagues, but as potential vulnerabilities in the organization's technology fabric that need to be regularly tested."

      I do appreciate that I'm splitting hairs here - and I don't do this to just blindly argue with you: I think the distinction is important. Managers have to accept that the personnel in their organization are assets of value, but they are also targets - whe
      • There's another aspect as well - all the training in the world is useless if it doesn't get used, and in the absence of an ongoing threat most people get complacent quickly.

        Semi-regular phishing tests can provide that ongoing danger, even if the only real danger is a smidge of public shaming in the form of a talk with the IT people, or perhaps your gullibility ranking in the company Hall of Shame. Highlighting those employees who need additional training (or to be let go because training doesn't help) is almo

    • Much like law enforcement view citizens not as partners, but as adversaries

      You mean people like you fall for the spotlighting and cherrypicking fallacies and who say "Don't snitch", say "defund the police" or "abolish the police", and "I don't know who to root for the police or the criminals", or "That pig shouldn't have shot that 16 year old girl who was only trying to stab another teen girl." People like you are adversaries.

    • Do any of you know your coworkers? If you're in a corporate environment you have a very large percentage of coworkers who couldn't spot a really good phishing attempt at all and they will click on the links and load malware on their system. My company does these same tests and I've seen more and more coworkers becoming better aware of what to look for. This is a good educational tool IMO. Before they tried these tests they tried training via the normal online training classes. That just didn't work for th
    • The issue is how the IT managers deal with the flaws found from their phishing testing.

      Do they use it as a gotcha to find a way to punish people who are in non-compliance?
      Or do they take the data and, say, break it out by department to see how well their training is being deployed? If you see that, say, the Finance Team is the biggest offender, while the Marketing Team is good at dealing with them, then we have good information to try to figure out why Finance is having a problem while Marketing is good at it.

    • That or a good way to train staff on how to recognize phishing attempts.
    • Helping people to not damage the company and, by the way, detect phishing in their own personal email, and possibly help friends and family not fall victim to these attacks is not "adversarial".

      You can't train phishing with an annual online course - you need to reinforce behavior for people who are sifting through their email months and months after the training. Real world examples help users.

  • by Kryptonut ( 1006779 ) on Tuesday April 27, 2021 @10:19PM (#61322292)

    Internal phishing campaigns, if carried out well, help to boost user awareness of potential threats. This reduces the likelihood of an outbreak because users are naturally wary of clicking on random stuff already as a result of previous internal campaigns (which help identify those who need a bit more training on the topic).

    I remember at one place I worked, we used to get a lot of users asking for malware infected e-mails from "FedEx" for unclaimed parcels, knowing full well they hadn't ordered said parcels. FedEx isn't exactly a hugely popular carrier here either.

    • Not only that, it gives you an indication of how good your staff are at noticing scams and if your training is effective or not.

  • by DesertNomad ( 885798 ) on Tuesday April 27, 2021 @10:22PM (#61322302)

    I see nothing about colleagues and adversaries.

    My company announced some time ago that they'd be occasionally sending out pseudo-phishing emails. It's good for me since I see so many emails a day, it's good for the company to heighten others' awareness to the potential attacks, and having some small experience with the attack vectors and damage that can happen, it's appropriate for my IT people to do so. We have a lot of clients for whom a leak could be problematic.

  • Beneficial. (Score:5, Interesting)

    by gurps_npc ( 621217 ) on Tuesday April 27, 2021 @10:24PM (#61322304) Homepage

    Just one employee clicking on stuff they should not can destroy either/both the company and that employee's life.

    I can attest to that. I just spent over 30 hours convincing my bank that no, it wasn't me that took out thousands of dollars from over 10 ATMs and that NO, the fact they had my PIN code did not mean I was responsible and that no, it was not possible for me to physically be both at an ATM and in an airplane at the same time.

    No emails involved, but ID theft is the commonest crime nowadays. Little risk of being caught, high potential return.

    • Just one employee clicking on stuff they should not can destroy either/both the company and that employee's life.

      If it can happen that easily, then there is a more serious problem with the infrastructure.

  • You tell me. (Score:5, Insightful)

    by geekmux ( 1040042 ) on Tuesday April 27, 2021 @10:33PM (#61322332)

    "Is it worth spreading misinformation to experiment on your colleagues in such a fashion?"

    Guess that all depends on one thing; How bad is the user clickrate?

    Companies deploy these kinds of things for a reason. TFS actually conflated the issue with an internal anti-spam policy, which is not the same thing (related, but different).

    If you're questioning whether you could benefit from or even need an anti-phishing campaign, there are many other metrics that will help guide you, but none are likely as effective as real live training. Do you need it? You tell me. Every user community is different. The clickrate stats will show you.

    As far as the value of that training, again you tell me which is worse; the temporary shame and guilt of reminding a click-happy employee of the dangers of phishing emails with a few minutes of remedial cybersecurity training...or the permanent pain and guilt that employee will carry, knowing it was their untrained click-happy ass that brought down the corporate house and everyone's job with it, by being patient zero with a ransomware infection.

    Mitigations like MFA and URL scanning are good, but the problem with purely relying on technology? Society has unfortunately gotten really good at building a better idiot.

    • by xalqor ( 6762950 )

      You don't need to bait employees with your own phishing email to know if you have a phishing problem. You can just deploy all available technical measures, and provide all employees with good training, and then monitor for incidents.

      Let's consider other kinds of human problems: do you bait your employees with fake bribes, or do you audit your purchasing process and remind them that accepting bribes is against company policy? do you bait your employees with sexual advances to see if they'll do some quid pro

      • Baiting them helps to educate them. As long as you don't have idiotic punishments or embarrassment attached to it, just training and education. They should also be accompanied by good hygiene throughout the department to make sure communications never appear to resemble dodgy phishing campaigns. These campaigns exist now because they work.
        • by xalqor ( 6762950 )

          You can literally do the same education, in a class/training format, without baiting them like that. You can show examples of phishing emails, you can do a little interactive "spot the scam" game, etc.

          I agree there shouldn't be any idiotic punishments for training mistakes if you do bait them, but that whole activity is unnecessary because there are better ways of solving this problem.

          The number of sites most employees actually need to visit to do their jobs, is usually very limited, and changes infrequentl

          • Class and training formats failing as a method are why this method exists. Users ignore or pay little attention to training, and in many large organisations real world tests with real world consequences (like additional training) are by far the best option. This is a positive human process that has proven to work, especially if done right; classroom and formal training has proven to be far less effective.
      • by bws111 ( 1216812 )

        Those comparisons are stupid. Getting phished is a result of carelessness, not an intentional action. Accepting bribes, etc, is an intentional action. Everyone THINKS they are not careless and phishing can't happen to them. Tests like this show that they CAN be careless, and that there are consequences for that carelessness. And no, classroom training does not accomplish the same thing (as can easily be shown by the fact that we get trained and people still fail the tests).

        As for other types of tests

      • Yeah, but you ALWAYS have a phishing problem, because a certain percentage of your employees NEVER learn. Ever.
        The best you can hope for is to train them to forward anything suspicious to the security department as a CYA. That way, if they get nailed for not opening something, they can claim they're following procedure and found the original suspicious in some way.

      • and provide all employees with good training

        Also known as wasting a ton of your employees' time by teaching them something they already know. Again.

        You test the employees to filter out who needs training and who does not. I already have many hours per year of stupid mandatory training. I don't need more so that you can make a Slashdot advertisement for your product.

        do you bait your employees with fake bribes

        Yes. Purchasing isn't the only place where bribery causes problems. In fact, purchasing is probably one of the least-damaging places for a bribe. If it's successful, you paid a bit m

    • by Distan ( 122159 )

      > How bad is the user clickrate?

      My clicks are meaningless. The "fake phishing" links our IT department sends (or more specifically the subcontractor sends) are obviously fake. My personal policy is to never click phishing but always click fake phishes. Sometimes I just write a script to do repeated wgets of the phish link from hundreds of systems as a "poor man's DDoS".

      The only thing my click means is I caught *IT* trying to trick me.

      • by GlennC ( 96879 )

        I do something similar, but less malicious.

        When I get the "fake phish," I follow our organization's policy and forward it to IT Security with a note that tells them I may click on the link out of curiosity to know what their "nasty-gram" says.

        It helps that our Information Security team is more focused on education than on punishment.

      • > How bad is the user clickrate?

        My clicks are meaningless. The "fake phishing" links our IT department sends (or more specifically the subcontractor sends) are obviously fake. My personal policy is to never click phishing but always click fake phishes. Sometimes I just write a script to do repeated wgets of the phish link from hundreds of systems as a "poor man's DDoS".

        The only thing my click means is I caught *IT* trying to trick me.

        First off, purposely screwing around with/gaming IT security systems, should be against your corporate policy and the AUP.

        Secondly, you would have earned yourself about 742 hours of remedial anti-phishing training pulling a stunt like that.

        One of the main points of this kind of training is to continue to ratchet it up and make the email simulations harder and harder to detect, in order to prepare users for the real thing. If your system is failing to do that, then you're not really effectively training your

    • Guess that all depends on one thing; How bad is the user clickrate?

      That depends on another thing. How was the fake phishing email formatted? My company sent a phishing email around from the official corporate IT email address. Now no one will open emails from corporate IT. They're complaining that people won't click the link to take the training. For good reason!

    • Thanks for your comments. This thread has given me a few things to think about, although I'm still not totally sold on the concept.

      Some have compared this sort of exercise to a fire drill. We don't do those, at least without prior notification, for fear of freaking people out, like in the trauma [npr.org] caused by active shooter drills on children.

      Also, I've not yet fallen for one of these. Given how they come in with our URL checker stripped, having "phishing" tags coded in the image bugs, from domains openly regis

  • by Telephone Sanitizer ( 989116 ) on Tuesday April 27, 2021 @10:34PM (#61322334)

    I contract with a workgroup in a large enterprise where the IT department sends out similar messages.

    Corporate IT takes it a step further, requesting that anyone who thinks they've received a phishing message forward the message to an IT mailbox where the message will be examined by a knowledgeable professional. They added a button to Outlook to make it easy to do this. Anyone who receives a phishing message and does not forward it to the IT mailbox may be dinged. Enough dings and they'll have to take a 3 hour cyber-security class.

    Prior to this practice, I caught several users responding to phishing messages, mostly by virtue of the user having second thoughts and asking me about the message right before they hit "Send." Users in other departments in the organization were suckered by spear-phishing messages and wired thousands of dollars to scammers.

    Now, they're paranoid. Users ask me about every message that appears to be the slightest bit suspicious, and they forward messages regularly to the IT mailbox. Sometimes, the messages are legit. For example, a poorly-drafted notice of a software subscription renewal. But it's clear that most people simply can't distinguish these messages without help.

    Yes, sophisticated users are annoyed and critical of the distraction. But not everyone is a sophisticated user.
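
    The two posts above describe the same workflow from both ends: tiltowait's follow-up lists the tell-tales of a simulated phish (links the URL checker never rewrote, tracking images, freshly registered sender domains) and Telephone Sanitizer describes a "report phishing" mailbox where a human reviews what users forward. Below is an added example of the first-pass triage a reviewer on that mailbox might script; it is not code from the thread or from any product mentioned in it. It assumes the organisation's own mail domain is example.com, that Microsoft Safe Links is the link-rewriting service (so a link not wrapped in a *.safelinks.protection.outlook.com URL bypassed it), and it runs on a constructed sample message rather than a real one.

```python
# Added example (not from the thread): first-pass triage of a message
# forwarded to the "report phishing" mailbox. It pulls out the signals the
# posts mention: external sender, failing SPF/DKIM/DMARC, links that Safe
# Links never rewrote, link text pointing somewhere other than its href,
# and remote tracking images.
# Assumptions: example.com is the org's own mail domain and Microsoft Safe
# Links is the link-protection service. Both are placeholders.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

INTERNAL_DOMAINS = {"example.com"}  # assumption: the org's own domains
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> and src for every <img>."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def unwrap_safelink(url):
    """Return (destination, was_rewritten). Safe Links puts the real target
    in the ?url= parameter of a *.safelinks.protection.outlook.com URL."""
    p = urlparse(url)
    if p.hostname and p.hostname.endswith(SAFELINKS_SUFFIX):
        return parse_qs(p.query).get("url", [url])[0], True
    return url, False


def auth_results(msg):
    """Map spf/dkim/dmarc -> verdict from the Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            verdicts[m.group(1)] = m.group(2)
    return verdicts


def triage(raw_message):
    """Return a list of human-readable findings for a reported message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["from"].addresses[0] if msg["from"] else None
    if sender and sender.domain.lower() not in INTERNAL_DOMAINS:
        findings.append(f"external sender domain: {sender.domain.lower()}")

    for mechanism, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{mechanism}={verdict}")

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        collector.close()
        for href, text in collector.links:
            dest, rewritten = unwrap_safelink(href)
            host = (urlparse(dest).hostname or "").lower()
            if not rewritten:
                findings.append(f"link not rewritten by link protection: {dest}")
            # Visible URL whose host differs from the real target: the classic lure.
            if re.match(r"https?://", text):
                shown = (urlparse(text).hostname or "").lower()
                if shown != host:
                    findings.append(f"link text {text} actually points to {host}")
        for src in collector.images:
            img_host = (urlparse(src).hostname or "").lower()
            if img_host and img_host not in INTERNAL_DOMAINS:
                findings.append(f"remote tracking image: {src}")
    return findings


# Constructed sample: a lure impersonating the service desk, as the reviewer
# would receive it after a user hits the report button.
SAMPLE = "\n".join([
    'From: "IT Service Desk" <helpdesk@example-it-support.net>',
    "To: alice@example.com",
    "Subject: Action required: your password expires today",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-it-support.net;"
    " dkim=none; dmarc=fail header.from=example-it-support.net",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body><p>Your password expires today. Reset it here: "
    '<a href="http://login.example-it-support.net/reset">https://portal.example.com/reset</a></p>',
    '<img src="http://track.example-it-support.net/open?id=sim-42" width="1" height="1">',
    "</body></html>",
])

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

    Run as a script it lists six findings for the constructed sample: the external sender, dkim=none, dmarc=fail, the un-rewritten link, the mismatch between the visible URL and its real host, and the remote tracking image. None of these alone proves a phish (a badly drafted renewal notice will trip the external-sender check too, as the post above notes), which is why the output is a list for a human rather than a verdict.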

    • by BeerFartMoron ( 624900 ) on Wednesday April 28, 2021 @12:12AM (#61322524)

      My wife's work does this as well, and there is a documented policy of what users should do with suspect mail (you forward them to a well documented internal email address, which are also the folks that run the tests). If you follow the instructions employees are given at training, you get prizes (cafeteria discounts, coffee gift cards, etc.). Fall for them and click the links, you get a minimal follow up training (watch a ten minute refresher video). It takes a few minutes out of her day once every few months. She likes them, says they are "fun". Wife is PhD, Director level; company is worth $50+ billion and routinely moves tens of millions per transaction.

      Point is, IT knows what they are doing and why. The employees know what they are doing and why. They've made a game out of stopping this and folks seem to enjoy playing.

      Their IT is not out to trick folks, not out to make folks look bad. They're saying, "This is 'Serious Business', but we as a whole are smarter than the bad guys and we can beat them. And there are PRIZES for winning!"

      • This is absolutely right. The point of phishing tests is not to catch people so you can say 'gotcha!' and scold them. This results in surly, annoyed staff who feel bad. Give training, let people know when they make mistakes but be encouraging, praise them for spotting suspicious emails (even give them small gift cards for scoring well on tests), and you'll better secure your systems, and ideally, have staff who are happier and more confident.
    • by xalqor ( 6762950 )

      Anyone who receives a phishing message and does not forward it to the IT mailbox

      Doesn't that seem unreasonable, when the IT department can already read everybody's email and just do this for them? You'd have to do that to find a phishing email they received and ignored, right? Or better yet, IT could deploy technical solutions to protect users (and company assets).

      • Because in a real company, you don't want the IT department to be able to read other users' messages (at least not without leaving a log trail, and having to do some explaining later).
        Why would an IT professional need to read medical documents sent to HR?
        Why would an IT professional need to read contracts sent between parties?
        Why would an IT professional need to read his supervisor's emails?
        Not to mention the legal department...

        • by xalqor ( 6762950 )
          I was referring to automated email scanning solutions... unless your company is using Gmail or something, the IT dept controls the email server and can do a lot to reduce the number of suspect emails that even make it to user inboxes. Real companies also use anti virus that, guess what, looks at everybody's files on a regular basis.
      • by bws111 ( 1216812 )

        Seriously? No, the IT department is not allowed to read everyone's email. They can (and do) have automatic scanning for spam/phishing, but how do you think those scanners get trained? By people reporting stuff that got through.

    • by ranton ( 36917 )

      An additional benefit we have had is a move towards more SSO throughout the third party apps used by different departments. We found our click rate for fake emails coming from human resources were far higher than other departments. After investigating we found our HR department used a half dozen applications for time tracking, payroll, wellness programs, applicant tracking, etc. All emails from these applications were marked [External] by our mailing system, and each one asked for a username and password af

  • In other words ... (Score:5, Insightful)

    by fahrbot-bot ( 874524 ) on Tuesday April 27, 2021 @10:35PM (#61322336)

    Guy falls for in-house phishing email and is looking for a redemptive rationale for why the campaign was bogus ...

    I worked for a large defense contractor for 16 years and we were all required to take IT security training every year and were also subjected to these types of phishing exercises. I simply forwarded them to the security folks as instructed by the training. People fall for this stuff all the time, even with training, so deal with it, it's the company's network and systems and it's their job to make sure everyone is up to speed.

    My organization has an acceptable use policy which forbids sending out spam. Every few months, however, the central IT office exempts itself from this rule by delivering deceptive e-mails to all employees as a test of their ability to ignore phishing scams.

    They're not exempting themselves; it's part of their job. This *is* acceptable use for the central IT department. Stop being immature.

    • by gweihir ( 88907 )

      Guy falls for in-house phishing email and is looking for a redemptive rationale for why the campaign was bogus ...

      Pretty much. An instance of the more general principle "moron claims not to be a moron".

      As to enforced password expiry, they are not comparable, and it is known to be a bad practice. NIST and the BSI and others stopped requiring it a while ago. Some audit companies (large names) are late and still ask for it to be implemented, to the detriment of the customer:
      https://www.schneier.com/blog/... [schneier.com]

    • by tlhIngan ( 30335 )

      How about some positive reinforcement?

      My company has a button you click on phishing emails. I certainly can see an opportunity to make employees alert and willing to use the button if you encouraged its use.

      Employees who fall for the fake phishes shall be subject to further education and training.

      But those who report phishing emails should get something in the end. If you catch every test phish out there, you get an award (can be anything - doesn't have to be high valued, but something like a free doughnut,

    • it's the company's network and systems

      That's a straw argument. Ownership doesn't grant blanket authority to do anything they want do with their network and systems. It doesn't follow that my ownership of anything gives me absolute right to do with it what I please. Imagine a police department whose policy is for their officers to have cleared weapons in their holsters when they are in the station. By that argument it would be within the right of internal affairs to go up to an officer entering the station, and say "we're going to check that

  • For those who simply delete the messages, they are a small annoyance

    Our IT security training vids/quizzes say (often enough that they're clearly making a point of it) to never delete "suspicious" emails, but always report them through the internal site. My response is that I filter spam for a reason, and my job isn't to read dozens of spam emails to pick out the one they sent.

    Someday I'm sure they'll enact consequences on us for not wasting our time (if they can sell it to management).

    • Someday I'm sure they'll enact consequences on us for not wasting our time (if they can sell it to management).

      Of course, they're paying you for your time and to "waste it" how they see fit -- perhaps properly identifying phishing emails ...

  • These are actually good practice to have in place, especially if they are done properly and also handled in the correct manner. By that, I mean as a good method to understand the current risk levels the company is facing from phishing attacks aimed at their employees, and used for understanding the overall levels of security awareness employees have of the various threats that are out there.

    I am not sure if by the notion of the poster that such things are being done properly in this instance. Ideally, the compa
    • by gweihir ( 88907 )

      We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"

      Getting that fixed is the only real long-term solution. MS will not do it though, they have neither the ethics, nor the skills.

  • 0day
    • Yeah 2FA isn't going to help when the hacker has access to a logged in account, or can even wait until the user logs in.

  • by passionplay ( 607862 ) on Tuesday April 27, 2021 @11:00PM (#61322396)
    Making someone feel good won't fix a situation. MFA does not protect email. Any safety you have from automated systems is just an illusion. All it takes is one person to be convinced to bypass the security warnings. People are both your weakest link and your strongest asset. If you train your people, your organization will be invulnerable to people attacks. Now you just have to worry about the mechanical attack surface. That's a whole lot smaller and more straightforward.

    The math is simple. You are in a wild forest with random animals that could attack in any which manner at any moment, some of which are cute and furry. Do you train all your people? Or do you trust that the person you didn't train won't mistake a furry cute mogwai for the gremlin it truly is - once you feed it after dark and add water?

    Said differently: training is necessary for recognizing potentially harmful actions that may look benign. Even something as simple as an email is deadly as an attack vector because it has to be open to the outside. So you have to trust your people more than your machines to keep your business safe. Even if it means feeling bad for the "gotchas" - participation trophies won't hold back ransomware. Time to face the big bad world. Or if you don't believe me - run a honeypot and see what happens.
  • They are NOT bad practice, they are good practice. It is one of the best ways to raise awareness of phishing as users generally ignore training or any material sent out. The best ones of these then take any user that incorrectly clicks on a link to compulsory training they must complete.
  • by sg_oneill ( 159032 ) on Tuesday April 27, 2021 @11:04PM (#61322404)

    These are pretty much best practice, as long as it's done right.

    1) That the user is expected to report *all* phishing.

    2) That screw-ups are not punished, but that there is some sort of educational resource to explain the problem and how to avoid it. Don't humiliate your staff, that's a dick move, educate them.

    3) Have the program designed by a security professional, not some imbecile who probably buys dick supplements out of spam and wouldn't know shit about the topic.

  • by gravewax ( 4772409 ) on Tuesday April 27, 2021 @11:06PM (#61322410)
    As is demonstrated by the poster most users have a very poor understanding of security and the consequences of security failures. Phishing tests are one of the best means of education in the email space, especially when combined with real consequences like training for failing the test.
    • As is demonstrated by the poster most users have a very poor understanding of security and the consequences of security failures.

      And whose fault is that? If the IT team wants staff (like the poster) to take phishing training/testing seriously, they need to first educate that staff on why it's important. It's Adult Education 101. Adults don't learn well if you haven't explained to them how the thing you're teaching will benefit them.

      • Every organisation I have seen implementing this does this in conjunction with proper training. These tests reinforce what they should already know and be doing; they are not generally just thrown out there as random tests of stupidity.
  • by WoodstockJeff ( 568111 ) on Tuesday April 27, 2021 @11:14PM (#61322428) Homepage

    Local community college does periodic phishing messages. They're so badly done that anyone who falls for them really should not have access to any internal systems of consequence.

    But they also don't appreciate it when you point out that normal college correspondence makes it easy for well-designed phishing messages to be viewed as "real".

    I know because I complimented them on their phishing test message, with a detailed list of the discrepancies that made it obvious that it was a phishing message: domain mismatch, failed authentication of sender, and a link to an out-of-domain site where you were supposed to enter your college log-in credentials to continue.

    I later found out that it was a real, campus-wide announcement of required training. My dissection of their faulty message was not well received.

    • Reset my morning wonderfully.

      It's worth remembering that college IT staff are usually woefully paid, and therefore tend to be less than highly skilled.

    • Reminds me of my credit card company's fraud-notification emails... that have masked links pointing to a third party domain.

      WHY THE FUCK ARE YOU LINK TRACKING EVERYTHING, MASKING THE LEGITIMACY OF YOUR MESSAGE?

      At worst, host your own bloody link tracker or set up a CNAME.
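A defender-side check for the three tells WoodstockJeff lists above (domain mismatch, failed sender authentication, out-of-domain link), as an added example that is not code from anyone in this thread; the organisation domain, the header values and the message itself are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.edu"  # hypothetical organisation domain (assumption)

# Constructed sample, not a real mail: it carries all three tells from the thread.
# Authentication-Results is only trustworthy when your own MX added it.
SAMPLE = """From: IT Help Desk <helpdesk@example.edu>
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=mailer-example.net; dkim=none
Subject: Required training - action needed
Content-Type: text/plain

Please log in at https://training-portal-example.net/login to continue.
"""

def domain_of(header_value):
    """Lower-cased domain part of the address in a From/Return-Path header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def check_message(raw, org_domain=ORG_DOMAIN):
    """Return human-readable findings; an empty list means none of the tells fired."""
    msg = message_from_string(raw)
    findings = []
    # 1. Domain mismatch between the visible From and the envelope sender.
    from_dom, rp_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"domain mismatch: From={from_dom} Return-Path={rp_dom}")
    # 2. Sender authentication results that are anything other than pass.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"sender authentication: {mech}={m.group(1)}")
    # 3. Links whose host lies outside the organisation's domain.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode("utf-8", errors="replace")
        for url in re.findall(r"https?://[^\s<>\"']+", body):
            host = (urlparse(url).hostname or "").lower()
            if host != org_domain and not host.endswith("." + org_domain):
                findings.append(f"out-of-domain link: {host}")
    return findings
```

Run on a real message, the same three checks flag the college's own training announcement exactly as the comment describes, which is the point: the tells are properties of the mail, not of the sender's intent.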

  • You may have in-house TSA. If the password policy were sane and each phishing mail individualized with good context spear content as opposed to dumbass spamming. At best, this might be just some bullshit some PHB dreamed up, and IT BOFH being in malicious compliance. Just try to make peace if it's that. Worst case, it's a cargo cult process, one of the worst kinds of incompetence. Just fire your whole IT comprising of raging teenagers or something.

  • No community support is going to undo the reality that they are performing "fire drills" at work, and that you failed. No, it is not out of line that they perform these types of drills. It is protecting the corporate asset, which (in today's world) is all that matters to humans' well-being.
  • by Nuitari The Wiz ( 1123889 ) on Tuesday April 27, 2021 @11:39PM (#61322466)

    I'm part of the IT department where I work and I can tell you this, they wouldn't do it if it didn't work.
    There are a few companies out there selling security training that includes phishing tests. We decided to run a trial run to get an idea of the landscape.

    The results were far worse than what we imagined, with the worst being an employee that replied to one of the emails with his SIN number!

    Needless to say, we got approval to roll it out on a permanent basis. We have regular tests, a button that users can use to report suspicious emails and also run one-time tests. I'd much rather deal with an overly paranoid user that asks me to check if an email is suspicious first than with the fallout of a compromise. And if someone reports a phishing email that went through the filters, we can take action to delete similar emails from other users' mailboxes.

    We know for a fact that the training prevented the CEO's email address from being taken over through an OAuth authorization email (if I remember, it was some sort of password expiry reminder email). That email was sent to 5 other C-level executives.

    As for MFA, it isn't a cure to anything when it comes to phishing. It's trivial to add the MFA field to the page, then to use it to compromise the real account. MFA fixes passwords being leaked, not people entering them on bad actors' pages.

  • IT departments make this problem worse when they outsource crucial parts of their infrastructure. Suppose you get an email asking you to login to "www.BenefitsCompany.com / MYCOMPANYNAME ? userid=MY_EMAIL_ADDRESS". That looks totally like a phish! But it is legit because BenefitsCompany really is contracted to do this. To make it worse, the IT email system obfuscates links in emails so they are all "check.issecure.com ? LINKID=12345" so we can't even tell where they actually go! If the link is legit, t

  • All training requires a workload. If the employee is trained to think about, and potentially check mentally or otherwise if this makes sense, they won't make mistakes that easily.

    While I think that these emails are too easy to detect, I am pretty sure that these have a positive effect...

    (We actually have a "Report Spam" button, and if people press it on these emails they are thanked)

    • by gweihir ( 88907 )

      Indeed. And the training is done because it pays off. Sure, the "slave holder" type of capitalist never wants to spend anything on training, because they think workers are their property and generally "Untermenschen" and you should never, ever do anything that may help them as well. Just squeeze them to the max, same as a lemon. But these people are not capitalists at all, just vicious morons. Any good capitalist understands that only investments keep you competitive and training costs are investments.

      A

  • Unfortunately. As long as the prevalent email and document processing software is hugely vulnerable (the crap MS pushes out and will likely never get fixed), users are part of the defense system any company needs. Users are not security experts, not risk-management experts and generally have no clue how dangerous phishing actually is. Hence you need to train them on real examples and keep that up. And failing due care must eventually have consequences and weed those out that cannot do it or are unwilling to

  • Reminds me of a few years ago a company I worked for did this practice and sent out a fake IRS phishing email. Well someone within the company forwarded it on to the IRS thinking it was a real phishing email. Let's just say that the IRS had a "friendly" visit with the IT folks.
  • sadly necessary (Score:4, Informative)

    by Tom ( 822 ) on Wednesday April 28, 2021 @05:02AM (#61322998) Homepage Journal

    Information security is full of things that nobody really wants and that impact productivity, but that are sadly necessary. This is one of them.

    Phishing is one of the things where no effective technical protection exists. Filters can catch a certain percentage, but don't get close enough to 100% to rely on them alone. So the humans receiving those mails need to be trained. For two reasons, this cannot be done in one training or an occasional reminder:

    One - phishing strategies change over time, so people would encounter phishing mails that look nothing like the ones they were taught in training

    Two - there is a considerable difference between reading some slides about phishing and actually being the target of a phishing attack.

    Internal phishing checks are actually very similar to fire drills. You know, the one where everyone leaves the building in an orderly fashion once a year to have a chat on the parking lot. But ridiculous as it seems, if there's ever a real fire, evacuation will be more smooth and just save lives.

  • In addition to sending out phishing test emails, they also added proofpoint urldefense to our email. Now links that could easily be seen to be harmless, like this one:

    https://www.youtube.com/watch?... [youtube.com]

    become this:

    https://urldefense.proofpoint.... [proofpoint.com]

    Making it harder to read the URL and see if it's going to the site it claims to be going to is NOT good security.

  • Harmful? No. Annoying? Sure. The main issue I see with this is the same problem modern management seems to have in general, which is they are unwilling or unable to target the people that actually need the training more and instead do the general blanketing: 1 person needs more help than others, so everyone gets it. Where I work there definitely are a number of dumbfucks that click on everything, but whenever they do, the rest of us get hit with the punishment as well. I can't fire them and their managemen
    • And you identify the people who need help by...?

      I've seen plenty of smart people fall for phishing attacks. The easiest, least disruptive, and fastest way to identify them is to send out the occasional test email.

  • The "anti-phishing" practice which really hurts are things like "safelinks" or "urldefense" and friends. If you've not had the misfortune of bumping into this, it's mailserver side re-writing of email bodies that replace all URLs in an email with a hashed (and non-human readable) link to a redirect on the service providers website. Where, presumably, they're filtering out phishy links for you.

    Aside from violating the RFCs for what email servers are supposed to do with content (and breaking signatures), t

  • My past company did this so that they could keep a list of people for mass layoffs (Excluding higher ups of course). All HR would need to say is you failed a security test and no other reason was needed. Also would screw people over on unemployment.
  • ... but only when paired with training. We use Knowbe4. It allows us to quantify how secure our users are because it reports back who opened, clicked the attachment or link, etc. It lets us know who clicks when they shouldn't and who should be enrolled in remedial training.

    Heck, they even have the option of auto-enrolling users in appropriate remedial training when they fall for it.

  • At both companies that I worked at that had these campaigns they had to modify our own anti-phishing settings in order to allow the messages to reach us (either by adding the URL to safe links to download images or adding the sender's email to some global address list). Examinations of the headers of these "emails" also shows that they were intentionally whitelisted.

    I went ahead and clicked the links and then forwarded a screenshot of the headers back to my own I.T. department just to show that since they o

  • When someone is taking actions on behalf of the organization, the organization is taking that action. Denise in HR does your hiring paperwork, but she didn't hire you. Your employer did. You convinced your boss to give you a raise instead of your taking higher paying job elsewhere, but he doesn't pay you. The employer does.

    When the IT team sends out phishing tests, Belinda in IT isn't doing an experiment on you. Your employer is testing for key, organizationally-critical skills.

    I'm required to go through a

  • Internal Phishing is the equivalent of routine Fire alarm and evacuation drills. They are annoying, but necessary to ensure people know how to do the right thing when a real emergency strikes.

  • Without training, click rates on these exercises tend to be EXTREMELY high. If the question is, do these exercises help users not click on malicious links, then the answer is YES. That leads us to the second point...

    Phishing exercises can lead to some time spent dealing with the fallout if you do not have sufficient processes to support them (more on that in a moment), but what about the time that goes into responding to incidents resulting from user actions? Email is the number one vector for threats

  • Guessing tiltowait got caught clicking something they shouldn't at work and is a bit butthurt?

    Anyway, yes, they are worth it. The point of them is to help reinforce cyber security training. Most corporate training is in one ear, out the other, no matter how well written or engaging it is. You need to reinforce it so the users take it seriously. And sometimes a stick works better than a carrot. Joe in accounting might not care (until it happens to him, of course) if a bad guy might try to trick him into ch
  • I love in-house phishing campaigns. It becomes a perfect excuse to report most undesirable emails as SPAM. Unless I get an "all clear" response (50-%), I am REQUIRED to ignore the email and can prove it.

    Only hassle is, where do I charge my time? And don't say overhead, this was called for by the IT dept.
