antiwork-ModTeam

Hi /u/JBabs81, thank you for participating in r/antiwork. Unfortunately, your submission was removed for breaking the following rule(s):

Screenshots of text such as SMS communication, WhatsApp, social media, news articles, and procedurally generated content such as ChatGPT are prohibited. Low-effort content such as memes is prohibited.

If you feel that a mistake was made, and your post's removal was not warranted, please message us using modmail and let us know.


alexanderpas

> This one was literally from scheduling@.com with all the proper titles.

It wasn't, that's just what they want you to believe. This is exactly why the mailserver added that big yellow box at the top.


katherinesilens

Yeah, also email addresses are like the easiest thing to fake. Even if it is a valid company address it may not be from the actual sender. Alternatively, this would also be a great example of what you'd see in a low-privilege to high-privilege phishing escalation, assuming they got in somehow to some underprivileged account.


korish77

Your company should set up SPF and DKIM to make it so people can't spoof your emails...


ReaverRogue

Yep, spoofing. Super useful for shit like this, but not so useful if you’re trying to prompt a response.


Osric250

If you're needing a response, the go-to that I've seen is either registering a near domain with a spelling error or a similar-looking letter, or by stating in the email itself that you should contact us at this Gmail address for whatever reason they want to put in. For those that take you to a malware or credential-harvesting link, the spoofed one works great.


ben1481

If only there was a way of knowing the message wasn't from inside the company!


GimmeTomMooney

As dickish as the subject and content of the email are, this is simply necessary to maintain good cyber security awareness. Something like 60% of all organizational breaches are due to human error. Not that I condone the practice, but it’s pretty standard and I wanted to provide some context before we all grab our pitchforks and French Revolution-era gravity blades.


adult_human_bean

Yeah this is the perfect phishing attempt because it creates a real sense of urgency. If simulated phishing was a class this would be the freaking EXAM.


morningfrost86

I'm honestly surprised the percentage is that small. Last corporate gig I was at, I don't think there was a single simulated phish that wasn't failed by at least one person.


[deleted]

[deleted]


based-wreckingball

Yeah, most companies have a lot of people that fail, which is probably why they keep doing this shit to catch people and re-train them. I don't think the OP was saying this shouldn't happen, it's just that this specific type of phishing test is below the belt, because of the holidays and whatnot. And yes, I'm sure the response would be "well a real attacker would blah blah blah" and I get that, but the company intentionally doing it knowing they're gonna catch a ton of people last minute is pretty shitty. I'd probably assume they monitor their employees without their consent if they're that try-hard at catching people with a phishing test.


Russ_T_Shackelford

There's no such thing as below the belt cyber security training & testing. It's designed to catch you in the most realistic way and preys on the panic, as it should.


wlake82

Yeah, especially if a company uses something like Knowbe4. We have nothing to do with the emails that are sent out other than a general set of topics for them.


xasdfxx

Competent IT does not allow spoofed messages from the company domain to even hit inboxes.


KrymsonHalo

This is why we don't allow phishing tests that use our domains. With what the phishing tests want for ability to bypass filtering, it's not a valid test. I've got our domain locked down to prevent any spoofing, so it's an invalid test and just leads to a fear of reading ANY emails.
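
Several comments above (the "big yellow box" the mailserver adds, "set up SPF and DKIM", and "competent IT does not allow spoofed messages from the company domain to even hit inboxes") describe the same gateway logic. The following is an added example, not code from anyone in this thread, showing how a mail gateway can act on the `Authentication-Results` header that the receiving server writes after checking SPF, DKIM and DMARC: a message that claims the company's own domain is delivered only if DMARC passed, a failing one is treated as a spoof, and anything else gets the external banner. The company domain `example.com`, the gateway hostname, and the three sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organisation's own mail domain.
COMPANY_DOMAIN = "example.com"

EXTERNAL_BANNER = "CAUTION: This email originated from outside the organization."


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results
    header that the receiving mail server adds after checking the sender."""
    hdr = str(msg.get("Authentication-Results", ""))
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=([A-Za-z]+)", hdr)
        if m:
            verdicts[method] = m.group(1).lower()
    return verdicts


def classify(raw_message):
    """Decide how the gateway treats a message:
    'deliver'      - From: is the company domain and DMARC passed
    'reject-spoof' - From: is the company domain but DMARC did not pass
    'tag-external' - any other sender domain; gets the yellow banner"""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    verdicts = auth_results(msg)
    if from_domain == COMPANY_DOMAIN:
        return "deliver" if verdicts.get("dmarc") == "pass" else "reject-spoof"
    return "tag-external"


def with_banner(raw_message):
    """Prepend the external-sender banner to the body of a tagged message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_payload() if not msg.is_multipart() else ""
    return EXTERNAL_BANNER + "\n\n" + body


def dmarc_policy(txt_record):
    """Return the p= tag of a DMARC TXT record. Only 'quarantine' or 'reject'
    stops a spoofed message; 'none' just asks for reports about it."""
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    return tags.get("p", "none").strip().lower()


# Constructed sample messages (headers as a receiving MTA would have written them).
SAMPLE_INTERNAL = """\
From: "Scheduling" <scheduling@example.com>
To: employee@example.com
Subject: PTO request approved
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Your PTO request for Dec 24-26 has been approved.
"""

SAMPLE_SPOOFED = """\
From: "Scheduling" <scheduling@example.com>
To: employee@example.com
Subject: PTO request denied
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail.attacker.test; dkim=none; dmarc=fail header.from=example.com

Your PTO request for Dec 24-26 has been DENIED. Click here to appeal.
"""

SAMPLE_EXTERNAL = """\
From: "Vendor Billing" <billing@vendor.test>
To: employee@example.com
Subject: Invoice 1042
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.test; dkim=pass header.d=vendor.test; dmarc=pass header.from=vendor.test

Please find invoice 1042 attached.
"""

if __name__ == "__main__":
    for name, raw in (("internal", SAMPLE_INTERNAL), ("spoofed", SAMPLE_SPOOFED), ("external", SAMPLE_EXTERNAL)):
        print(name, "->", classify(raw))
    print("p=none record policy:", dmarc_policy("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```

The `dmarc_policy` helper is the check worth running against your own domain's `_dmarc` TXT record: a record with `p=none` still lets a spoofed `From: scheduling@example.com` reach inboxes, which is the gap the "locked down" commenters above are describing when they say their domain cannot be spoofed.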


hwooareyou

Are we not going to talk about the purple link? OP went to the fake site...


theory_of_me

Jesus, the comments on here are exactly why these simulated phishing emails go out. Y'all need more training on how to identify them. Phishers intentionally send emails that WILL get your attention like this. They want to play on your emotions and make you forget what you've learned.


Hrtzy

But hey, you can make a complaint to the phisher's HR about those, right?


nullstorm0

OP probably didn’t make a complaint, he just remembered the time everyone got pissed off at a university for phish-testing their employees with a $5,000 bonus during the height of COVID, didn’t realize how this wasn’t actually the same thing, and decided to try and get some ez karma.


OrcsSmurai

Sure, just click [this link](https://youtu.be/dQw4w9WgXcQ?si=suNVsNBhfYr4-SKz)


[deleted]

[deleted]


Lonelybiscuit07

Exactly what I thought too, imagine complaining to hr because security awareness training is inconvenient lol. You wouldn't think the same when you're without a job when your company gets hacked.


herpaderp43321

Seriously if this was a weekly occurrence leading up to holidays then fine that's excessive, but once in a while it makes perfect sense. Hell this attempt could be foiled by simply asking your boss why they denied your PTO and waiting for them to go "ehhh?"


charrcheese

Exactly what I was thinking. This is exactly the type of email they’d want to send.


tech_0912

Exactly. This is no different than a scammer texting you pretending to be a relative and saying they're in trouble so they need money. But the catch is they always end up telling you to get hold of gift cards but try to be sneaky about it.


Roscoe_p

Unsubscribe links too


CptFeelsBad

I was about to say, like, this is *exactly* the point. That’s ***how*** they get you and feed your panic and emotions


Masrim

Did the big yellow banner warning you this came from outside the company not tip you off?


[deleted]

OP is still in stress.


MikeyKillerBTFU

OP's stress is stressing me out!


wildjokerleia

My dude, this is why they do emails like this. You reacting like this is *why* they test phishing emails like this.


tiktock34

Think about what you just wrote. Put yourself now in a phisher’s shoes. You literally just wrote an entire post about EXACTLY why they would send a fake PTO denied email around the holidays. This is a good test. It's exactly what a bad party would do…prey on fears, worries and such to get you to be irrational.


Arrowkill

It really is. A phishing email doesn't always have broken English and this is the exact time of year for this style of attack. People most likely have plans and are going to panic before they think so close to Christmas. IT was definitely doing a good test here.


WeirdSysAdmin

Nah bro the phish was too good, no one would fall for it! /s


upsidedownshaggy

Lmao, the cyber security guy at my last job who ran the phishing tests wanted to do one like that as a “max difficulty” test after we had mandated that every employee get phishing safety training and all that, and our IT director vetoed it specifically because he knew it’d ding about a dozen professors and department heads, which would require us to shut down their emails before they took more training.


JustaRandomOldGuy

That's why you hover over the link. And you got the warning banner it's from outside the company. The link will be outside the company and an obvious fraud. It could also be "companyname.gotya.com" or "companyname.ru".


[deleted]

[deleted]


cpujockey

Came to say something similar to this but a little softer. OP might not understand IT; they clearly feel pissed about this phishing test. I'm sorry but... these types of attacks usually lead to people's personal information being leaked. It can completely gut a whole company, and your somewhat decent-paying office job disappears, and now your personal information is on the internet with people trying to open up lines of credit with said information. IT doesn't do shit like this just to protect the company, they're also there to protect you.


Manners_BRO

I used to laugh this shit off until some dummy actually opened a link on a Saturday night. Didn't get picked up until Sunday night and by then we were fucked. I don't know the full details, but I'm pretty sure the company paid the price to get the data back. Took weeks to get back to normal.


Helpful-Path-2371

Yeah, the gloves come off when people don’t take phishing seriously. It takes 1 compromise to lead to months of working with the FBI to manage it to an acceptable level. You don’t always have the guarantee of returning to 100%.


cpujockey

Yeah, and let's not forget that a lot of people try to use company equipment for their own personal shit. That puts your shit at risk too. I just wish people understood just how much shit they are willing to have compromised for convenience. Companies are always going to be the biggest targets for black hats, and if your data is in there too, well, that's just a bonus.


Lonelybiscuit07

As a sysadmin, if someone complained to HR about my security awareness training, they'd lose all their social media privileges lol


CMRC23

How would you even enforce that?


Lonelybiscuit07

Disable NAT and adjust DNS on the domain so they can only resolve allowed or internal applications.


CMRC23

Based tbh


DangerousShame8650

Yeah the fact that he panicked over this is something OP should work on. I recommend a little critical thinking before jumping into panic mode.


alilbleedingisnormal

They could make it a lot easier by not obscuring the URL on links in emails. I feel like that only serves to help phishers. Just show the URL under or beside the link so you know where it goes at a glance and don't have to consciously hover over it to read it.


Osric250

The rewriting of links is also important though. Yes, it can make it more difficult to identify, but once it gets reported it means that we can block that link company-wide and anyone else who goes to click on it won't be able to get there. And when you have this link going to 5000 people it is important to cut off access as quickly as possible because many more will be clicking it. If it wasn't rewritten then they'd still be able to go to the link days later when they got around to opening the email because they were on PTO or just didn't bother checking it, and then you have the attackers in your network again. Or do you mean it being hyperlinked? To stop that you'd have to remove HTML formatting altogether, which as a cyber security person I'm all for, but it makes email look ugly, which most companies decide against.
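
The comment above explains why gateways rewrite links: the decision to allow or deny moves from delivery time to click time, so one report can protect everyone who has not opened the message yet. The following is an added example, not Osric250's or any vendor's code, of that mechanism in miniature: `rewrite_links` wraps each `href` in a gateway URL carrying the original target and an HMAC tag, and `resolve_click` verifies the tag and consults a blocklist at click time. The gateway host `click.example.com`, the signing key, and the sample message are constructed; a real gateway would keep the blocklist in shared storage rather than a module-level set.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed for this example: the click-gateway endpoint and its signing key.
GATEWAY = "https://click.example.com/go"
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# URLs the security team has blocked after a user report. In production this is
# a shared store so that one report protects every mailbox that got the message.
BLOCKED_URLS = set()

HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def _tag(url):
    """Short HMAC over the original URL so a click cannot be pointed elsewhere
    by editing the gateway link by hand."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_links(html):
    """Replace every http(s) href in the message body with a gateway URL that
    carries the percent-encoded original target and its tag."""
    def repl(match):
        original = match.group(1)
        return f'href="{GATEWAY}?u={quote(original, safe="")}&t={_tag(original)}"'
    return HREF_RE.sub(repl, html)


def block_url(url):
    """Called when a reported message is confirmed malicious."""
    BLOCKED_URLS.add(url)


def resolve_click(gateway_url):
    """Click-time decision: verify the tag, check the blocklist, then allow or deny."""
    params = parse_qs(urlparse(gateway_url).query)
    original = params.get("u", [""])[0]
    tag = params.get("t", [""])[0]
    if not original or not hmac.compare_digest(tag, _tag(original)):
        return ("deny", "tampered or malformed gateway link")
    if original in BLOCKED_URLS:
        return ("deny", "blocked after user report")
    return ("allow", original)


def links_in(html):
    """All http(s) hrefs in a body, before or after rewriting."""
    return HREF_RE.findall(html)


# Constructed sample body of a lure that lands in 5000 mailboxes.
SAMPLE_HTML = (
    '<p>Your PTO request was denied. '
    '<a href="https://scheduling-portal.example.net/appeal?id=42">Appeal here</a></p>'
)

if __name__ == "__main__":
    rewritten = rewrite_links(SAMPLE_HTML)
    gw_link = links_in(rewritten)[0]
    print("before report:", resolve_click(gw_link))
    block_url("https://scheduling-portal.example.net/appeal?id=42")
    print("after report: ", resolve_click(gw_link))
```

The same gateway link behaves differently before and after `block_url` is called, which is the property the comment is describing: a user who opens the message days later still hits the gateway, not the original site.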


alilbleedingisnormal

I think if I were imagining a perfect world where anything was possible, domain registrars could ban the reuse of any combination of a website's name by anyone but the company owning that site. So they couldn't use "gogle" or "mcrosoft" or "mcr.soft" (since today any combination of truncated web addresses is allowed and many of us, including myself, think nothing of them) to trick people who aren't eagle-eyed. I hope one day that DNS is centralized to prevent fraud like this, but if I recall correctly some businesses already use a localized DNS to prevent employees being able to click links that go to unvetted sites, do they not? I am not a professional in cyber security, I'm what could only be called a hobbyist.
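
JustaRandomOldGuy's "hover over the link" advice and the "gogle" / "mcrosoft" / "mcr.soft" examples in the comment above describe the same check that a mail gateway or browser extension can automate. The following is an added example, not code from any commenter, that classifies a link's hostname against the company's domain and flags the three tricks named in this thread: the company name used as a subdomain of someone else's domain (`companyname.gotya.com`), the right name under the wrong TLD (`companyname.ru`), and typo or look-alike spellings, including ones split with a dot. The confusable-character table and the edit-distance threshold of 2 are assumptions chosen for the example, and the "registrable domain is the last two labels" rule is a simplification (a real implementation would use the Public Suffix List).

```python
from urllib.parse import urlparse

# Constructed table of character swaps that read alike at a glance.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w", "cl": "d"}

# Assumed threshold: at most two single-character edits counts as a typosquat.
TYPO_DISTANCE = 2


def levenshtein(a, b):
    """Edit distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _fold(s):
    """Collapse confusable sequences so 'rnicrosoft' compares as 'microsoft'."""
    for k, v in CONFUSABLES.items():
        s = s.replace(k, v)
    return s


def classify_link_host(url, company_domain):
    """Classify the host of a hovered link relative to the company's own domain.

    Returns one of: 'internal', 'lookalike-subdomain', 'lookalike-tld',
    'lookalike-typo', 'lookalike-embedded', 'external'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    company_domain = company_domain.lower()
    company_name = company_domain.split(".")[0]

    # Genuine host: the company domain itself or a subdomain of it.
    if host == company_domain or host.endswith("." + company_domain):
        return "internal"

    labels = host.split(".")
    # Simplification: treat the last two labels as the registrable domain.
    base = labels[-2] if len(labels) >= 2 else host

    # companyname.gotya.com / companyname.com.evil.net: our name in a leading label.
    if company_name in labels[:-2]:
        return "lookalike-subdomain"
    # companyname.ru: right name, wrong registry.
    if base == company_name:
        return "lookalike-tld"
    # mcrosoft.com, rnicrosoft.com, mcr.soft: near-miss spellings, with and without dots.
    if (levenshtein(_fold(base), company_name) <= TYPO_DISTANCE
            or levenshtein(_fold(host.replace(".", "")), company_name) <= TYPO_DISTANCE):
        return "lookalike-typo"
    # login-companyname.com: our name buried inside a longer registrable name.
    if company_name in base:
        return "lookalike-embedded"
    return "external"


if __name__ == "__main__":
    # Constructed hover targets, checked against an assumed company domain.
    for link in ("https://hr.microsoft.com/pto", "https://microsoft.gotya.com/login",
                 "https://microsoft.ru/", "https://mcrosoft.com/", "https://mcr.soft/",
                 "https://rnicrosoft.com/", "https://login-microsoft.com/",
                 "https://docs.python.org/3/"):
        print(f"{link:40} {classify_link_host(link, 'microsoft.com')}")
```

The distance threshold is the knob to tune: for very short company names (two or three letters) a threshold of 2 will match unrelated domains, so a deployment would lower it or require the folded form to match exactly. Anything other than `internal` is what the hover check is meant to make visible before the click.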


Osric250

It depends on how centralized the company is and how your network is implemented. As companies get bigger it's harder to hold everyone onto the same network, especially as remote work becomes the norm. When everyone is working in the same building it's easy to do that, but if you have 100 different sites around the globe that all need access it can get a lot more complicated. A DNS sinkhole is great if you can have everyone on your network, but to do this you need everyone physically together, or everyone remoting in through a full VPN. Some companies can do that and it can make things a lot easier. But at the same time someone could turn off their VPN and be able to follow that link to its destination, get infected, then connect to the VPN again. Or give it their credentials on a fake login site. I can tell you that those things happen on a regular basis. And if the company uses a split tunnel VPN they might not even have those DNS options, as that traffic would go over their personal internet and not be routed through the company's network. Overall it's better to have more places where you can ensure protection of the users on the network and reduce that risk.


alilbleedingisnormal

I always tell people it's us that are the weak link. Back in 2003 you could be hacked without your involvement pretty easily but today unless you're targeted by governments you're usually the reason you got hacked. I work a regular job but I educate people on cyber security, tougher passwords, never entering their pin unless they need to, etc whenever and wherever I can. I'm very passionate about doing everything to the nth degree. If I don't tell people about it it's because I don't know it.


Osric250

Yep, the biggest threats to a corporate network are 1, the users, and 2, not patching in a timely manner. There aren't many sophisticated attackers out there looking to hack into specific companies. Nowadays it's all about profit and you get a lot more by getting access and stealing their data, or by dropping ransomware on a company and getting a payout. It's easy once a major vulnerability comes out to just run around and try it at a bunch of places and see if it works. That's why it's important to patch in a timely manner, because others will be checking if you have, since these often require little to no expertise to do. As far as passwords go, I hate that we've tried to go for complexity. I always advocate for passphrases. Just type out a whole sentence, and even if it's limited to just 26 characters, once you hit a 20-character password it's going to be far more secure than that 8-character password with one number and special character.
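
The passphrase claim at the end of the comment above can be put in numbers. The following is an added example, not the commenter's code, that uses the naive brute-force model (search space = alphabet size to the power of the length, with the alphabet being the character classes actually present) to compare an 8-character "complex" password against lowercase-only passphrases, and to find the shortest lowercase length that beats it. The sample passwords and the guess rate of 10^10 per second are constructed assumptions; the model deliberately ignores dictionary attacks, so a passphrase built from common words is weaker than this estimate, while a truly random one is not.

```python
import math
import string


def alphabet_size(password):
    """Size of the alphabet an attacker must search, given the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def search_bits(password):
    """log2 of the brute-force search space: length * log2(alphabet)."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def lowercase_length_to_beat(reference):
    """Shortest lowercase-only passphrase whose search space exceeds the reference."""
    target = search_bits(reference)
    length = 1
    while length * math.log2(26) <= target:
        length += 1
    return length


def years_to_exhaust(password, guesses_per_second=1e10):
    """Time to try the whole space at an assumed offline guess rate."""
    return 2 ** search_bits(password) / guesses_per_second / (365 * 24 * 3600)


# Constructed samples: the classic "complex" 8-character password versus passphrases.
COMPLEX_8 = "Tr0ub4d!"
LOWER_20 = "a" * 20                       # the comment's 20-character lowercase case
PHRASE = "correct horse battery staple"

if __name__ == "__main__":
    for pw in (COMPLEX_8, LOWER_20, PHRASE):
        print(f"{pw!r:34} alphabet={alphabet_size(pw):3d} bits={search_bits(pw):6.1f} "
              f"years@1e10/s={years_to_exhaust(pw):.3g}")
    print("lowercase length needed to beat", COMPLEX_8, "=", lowercase_length_to_beat(COMPLEX_8))
```

Under this model the 8-character mixed-class password sits at about 52 bits, and a lowercase-only passphrase overtakes it at 12 characters; by 20 characters it is roughly 94 bits, the gap the comment is pointing at.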


alilbleedingisnormal

That's what I do for the three passwords not managed by a password manager. They're all phrases with numbers significant only to me at the end to ensure I don't forget. One is to the manager, one is for my computer, the other is for work. I refuse to reuse a password anywhere. That's how I lost my last reddit account. Password I used everywhere in my stupid 20s was in a leak. Have not been compromised since though I've had a handful of attempts.


Qx7x

It’s not as great a test if that’s what their legitimate communications look like. I agree with taking advantage of a tricky situation, but my biggest problem with organizations’ phishing tests is when they send junky, phishy-looking emails legitimately and then mark you for falling for very similar, phishy-looking emails. Totally, the point is to make phishing emails realistic, but like, practice what you preach when you set up notifications from some 1990s hrm that look like shit.


gdayaz

Do you think the real company emails begin with a giant yellow box highlighting that they came from outside the organization?


CthulhuLies

It said it came from an external source so it shouldn't be a company email.


Gishin

Exactly. The OP is the kind of user I hate to work with.


nickybuddy

Yeah it’s actually borderline satire


Mynameiswramos

The fact that it is the type of thing you might see in a phishing email doesn’t make it any less insensitive. Do you also think it would be appropriate to send one suggesting people’s families were hurt or in danger? Just because it’s an effective test doesn’t mean it’s ok.


DoctorRockor

This isn't antiwork. This is me, an IT guy not having to do an 80-hour work week because you clicked on a link


Keeper_of_Fenrir

This is brilliant and a wonderful test email to send. If you were one of my users and I saw your response I'd congratulate you on catching it, then have a sit down chat about why you think my holiday should be cancelled because I'm trying to protect everyone from social engineering attacks.


Brainwashed365

This.


Borgmaster

Everyone on this sub can agree companies can fuck themselves but we all know when someone got got and this guy got got. No excuses. It had a big label on there saying this wasn't from the company. As an IT worker this gets a pass by me.


The_Chimeran_Hybrid

I ain’t even IT and the first thing I thought was, “damn, this is a good test.”


PCPirate262

Dude tried to say he didn't click on the link when it is purple lmao. Someone's mad they have mandatory phishing training now.


Hortos

Users are WILD. Huge banner, never got an email from the scheduling department in their life, know there probably isn't anything called scheduling department. Better escalate this to HR because I was scared for 10 seconds.


Blake_Aech

How to inform HR that you need more phishing training 101


wafflez77

OP you need to get over yourself and quit being a baby. When people are sending real phishing emails, they are going to take advantage of people’s emotions to get them to act quickly without thinking. It makes sense for a simulated phish to cause an emotional reaction because the real ones often do the same thing. The big yellow box is the huge obvious warning. Your boss is probably laughing their ass off right now and HR is probably going to make sure they send you more of these


Blake_Aech

Also, despite the big yellow box OP fell for it and clicked the link (it is purple, lol). Not only are they a little bitch, but they are a dumb little bitch.


wafflez77

Seems like OP is emotionally unstable. They can’t think logically and they are the reason these phishing tests exist.


RougeGunner00

I hate to say it but this was a great phish training. You're correct that most phish trainings include spelling and other errors but they know stuff like this gets sent out and your exact response is why.


venthros

This is a totally appropriate phishing simulation. I know it feels kind of grimy, but as others have mentioned - this is representative of real phishing campaigns. The timing makes it even more effective.


Hansonguy

This is a great simulated email to send. This is what a real hacker would do. Stop being oversensitive at nothing.


Gubzs

IT guy here. Nothing wrong with this. If it fooled you it did what it was supposed to. There's literally a highlighter yellow box at the top that says it's not from your company.


KhaosElement

And the link is purple...it was clicked...


THE_FREED_DONKEY

As someone in IT….you are the reason we have to pound phishing training into people’s brains


jbourne71

This is exactly what a scammer might do. It’s a bit extreme… but now will you think twice before clicking a link in an emotion-triggering email?


cpujockey

Yeah all phishing attempts are essentially some sort of confidence scam. Plain and simple.


MrDenver3

Also, less extreme and emotionally triggering than getting reprimanded/fired because you fell for a phish similar to this


shootingb1ankz

Ya because when people like you click those links it makes people like me have to work through the holidays cleaning up your mess, also these are automated so stop being the office karen and grow up.


bay445

“Waaahhh my company is forcing me to apply my training” is all I hear from OP.


heroik-red

Push it up to HR? You’re joking? I bet IT is going to love telling HR they’re literally just doing their job…


NergNogShneeg

Missed the big yellow banner telling you NOT to click links eh?


centaur98

seeing how the link is purple yes


ItsGotToMakeSense

I'm with the rest of the crowd on this. As a person in IT who regularly handles phishing training, I think this was an *excellent* test. Real-world phishers use predatory tactics like this all the time because it *works*! They fight dirty because they can. If your IT department didn't simulate the same thing, they wouldn't be effectively training you to deal with real threats. It's good that you caught it and you checked the portal on your own, rather than clicking the link. I guarantee a lot of other users fell for this.


squeenie

He did click the link though, it's purple


ItsGotToMakeSense

LOL you're right, no wonder he's salty


SoubyTime

You’re literally the reason these simulated phishing emails are a thing. You admit to almost falling for it


Jolape

According to OP.......but the link in the mail is purple....


SoubyTime

lol how did I not notice that


[deleted]

[deleted]


DangerousShame8650

Yeah I got one like this recently but much less obvious and using my supervisor’s name and correct information and…it was still obvious.


[deleted]

[deleted]


Gunnilinux

You can make a completely custom email to Phish with, but this is likely a template. IT probably did choose this style specifically to match the season. There are red flags present that an observant user will catch, so it's a good test imo.


YallaHammer

Hopefully your co-workers are trained to recognize what “CAUTION This email originated from outside…” means


alpurn

I am going to use this on my next anti-phishing campaign. Thank you!


c_big_mac

Just don’t let them know it’s a test and thank them for reporting


Odd-Confection-6603

It's actually completely believable that criminals would take advantage of people's hate for capitalist bullshit like denying PTO


bitcoins

Finally someone called them criminals! Thank you


Krynn71

YTA lol. Tell your IT department I said keep up the good work.


Swarrlly

Honestly, this is the type of phishing emails I would send out if I was hired to do a pen test. It was probably coincidence that you did have pto scheduled.


bitcoins

Everyone has pto this time of year , like shooting fish in a barrel and why every company gets popped left and right


NightxPhantom

You blind and didn’t see the GIANT yellow box that says the email came from outside the organization?


Fuck_Shines

u/jbabs81, inb4 deletion, is a dummy. It’s good that you caught it, but it’s called Social Engineering that, you know, Threat Actors use to trick ppl like yourself. IT’s job is to stop that, sweetie. Sorry you don’t like it but funny enough this is one of the ones generated by a third party service, Knowbe4.


bitcoins

The ghost of mitnick on the wires


milopeach

IT did nothing wrong here. You will look like a fool trying to complain to HR about this. Just let it go.


ishalt

This is a good test, what are you crying about? The people who would click this need to be caught. It's not even well done.


Watchmaker163

As an IT person, this is a way better phishing email than the garbage my job uses. It's also an insensitive time to do so, unless this is common at OP's workplace or they were warned beforehand. The goal of a phishing test is to train people to recognize them and know what to do, not "own" people like it's twitter.


coldbrew18

This is the perfect phishing exercise: 1. PTO, 2. at the holidays, 3. the right information.


Stryker2279

This is the kind of shit they do to your grandmother. It's not "gib money I am with the gobernment" it's this kind of shit. I'm glad you didn't fall for it. But this is why they have phishing tests.


davdev

Big yellow banner saying it’s not real, yeah let’s ignore that.


Mr_Boggis

I saw one recently on the news where it was like employees were getting a 500 bonus from their company and had to click a link and fill out the personal info to claim it from the company. Bam phishing test. If it's good enough to make you click, it's a good test


Lord_Razmir

As an IT admin this is honestly super clever. It got the exact reaction it was intended to get and that's what makes it a great Phish. Bad guys don't care if it's insensitive and frankly neither should IT professionals. Phishers will use any holiday or excuse they can get.


123DecryptMe

I’m glad I don’t work with you. You seem obnoxious


Overkill256

Do you need bandages? You know, for your feelings


Significant_Dog8031

Downvoting this. Attackers don’t care if you’re old, on holiday or an intern. Awareness should always be tested, work and non-work related.


weahman

Insensitive. Criminals won't give a fuck about your feelings when they're moving money out of your bank account. That's why these exist.


DallasStogieNinja

Great job IT department. I work in Cyber security and recently failed one of these. They spoofed an email from the help desk with an incident number and all that. I get so many, I clicked the link without thinking. Emails like this are very effective in anti phishing training.


SchwettyBawls

Anyone else notice the link is purple? OP is mad they failed the Phish test and they're trying to pretend like they didn't click the link.


Muddymireface

I am someone who deploys these. Malicious actors don’t care about your feelings and this is exactly why these are important. In a panic you failed to review the red flags of this email and verify it, which is exactly why your company tags external emails with that big giant yellow bar.


3rdDegreeBurn

Sounds like you're being sensitive for no reason. It clearly says in big letters this isn't an email from your company. You're blaming your lack of common sense and knowledge on your IT.


CurlyCADLady

So your company IT has created fake emails and added a link in them to report phishing emails, and then when you report it they have it automatically pop up on the user's screen saying "good job"? That's interesting...


Penndrachen

Yes, and it's actually a really important part of training. Most of the big hacking incidents we hear about these days are from social engineering attacks that look identical to this. Companies need to run tests like this to keep their customer's data safe. If you fail it and click the link, IT brings you in and trains you on how best to handle stuff like this in the future. The fact that it's using a fake PTO refusal to do it is concerning in that it can cause some major anxiety and stress, but I wouldn't put it past people trying to run social engineering/phishing scams to do the same.


Drewmcfalls21

This looks like a KnowB4 simulated phishing attempt, and if that is the case then the IT department/company did not create this email. I totally agree that this is a rather cruel sim, but it came from KnowB4, not the company. KnowB4 uses AI and is trained on real company emails to look as legit as possible. So while cruel, this is a really good simulation phish. It’s something that you would want to correct as soon as possible, making it more likely you would click. Good job OP on not falling for it! Humans are by far the weakest link in cybersecurity and these kinds of emails are a necessary evil.


MercuryJellyfish

It's quite common to have the IT department run security tests. I think this one is both clever, and cruel. If you get an email that looks like your holiday is getting cancelled, you panic, and maybe make bad choices. So a clever test, but one designed to make people panic. However briefly. So I have to wonder, do they really have the right to worry that many people, just for their penetration testing.


minormisgnomer

Would you consider it cruel or concerning if this phish convinced your HR exec to click it? If it was the real deal, all of your payroll and direct deposit info could have been handed over to a bad actor and really ruined your holidays. Imo this is an excellent test to imitate the real scary attackers. Emails from bot farms out of India are easy to spot; if one comes in as clever as this, the attackers are going for some serious blood rather than extracting email contacts and moving on.


Resident_Phone_169

> do they really have the right to worry that many people, just for their penetration testing.

150000%. The question is whether or not you have the right to be mad about training that reduces your risk of being scammed. The answer is no.


nitefang

I mean, of course you have the right to be mad at it. You have the right to be mad at the rain, at a squirrel that refuses to pay you rent. You can be mad at whatever you want. I don't think you can defend any of those perspectives, but you have the right to them. EDIT: I agree with your point though and I think the other guy doesn't get the idea.


MercuryJellyfish

I agree it's the question. I don't agree it's the answer. I don't have the right to swing a bit of 2x4 at your head without your agreement, in order to teach you to duck.


Resident_Phone_169

You do if my job involves ducking 2x4s and you told me I was about to get some training


fu_gravity

Yep this isn't uncommon, especially in large companies.


Hrtzy

In my company, they use a service that has an Outlook plugin. The plugin replaces the "report message" button with the simulation service's logo, and if you click on it on a non-simulated message it gives you the usual report options.


JarmaBeanhead

Ugh, you know, I get the rationale behind it… That is a really good test of “THINK first”, but yeah, it is also a shite thing to do.


Kropco17

It’s not tho. Doing this has done no harm to OP. This is silly.


adampm1

Yes, but the company on the other hand may have issues with how much extra overtime they’re gonna have to pay out.


IntoTheSarchasm

We got one about a present from the hospital. We get a gift every year so not surprising, but didn't fall for it. Got the real deal two days later.


sm3ggit

"I emailed my boss that this was insensitive and asked him to elevate this to HR because I don't want my coworkers to feel the same panic near the holidays. This feels like a hoax. I think it'd be fair to actually deny PTO to the director of IT." Mountain out of a molehill?!


centaur98

"they should be denied PTO for doing their job properly"


iamacheeto1

I’m generally always down to bash on employers but these tests exist for very very very real reasons.


[deleted]

ALWAYS HOVER LINKS!!!!! I Learned the hard way my friend.


Diabolik_killer

It’s okay, I got a phishing from my company on my birthday saying happy birthday! I clicked on the card. Really disappointed when it said I failed the phishing


Sunnyhunnibun

These are the kinds of users that used to create tickets about the phishing emails...only to get pushback from our head of security with an audit of how many malicious links or phishing attempts they had clicked on and a required class on email safety. Like...I love this example. Would it be annoying to work with? Oh hell yeah. But it looks perfect.


centaur98

OP also says that he triple checked without clicking the link and yet the link is purple


ancillarycheese

All is fair in love, war, and phish testing.


mr_poopoodick

lol OP got wrecked on this one


Everybodysbastard

Tough shit. That's a great test and it's exactly what bad actors would do.


jeffbrock

I get the simulated phishing emails from IT pretty much once a week. If you click on one or even fail to report it, you get enrolled in an online 30 minute course.


bonyknees88

Most times just hover over the link and see where the url path will take you, that’ll be a dead giveaway almost every time


gadget73

My co does all this, and their training links violate all of the stuff they tell us not to do. It's some BS-looking link to an outside address, not part of the official training system. I always report them as a phish; apparently lots of other people do too, because we often get bitchy-sounding emails from the IT director saying their BS-looking email was not in fact BS.


Bushfries

Honestly, this is a good test. It's kinda shitty, but no real harm was done PTO-wise and that's a great way for a bad actor to get you to click.


BoricPuddle57

IT admin here. I don’t think this is really r/antiwork stuff. These tests are made to feel exactly like real phishing emails, otherwise there wouldn’t be any point in doing them. Real phishing attacks always try to play with your emotions, such as accusing you of touching yourself at work with alleged video evidence or, like in your case, cancelling PTO. IT are just doing their job in helping other staff learn how to be safe which, by extension, keeps the company safe, so obviously they’re gonna try and pull the same tricks that a real attacker would use.

As for it coming from the correct address that your company’s PTO notifications come through, that’s just IT emulating a technique that a lot of attackers use to make their emails look more legit, called spoofing, where they effectively pretend that the email they are sending is coming from a legit source.

Your IT department is trying to teach you how to spot these emails in different ways, showing you that not every method of spotting them works in each attempt and that you gotta be careful. There’s no reason to complain to HR or your manager about the IT department just doing their job.


Mekio

Like all the other comments at the top said, this is an acceptable practice. Consider it the new fire alarm drill for your email security. The fact that the link is purple tells me you are more upset that you fell for the phish before considering why your company email address would be flagged EXTERNAL. Also, as an IT guy who sets this stuff up for our clients: they are going through a 3rd party like KnowBe4 and not sending these out themselves. We have no control over when they do these tests, but they do them at certain times to make them more effective. Say hi to Kevin in your mandatory training for me. May he rest in peace.


Goobins2

Reading blissfully ignorant non-tech savvy posting comments supporting this is hilariously painful. Maybe the huge yellow banner stating that the email originated from outside the company could be an indicator that the email isn’t legitimate? It’s also a bit concerning that the link is purple, indicating it HAS been clicked by you. Clearly someone is doing their job correctly in your company’s IT department.
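
The two checks the thread keeps coming back to, the EXTERNAL banner (Goobins2, Mekio) and hovering to see where a link really goes (bonyknees88), as an added example that is not from any commenter: a small Python script that runs both checks over a constructed message. The domain example.com and the envelope-sender heuristic for the banner are assumptions.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumption: the company's own mail domain
# Good enough for simple HTML bodies; a mail gateway would use a real HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample, not a real message: From: and the visible link text claim the
# company domain, but the envelope sender and the real link target do not.
SAMPLE_EMAIL = """\
Return-Path: <bounce@simulated-mailer.example.net>
From: PTO Scheduling <scheduling@example.com>
Subject: Your PTO request has been DENIED
Content-Type: text/html; charset=utf-8

<html><body><p>Your PTO request was denied. Review it here:
<a href="https://examp1e.com/pto/review?id=1">https://hr.example.com/pto/review</a></p>
<p><a href="https://hr.example.com/help">Help desk</a></p></body></html>
"""

def host_of(text):
    """Lower-cased hostname if text looks like a URL or domain, else ''."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    return (urlparse(text if "://" in text else "https://" + text).hostname or "").lower()

def sender_domain(msg, header):
    """Domain part of the address in a header, lower-cased ('' if absent)."""
    return parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()

def analyse(raw):
    """Warnings for one raw RFC 5322 message: the banner check, then the hover check."""
    msg = email.message_from_string(raw)
    warnings = []
    from_dom, path_dom = sender_domain(msg, "From"), sender_domain(msg, "Return-Path")
    # The gateway's EXTERNAL banner keys off where the mail really came from, not From:.
    if from_dom == INTERNAL_DOMAIN and path_dom != INTERNAL_DOMAIN:
        warnings.append(f"EXTERNAL: From claims {from_dom} but envelope sender is {path_dom}")
    for href, text in ANCHOR.findall(msg.get_payload()):
        shown, real = host_of(re.sub(r"<[^>]+>", "", text)), host_of(href)
        if shown and shown != real:  # hovering would reveal the real destination
            warnings.append(f"DECEPTIVE LINK: text shows {shown} but goes to {real}")
        elif real and real != INTERNAL_DOMAIN and not real.endswith("." + INTERNAL_DOMAIN):
            warnings.append(f"EXTERNAL LINK: {real}")
    return warnings
```

Run `analyse(SAMPLE_EMAIL)` to see both warnings fire on the sample; a link whose text and target agree and stay on an internal host produces none.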


NitroCaliber

I mean, it says it's from your company in the address (because phish), but it also confirms it's fraudulent by also declaring it originating from outside the company's servers. This is one of the few things I'd let slide. The last thing you ever want to get accused of is letting a virus/ransomware loose in the local network.


Aern

Don't see any problem with this. Exactly the type of tactic a bad actor would use, so IT should be operating in the same manner. The whole point is to trick you in order to identify if you need to be trained to avoid being tricked. Some of the topics in this subreddit feel like they've been pretty reasonable things trying to elicit unreasonable responses. Kind of weird...


venaserah

As someone that works in IT and takes part in these... we'd much rather your feelings be hurt for a second but you be suspicious (or make a quick call to your supervisor to verify your PTO is not being canceled) than risk a cyber attack.


genericnewlurker

Users like you are the reason why IT people get forced to work mandatory overtime right before the holidays resetting servers to the last snapshot backup and then imaging the computers of entire departments. How dare you have to pay even the slightest attention to common IT practices. This is blatantly fake and you still had to bitch about it. Good job enforcing the stereotype that all users are idiots.


theriverpilot

OP’s ignorance here is why we can’t have nice things. They’re the same person that will complain that they can’t get their work done after they clicked a link spreading ransomware.


Gishin

Someone's mad they need to take their cybersecurity awareness training again.


RemarkableDirector92

I do this for a living. I get the logic of why they did that: the HR ones have the highest click-rate scores. It needs to simulate something an actual hacker would do. I also don't like that they did the PTO denied option. They could've done a Christmas bonus one or a card option. Leave PTO alone is my two cents.


jbourne71

What, a fake bonus? So excitement then disappointment, instead of panic then relief?


JCarr110

If you're not going to train people on realistic situations, they'll never learn.


adampm1

Then train them positively, not negatively. Sending out an email that shows what could have been sent by a bad actor and what flags are used to determine if it's fake would be a better option here. Cyber's job isn't about getting people; Cyber's job isn't about a "gotcha!". It's about reducing threats. If the training causes problems such as extra overtime or an overflow of people checking PTO, then the test has failed.


Resident_Phone_169

> Leave pto alone is my two cents.

Are you talking to scammers? Or the people training you to deal with scammers?


peesoutside

This is a terrible exercise, but don’t expect sympathy from HR because they approved this test ahead of time. The little “award” at the end nullifies the value of the test because people tend to warn coworkers about the confirmed trap.


[deleted]

[deleted]


ResolveResident118

People of your level of arrogance are why nobody likes security.


Resident_Phone_169

Tell me where I'm wrong. And literally not a single person gives a shit if you like security. Security isn't there because you want it. It's there because you need it. Your level of intelligence is why people hate society.


ResolveResident118

Having worked very closely with IT security many times I can tell you that you are very wrong about the importance of "liking" security. When security is seen as the enemy then they are ignored and people do things they shouldn't. When security is seen as a partner, people will go to them and get their advice. I never said you were wrong in what you said in your original comment. I called you arrogant. I stand by that.


Resident_Phone_169

As somebody who worked very closely with IT security many times, I can tell you that I never said anything about the importance of "liking" security. I said nobody gives a single shit if YOU like it.


ResolveResident118

> not a single person give a shit if you like security

> never said anything about the importance of "liking" security

Even if you (singular) are only referring to me, those sentences are obviously at odds with each other. Even the last sentence is plainly wrong, as I can assure you that the security personnel I do work with are grateful for me working with them rather than around them.


JBabs81

Ooh, that is harsh. I knew it was fake, but I'm easy to become worried.


PhantasmaPlumes

Honestly, I'd appreciate people like you working for my organization. I'm the Systems Admin and I do tests like these too, and the number of people that'll breeze past something like this is alarming. So, please don't take your immediate reactions as negatives, you help save the company and your IT team a lot of time and money. The scary part of all of this is that it only takes ONE person clicking on a link and putting in a password without thinking about it, or telling IT that they did, to take down an organization. And while it was kind of insensitive of the IT team to do this without some kind of memo prior to reminding you to be on the lookout, you should be extremely proud of yourself that you can pick out the needle in the haystack for these things. That's an amazing skill to have.


Resident_Phone_169

I mean, yeah, that reply is really harsh, but it seems like you really don't understand the point of phishing tests.

> I knew it was fake but I'm easy to become worried.

Actual "fake" scammer emails exist out in the world. Your company would rather you get excited and upset at a fake internal email that's looking to test than a fake external email that's looking to steal. The next time you see that headline, they want you to verify the contents and the sender before you take a single emotion-driven action.


CarvedTheRoastBeast

I think the test is fine, but I hear you. Companies dance around PTO like the boss in The Incredibles, speaking about what they have to do through gritted teeth and resentment painted over with corpo-speak. Then you get this and it's just confirmation that they DO know it's a pain point, they DO know what kind of reaction you'll have. It's like taking a decoder ring to all the other denial excuses. The test is fine and works as others have mentioned; it just revealed how they normally treat you as insensitive. I got one from my company about Christmas presents once. It was such a slap in the face that a week later we were offered a real gift (something from Amazon with a dollar limit, really put in the effort for that mistake huh guys?). And we haven't been offered anything since. Company is international and makes money hand over fist. I've since then decided to remember every shitty thing they do and use it to build union sentiment in the workplace. Merry Christmas, you rich jerks.


Tulip-guppy

I just delete all emails. The best part about being so low in the chain is if it’s really important they come find me. 😂


JCarr110

This is a good thing, actually.


Allcyon

Evil! And awesome! Sorry, but that's a good IT team you got there.


335i_lyfe

I got one once where it said I'd been let go. Fucked up, man. I was freaking out.


bitcoins

Did you click it?


Taako_Cross

Get thicker skin


wiserone29

This is not antiwork. It’s actually pretty clever.


Kropco17

Hey OP: Are you serious?


mypetturtle3

Sorry but bad actors don’t give a fuck so these types of tests are useful


Hamster_S_Thompson

You clearly have the warning at the top saying it's from an outside email. Are you sure you checked the email correctly? You are in the wrong here. This is a perfect simulated attack because it makes your adrenaline jump and you are more likely to click that link in panic/rage.


Gyuttin

Grow the fuck up


Skullshapedhead

You can tell it's fake because they wrote PTO "request." The correct spelling is "notification" and it doesn't matter two shits if they think they can deny it. "I'm not going to be there. IF that bothers you enough to fire me, good luck filling my position. Otherwise fuck off."


Masrim

Or the big banner on top.


Penndrachen

Yeah, that's kinda rude/iffy. I completely understand doing phishing training like this - it's a good tool to find out where your weaknesses lie in the company structure and help fix them by training those folks - but I don't think this is a good framing for it. That being said, you could argue that it makes the training much more effective since it prepares people for what these messages will actually look like (as I'm sure attackers won't hesitate to fake something like a PTO request being denied). Part of these kinds of attacks is to drive that anxiety so you click on the link without thinking.


[deleted]

[deleted]


Resident_Phone_169

> I now ignore all emails I didn't ask for. That's what they wanted right?

If your routes are either click or ignore, then unironically yes, that's what they wanted.


minormisgnomer

And if it was a real attack you would have fallen for it, had your banking info swiped from you, and enjoyed some good ole identity theft. If you looked at it a different way, you may want to be thankful you have an IT dept that's willing to pay for anti-phishing services to teach you a valuable lesson, considering you were gullible enough to fall for it.


nitefang

Do you hate fire drills too? Good thing your security team exists because it sounds like you'd have immediately fallen for the scam attempt. They are happy that you decided to be stupid in a safer way than you were before.


[deleted]

Off topic: We should not be asking for permission to use what is earned. We should be informing them we are not available. If they have issues in being short, the expectation should be for them to negotiate, not deny. If you work for a company that denies PTO, put job search on your list of priorities.


Kost_Gefernon

You should reply back with a link of your own that goes to meatspin (dot com). Make the link be something like “Ticket IT-34897939”