I reported the test phish (the only phish we ever got) and laughed at coworkers who had to take the training only to turn around and see I needed to take it too
Most of them are phishing test emails (where the org sends out fake “phishing” emails which have a UUID link tied to your email address) so they KNOW who clicks on these and who reports them. Until I stopped giving a fuck, I had reported 100% of them and clicked on 0. But since that doesn’t let you “test out” of the 45 minute quarterly security awareness training, I stopped wasting my time and just delete them
About 9 years ago I wrote a script that looked for links to domains registered to wombat (the company that most companies seem to use for phishing simulation) and would autoreport and delete them. So just never saw them.
Isn’t the big difference that they have to take it everytime they fail and open one they shouldn’t? At least thats how it is at my place. They get a lecture, and then retake the course. Everyone else does it once a year along with all the other mandatory training we need to do for compliance.
Its also not about the individual. The company is doing an assessment of their security and vulnerabilities. If your company has any sort of restrictions on email attachments or methods of sharing files, theyre probably a result of people failing these tests
I came to say the same thing
I reported the test phish (the only phish we ever got) and laughed at coworkers who had to take the training only to turn around and see I needed to take it too
Yep.
Most of them are phishing test emails (where the org sends out fake “phishing” emails which have a UUID link tied to your email address) so they KNOW who clicks on these and who reports them. Until I stopped giving a fuck, I had reported 100% of them and clicked on 0. But since that doesn’t let you “test out” of the 45 minute quarterly security awareness training, I stopped wasting my time and just delete them
About 9 years ago I wrote a script that looked for links to domains registered to wombat (the company that most companies seem to use for phishing simulation) and would autoreport and delete them. So just never saw them.
Still had to do the training. Every six months.
One of my former managers had this habit of setting up email rules for known phishing simulation domains whenever he started somewhere new.
Microsoft domains listed in a table here for anyone else unfortunate enough to have to use their products within your org.
Isn’t the big difference that they have to take it everytime they fail and open one they shouldn’t? At least thats how it is at my place. They get a lecture, and then retake the course. Everyone else does it once a year along with all the other mandatory training we need to do for compliance.
Its also not about the individual. The company is doing an assessment of their security and vulnerabilities. If your company has any sort of restrictions on email attachments or methods of sharing files, theyre probably a result of people failing these tests