32 votes

Phishing tests, the bane of work life, are getting meaner

49 comments

  1. [4]
    DeaconBlue

    There's some weird games happening to try to get people to fail to prove that people aren't paying attention. In addition to the issues in this article, I have seen some other really bad tests.

    One test linked to a page hosted on the company intranet. There was no reason to believe that it was any kind of test, and it wasn't like checking the URL would have helped because it was a totally legitimate site. After this test, usage of the intranet went down to near zero and HR struggled to get people to actually sign up for things.

    There was another test that checked if an image preview was loaded from the server, and was considered a failure if it did load. The problem, though, is that the server was whitelisted on the default Outlook rules for the company and most people using company defaults failed by virtue of having their email client open regardless of whether they clicked through.

    It's like they're trying to get a high score at the world's worst game.

    52 votes
    1. [3]
      dangeresque

      There was another test that checked if an image preview was loaded from the server, and was considered a failure if it did load. The problem, though, is that the server was whitelisted on the default Outlook rules for the company and most people using company defaults failed by virtue of having their email client open regardless of whether they clicked through.

      Along similar lines, I failed a phishing test because I tapped and held a link specifically for the purpose of checking the URL, and it so happens that the default behavior in Outlook for iOS is to download that page and render it in a little preview window. If clicking links is so dangerous, why would Outlook load the page when you're trying to see what the link is? How are users supposed to do the right thing when faced with UX design that is, at best, inconsistent?

      15 votes
      1. [2]
        F13

        On some level it depends on the objectives of the phishing test. As a security consultant, that information is still valuable and a useful metric of the organization's phishing risk, if not yours individually.

        1. dangeresque

          That'd be fine and dandy if the organization set out to engage with the user to understand what happened and learn how to improve things together. But if the user just gets an automated notice that they failed an exercise and now have 5 days to complete some generic remedial training course that lectures them on the dangers of phishing as though they're the only problem here, then what actual use would such a metric serve other than to strike fear in your client to assure your renewed contract lol

          1 vote
  2. [22]
    Weldawadyathink

    Some random things from my last workplace’s phishing tests.

    I am a curious but skeptical user. Even if I know something is phishing, I kinda want to click it anyway, to see how good the phishing attempt is. Also, the email itself doesn’t always have enough information to tell if it is phishing. There is, as I understand it, very little risk to clicking a link in an email, assuming all your software is up to date. The scammer would have to burn a zero day exploit on you, and I personally am not worth it. So I don’t see a problem from just clicking the link. If it opens sharepoint.com and my password manager logs me in, the email might be legitimate. If it opens sharepoint.com.definitelymicrosoft.pl, I am hopping out of there. But the phishing tests only check if you click the link, which isn’t the part that matters. Anyway, that is how I failed my first phishing test and had to take the stupid class. I take umbrage with the 4% click through rate cited in the article for this exact reason. A 4% CTR is not the same as a 4% password phish rate.

    My company used a service called KnowBe4 for their phishing tests. All the phishing links are long URLs at kb4.io. So I just set up an Outlook filter to send everything with that string to the spam folder and never had to deal with those test emails again. I purposefully did not tell my tech illiterate coworkers how to do that, but I did hint at my solution to my more technical coworkers. I figured if they could figure out Outlook filters to filter those to spam, they probably wouldn’t have been phished by those emails.

    37 votes
    1. [3]
      danke

      At one of my companies, I received an obvious phishing email and was similarly curious, so I ran a whois on the domain – that was somehow enough to fail me on the test and required me to retake the online training.

      24 votes
      1. [2]
        balooga

        How would that even work?

        I wonder if you accidentally opened a preview of the link somehow. I do that sort of thing all the time on mobile… since I can’t hover over a link to see its URL on iOS, I have to long-press the link to get the contextual menu where I can copy it. Then I suddenly remember that action also opens a little preview view of the link, meaning it already fetched it and the damage is done. Something similar happens if you just paste a URL into some messaging platforms, they’ll “helpfully” transform it into a preview card with the link title and thumbnail.

        I’m curious like you, but some of this software makes it too easy to trip the alarm.

        5 votes
        1. danke

          I wonder if you accidentally opened a preview of the link somehow.

          Ah, I specifically avoided doing that after "failing" the previous phishing test (apparently even right-clicking in Outlook to copy-link made a request). I think their traffic analysis was just extremely aggressive and included the plaintext TCP 43 traffic. But yeah, after that second strike, I did exactly what the parent comment did and started auto-dumpstering all emails that had non-Proofpoint links, because those phishing test URLs are the only ones that didn't get proxied by URL defense for some reason…

          12 votes
    2. [2]
      OBLIVIATER

      We also use KnowBe4, it's so bad. The training videos are annoyingly long but at least you can watch them on mute and just take the quizzes at the end by answering questions like "should you give the person who called you on the phone all of your company secrets yes or no"

      20 votes
      1. Deely

        Agree, what I don't like about KnowBe4 is that some tests deliberately include ambiguous questions that make you fail. I suppose to create an impression that people need to learn about security?

        9 votes
    3. [2]
      Turtle42

      I failed my first phishing test recently and it genuinely bothered me, despite the seemingly low stakes. I've always considered myself security-conscious, so being part of the "record-breaking 14% CTR" at our school district was particularly frustrating for me.

      What's more concerning is the complete absence of any security awareness training at our institution. No onboarding materials, no periodic briefings, not even a notification that we'd be subject to these tests, aside from the failure reports. It feels fundamentally unfair to assess employees on practices they haven't been trained on.

      It's a bit concerning though, and perhaps I lack knowledge on the subject. But as a lower-level employee, the fact that I could potentially compromise our systems through a phishing link suggests the real vulnerability isn't just employee awareness - wouldn't it be inadequate access control and system hardening? Ideally, a low-level employee email account should be set up in such a way that it could be phished every day without any concern for privilege escalation.

      14 votes
      1. un_ax

        I have a phishing training set up for onboarding and a yearly refresher, it's a course that's easily less than 30 mins and I have to work to get above 50% completion rate, even with email reminders and good ratings from people who have taken it. It would be nice to have someone who wanted to learn about phishing.

        phished every day without any concern for privilege escalation

        Getting access to one account lets you try that password in other places, sometimes which include remote access. Or if the phish was a malicious PDF you can get direct access. Endpoint protection isn't 100% reliable on picking up threats. From that PC you can maybe grab passwords of other users (admins) who have logged in or scan the network for spreading.

        Even if you can only get to the email, that email can be used to send phishing emails to other employees, which is automatically more trustworthy because it's from an internal email address.

        You ideally have several layers of protection since none of them are foolproof.

        9 votes
    4. post_below

      So I don’t see a problem from just clicking the link

      You're right, almost all of the time.

      The problem is the rest of the time. There have been exploits that could compromise a machine solely from a webpage visit that were used in the wild. They're increasingly rare, because of course software companies have learned from those mistakes, but it's not safe to say it will never happen again. Future vulnerabilities are a given, as are undiscovered current ones.

      We definitely don't want people to think it's ok to click suspicious links. Not only because of the (admittedly low) chance of an immediate exploit, but because it increases the chance of that second click, which has much better odds of compromising you. Companies are absolutely right to discourage clicking links in questionable emails, or anywhere else. And we should keep telling our elderly not to click!

      10 votes
    5. un_ax

      If it opens sharepoint.com and my password manager logs me in, the email might be legitimate

      True generally. But if you host a phish page on sharepoint, you might get a real login and then sent to a fake login (image) that says invalid password, which would fool a lot of people. I think with SSO people are used to getting redirected a lot of times during a login.

      If it was a phish then your email could be verified as someone who clicks on links which isn't great anyway.

      KnowBe4 does have the option for a (customizable) landing page that has a login form, but they have the option of so many different phishing approaches that they'd each need their own login page. To use that feature you need to narrow down the types of phishing that you're targeting users with. Clicks are easy to measure and apply to every phish type. It would be nice though to get more options there.

      All the phishing links are long URLs at kb4.io

      By default the phishing link domain is random. If you want to filter emails from KnowBe4 you'll get more success by filtering on the default "X-PHISHTEST" header that might still be enabled, or the Reply-To domain which you have to change on the admin panel.

      7 votes
    6. [8]
      Eji1700

      There is, as I understand it, very little risk to clicking a link in an email, assuming all your software is up to date.

      That's a large assumption for a lot of reasons, and I'm not even sure the underlying stance is true.

      6 votes
      1. [7]
        Weldawadyathink

        Care to elaborate? The only thing I have seen in this thread is that the phisher knows you clicked the link. What can a malicious website do without me interacting with it? Especially if it’s in iOS’s long press preview window which is sandboxed and not interactive.

        1 vote
        1. [6]
          Eji1700

          Long press from iOS might not be a problem for a variety of reasons (but are you willing to bet you're up to date enough to know if it becomes one?), but there's plenty of harm that can occur from actually clicking on the link and navigating to the page. There's lots of potential issues, but the most severe is if the link just navigates to a download and installs something from the click.

          Again device depending and what not, but I would absolutely never even consider clicking on such a link unless I'm in some sort of controlled and easily disposed of environment. It's not quite as bad as the classic "Oh look a USB I found, let me plug it in", but it's still plenty dangerous, and quickly as well.

          3 votes
          1. [5]
            Weldawadyathink

            If a website tries to download something, my web browser asks if I want to allow the website to download something and I just click "no". If it does somehow download something there is no way to automatically run that download, at least on the operating systems I use.

            A website is significantly more secure than a random usb drive. Windows by default executes untrusted code directly from the usb drive. If it didn't (or if you use an operating system that doesn't do that), it would be much safer to plug in a random usb drive.

            I think Windows' poor history of security has trained many people to be scared of certain things. They aren't inherently scary; they are just scary because of Windows. Using modern Windows makes these things much safer, and ditching Windows entirely makes them even safer than that.

            2 votes
            1. [2]
              FlappyFish

              I get this isn’t actually important to your point, but modern versions of Windows have autorun disabled by default (actually it may be completely removed, but I’d have to check). I believe modern Windows now has a pop-up which asks how you’d like the program to be dealt with.

              4 votes
              1. un_ax

                Yeah autorun has been off by default for a while. You can still get to it with the right click menu or something.

                But malicious USB drops these days can emulate a keyboard and run a macro to press Win+R then type in a PowerShell command to download and run more code, so autorun isn't needed to run code.

                5 votes
            2. [2]
              Eji1700

              You're making a lot of assumptions about what should happen and seem to be unaware of exploits that have happened. Even on things like macOS or Linux (hell, LOTS of Linux since it's a ripe target for a couple of reasons).

              I also didn't have time earlier but this-

              The scammer would have to burn a zero day exploit on you, and I personally am not worth it

              is just wrong. The question is "is your company worth it" because if some scammer is considering burning a 0-day (hyperbolic in the extreme as there's plenty of non-zero-days that take time to get reported and patched), they're probably more than happy compromising everyone they can, at any level.

              Every account you have access to is more ability to impersonate someone, exfiltrate data, and escalate privileges. Either through direct exploits, more exposed data (say better knowledge and access to the intranet), or some privileged escalation exploit.

              Finally

              I take umbrage with the 4% click through rate cited in the article for this exact reason. A 4% CTR is not the same as a 4% password phish rate.

              Yes it is. The number of people doing what you're doing, even if everything I've said is 100% wrong, is so small as to be less than a rounding error/confidence interval/whatever. In the data set size they're dealing with, someone "clicking to see what happens but wouldn't get phished" is probably less than a 100th of a percent, if not smaller.

              2 votes
              1. mild_takes

                is just wrong. The question is "is your company worth it" because if some scammer is considering burning a 0 day (hyperbolic in the extreme as there's plenty of non zero day's that take time to get reported and patched), they're probably more than happy compromising everyone they can, at any level.

                This is kind of what I wanted to bring up as well because you're absolutely right. Case in point, the iMessage vulnerability (or vulnerabilities?) that allowed Pegasus to work. Apple knew about it and let that exist for a few years before getting it fixed. Anyone who thinks having the latest patches/updates will keep them safe needs to take a hard look at the (not too distant) past for examples like this.

                Also... is all your company's infrastructure actually up to date and properly configured? How do you know that when you click on a link from some random phishing email.

                @Weldawadyathink do you have a car with anti-collision braking? Do you text on your phone while driving because your car will stop for you? I hope not, because it's there for accidents, not to allow you to be willfully careless, and it may not work 100% of the time.

                4 votes
    7. [4]
      shinigami

      My company uses the same administrator for our phishing tests and securities.

      Even if you leave the message unread in your inbox, people in my company have been flagged. This doesn't make sense to me since the understanding is you have to follow the link to fail.

      My company also published some metrics, some of which weren't supposed to be seen, including: delivered, flagged, phished.

      2 votes
      1. [3]
        chocobean

        Employees are flagged for not opening them? What's the correct solution then? Right click, Report to IT?

        6 votes
        1. Sodliddesu

          My organization has a "Phish alert" plug-in which allows me to report attempted phishing emails for them to look into. So, yeah, report to IT.

          2 votes
        2. shinigami

          Yup. You HAVE to report it.

          1 vote
  3. [2]
    whbboyd

    Don't include social engineering in penetration tests.

    Ironically, my experience with phish tests is that the emails are very formulaic, and so they effectively train people to recognize phish tests, but not necessarily the wide universe of actual phishing attempts. Combine that with companies outsourcing more-or-less all of their internal operations to external services, and egregious shit like this, and employees are in a no-win situation.

    And, uh, most office workers aren't total idiots, and will recognize that the group with any control over this no-win situation is IT. Y'know what really, really, really sucks? Trying to manage the tech of a bunch of employees who are somewhere between highly suspicious and outright combative. Just more fuel on the "corporate IT are a bunch of incompetent ninnies" fire, I guess.

    18 votes
    1. Landhund

      I really don't agree with the first blog post.

      First, practically nothing the author lists in their negative examples should be categorised as social engineering.

      Also, simulating the results of a successful social engineering attack is certainly very useful, but it doesn't replace actual tests.
      It isn't about knowing that people fall for social engineering, it's about how many fall for it. If half of your staff can't differentiate a legitimate email or call from a (spear) phishing attempt, you should know that and try to take appropriate action.

      Publicly humiliating people because they fail an exercise is not an appropriate reaction, it's simply terrible leadership. It has absolutely nothing to do with social engineering, it could have happened with any type of exercise.

      9 votes
  4. [12]
    papasquat

    I can comment on this with a little more data and info because I run my organization's cybersecurity program. We're a large public sector organization with a lot of sensitive data, and a lot of uneducated users, which is kind of the prime candidate for a phishing simulation program.

    With a lot of journalism about a lot of stuff, there's a tendency to frame the author's viewpoints as a win/win (we can eliminate fossil fuel emissions AND have cheap power if we just build nuclear plants! We can reduce food insecurity AND develop more land if we just do vertical farming. And in this case we can reduce annoying user emails AND at least keep the same level of cybersecurity if we just got rid of phishing simulations!)

    The real world rarely works that way. Most things that are commonly done have tradeoffs. Before we instituted a phishing simulation program, users would click through just about every email they saw. We had an education program when they got hired on, and regularly afterwards, but understandably, most people just didn't pay attention to it because they're busy with other things. As a result, we had many, many clickthroughs to attacker controlled sites. Our web filter would catch most of them, the EDR and firewall would catch most of the rest, but we still had credential theft, malware, and ransomware incidents that started with phishing emails.

    Since instituting a phishing simulation program, our clickthrough rate went from over 10% to just under 3% now. Users have a 15 minute training course they must complete if they click a phishing email. They're not named and shamed, which I think is degrading and counterproductive when I've heard of it happening, but they are forced to spend some time reviewing what we've told them.

    I've gotten feedback that at times, some of the simulated emails are cruel (sometimes it's an email offering an employee an award for good performance), but my response has been, and continues to be, we use emails that look like that because they're enticing, and enticing emails are exactly what attackers use to execute successful phishing campaigns. My job isn't to be nice, unfortunately. It's to protect my organization from attack.

    The simulated emails look just like an attacker email would. They're marked as external emails from our email filtering system, they come from an outside domain, if you hover over the links in them (which we train users to do), they direct users to domains that we don't control. I'm very confident that if a user clicks a phishing simulation email, they would have clicked on a real phishing email. A more impactful result: since instituting the program a few years ago, we haven't had a single security incident that started from a phishing email.

    Because of all of these things, the program is valuable to me and my organization, and I have no intention on changing it.

    Large peer reviewed studies are great and all, but I have real data from my specific organization proving that the program is valuable. I have no idea what the implementations look like at the organizations that took part in the study the story references. I don't know what the simulated emails look like, what happens if you fail, how often users are tested, and so on. I do know that the program works in my case though. So even though it might annoy a few users each month, or result in some of them feeling dumb or bad for a little bit, it's a small price to pay for potentially avoiding a massive cybersecurity incident that will cost the public tens of millions of dollars.

    16 votes
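The link check papasquat trains users to do by hovering, and that Weldawadyathink applies when telling sharepoint.com apart from sharepoint.com.definitelymicrosoft.pl, comes down to reading the registrable domain rather than the hostname prefix. Below is that check as an added Python example, not code from the thread or from any vendor mentioned in it; the trusted-domain list, the public-suffix subset and the sample email are all constructed for the demonstration.

```python
"""Judge where a link in an email actually lands by its registrable domain.

Added example. The trusted-domain list, the public-suffix subset and the
sample email body are constructed; nothing here is a vendor's code."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed: domains this (hypothetical) organisation controls or legitimately
# signs in through. Subdomains of these are accepted as well.
TRUSTED_DOMAINS = {"sharepoint.com", "microsoft.com", "example-corp.com"}

# Constructed subset of the public suffix list. A real tool should load the
# full list from publicsuffix.org instead of a hand-written table.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "pl", "co.uk"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_ip_literal(host: str) -> bool:
    """True for hosts such as 203.0.113.10 (urlparse already strips IPv6 brackets)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Return the registrable domain (public suffix plus one label).

    'contoso.sharepoint.com'                -> 'sharepoint.com'
    'sharepoint.com.definitelymicrosoft.pl' -> 'definitelymicrosoft.pl'
    The prefix of the hostname is irrelevant; only the tail says who owns it.
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first, so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    # Suffix not in our table: fall back to the last two labels.
    return ".".join(labels[-2:])


def classify_link(url: str) -> dict:
    """Decide whether a single URL lands on a trusted registrable domain.

    urlparse().hostname discards userinfo and the port, so
    'https://sharepoint.com@203.0.113.10/login' is attributed to the IP
    address, not to sharepoint.com.
    """
    host = urlparse(url).hostname or ""
    if not host:
        return {"url": url, "host": host, "domain": "", "trusted": False,
                "reason": "no hostname in URL"}
    if is_ip_literal(host):
        return {"url": url, "host": host, "domain": host, "trusted": False,
                "reason": "IP literal instead of a domain"}
    domain = registrable_domain(host)
    trusted = domain in TRUSTED_DOMAINS
    reason = "registrable domain is trusted" if trusted else "registrable domain is not trusted"
    if not trusted:
        # The lookalike from the thread: a trusted name planted as a subdomain prefix.
        for t in TRUSTED_DOMAINS:
            if host.startswith(t + ".") or ("." + t + ".") in host:
                reason = f"trusted name '{t}' used as a subdomain of {domain}"
                break
    return {"url": url, "host": host, "domain": domain, "trusted": trusted,
            "reason": reason}


def audit_email_body(body: str) -> list:
    """Extract every http(s) link from a plain-text body and classify each one."""
    links = [u.rstrip(".,;:)") for u in URL_RE.findall(body)]
    return [classify_link(u) for u in links]


# Constructed sample: one legitimate tenant link and two lookalikes.
SAMPLE_EMAIL = """\
Your document is ready for review.
Open: https://contoso.sharepoint.com/sites/hr/Shared%20Documents/review.docx
Alternate: https://sharepoint.com.definitelymicrosoft.pl/login
Mirror: https://sharepoint.com@203.0.113.10/login
"""

if __name__ == "__main__":
    for result in audit_email_body(SAMPLE_EMAIL):
        flag = "OK      " if result["trusted"] else "SUSPECT "
        print(f"{flag}{result['host']:<40} {result['reason']}")
```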
    1. [2]
      pallas

      The simulated emails look just like an attacker email would. They're marked as external emails from our email filtering system, they come from an outside domain, if you hover over the links in them (which we train users to do), they direct users to domains that we don't control.

      As others have noted, this is a significant part of what makes a good phishing test. It's also very far from what many people receive.

      For comparison, the phishing tests I receive at a Microsoft-handled university email are not even actual emails sent through the mail server. They don't have valid headers; they're just put into my inbox directly. The links in them go to Microsoft-registered domains, with valid Microsoft certificates, on IPs that are validly Microsoft's. When I first received one, I spent the morning assuming that our email system had been compromised.

      The emails linked to a typical user-and-password collection scheme. It appears to be connected to a short training course that teaches users to ignore SSL certificates, and instead judge whether a domain asking for a username and password is valid on whether it has "onmicrosoft" in the domain name; rather unusual advice when the university's mail system also mangles all links in emails so that most users can't actually see the URLs.

      I now just have my email client route emails that don't have any Received headers to a special spam folder.

      Meanwhile, the actual phishing scams we get are usually impersonation-based emails that try to route the users onto phone calls, texts, or an email conversation, usually with the goal of getting fraudulent payments made. They don't involve links at all. And of course, there is no IT training about this at all, despite it actually being a problem for some of our staff.

      7 votes
      1. papasquat

        I'm surprised to hear about all of the IT departments apparently attempting to roll their own phishing simulation programs.

        It's a deceptively difficult thing to do correctly and actually reinforce the behaviors you want to reinforce, while simultaneously being a pretty affordable service to purchase from a number of vendors that specialize in it, and who are guaranteed to do a better job than 99% of the homegrown stuff most IT teams could cook up.

        2 votes
    2. [4]
      Eji1700
      Link Parent
      Glad to see this perspective put out there. I feel like a lot of the answers in this topic are "well I wouldn't ever do this so it's a waste of time".

      The tech literacy in the modern age is abysmal (in part due to education on it being basically self taught since few education programs do it right, or even identify what needs to be done), and since all it can take is your weakest link to literally compromise and kill an entire company, yeah you need to train and vet for this stuff.

      My company uses Hoxhunt, and it seems fine? I'm sure we could tune it to be a pain in the ass, but the process is pretty simple. When you see a phishing email, you're supposed to click their icon (built into Outlook) and report it. Not reporting the email is seen as less ideal, and that's probably correct. You need people to be active about this stuff (at least until we reapproach how email access even works) because it also means they'll report phishing emails that AREN'T test cases.

      Further it's helped educate the tech illiterate to some extent. Some people are truly hopeless (I'm aware of at least one person somewhere else who is CONSTANTLY clicking on and responding to shit that is clearly phishing, and in a super sensitive position for it), but a lot of these people have just never had the chance to learn, and giving them some education helps a ton because you quickly find out just how many people want to do the right thing, are capable of it, and just didn't know how.

      5 votes
      1. [3]
        papasquat
        Link Parent
        Sometimes online, especially in places with a large community of software developers or other tech role where you don't interact with non tech roles much (like tildes) people get in a bubble regarding the tech literacy of the average worker.

        It's bad out there. Organizations give users access to and require they use an extremely powerful tool that if misused, can spell doom for the entire organization. We don't require that they have any special certificates or training to use this tool either.

        It's like if we required Mabel from accounting to hop on and operate the 800' tower crane downtown to update her direct deposit info. That's how much risk a large organization is assuming by giving users unfettered access to an internal computer and network without decent controls in place. It makes sense to make sure she's as well prepared as possible to avoid a really expensive mistake.

        7 votes
        1. [2]
          JCPhoenix
          Link Parent
          If I can share an example of tech illiteracy: I worked as solo IT for a small non-profit for many years. Mostly Boomers and Millennials, with a smattering of GenX and at least one Zillennial. Good age range of folks. A lot of what I did was end user support, naturally.

          We were having some issues ascertaining the true number of members (customers) that we had. The canonical database would say one number, but folks in one department would argue different numbers. Sometimes off like 10-20 members. The web dev (also technical) and I were very confused. If that database is canonical, and we all agreed it was, then that's the authority. By definition, everything else is wrong. So that's one level of tech illiteracy.

          OK, so where are these folks deriving their membership numbers from? Turns out, it's everyone's favorite pastime: "secret" Excel spreadsheets. This one department tracked membership numbers and rosters on their own in various Excel spreadsheets. My web dev and I then wanted to know how they were arriving at different numbers, and how they knew their lists were "correct."

          Well, it was simple. They would export a list from the database. Open it in Excel and sort A-Z on the name. Then they would open their department list(s) in Excel and also sort A-Z on the name. Then they would print each list out. Like 40 pages each. Then the two of them would get some rulers, highlighters, and colored pens. Then they compared line by line on physical paper.

          They told us it took about 2 days to do it. So 8hrs x 2 people x 2 days is 32hrs. And they did this at least once a month, as the membership numbers fed a monthly executive summary. Sometimes more often if the numbers really weren't jiving.

          My web dev and I were speechless. Because my coworker and I knew that using formulas in Excel, or even built-in comparison features, that could be done in minutes by one person. In the end, it was their spreadsheets that were wrong. And they never thought to ask us for help (and we were nice and always willing to help improve processes).

          Anyway, that was another level of tech illiteracy. And this was only like 3yrs ago. I cannot imagine my coworkers are special in this way.

          I will say though, the staff was pretty damned good about identifying phishing emails and asking me about suspicious emails. You win some you lose some. ¯\_(ツ)_/¯

          7 votes
          1. papasquat
            Link Parent
            It's crazy how many hours of mind numbing, monotonous work people are willing to do in order to avoid having to learn something by spending half an hour googling a better way to do things. I had a coworker (in IT no less) that did something similar every week. Probably six hours of work eyeballing Excel spreadsheets instead of googling for an hour how to write a function or macro to do it instantly for him from then on. I almost admired him for it. It would be literally impossible to get myself to concentrate on a task like that for that long.

            3 votes
    3. [2]
      balooga
      Link Parent
      Thanks for your perspective. I agree, phishing simulations are annoying but necessary.

      The simulated emails look just like an attacker email would. They're marked as external emails from our email filtering system, they come from an outside domain, if you hover over the links in them (which we train users to do), they direct users to domains that we don't control.

      I think this is an important point. Others in the thread have talked about how their IT departments whitelist the simulated emails and that doesn't make any sense to me. IMHO, if a pretend phishing email is going to serve any educational purpose, it needs to be indistinguishable from real phishing emails. No telltale giveaways. Real attacks are unscrupulous... an adversary isn't going to avoid getting employees' hopes up with promises of free stuff, or threats of legal action or whatever, so why should simulations shy away from those?

      A company I used to work for had laughable simulation emails full of sketchy details like broken English and misspellings. Somebody from the IT team confided in me that those were intentional because making them too good would be unfair. But the bad guys are gonna be unfair, and their techniques get more sophisticated every day. Now that they have LLMs, the days of obviously non-native English emails are over. We need simulations that are perfectly and professionally written, manipulative, underhanded, and every ounce as effective as the real deal.

      The article's framed like phishing simulation is a scourge but honestly, in my experience we need more of it and higher quality too. Flood inboxes with it so people get the point. Let the legitimate phishing emails be drowned in the noise of all the fake ones that everyone has learned to disregard.

      2 votes
      1. papasquat
        Link Parent
        I think as with most things in technology, the implementation is everything.

        You can make the same arguments against multifactor authentication, encryption, data classification, network segmentation and so on. There are ways you can implement them so that it's nothing but a massive pain in the ass for your users without actually making you more secure, and there are ways you can implement them so that they get out of your users' way or even help them get their jobs done while greatly reducing the likelihood of a devastating incident. You just need to be careful about it and ask the right questions when you're considering your controls as a whole.

        2 votes
    4. [3]
      skybrian
      Link Parent
      This sounds good, but I wonder if you’re optimizing the right metric? The question is whether clicking on a link in an email (perhaps out of curiosity) should fail the test, even if the user takes no further action. It seems like that should be safe, and if it’s not, it’s a browser bug.

      It’s close to the right metric, though, so maybe that’s good enough?

      2 votes
      1. papasquat
        (edited )
        Link Parent
        It should be safe, just like our EDR should catch any malicious code executing or abnormal behavior from an application, and our web filter should block the http request to the malicious site, so they wouldn't even get anywhere if the link was clicked anyway, except the mail filter should make all of that a moot point anyway because it should catch phishing attempts before they're even delivered to users.

        In reality, none of these controls are 100% effective, which is why we layer them. The spam filter catches around 95% of phishing attempts, the web filter stops maybe 70% of the malicious URLs, the EDR does quite a good job and stops 99% of the garbage users manage to download, but all it takes is one getting through.

        There have been quite a few zero click browser exploits out there in the wild. They're very scary and very rare, but once a new useful zero day is unleashed, it's a race against the clock for every single threat group to exploit it as quickly as possible, and every single vendor to patch it as quickly as possible. The organizations are downstream of those vendors, so they'll always be behind the attackers, and my organization is no different unfortunately. That gap of time between disclosure and vulnerability remediation is prime striking ground for an attacker, and the best line of defense against a well crafted attack using a novel weakness (other than your normal security baselines) is users who pay attention.

        I've heard a lot of arguments against security controls (often from my own department) that usually go something like "why do we even have to do x (some control) if we already have y (some different control that mitigates the threat somewhat, but in a different way)". The answer is usually because the risk isn't reduced to an acceptable level without x. That's the case with any other security control + phishing simulations (at least for my organization).

        Edit to add some more thoughts to what you were saying: Realistically, you're right 99.99% of the time. Most phishing attacks are either an attempt to compromise an identity (token theft, fake logon) or an attempt to install malware via a download (office macros, DLL side loading, etc). These require further interaction from a user. From what I've found however, if a user is willing to click on a random link, there's a good chance they're willing to put their credentials in a popup or download a file from that link too. Either way, that .01% risk of a zero click browser exploit does also exist and has taken down companies before as well.

        4 votes
      2. pallas
        Link Parent
        The question is whether clicking on a link in an email (perhaps out of curiosity) should fail the test, even if the user takes no further action.

        When the consequence is needing to do a 5-15 minute online video/text course, and nothing else, I'm not sure how important it is to avoid overreaching.

        I found it obnoxious when the obviously-fake (not even real emails with valid headers) tests used at our university, to a department with some security researchers, counted going to the link via Tor in a VM as failing the test. But ultimately, spending 5 minutes watching a course wasn't that bad, and it was good to know the bad advice being given in it.

        2 votes
  5. skybrian
    Link
    https://archive.is/D7Bfg

    IT departments are crafting increasingly sensational ruses in what they say is a necessary response to increasingly sophisticated scams. Employees say they sow chaos, confusion and shame. Safety is one thing. Tricking a worker into thinking there’s a lost puppy in the parking lot is just cruel.

    15 votes
  6. [3]
    Carrow
    Link
    Right around Christmas this year my company used a phishing test that alluded to layoffs and the link was for cut positions.

    The previous year was offering us our winter gift card bonus that had been previously offered but pulled that year.

    The year before that during a phishing test, we filed IT tickets and directly asked if it was a legitimate phishing attempt and they said yes and that they were helpless against it.

    I don't use my work email any more.

    11 votes
    1. [2]
      chocobean
      Link Parent
      How do you avoid not using work email?

      1 vote
      1. Carrow
        Link Parent
        I don't interact with anyone outside the company for my work and a lot of our communication is done over Teams; it was already a more reliable method of getting a hold of someone before most of us production workers reacted similarly and stopped emailing. So the email is mainly corpo news blasts, people asking for software licenses other users were supposed to relinquish, and IT bulletins.

        I'm not on all the appropriate mailing lists despite multiple requests, so even checking my email doesn't keep me informed or get me important HR emails. So I already had to assume any important info would be passed to me during one of my too many weekly meetings.

        5 votes
  7. Fiachra
    Link
    Thinking of my company's charity fundraiser that barely got off the ground last year because everyone thought the email was a phishing attack.

    9 votes
  8. Macha
    Link
    Here's how I detect work phishing test emails:

    1. It is from an external domain, but somehow does not have the [E] marker that our email system puts on all external messages (because our IT bypassed it)
    2. It is from an external domain and has the Gmail warning that it bypassed the usual security controls (because otherwise it would have been filtered to spam)
    3. It claims to be internal and requests any action whatsoever (because we use Slack for that) rather than being like a JIRA notification or whatever

    So these markers are all things our IT department have done to make it more believable which real phishers do not have access to. As a result, they seem to be measures to optimise the phish test click through rate so the phish test can claim a higher click through rate, to justify its continued existence at the expense of making it a less accurate representation of phishing emails.

    I suspect this is also why they haven't tried impersonating a JIRA notification yet. They know basically nobody clicks them even if they managed to convince people it was a real JIRA notification.

    6 votes
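    The first and third markers above amount to a consistency check between what a sender claims and what the gateway stamped on the message: an external sender whose subject is missing the gateway's external tag, or a display name that claims an internal identity while the address is external. This is an added example, not the commenter's or their IT department's code; the internal domain, the `[E]` tag and the sample headers are constructed assumptions:

```python
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumed organisation domain (constructed)
EXTERNAL_TAG = "[E]"                 # marker the gateway is expected to prepend


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_external(from_header: str, internal=INTERNAL_DOMAINS) -> bool:
    domain = sender_domain(from_header)
    return bool(domain) and domain not in internal


def classify(from_header: str, subject: str) -> list:
    """Return the inconsistencies found between sender claims and gateway marks.

    An empty list means the message is either internal, or external and tagged
    the way the gateway is supposed to tag it.
    """
    findings = []
    external = is_external(from_header)
    name, _ = parseaddr(from_header)

    # Marker 1: external mail should carry the gateway tag; its absence means
    # the message reached the inbox by a path the gateway did not process.
    if external and EXTERNAL_TAG not in subject:
        findings.append("external sender without gateway tag")

    # Marker 3: a display name that names an internal domain while the
    # actual address is external is claiming an identity it does not hold.
    if external and any(dom in name.lower() for dom in INTERNAL_DOMAINS):
        findings.append("display name claims internal domain but address is external")

    return findings


if __name__ == "__main__":
    # Constructed sample headers (not from the thread).
    samples = [
        ('"IT Support" <it@phish-test.example>', "Reset your password"),
        ("Bob <bob@example.com>", "Lunch on Friday?"),
        ('"HR example.com" <hr@outside.example>', "[E] Benefits enrolment"),
    ]
    for frm, subj in samples:
        print(frm, "->", classify(frm, subj))
```

    The same check works as a mail-flow rule at the gateway itself, where it is more useful: if the tagging step and the simulation allow-list are both applied there, a message that is external yet untagged should not exist, and one that does is worth flagging regardless of whether it is a test.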
  9. FireTime
    Link
    Company I work for uses Proofpoint for the simulated phishing emails. Proofpoint publishes a list of all of the domains they use so that IT can allow them thru.

    Unrelated: it's possible to create Outlook actions/filters based on domain names.

    3 votes
  10. symmetry
    Link
    Has anyone figured out the best (not necessarily perfect) way to do phishing awareness and prevention? I loathe having to send out phishing test emails. I don't want to make folks sit and watch training videos. Phishing is a very real problem for many companies, but not a problem you can fix by just turning on the spam filter.

    2 votes
  11. Sunkiller
    Link
    Phishing tests at my work are pretty tame compared to the wild schemes described in the WSJ article.
    We also get ~monthly training videos by Ninjio. Pretty annoying if you're tech literate but I understand the need as most of my colleagues don't know what phishing is and how it can affect everyone.

    I do think the system should be better regulated to ensure they don't set up elaborate social engineering schemes. Possibly some work for our works council.

    1 vote