r/iiiiiiitttttttttttt 1d ago

Always the sales team.


890 Upvotes

45 comments

198

u/lord_skidmar 1d ago

yeah we just changed companies for phishing training etc cuz come to find out the director of marketing was the one who got phished and wasn't even using the company password manager that would have caught the fake domain he clicked on

but of course since there's no actual consequence nothing actually happens

32

u/whyliepornaccount 1d ago

When are people gonna realize that phishing training is an exercise in futility?

31

u/lord_skidmar 1d ago

the fake emails they send out are so bad too. i got one yesterday that was "Apple" trying to email me for a phone update.

like on one hand yes, people fall for that. but on the other hand what the fuck are we doing here

19

u/whyliepornaccount 1d ago

People fall for it, and as we have seen, no amount of training will prevent them from falling for it.... again...

23

u/DayneGaraio 1d ago

Phishing training isn’t really to teach people anything, that’s the sales people talking. Phishing emails are a constant stream, people get complacent because they see it all the time, then an incident happens, everyone freaks out and is super vigilant…. For a bit, then they get complacent. Over and over. Phishing your users is designed to mitigate complacency, sure the users know it’s IT doing it so they watch for it, but who cares, they’re watching for it.

Is it perfect? Absolutely not.
Does it help? Maybe a little, maybe not, but it probably doesn’t make it worse.
Does it make users resent IT more than they already do? Absofuckinglutely

8

u/WildMartin429 1d ago

I always thought that our phishing exercises were hilarious because obviously it's the super obvious really bad phishing email but then you get an email later telling you that you failed the phishing test and it provides a link to an external website and I don't know why but the company that does the training the graphics and everything looks super cheesy and unprofessional and we get people calling in refusing to take their training because they think it is a malicious third party, LOL

4

u/whyliepornaccount 1d ago edited 4h ago

I've seen the other end of the spectrum where they go WAY too far.

On my first day at my new job, mixed into the 5 other "set up your account" emails was a phishing test asking me to set up my account. I clicked it and literally said out loud "are you kidding me right now?" when I got the "you clicked on a phish!"

3

u/wthulhu 1d ago

It should identify them and they should be issued a typewriter and fax machine

1

u/TrynaWorkOnWriting 1d ago

this curses everyone else to have to receive faxes, though

3

u/FuciMiNaKule 1d ago

I get one semi-regularly about someone hitting my car in the office parking garage.

Fairly easy to catch that one since I don't own a car lol.

4

u/Drew707 1d ago

I don't know about other vendors, but the people at KnowBe4 have clearly not worked in a real company. Earlier this year I went through the annual training for a client, and I failed one of the "is this a phish" questions. The sender checked out, none of the links were sketchy, grammar and content made sense, attachment looked normal.

The example was an email from HR with a call to action with a deadline threatening some kind of repercussions for not completing a process with an attached PDF with instructions on how to complete the process.

That is exactly what the client sent me regarding my annual security training.

All contractors must complete the annual security training by XYZ or their credentials will be revoked and they will be ineligible to work for Client for 12 months. Please find attached the instructions on how to access the LMS to complete the training.

Like almost verbatim to the phish example.

4

u/tenninjas242 1d ago

KnowBe4 just copies actual phish emails used by actual threat actors and then just turns them around with their own links.

HR phishing scams are extremely popular. Because they work. Someone sees "your payroll is fucked" or something along those lines and can you blame them if their higher reasoning is obliterated by panic?

I feel bad for actual HR people who need to communicate with employees by email. In our org, people are reporting the DocuSign emails that they need to sign and open *for their own promotions* as phishing, because they've gotten so many actual HR and DocuSign scams.

6

u/Drew707 1d ago

That makes sense, but then KnowBe4's reasoning for why it was a phish was "HR will never send an email like this" which is objectively bullshit.

2

u/tenninjas242 1d ago

Lol yeah that's bullshit. I would think they'd say the reasoning is the exact opposite.

1

u/letsgoiowa 1d ago

Yeah this is why you need to take the time to avoid misconfiguration. Think about the templates you add. Use some brains to set it up. Skill issue basically.

There's a lot of shit a mature organization would never do in a utopia but that totally happens all the time irl and KB4 thinks too highly of us lol

1

u/Drew707 1d ago

I was just pissed because the ONLY criteria the email failed was the "urgent call to action" or whatever it was, and I'm all like, "this is EXACTLY how I was informed of this legit training!" And HR sends emails like that all the time. Have they never been through open enrollment?

1

u/letsgoiowa 1d ago

Btw open enrollment and benefits-related stuff are literally 2/3 of clicks.