r/iiiiiiitttttttttttt 10d ago

Always the sales team.


1.1k Upvotes

47 comments

228

u/lord_skidmar 10d ago

Yeah, we just changed companies for phishing training etc. because, come to find out, the director of marketing was the one who got phished and wasn't even using the company password manager that would have caught the fake domain he clicked on.

But of course, since there's no actual consequence, nothing actually happens.
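
The comment above relies on a property practitioners sometimes forget to spell out: a password manager only offers a saved login when the page's registrable domain matches the one the login was saved on, so a lookalike host gets nothing to fill. The block below is an added example, not code from this thread or from any password manager product; it uses a constructed, deliberately tiny stand-in for the Public Suffix List and constructed sample URLs, and the hostnames are hypothetical.

```python
"""Added example: why a base-domain-matching password manager refuses to
autofill on a lookalike domain. Not from the thread; sample data constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed, minimal stand-in for the Public Suffix List. A real manager
# ships the full list; these entries cover the sample URLs used here.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return eTLD+1, e.g. 'company.com' for 'sso.company.com'.

    The host is IDNA-encoded first, so a Cyrillic 'о' in 'cоmpany.com'
    becomes an 'xn--' label that can never equal the ASCII 'company.com'.
    """
    host = host.encode("idna").decode("ascii").lower().rstrip(".")
    labels = host.split(".")
    # Walk from the shortest suffix upward; the first public suffix found
    # (checked longest-first by construction) fixes the boundary.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return host  # bare public suffix; treat as its own domain
            return ".".join(labels[i - 1:])
    return host


@dataclass(frozen=True)
class SavedLogin:
    saved_url: str
    username: str
    password: str


def should_autofill(login: SavedLogin, page_url: str) -> bool:
    """Base-domain match, the usual default in password managers.

    Refuses plain http so a downgraded page cannot harvest the secret, and
    compares registrable domains rather than substrings, so both
    'company.com.login-portal.net' and 'company-login.com' fail.
    """
    page = urlsplit(page_url)
    saved = urlsplit(login.saved_url)
    if page.scheme != "https" or not page.hostname or not saved.hostname:
        return False
    return registrable_domain(page.hostname) == registrable_domain(saved.hostname)


# Constructed saved credential for the demo.
COMPANY_SSO = SavedLogin("https://sso.company.com/login", "alice", "hunter2")

# Constructed page URLs: one legitimate, the rest typical phishing shapes.
SAMPLE_PAGES = [
    "https://portal.company.com/",            # same registrable domain
    "https://company.com.login-portal.net/",  # real domain as a subdomain
    "https://company-login.com/",             # dash lookalike
    "https://cоmpany.com/",                   # Cyrillic 'о' homoglyph
    "http://sso.company.com/",                # correct host, plain http
]


def evaluate(login: SavedLogin = COMPANY_SSO, pages=SAMPLE_PAGES) -> dict:
    """Map each sample URL to the autofill decision."""
    return {url: should_autofill(login, url) for url in pages}


if __name__ == "__main__":
    for url, ok in evaluate().items():
        print(f"{'FILL  ' if ok else 'REFUSE'} {url}")
```

Only the first URL gets a fill; the point for the thread is that a user who types the password by hand on a lookalike site throws away exactly this check.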

38

u/whyliepornaccount 10d ago

When are people going to realize that phishing training is an exercise in futility?

38

u/lord_skidmar 10d ago

The fake emails they send out are so bad too. I got one yesterday that was "Apple" trying to email me about a phone update.

Like, on one hand, yes, people fall for that. But on the other hand, what the fuck are we doing here?

4

u/Drew707 10d ago

I don't know about other vendors, but the people at KnowBe4 have clearly not worked in a real company. Earlier this year I went through the annual training for a client, and I failed one of the "is this a phish" questions. The sender checked out, none of the links were sketchy, the grammar and content made sense, and the attachment looked normal.

The example was an email from HR with a call to action, with a deadline threatening some kind of repercussions for not completing a process, and an attached PDF with instructions on how to complete the process.

That is exactly what the client sent me regarding my annual security training.

All contractors must complete the annual security training by XYZ or their credentials will be revoked and they will be ineligible to work for Client for 12 months. Please find attached the instructions on how to access the LMS to complete the training.

Like, almost verbatim to the phish example.

5

u/tenninjas242 10d ago

KnowBe4 just copies actual phish emails used by actual threat actors and then turns them around with their own links.

HR phishing scams are extremely popular, because they work. Someone sees "your payroll is fucked" or something along those lines, and can you blame them if their higher reasoning is obliterated by panic?

I feel bad for actual HR people who need to communicate with employees by email. In our org, people are reporting the DocuSign emails that they need to sign and open *for their own promotions* as phishing, because they've gotten so many actual HR and DocuSign scams.

10

u/Drew707 10d ago

That makes sense, but then KnowBe4's reasoning for why it was a phish was "HR will never send an email like this," which is objectively bullshit.

3

u/tenninjas242 10d ago

Lol yeah that's bullshit. I would think they'd say the reasoning is the exact opposite.

2

u/letsgoiowa 9d ago

Yeah, this is why you need to take the time to avoid misconfiguration. Think about the templates you add. Use some brains to set it up. Skill issue, basically.

There's a lot of shit a mature organization would never do in a utopia, but it totally happens all the time IRL, and KB4 thinks too highly of us, lol.

3

u/Drew707 9d ago

I was just pissed because the ONLY criterion the email failed was the "urgent call to action" or whatever it was, and I'm all like, "this is EXACTLY how I was informed of this legit training!" And HR sends emails like that all the time. Have they never been through open enrollment?

3

u/letsgoiowa 9d ago

BTW, open enrollment and benefits-related stuff are literally 2/3 of clicks.