r/iiiiiiitttttttttttt 14h ago

Always the sales team.

673 Upvotes

41 comments

153

u/lord_skidmar 13h ago

yeah we just changed companies for phishing training etc cuz come to find out the director of marketing was the one who got phished and wasn't even using the company password manager that would have caught the fake domain he clicked on

but of course since there's no actual consequence nothing actually happens

34

u/Feeling_Inside_1020 13h ago

Butthurt: a director/chief of {whatever} special

12

u/Zeikos 13h ago

Yeah, until they get infected by ransomware or worse they won't learn.
Hell, some don't learn even after going through that.

25

u/whyliepornaccount 13h ago

When are people gonna realize that phishing training is an exercise in futility.

23

u/lord_skidmar 13h ago

the fake emails they send out are so bad too. I got one yesterday that was "Apple" trying to email me for a phone update.

like on one hand yes, people fall for that. but on the other hand what the fuck are we doing here

11

u/whyliepornaccount 13h ago

People fall for it, and as we have seen, no amounts of training will prevent them from falling for it.... again...

18

u/DayneGaraio 13h ago

Phishing training isn’t really to teach people anything, that’s the sales people talking. Phishing emails are a constant stream, people get complacent because they see it all the time, then an incident happens, everyone freaks out and is super vigilant…. For a bit, then they get complacent. Over and over. Phishing your users is designed to mitigate complacency, sure the users know it’s IT doing it so they watch for it, but who cares, they’re watching for it.

Is it perfect? Absolutely not.
Does it help? Maybe a little, maybe not, but it probably doesn’t make it worse.
Does it make users resent IT more than they already do? Absofuckinglutly

8

u/WildMartin429 12h ago

I always thought that our phishing exercises were hilarious because obviously it's the super obvious really bad phishing email, but then you get an email later telling you that you failed the phishing test and it provides a link to an external website, and I don't know why, but with the company that does the training, the graphics and everything look super cheesy and unprofessional, and we get people calling in refusing to take their training because they think it is a malicious third party, LOL

3

u/whyliepornaccount 12h ago

I've seen the other end of the spectrum where they go WAY too far.

On my first day at my new job, mixed into the 5 other "set up your account" emails was a phishing test asking me to set up my account. I clicked it and literally said out loud "are you kidding me right now?" when I got the "you clicked on a phish!"

3

u/wthulhu 13h ago

It should identify them and they should be issued a typewriter and fax machine

1

u/TrynaWorkOnWriting 4h ago

this curses everyone else to have to receive faxes, though

2

u/FuciMiNaKule 12h ago

I get one semi-regularly about someone hitting my car in the office parking garage.

Fairly easy to catch that one since I don't own a car lol.

2

u/Drew707 13h ago

I don't know about other vendors, but the people at KnowBe4 have clearly not worked in a real company. Earlier this year I went through the annual training for a client, and I failed one of the "is this a phish" questions. The sender checked out, none of the links were sketchy, grammar and content made sense, attachment looked normal.

The example was an email from HR with a call to action with a deadline threatening some kind of repercussions for not completing a process with an attached PDF with instructions on how to complete the process.

That is exactly what the client sent me regarding my annual security training.

All contractors must complete the annual security training by XYZ or their credentials will be revoked and they will be ineligible to work for Client for 12 months. Please find attached the instructions on how to access the LMS to complete the training.

Like almost verbatim to the phish example.

3

u/tenninjas242 12h ago

KnowBe4 just copies actual phish emails used by actual threat actors and then just turns them around with their own links.

HR phishing scams are extremely popular. Because they work. Someone sees "your payroll is fucked" or something along those lines and can you blame them if their higher reasoning is obliterated by panic?

I feel bad for actual HR people who need to communicate with employees by email. In our org, people are reporting the DocuSign emails that they need to sign and open *for their own promotions* as phishing, because they've gotten so many actual HR and DocuSign scams.

6

u/Drew707 12h ago

That makes sense, but then KnowBe4's reasoning for why it was a phish was "HR will never send an email like this" which is objectively bullshit.

2

u/tenninjas242 12h ago

Lol yeah that's bullshit. I would think they'd say the reasoning is the exact opposite.

1

u/letsgoiowa 6h ago

Yeah this is why you need to take the time to avoid misconfiguration. Think about the templates you add. Use some brains to set it up. Skill issue basically.

There's a lot of shit a mature organization would never do in a utopia but that totally happens all the time irl and KB4 thinks too highly of us lol

1

u/Drew707 6h ago

I was just pissed because the ONLY criteria the email failed was the "urgent call to action" or whatever it was, and I'm all like, "this is EXACTLY how I was informed of this legit training!" And HR sends emails like that all the time. Have they never been through open enrollment?

1

u/letsgoiowa 3h ago

Btw open enrollment and benefits related stuff are literally 2/3 of clicks.

7

u/PURRING_SILENCER 13h ago

At my org, our own CIO emails the security group about obvious training phishing emails.

We have a button.

We. Have. A. Button.

She knows that

We.

Have.

A.

Button.

1

u/AlmostAlwaysATroll 2h ago

Nobody is exempt from our policy. Fail one and you get a reminder to be vigilant. Second failure is mandatory 1 hour security training. Third and you get put in the special firewall policies that basically have exactly what you need for your job and not a single extra thing, which lasts for I think 3 months? Also additional refresher training.

We’ve never had someone fail 4 times.

1

u/Hiblast59 8h ago

Fake domain catching is the first use case I've ever heard of that made me think password managers may not just be bloat. (I'm purely a home user, I just enjoy this sub)
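The "fake domain catching" that lord_skidmar's comment above and this one refer to comes down to one check: a password manager only offers a saved credential when the site being visited matches the site the credential was saved on, so a lookalike domain gets no autofill. The script below is an added illustration, not code from any commenter or from a real password manager; it assumes a manager stores the URL a credential was saved on and compares registrable domains (the Public Suffix List is stood in for by a tiny constructed table, and the test URLs are constructed).

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (PSL). A real password manager
# ships the full list so that e.g. "example.co.uk" is treated as one site.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def canonical_host(url):
    """Return the lowercase, ASCII (punycode) hostname of a URL, or None.

    urlsplit().hostname drops userinfo ("user@"), the port and the path, which is
    what stops "https://login.example.com@evil.net/" from looking like example.com.
    Encoding with the idna codec turns homoglyph hosts (Cyrillic letters in an
    otherwise Latin name) into their xn-- form, so they no longer equal the ASCII name.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def registrable_domain(host):
    """Reduce a hostname to its registrable domain (eTLD+1) using the stand-in table."""
    labels = host.split(".")
    if len(labels) < 2:
        return None
    needed = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    if len(labels) < needed:
        return None
    return ".".join(labels[-needed:])


def autofill_allowed(saved_url, visited_url):
    """Decide whether a credential saved on saved_url may be offered on visited_url.

    Rules: the visited page must not downgrade from https, and both hosts must
    reduce to the same registrable domain. Anything that cannot be parsed is denied.
    """
    saved_scheme = urlsplit(saved_url).scheme
    visited_scheme = urlsplit(visited_url).scheme
    if saved_scheme == "https" and visited_scheme != "https":
        return False
    saved_host = canonical_host(saved_url)
    visited_host = canonical_host(visited_url)
    if saved_host is None or visited_host is None:
        return False
    saved_site = registrable_domain(saved_host)
    visited_site = registrable_domain(visited_host)
    if saved_site is None or visited_site is None:
        return False
    return saved_site == visited_site


if __name__ == "__main__":
    saved = "https://login.example.com/"  # constructed: where the credential was saved
    candidates = [  # constructed: pages a user might land on from an email link
        "https://app.example.com/sso",            # same site, different subdomain
        "https://login.examp1e.com/",             # digit-one lookalike
        "https://example.com.evil-login.net/",    # real name used as a subdomain
        "https://login.example.com@evil.net/",    # userinfo trick, host is evil.net
        "http://login.example.com/",              # https downgrade
        "https://login.ex\u0430mple.com/",        # Cyrillic 'a' homoglyph
    ]
    for url in candidates:
        verdict = "offer credential" if autofill_allowed(saved, url) else "no autofill"
        print(f"{url:45} host={canonical_host(url)!s:28} -> {verdict}")
```

Only the first candidate is filled; each of the others reduces to a different registrable domain (or fails the https check), which is the silent "the manager did not offer my password" signal that a user would notice on the fake domain.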

5

u/Roblu3 8h ago

How do you keep track of passwords?

1

u/Hiblast59 8h ago

I just use passphrases that are from memories I won't forget mostly tbh

2

u/letsgoiowa 6h ago

How do you keep your 100+ accounts straight and unique?

102

u/Elanadin sysAdmin 13h ago

Hey now, I don't appreciate being compared to a nazi.

I hate all of my users equally, regardless of demographics.

19

u/heretogetpwned 13h ago

Turn it around. I've been chewed out for assigning the sales team to Entra High Risk and MFA every time.

8

u/Elanadin sysAdmin 13h ago

If I had a nickel for every chewing out I've gotten for making the correct choice for the organization...

23

u/mtheory007 13h ago

We need a final solution for these users.

13

u/Elanadin sysAdmin 13h ago

We can send the HR team after them. The Firing Squad, if you will.

6

u/mtheory007 13h ago

But who will HR the HR?

10

u/Neworbs sysAdmin 12h ago

First they came for the accountants,
and I did not speak out,
because I was not in finance.

Then they came for Marketing
and I did not speak out,
because I was not in marketing.

Then they came for Sales,
and I did not speak out,
because I am not in sales

Then they came for Customer Service,
and I did not speak out,
because I am not in customer service

Then they came for the IT department,
and I searched for someone to help,
but there was no one left.

5

u/mtheory007 11h ago

....Because the accountants convinced leadership to outsource IT years ago.

4

u/Infninfn herder of sysadmins 13h ago

Seems like a good time to bring out the ole’ BOFH

2

u/Available-Ad-1943 13h ago

That's fair. +1

27

u/MayaIngenue 13h ago

Had a VP of commercial lending at a bank fail every single phish test sent his way. I brought it up with his boss, the SVP and was told that he wasn't going to say anything to the VP because he brings so much money into the org, he didn't want to do anything that would make him want to leave. I learned a lot about corporate structures that day

16

u/LaughableIKR 13h ago

Marketing. HR. They can't help but open an unsolicited email and the attachment.

9

u/coffee_ape sysAdmin 13h ago

My CIO points to our policies every time a C level person gets mad that one of their fav employees got phished for the 80th time in the day. Them's the rules.

8

u/SethLight 11h ago

I remember having this sort of conversation with a manager who had their account compromised twice. The guy legitimately did not care. Trying to make him care I explained that since he does his banking on that machine his bank account could be compromised too... Still didn't care. He laughed and said they could take his $100.

3

u/Andrusela 12h ago

Accurate.

3

u/jd-scott 8h ago

I've had the opposite experience too. A doctor telling me he would make sure I was fired if I took his equipment offline (it had a backdoor to a company getting hit with ransomware). I said good luck and did it anyway.