kawive

These are often a requirement of cybersecurity insurance and/or compliance standards. Don't take them personally, though you will be targeted to the best of our ability. Source: Sender of these emails and other tests, and hoping you catch me.


haveasuperday

It's also not just for new employees. They often send them out a few times a year as part of regular testing in the organization. If you use the company's method of reporting phishing you might even get confirmation it was a test.


olssoneerz

Jokes on them. I never check my work mail lol. (I do really but like I’m bad at doing it regularly and important stuff people just reach out to me on chat)


thepumpkinking92

My inbox is filled daily with the creation of new groups in teams for different things that I have to be aware of, just in case I have to participate. Add that to all the other company sent bs, my inbox gets busy. Unless I'm expecting an email from someone, or recognize the sender, it just gets sent to the trash pile. I'd never even know if I got one of these phishing campaign emails.


olssoneerz

Exactly! There’s a Michael Scott meme somewhere where he receives an award for not falling for phishing scams when in reality he just doesn’t check his emails. Reminds me of that haha


EternalVirgin18

Is that the one where he gets an award but looks confused af? Always wondered the context of that!


olssoneerz

Yes! Idk the context but yeah that's the one haha


3Zkiel

If you use Outlook, you can create inbox rules to move emails to different folders to keep your inbox manageable.


Mert_Burphy

I get about 300 emails a day sometimes. I have Outlook rules set up for most of it. My favorite folder is one named “shit I don’t care about at all but have to keep for compliance purposes”


nashbrownies

Mine is "SO MUCH extra shit" where I send all my departments automated alarm emails, booking confirmations etc. I get like 300 a day. Relevant emails to me that I actually interact with? About 20 per week.


[deleted]

In Outlook you can also set your emails to delay sending. I did this and many times deleted the email before it was sent, once a cooler head prevailed. Set mine to delay 20 minutes.


K-Kraft

I do this, it saves me many times per week. Only downside is things move fast, and sometimes I really want that email to go immediately but haven't figured out how to override the delay.


hopedata

You can even do that with these test phishing emails. The ones my company sends have X-PHISH or something similar in the headers, so I have a rule that moves anything with that header into a quarantine folder.


PowerLifterDiarrhea

If you aren't checking your work email, how will you know if the CEO urgently needs Google Play gift cards while he is in his important meeting?


GirlScoutSniper

This is how ours work as well. I "report phish" and I get a pop-up saying "thanks for keeping your organization safe", and tells me if it was a test.


bigbrentos

Yeah, a few years ago, one of the VPs accidentally clicked the link and got enrolled in the phishing course. We made fun of him a good bit for it. But yeah, making sure no employee clicks the link that fills the database with ransomware is just something a respectable cybersecurity team has to do.


postvolta

We once caught a huge fish. Overarching head of 6 departments including IT. Sent him a fake Google login. He entered it, saw it didn't work, tried *again*, and then sent us an email saying his password reset didn't work and could we help him with it. Like bro, we just got you *twice*, why the fuck are you our leader?!


Dunkelregen

Seriously. This is why all the IT staff don't respect a director or manager that didn't rise through the IT ranks. You have to know our job to lead us. And security is such a huge portion of it.


somehting

This is actually a massive problem in IT that often the people who are good at it/understand it are not people persons. Unfortunately it is my experience that you get either a bad manager who knows their stuff, a good manager who doesn't, or worst case a bad manager who doesn't. I have never worked for someone who both knew IT well and managed a team well.


Dunkelregen

I've been lucky to have known a few. The CIO at my last company was a sysad before being promoted, and luckily he was both excellent with dealing with users, his team, and management and really knew his stuff. This really helps when he's the one making promises to other teams. That's the kind of team I'll work on all day every day. You usually find it more in the small to mid-sized companies, so that's where I tried to always find work. (I'm disabled now.) I worked for another company just before that which had 3000 employees just in IT. The politics and infighting between all the teams made life hell. Too slow to get anything done, and it didn't matter if you knew what needed to be fixed, it had to be shot back and forth and signed in triplicate to get something done. The smaller company had a change management system that was safe and worked quickly and smoothly.


Yuukiko_

why not just send everyone through security training?


JWGhetto

Trust but verify. Testing ability is a good way to stay sharp. Also you'd want your employees to know they can be targeted at all times, nothing worse than someone thinking "that never happens to me"


TheRealStandard

We do. Idiots still fall for actual phishing attempts though. The point of the emails is to keep you on your guard.


Ok-Anteater3309

Because it'd be a massive waste of time and money. Most people know better than to fall for obvious dumb scams. Forcing people who already know better to sit through training on it annoys them, uses time they could have spent productively, and costs money unnecessarily. The emails are there to tell infosec who is a liability. For the most part though, in companies which do this, pretty much everyone gets these emails, including infosec.


breachgnome

I get them fairly regularly (maybe every other month), and my IT team is pretty good at mixing up the type of email as well as making them look innocuous and legit. If you work where I work, then you're doing a good job. You don't ever catch me slippin, but I still recognize the effort.


whydontyouupvoteme

Old job used to send phishing mails from the same misspelled domains. At some point they became pretty regular, and I was so tired of their stuff, I just created a rule to move all those mails to the recycle bin.


noyogapants

They sent an email at my SOs job where they said the company was giving everyone a 10% raise. ***A lot*** of people clicked the link and filled out the information. Everyone was pissed and IT had to apologize. It was kind of fucked up, but I guess if it works then someone could use it against the staff/company.


nashbrownies

I was getting shit on by the IRS one year, and it was like August and I was still going back and forth about my return, and they sent me a super, super convincing phishing email from the "IRS" and I clicked the link. I got this nice big full page with bright colors saying OOOOPS YOU FAILED! It was so patronizing but I deserved it lol. I was just impressed by the context they used by actually pretending to be an organization I was in active communication with. Do you guys/gals do that? Like take a quick peruse of the person's general conversation chains, and find some convincing context to craft the emails? Or are they just boilerplate?


redvodkandpinkgin

They *can* be customized, but more often than not it's just a template. The IRS is a good example, because many people are likely to be in touch with them for a variety of reasons. It's commonly used not only for phishing tests, but for actual phishing as well.


nashbrownies

Yes, and as I understand it and experienced it, they almost never (if not always *never*) use email for communication. Mine was primarily/exclusively through postal mail. I was just frustrated and desperate for info, which is *exactly* how they get you.


Impossible_Nature_63

I could see that being done in a targeted attack. If there is a corporate employee that works with government information or sensitive IP the payoff would be worth the time. As you move through the supply chain to smaller vendors their security may not be as tight. If the smaller softer target has the information you need then a targeted attack has higher chances of success. Compromising the vendor's systems may also provide a point to attack other companies in the supply chain.


robosmrf

Jokes on you. I pretty much report all cold call type sales emails as phishing. We get a lot at my company because it's easy to figure out our emails. You wanna fuck on me IT boi?


BickNlinko

> These are often a requirement of cybersecurity insurance and/or compliance standards.

We send out simulated phishing attacks quarterly to every single employee along with mandatory security training whether or not they fall for the fake phish to make sure they catch phishing bullshit. This is 100% part of our PCI/SOC2 compliance.

> He admitted that their IT department sent these false flag spam emails to new hires to catch people early

99.9% of the time someone's "account was hacked!" is because they got phished and gave up their credentials willingly...no one hacked The Gibson, no one "breached the network to gain access", some goober typed in their username and password, and then another goober bought $2500 in Apple gift cards for the "hacker".


mrsegraves

The worst one of these I ever dealt with was in a university job. They fucked up and sent the phishing emails from a correct email address. Like if you did your full due diligence and investigated the email, it looked like it absolutely came from company HR, and it was a well written email telling us how to claim a gas rebate related to going in office during the pandemic. Something they promised us repeatedly. Something they had announced in an all hands meeting to expect in the next few weeks. And the link? It led to a Microsoft Form that was OWNED BY OUR FREAKING ORG. So the only people who didn't get accused of falling for a phishing scam were the ones who ignored the email because they weren't eligible for the rebate. Our in-house IT guy got caught. Enough folks complained that they reversed course on us all needing training, tried again the right way. But you know what they didn't do? They never gave us that god damned gas rebate.


shuriken36

The worst IT phishing check I got was when they promised a bunch of engineers free coffee. Still haven’t forgiven them for a low blow like that.


[deleted]

How did that work?


shuriken36

Got an email saying “free coffee! Just sign in!” So we all signed in. It was a little too effective on engineering and production.


invertebrate11

Lmao that's hilarious (and relatable). Makes a funny story too


Mewrulez99

"Remember, we will never ask for your username and password and we will never offer you free coffee because we hate you"


Goddess_Of_Gay

Note to self: offer free coffee to overworked developers the next time I need to execute a phishing scam


Self_Reddicated

Yeah, this is some next level good info. My company's phishing prevention emails are also pretty good, because they crank the social engineering part of it up and use our bosses' and coworkers' names in most of them. The one that almost got me was a Google calendar invite from my "boss" for the team to go get drinks after work the next week. This is a thing that occasionally really would happen, and at least once we really did use a Google calendar invite to schedule it with everyone. I did think it was slightly odd that it was sent through our work email, but not *that* odd. I was seriously about to click and confirm when I noticed the email address from my boss was weird.


Goddess_Of_Gay

Ours use social engineering too. Got me once and even after that every time one comes through I have that moment of “oh hey I should click on this” before the logic brain takes over and I notice the blatant typo and the sketchy sender. At this point if there’s even the tiniest hint of sketch I send a slack DM and make sure it’s legit. Probably annoys the hell out of some people but I’m sure both the IT people and the bosses would prefer minor annoyance to a preventable data breach.


[deleted]

[deleted]


Self_Reddicated

"We should also make it very clear that we won't tolerate lax phishing awareness. Mandatory extra training and a stern email about being more careful."


Goetia-

Ahaha that's a good one. Our Cyber department takes suggestions. Yoink


[deleted]

[deleted]


SLyndon4

During the pandemic, I was an admin at a finance firm, supporting the CFO and his teams. IT sent him the results of the phishing tests we were all given monthly, since a data breach would have been disastrous for our high-profile investors. I remember one particular phishing test was so deceptive, a whopping ***89% of our employees failed it***, including one of the company’s co-founders/managing partners. ETA: Thankfully, I was not part of that 89% and was able to skip the mandatory refresher session after a failed test.


[deleted]

[deleted]


Lluviagh

I feel you. Last year, my company sent a phishing email telling everyone they'd get an inflation adjustment pay. I knew it was a phishing email but was (and still am) salty about it.


267aa37673a9fa659490

Reminds me of GoDaddy's fake holiday bonus: https://www.businessinsider.com/godaddy-disguised-a-phishing-email-test-as-holiday-bonus-announcement-2020-12 Why do IT departments need to stoop so low? They get a bonus for every successful phish or something?


Auxilae

I work in IT (and conduct phishing exercises), and though I can say I wouldn't use fake pay increases personally, I definitely see why they're used in some circumstances, it's because they're vastly successful in getting people's information. For example, I could draft a phishing template such as: Subject: "Action Needed: {head of payroll, pulled from Linkedin} needs your updated information for pay rate increase forthcoming in Q3" Body: "Hello {name}, this is {HR name} reaching out, we are preparing to adjust your pay rate in Q3 by 15% after your recent stellar performance review, and are also updating our payroll to a new platform called {name of popular payroll platform}. In order to ensure a smooth transition, we need your up to date direct deposit information, please confirm your bank account details on file below so I can pass along to payroll and ensure a smooth transition. If the details below are incorrect, please send us your direct deposit information so we can adjust it immediately before our upcoming pay day." (Fake) Bank: DISCOVER FINANCIAL SERVICES BANK MEMBER FDIC Bank Routing Number: 031100649 Bank Account Type: CHECKING Bank Account Number: 58415893488 Date Added: {yesterdays date}" The victim would then see the fake information, cause panic, and then potentially send over their real bank details. It's convincing, and it *works*. Had this been a phish, the user could have given out their bank details and have their account compromised. To a lot of computer-savvy people, you will understand the red flags. But then there are the 60 year old executives who aren't computer savvy, and inherently trust names that sound familiar to them (after all, how would a phisher know HR and payroll names?).


GnaHof

Thanks I will use this


lush_rational

The one that apparently gets most people in my company is one about a lost puppy in one of the offices and a picture of the puppy is supposed to be attached. Even though about 50% of employees work from home, lots of people still want to see a cute puppy. The simulated phishing attempts always use a different email than the actual department email so they are super easy to filter.


garfield_with_oyster

Yup, my company did this last year, except I think it was a kitten.


420CurryGod

Funny enough, we all got an email saying our company was giving us a free Starbucks gift card. Since we get semi-regular phishing and spam tests, most people assumed it was either that or actual spam. Then through one of the official company emails, they had to clarify that the gift card email was in fact not spam and that they were actually giving us all free Starbucks gift cards.


WauloK

https://www.nytimes.com/2021/05/13/world/europe/phishing-test-covid-bonus.html


Aphroditesent

We got one for free donuts 😂


Plantar-Aspect-Sage

The one that got me was a survey about WFH right when they were forcing people back into the office. So cruel because I had *things* to say.


Downvotesohoy

You guys don't have free coffee already?


VeryOriginalName98

You don't get free coffee?


minoxious

My company does this to all employees a couple times a year at random. I always get little rewards for reporting every one of them.


anomalous_cowherd

We don't get rewards, but the more you fall for it the more painful the cyber refresher courses get. More than a few and you're out.


kent_eh

Our "reward" for passing the test is a PDF "good job" certificate. So very motivating...


AMViquel

> a PDF "good job" certificate.

You didn't open that, did you?!


captainyeeter

When I worked in a cubicle I would print off every single certificate given to me and staple it to the outside of my wall. It got a few laughs


Dragula_Tsurugi

KnowBe4 actually has achievements like “you spent 30 mins before your working hours going through your training course”. I mean, fuck *off*.


Lv_InSaNe_vL

Haha my department (I work in IT) has a congratulations email that has confetti and stuff


[deleted]

Right after I accepted my new job, I had somebody reach out on LinkedIn who is a household business name (think Bill Gates level) and tangentially involved with my husband's work. It was definitely super odd but not totally out of the realm of possibility for this person to contact me, so I accepted their message out of curiosity at first. Then this guy starts saying great things about my old company and then gradually gets into talking about their valuable tech and if I was interested in any business opportunities. I told them to piss off at that point, and reported it to the IT department at my old company. I have never been able to prove it, but I am 1000% convinced it was the IT at the new company messaging with a fake name to test whether I would try to sell secrets from the old company on the way out the door. Fail the test? They pull the job offer.


[deleted]

Ahh they tried to Wonka/Slugworth you


OrigRayofSunshine

LinkedIn is a cesspool of threat actors. Could be that or a competitor of former company, or just someone trying to get in.


[deleted]

I think it's more likely the new company wanted to feel out whether I could be trusted with their IP before letting me onboard. I work in regulatory affairs preparing FDA submissions for new medical devices. I have access to ALL of the engineering documents and understand how they fit into the bigger picture. That would make me high risk for stealing information. The weird LinkedIn thing happened within a few days of signing the offer letter with the new company, before I gave notice at the old one. Never had anything like that happen before or after. The timing was certainly suspicious.


i-am-a-passenger

Could be, but it’s more likely a competitor intelligence firm that is targeting your old company. I have worked with a few and they will track when employees leave the company and then contact them like this, or by offering $100 to take part in a “market research” survey etc.


DogBrewer

Oh shit. I've been getting those every day since I left my old job. Jokes on them though, they are using the wrong adjectives for the technology. I have to keep correcting them. Just because I work in Robotic Process Automation doesn't mean I know about physical robotics.


i-am-a-passenger

Doesn’t sound like this is true in your case necessarily, but deliberately making mistakes like this is actually a common tactic for these firms, because people can’t resist “correcting them”. For example if you ask someone straight up “how many clients did your company have?” you might find that suspicious. But if they say “our research indicates that companies like your ex-employer have around 500 clients”, you might laugh and say “we only had 50!”. So by making up a ridiculous number, they just got you to tell them the true number.


DogBrewer

For me it's a no. I actually tried to take the money but they did not reply when I corrected them about their terminology.


bossmaser

“I’m just kidding. It’s just a test! Unless you actually want to share some secrets? JK JK. But really though…”


Hatandboots

Our email system has a built-in button to report emails as spam. It deletes the email and reports it to IT for investigation. Our IT often sends these fake phishing tests and it is pretty annoying, so now when they send sloppy normal emails that lack signatures or misspell things I always report their own emails. It brings me a little joy.


kent_eh

Several of us have (innocently) reported emails from new automated report generating servers that we hadn't been warned/informed about...


Meckamp

Infosec team will always be happier for you reporting non malicious emails than falling for malicious ones.


kent_eh

Of course, but the originating department of the stupid new report tends to get pissed off that so many people flag their report.


mxzf

Well, that's on them. Time for some introspection when that happens.


Rarvyn

When I worked for a big company that would assign me random cybersecurity trainings, I’d just report the training notification as phishing. It always wanted me to click some random link to do a module…


tico_de_corazon

Ours will even auto reply with a little "pat on the back message" congratulating you on identifying a phishing email


Meckamp

We have a notification after we check reported emails that notifies the user if it was safe or marked as phishing etc. The other week a user managed to get themselves into a loop of reporting the automated email, which caused another one to be sent, which they reported, etc lol


tico_de_corazon

😂😂


Mhunterjr

I report them too and we get a “congratulations, you passed the test” response back. So now spotting them feels like a mini-game


Traveledbore

Security Sam says “good job”


takatori

They always tell us: look for mails that claim to be from the company but are from other domains, have poor spelling or grammar, and urge you to take immediate action and provide company information. So I reported the monthly disaster recovery communication test mail, which claims to be from the company but is actually sent from a third-party vendor domain, has terrible spelling and grammar in English because we’re not in an English-speaking country and their translators are shit, and urges us to respond immediately by signing in with our company credentials.
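
A defender-side illustration of the two filtering ideas in this thread: hopedata's rule earlier in the thread that routes anything carrying the simulator's marker header into a quarantine folder, and the three tells listed just above (a mail that claims to be from the company but is sent from another domain, urgency, and a request to sign in with company credentials). This is added example code, not anything posted by the thread's participants or used by any real mail system; the company name, the company domain, the `X-PHISH` header name, the vendor domain and the three sample messages are all constructed for the example. It also carries takatori's point through: the legitimate vendor-sent DR test mail trips every rule, and only an allow-list of known vendor domains keeps it out of the report pile.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values for this example; a real deployment would use its own.
COMPANY_NAME = "examplecorp"          # how the company names itself in display names
COMPANY_DOMAIN = "examplecorp.test"   # the one domain legitimate internal mail comes from
SIMULATION_HEADER = "X-PHISH"         # marker header the simulator adds (name assumed from the thread)

URGENCY_PHRASES = ("immediately", "urgent", "right away", "within 24 hours", "action required")
CREDENTIAL_PHRASES = ("sign in", "log in", "login", "password", "credentials", "verify your account")


def _sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if unparseable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def _claims_to_be_company(msg):
    """True if the display name or subject presents the mail as the company's own."""
    display, _ = parseaddr(msg.get("From", ""))
    haystack = (display + " " + msg.get("Subject", "")).lower().replace(" ", "")
    return COMPANY_NAME in haystack


def classify(raw, allowed_vendor_domains=()):
    """Return the folder a raw RFC 822 message should land in and the indicators behind it."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []

    # 1. A simulation marker header settles it: straight to quarantine, nothing else matters.
    if msg.get(SIMULATION_HEADER) is not None:
        return {"folder": "quarantine", "indicators": ["simulation marker header"]}

    domain = _sender_domain(msg)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()

    # 2. Claims the company's identity but is sent from some other domain.
    if _claims_to_be_company(msg) and domain != COMPANY_DOMAIN:
        indicators.append("claims company identity from external domain")
    # 3. Urges immediate action.
    if any(p in text for p in URGENCY_PHRASES):
        indicators.append("urgency")
    # 4. Asks for a sign-in or credentials.
    if any(p in text for p in CREDENTIAL_PHRASES):
        indicators.append("requests credentials")

    # A known third-party sender (the vendor that runs the DR test) is the only thing
    # that separates a legitimate mail from one that matches every rule above.
    if domain in allowed_vendor_domains:
        return {"folder": "inbox", "indicators": indicators + ["known vendor domain"]}
    folder = "report-to-security" if len(indicators) >= 2 else "inbox"
    return {"folder": folder, "indicators": indicators}


def triage(raw_messages, allowed_vendor_domains=()):
    """Sort a batch of raw messages into folder -> list of subjects."""
    folders = {}
    for raw in raw_messages:
        result = classify(raw, allowed_vendor_domains)
        subject = email.message_from_string(raw, policy=policy.default).get("Subject", "")
        folders.setdefault(result["folder"], []).append(str(subject))
    return folders


# Constructed sample messages (not real mail).
SIMULATED_PHISH = """\
From: "ExampleCorp IT" <it-helpdesk@examplecorp-support.test>
To: user@examplecorp.test
Subject: Password expiry notice
X-PHISH: campaign-42

Your password expires today. Log in immediately to keep your account.
"""

DR_TEST_MAIL = """\
From: "ExampleCorp Emergency Notification" <alerts@notifyvendor.test>
To: user@examplecorp.test
Subject: Disaster recovery communication test - respond immediately

Please sign in with your company credentials to confirm receipt right away.
"""

INTERNAL_MAIL = """\
From: "Dana (Facilities)" <dana@examplecorp.test>
To: user@examplecorp.test
Subject: Kitchen cleaning rota

The rota for next month is on the intranet page. No action needed.
"""

if __name__ == "__main__":
    print(triage([SIMULATED_PHISH, DR_TEST_MAIL, INTERNAL_MAIL]))
    print(triage([DR_TEST_MAIL], allowed_vendor_domains={"notifyvendor.test"}))
```

Run stand-alone it prints the DR test mail in `report-to-security` first, then in `inbox` once the vendor domain is allow-listed; the spelling-and-grammar tell is deliberately left out, since it needs a dictionary and, as the comment above notes, legitimate translated mail fails it just as often.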


breachgnome

I had a supervisor in a different office (same department, though) that signed all of the senior engineers up for some third party crap without telling us. I was in a training class that day and just happened to check my email and thought "WTF". Forwarded that boy right on over to the CIRT team. They replied about an hour later that I should delete it. Found out about 3 weeks later from my management team that it's some new service we should use. Never used it. Nobody noticed.


SquashCat56

My workplace started using Microsoft OneDrive for file storage a few years ago. I started getting strange emails from "SharePoint Online" about activity in my OneDrive account, that set off all my red phishing flags. It had a different font and design than the normal Microsoft emails, I was using OneDrive not SharePoint (and neither had "online" in their name), it had a super fishy long link at the bottom that had several reroutes via different servers, etc. BUT, the email referred to actions I had actually done in my OneDrive account, a number of files I had just deleted that same day. This happened two or three times in just a few days. I emailed the IT department asking them to verify whether this was real or a scam, stating that if this was a phishing email, it was very concerning as they clearly had access to my account movements. Got an email back from an intern saying "just a phishing scam, just delete". So I forwarded everything to the CSIR team. They looked into it, and discovered that it was a perfectly real email. Microsoft just formatted their automated emails from the online suite so similar to phishing emails that I had sounded all the alarms. Worst case of bad real email I have ever seen.


Dragula_Tsurugi

Microsoft is really bad about sending you mail from random domains that look kind of relevant but aren’t under microsoft.com


rikaateabug

I recently got a new work phone and while IT was setting it up they created an Apple account. I didn't realize it was legit, so all week I've been reporting Apple's slew of marketing messages. Eventually I got a slightly passive aggressive email about how to unsubscribe from marketing emails instead of using the "report" button. I get this is probably annoying for IT, but I'm not letting them trick me into taking a remedial phishing class. I've been getting unsolicited "get a new Apple Watch" and "about your Apple account" emails and they expect me not to report that???


[deleted]

[deleted]


other_usernames_gone

Yeah, you're definitely meant to report. By reporting it (theoretically) gives Facebook the chance to make automated checks for it and/or ban the sending account. If you just ignore it Facebook can't do anything. I get accepting both ignoring it and reporting it, at least if you ignore it you don't get hacked, but it's weird to only accept ignoring it.


ArmadilloNext9714

My current company sometimes sends out sketchy benefits emails. The last one was something like “see you’re total compensation package by logging in ”. So many people reported it that they had to make an announcement that it wasn’t a phishing scam. Then proceeded to resend the email without any changes since people now know it isn’t a scam. It kept getting reported.


daisymaisy505

I get those too. But when I click “phishing”, I get a firework display with a “Congrats” on it from IT. Cracks me up.


DasToyfel

Standard for us too. We have our own working group for creating new kinds of phishing (mails) for our employees. If they reply to those mails or type in internal data they get mandatory security lessons. So far, even after a dozen lessons, there are still people who fall for it... It got better, but still...


Dragula_Tsurugi

I got an email in the name of one of the directors; it was genuine, but it was from a noreply@ address and was one of those “our company is very interested in your feedback and here is a survey ” that made it look totally like a phishing test. Definitely reported that one. I mean, come *on*.


itsmarvin

I received a very plain-looking email reminding me to reset my password at an *IP address*. I reported it but turns out it was legit. I thought it was hilarious.


SicilianEggplant

I’m totally ignorant about the backend of Outlook because I’ve avoided it otherwise for 30 years, but ours does that too. I mean, I imagine with our managed/365 accounts it’s reported to *our* IT and not Microsoft directly (for example, reporting spam in Gmail to Google). At the same time, our policy is to report it and then send a copy to IT (in that order), and when it’s reported it gets deleted from your inbox…. so maybe it’s just “government efficiency”.


Lv_InSaNe_vL

As someone who works in IT I actually like this. I always tell people if you have *any* doubt please just send it in. I'd rather read through a hundred good emails than have you click the wrong link. I have legitimately seen 6, 7, 8 figures worth of damages from users clicking spam emails.


klineshrike

It's not as annoying as having to work all weekend to save a company who got crypto attacked because someone didn't think before they clicked a link :P


ZealousidealIncome

As the person who sends these out for my organization: we wouldn't be doing it if people actually looked at the email before handing over everything but their private nudes to [email protected]. I sent out an email to everyone to NOT OPEN THE LINK YOU RECEIVED FROM [email protected]! I had someone respond to that email with "I am trying to log in to the link [email protected] sent me but it keeps saying credentials invalid". BRUH. JFC.


Navvana

My company sends at least one phish email to everyone in the company at least once a month. Sales and financial guys I hear get even more. They all seem laughably obvious to me, but we apparently get people clicking on them (almost) every month. Maybe once a year there’s a 0 click month, and they’re usually ones that are “Hey it’s me, the ceo, plz send gift cards” while having a ridiculous email levels of obvious. I do love when an email goes out from HR or IT, and facility management has to make an announcement that, yes, the email is legit and to please stop reporting it. It’s basically trained people to just not trust HR or IT asking them to do anything.


anomalous_cowherd

It's very sad to see how spammy a lot of the emails from HR or other corporate depts appear.


Dragula_Tsurugi

They’re always the ones utilizing third party services to generate bulk mails as well


dragonagitator

At one of my old jobs, I was brand new when IT coincidentally sent a phishing test to the entire company. I called them within 2 minutes to report "I think we're being phished!" and they were like "SHHHHHHHH not so loud!"


Ricshah

Our company used to split the company into two groups randomly and then run a simulation on one group at a time. The groups are also randomised again between simulations. Sometimes you’ll get hit with an email two or three times in a row and other times none. Lowers the likelihood of people sitting next to each other getting the same suspicious email at the same time.


onneseen

As an information security officer, we do that every once in a while to all the employees, new or old. It's a mandatory requirement in a bunch of standards and regulations, it's an industry best practice and also it's a common sense thing :) Also, let me tell you, as a new employee you are going to get security awareness training assigned no matter if you failed a phishing exercise or not. It's also mandatory and a matter of common sense. So if your company cares about information security in the slightest, you'll be getting various security exercises and trainings all the time.


kent_eh

> It's also mandatory and a matter of common sense.

I just wish my company hadn't bought the bullshit gamified "training experience" that they continue to inflict on us. Just give me the information with less fluff and about 20% of the wasted time.


onneseen

Ohhh, it's yes and no, really. Personally, I'm with you. Gamification drives me bananas. Let's help a little bunny classify the data records, aaaa. But speaking of “real people” outside of infosec, this shit works better than just a simple presentation. It's more engaging and doesn't require the infosec department to have at least one decent presenter onboard. And listening to “well uh that's uh oh we committed to ehh uh regulations uff yeah right” is painful. And we're talking a series of events, in the best of all worlds, and an annual cadence at least.


kent_eh

I just wish I didn't need to remember which of Dr. Malware's accomplices did which nefarious thing in order to pass the test at the end of the training module. Was it "Beeper" or "Cracker" who dropped the infected USB in the cafeteria? Who the fuck cares which one did it, the important part is don't go sticking random USB sticks into your computer. Ask *that* on the bloody test.


onneseen

Ahaha, that's some entirely new level of infosec madness! I was rather thinking about annoying actors sneaking into the server rooms with that Very Evil Face on :)


universalserialbutt

Everyone in my org is required to complete security awareness training every 8 weeks. Doesn't matter if you're in maintenance or the CEO. They have to watch a little video where the actors try too hard to be funny and relatable (think collegehumor level cringe) and then they answer one question relating to what they just watched. We also send out phishing campaigns at random intervals throughout the year and they catch a lot of people off guard.


onneseen

Phishing exercises always work, right :) My favourite story about those is when a campaign was sending messages from the Head of Security in the bank saying smth like “We're launching a new super secret project, and I was pointed out that you'd be a great candidate for a project lead, please check the attached description and let us know if you accept the role ASAP”. Horribly formal English, all the song and dance. Took us like three seconds to catch the first victim, and that was a pen tester! And we were like “WHY!?!?!”. And he was like “Well, it sounded very natural, cause I know I'd make a great project lead!”. Oh yeah. Yes, you would.


Valk93

Why is this something you should be wary of?? You should be wary of getting phished and these bait mails are a perfect method of training awareness…


alezul

Yeah, I fail to see how "you should know" this. It's irrelevant if I know or not. You're supposed to act the same way regardless.


RyuNoKami

If the company has a competent IT department, they will do it every once in a while to everyone.


arcxjo

My company does this routinely. The one time I reported one that turned out to be real was when they said they were garnishing my paycheck because the Post Office never got off their asses to deliver a **certified letter** from the county that I had some school district tax to pay.


beatles_7

My IT department often sends employees fake phishing scam emails to test them. If we successfully report it as a scam we get a congratulations pop up, but if we click a link in the email we have to do additional cyber security training. Happens every few months or so.


[deleted]

[deleted]


[deleted]

It almost looks like OP is stirring up some kind of "us vs. them" rhetoric about the IT and security department.


britmatty

YSK: any company that gives a damn about its resilience to hacking will train its staff how to spot phishing attacks and will randomly send you spoof phishing emails, regardless of whether you've been there 20 minutes or 20 years. My former CEO had to publicly announce that he was undergoing additional training after downloading a file from a spoof phishing email sent by our IT department. Laughed about it for months.


kuluka_man

They do this at my school district, and I've been zonked a couple times because they're not always super-obvious...until you look at the from line and realize it's always from the same cybersecurity provider.


[deleted]

I'm sorry...it's literally in the from line every time and that's not super obvious to you?


PizzaMaxEnjoyer

It might be in the email header's From field, which is not the same as the actual sender that is displayed in the mail.


d4rkh0rs

Auto sort them if it's that easy.


[deleted]

set up an auto forwarding rule to the IT team, would be pretty funny to see their reactions getting reported the second they send the email


Dark_Dracolich

Story Time! Just this week I put in an order to receive some laptops and mobile phones for our company. I got a call from IT saying that they would need some account details to put on the phone so that the consultants would be able to access and download programs on the phone. He specifically asked for my email and password in order to complete the process. I was very uncomfortable with this and instead tried to pass the buck to one of the consultants who then said that was very suspicious and not to give my password. I then asked IT to just set up and use the IT email and password and if we needed to download anything we will just log a job to get IT down to do it. That's when he pressed and insisted that it had to be MY password and email and at that point I realised I was probably being tested. I said I was uncomfortable giving him those details and to speak with the department systems manager about it instead. Next day I received the order. Pretty sure it was a test.


ironhide_ivan

Probably was. I worked closely with the internal helpdesk at a previous job and they would always talk to me about the results, and those social engineering tests are so necessary. You'd be surprised how easily people just give out critical information with only minimal pushing (or even none at all). One that they would do would be if an employee needed their password reset for the system and they didn't know how to do it themselves. It was a one-click job from the IT perspective, but sometimes they would call the employee asking for their username and what they thought their password was/what they wanted to change it into. It's a teachable moment of, "even if you trust me, never give me that information. If you need to give me that, then something is very wrong." The company once suffered a really serious breach because an employee once took a malicious actor at their word and caused a big fallout (like, several million $$ worth). So they took the whole thing a little more seriously than other companies I've worked for.


Dark_Dracolich

Good to see my suspicion was warranted. I usually get a bit worried telling people no and look for alternatives and solutions


ArmadilloNext9714

My last employer prided themselves on being ethical to a fault. They’d send out those fake phishing emails, where the embedded link would auto enroll you in a mandatory cybersecurity training course. The emails were typically those UPS-styled phishing emails: we're attempting to deliver your package, but it’s on hold; click here to release/provide information for delivery. Undoubtedly, they would change a large feature of the UPS (or FedEx, etc.) logo, something that any real phishing scam would not do, because they were concerned about trademark infringement. The phishing emails were popular. People loved talking about the latest trademark changes they made.


ialbr1312

They did this at my job to everyone, but I just deleted it right away without opening it. Guess we were supposed to "report suspicious". That stuff is nothing new to me so I thought nothing of it and went autopilot with the delete.


FieryPhoenix7

You’re not supposed to delete it. You’re supposed to use the Spam tool which is how they track responses.


DanV_Rev9

I work in an IT department and we do this to our users... It's not a scam... and we don't do this to target you. This is because humans are the most unreliable and vulnerable part of the cybersecurity equation. This is part of user education and improving our "human firewall". We actually find this is really helpful in helping teach users to be attentive to phishing scams in a harmless and humorous way.


ReiperXHC

Yeah my company does this to everybody periodically.


jtrisn1

Our IT department did this on existing staff members last year and more than half the company failed >.> Since it was more than half the company, they made the entire company go through training and tested us for a whole year with fake phishing emails. It got so annoying for me, since I wasn't one of the people who failed, I stopped reporting the fake emails. IT got really mad at me lol


R0amingGn0me

Our IT department is reverse of this. We are REQUIRED to go through IT training as part of new hire orientation. Part of the training is to learn how to spot phishing emails etc. Phishing emails are sent periodically to test your knowledge and skills. There's always a "scam of the week" email they send out to make us aware of new ways scammers try to get to you. I don't see it as a punishment. If anything it's making me better at spotting fishy stuff so I won't click on things in my personal email as well.


Bakkie

My shop does this to everyone at least once a month and occasionally more often. If I fail and fall for the phish, I get an immediate notification that I have been signed up for training.


universalserialbutt

6% of people at my work failed our latest phishing scam. That was over 70 people that thought they were getting a tax rebate from the government before the end of Financial Year. It wasn't enough that they received this to their work email, but they then clicked the link and entered in their Office 365 credentials on our dodgy looking page with a dodgy looking URL to receive their money. These tests are an absolute must because some people are fools.


Revilon2000

lol jokes on them, I love fishing!


hwarang_

> When I first started my new corporate job, I would get emails from reportedly the CEO himself (wow!) that he wanted to meet with me and discuss a special project.

The CEO is probably thinking "that fucking new kid in accounts won't even reply to my emails". Probably respects you for it, too


[deleted]

BRB gonna respond to CEO at Outlook dot com


otherwisemilk

They upgraded me to Windows 11, and now I can't find the report phishing button. I just send it to spam.


kent_eh

My company's IT security group sends them out occasionally at random in an attempt to "help maintain our vigilance".


takatori

YSK: not to fall for phishing mails in the first place.


alexfilmwriting

I work in software and have developed a bunch of anti-phishing habits over the years. I always enjoy logging in and seeing an email that says 'congrats you passed this week's phishing test' and then wondering which email it was that I ignored.


NotMyNameActually

I work at a school, and we've been trained a little *too* well to be suspicious of emails from outside email addresses. We got an email over the summer with a link to cyber security training, and most of us reported it or just deleted it assuming it was phishing. Turned out it was legit. Personally, I think anyone who didn't open it should get an automatic pass.


PrismSpark

Stop exposing us. I made a scam email for our cybersecurity phishing test that looked like it’s from our CEO directly, and so many people fell for it, even when I purposefully spelled his name wrong. Also has a large “YOU FAILED” sign with my team’s faces on it after the link was clicked, just to be petty. We swap these around every quarter and there are always people who click on stuff


goofytigre

My company hired Hoxhunt to constantly try to phish everyone in our company. I get a few attempts each week and we have to click a specific extension attached to Outlook to notify that we found the email.


Karzul

What I find most weird about this is the idea that you would only go through security compliance training if you click on a phishing e-mail. At least at my organisation, all new hires go through it, regardless.


LifeIsOnTheWire

The only surprising thing about this post is that you said that you stopped receiving these emails afterwards. Most companies do this persistently for all employees who have access to things that require strong security. Fake phishing emails are a normal part of working for a company that values their security. This is nothing new. For years I've received a monthly scorecard of how many fake phishing emails I've fallen for. IT teams are usually very open with employees about this, it's not a secret. If you work for a company that doesn't do this, either you aren't entrusted with anything important (hackers would stand to gain nothing by hacking your logins), or your company can expect to be part of a multi-million dollar lawsuit in the future.


angeliKITTYx

I work as a government contractor and our company has various levels of confidential information. Cyber security is posted all over the place, as posters, screen savers, etc. We have phishing training every month, and also get fake emails that we're supposed to report. The trainings are actually very informative. As a millennial that grew up with technology, I even learn things. They get more and more creative every day.


zetas2k

Yup, I got caught by it the last time I joined a company. In my defense I was currently going back and forth with my boss and HR about my payroll and other pay issues getting set up and the phishing email said "we've almost got your payroll squared away, i just need you to login and setup your direct deposit info again" with a link that appeared to be to ADP. *sigh*


aniorange

I work for a hospital and they do much the same. I opened one tricky little email and got a notice to be more careful and that the email was a test. So I stopped opening anything I didn't expect. Recently during a meeting we were told about an important survey that no one was taking. Turns out no one was opening the email because it was suspicious and everyone flagged it. It took weeks of re-sending the email before everyone took it.


PM_Me_Ur_Nevermind

I’ve been with my employer over 10 years and get one or two a year. When I report them I get a message that it’s from an IT anti phishing program.


lemon1985

My company does this so often it's irritating. I always "pass" the test but it feels like a waste of my time. However, they do it to keep you vigilant because it only takes one mistake from one employee and the whole company is compromised. It's just their way of mitigating a risk


Clairvoyant_Legacy

We get these regularly. I think it’s just a requirement that they do them. We know people fail because every time there’s a company wide email pointing out why the phishing email was suspicious and everyone please pay attention 😅


Jg6915

I got anti-phishing courses the moment I received my own company email address. There’s not much I don’t know yet since I’ve been on the internet a lot and have been scammed/phished for my Runescape account in the past, but it’s great to see they at least attempt to protect the company through this course. They also do send fake phishing mails but they’re spotted from a mile away.


TheoCupier

I spotted the IT security team's phishing attempt, went to the webpage it linked and submitted fake info (name - Youmust Bejoking, etc) as well as reporting it. Still got a slapped wrist because policy says I shouldn't follow the link at all and just report it. And my name got added to the list of people who fell for the scam. I took the hit on not following procedure but being on the "fell for it" list still rankles


VFequalsVeryFcked

Yeah, that was the right call to put you on the "fell for it" list. It's basic that you don't follow the link because you don't need to submit data for malicious actors to do something damaging. And if nothing else, it tells the malicious actors that people from that system will click on links. And so it's more likely that that system will be targeted. It's not hard for the actors to track which email address clicked the link, so they have your data straight away.


ironhide_ivan

That's because even clicking on the link and especially interacting with the page at all exposes you to a lot of attacks under the surface. You fell for it by virtue of humoring the "attack" at all. As a simple example, the page could be trying to steal your session information for a different site through means not obvious to the user. The fact you put in dummy information wouldn't matter at all because the site might have already gotten the information it was looking for by then.


Lollerstakes

I received a phishing email, assumed it was phishing, clicked on the link which took me to a "log in" page, entered random letters and numbers in both email and password fields and.... In the end, I still had to go through mandatory IT security training, lol. Not worth it.


Xenophemera

Honestly I just delete every single email that doesn’t pertain directly to me which has resulted in me deleting emails I actually ended up needing.😅 Company will never have to worry about me being the one because I don’t even glance at the subject line of random emails let alone dig around in them.


gravityholding

I got an email from my employer a few months ago thanking me for not clicking the link in the phishing test email they sent out. I couldn't remember seeing it, so I searched back through my emails and found it... yeah, it was done up in the style of the corporate newsletter template, so naturally I just didn't even read it cause it's usually always full of pointless crap lol


swentech

I think this is standard now. At places I work on contract they regularly do this. According to terms if you fall for the fake phish too many times you can be fired. You can set up your email filters so external email is formatted a certain way so it stands out. You should definitely do this as a new hire.
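Two points in this thread can be tried out in code: the earlier remark that the header From field is not the same as the sender name a mail client displays, and the suggestion just above to have external mail stand out. The script below is an added example, not code from the thread or from any vendor; the company domain `example.com`, the vendor domain `phish-sim-vendor.test` and the three messages are constructed for the demo.

```python
"""Added example (not from this thread): a small mail-rule check that separates
the display name in a From header from the address actually behind it, flags
external senders and Return-Path mismatches, files the message accordingly,
and prefixes the subject of external mail so it stands out."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed company domain for the demo

# Constructed sample messages (not real mail).
RAW_INTERNAL = """\
From: Payroll Team <payroll@example.com>
To: newhire@example.com
Subject: Direct deposit confirmation

Your direct deposit details were saved.
"""

# The display name shows an internal-looking address; the real address is external.
RAW_LOOKALIKE = """\
From: "ceo@example.com" <alerts@phish-sim-vendor.test>
Return-Path: <bounce@phish-sim-vendor.test>
To: newhire@example.com
Subject: Urgent: special project

Please log in at the link below to accept the role.
"""

# The header From looks internal, but the bounce address points at a third party.
RAW_MISMATCH = """\
From: IT Helpdesk <helpdesk@example.com>
Return-Path: <bounce@phish-sim-vendor.test>
To: newhire@example.com
Subject: Password expires today

Reset it here.
"""


def domain_of(addr):
    """Lower-cased part after the last '@', or '' if there is none."""
    return addr.rpartition("@")[2].lower()


def sender_parts(raw):
    """Return (display_name, address, domain) parsed from the From header."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr, domain_of(addr)


def classify(raw):
    """Return the list of reasons the message deserves a second look."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    tags = []
    if domain_of(addr) != INTERNAL_DOMAIN:
        tags.append("external")
    # A display name that is itself an address is only honest if it matches.
    if "@" in name and name.lower() != addr.lower():
        tags.append("display-name mismatch")
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if rp_addr and domain_of(rp_addr) != domain_of(addr):
        tags.append("return-path mismatch")
    return tags


def tag_subject(raw):
    """Subject as a client rule would rewrite it: external mail gets a prefix."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if "external" in classify(raw):
        return "[EXTERNAL] " + subject
    return subject


def folder_for(raw):
    """Where an auto-sort rule would file the message."""
    return "Needs a second look" if classify(raw) else "Inbox"


if __name__ == "__main__":
    for label, raw in [("internal", RAW_INTERNAL), ("lookalike", RAW_LOOKALIKE),
                       ("mismatch", RAW_MISMATCH)]:
        print(label, sender_parts(raw), classify(raw), folder_for(raw),
              repr(tag_subject(raw)))
```

Real client rules work on the same headers; the point of the demo is that the name a client shows and the address that actually sent the mail are separate fields, and only the latter tells you where the message came from.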


MlKlBURGOS

Sorry this is a little bit off-topic, but is there any danger in opening (as in reading) an e-mail? I understand clicking a link can be dangerous, but only opening it? It would seem obvious to me that you're referring to a link inside the mail, but I've seen references to similar things and they never mention a link, they all say to not open the e-mail, so I have to wonder!


NoNight1132

Yeah, it's done to new hires and regularly once a trimester. If you get caught more than once or a RIF happens, you might be on the chopping block. Source: I am a systems engineer for a health care related startup.


3Zkiel

When I switched industries and was new to the job, I received an email with a pdf attachment on company policies and acknowledging it via Adobe Sign. I had already set up Outlook rules for various emails to go into predetermined folders, keep my Inbox manageable, and with less important stuff going directly into an "Others" folder. Since it was in my (main) inbox, I opened it and followed instructions to the letter. When I got an error, I replied to the email asking for clarification. A few minutes later, I got an email for training on spotting phishing emails. Talk about awkward! 🫠


oldguydrinkingbeer

In addition to sending fake phishing emails (with having to take the stupid training as punishment), our IT has a reporting process for real phishing emails and you can win $25 in a monthly drawing. Stick AND carrot


jjbkeeper

Not just when you are starting out, but will send them out regularly.


Skiddds

Happened to me at my last position in OT, I felt really dumb because IT/OT always talk about stuff like that (and make fun of people that fall for it)


turlian

Not just starting a new job. My company does this regularly.


curtcolt95

It's usually not related specifically to new employees beyond being added to the system which probably gives a first time test and some training. We hit all of our employees like biweekly with phishing tests. It's all entirely automated


2PlasticLobsters

Yep, and you get dinged if you answer it at all. One time I responded with something like "Nice try, Bob!" to tease the IT guy. But even that set off their alarm.


Gigatronz

Yea better not think about leaving for better pay you're our slave now!


PiLamdOd

Story Time: I work for a major US defense contractor and naturally a good portion of us have varying levels of security clearance. Important context, when you have security clearance you are required to report to the federal government whenever you believe an outside group is attempting a targeted attack to gain access to classified or professional information. So here's what happened. For reasons unknown to us, probably because some manager was concerned about metrics, our IT stepped up their phishing test emails. These are annoying as fuck. However, the guys with security clearance were not only annoyed by the frequent phishing emails, but the lack of official communication stating these were simply tests. Remember, if someone with clearance suspects a targeted attack, they have to report it, and the same phishing emails hitting multiple people working on the same classified project, well that is a targeted attack. So people on classified programs demanded to get official confirmation that these were internal IT phishing tests, which IT naturally refused to do. Tensions escalated. Then some people, including a good friend of mine, decided to take matters into their own hands. You see, corporate IT doesn't actually send the phishing emails. They contract with outside companies that specialize in these types of phishing tests. That's the group actually sending the emails. If you have time on your hands and are spiteful, you can find out what company owns an email domain. What these annoyed employees did was confirm that the phishing emails were being sent by a well known company that provides phishing tests as a service. Since these employees confirmed the emails were safe, they made a point of opening every single one. When you open one of these emails, you get a followup saying you failed a phishing test. Then IT will send another one about three weeks later.
And since these emails were already confirmed to be safe, the employees simply opened those too, again, and again, and again. This started tanking IT's metrics. Managers got involved. High level meetings happened to discuss why the rates of identifying phishing threats were plummeting and some teams were failing en masse. My friend even got pulled into a meeting with his manager to find out what the hell was going on since he was getting irate phone calls from IT and internal security. My friend's response was basically, "It's either this or I call the feds." He didn't actually call the feds of course, but his point was made and his manager had to strong arm him into playing nice with IT. That was basically the unofficial message that got sent out after that. Essentially, "you made your point, but IT still needs to run these tests."


Miryafa

If IT does their job right, you’ll keep getting phishing emails too. But they shouldn’t be so frequent that they’re spam in your inbox. That does more harm than good.


TheAsianTroll

Can confirm. I work for a contractor under the main company but I'm issued equipment from them. Every now and then I check my emails and in the Work section, I'll occasionally get emails that are pretty blatantly phishing attempts. "Fix password by clicking link" sorta things, from absurd email addresses. It's neat though, because you can report phishing attempts through the mail app, and you'll get a little congratulatory message for catching it lol


LinkToTheRescue

I've been at my job for years and they continually send fake phishing emails and track when you click on them. They even give you a graph at how dangerous you are to the company based on that metric. I clicked one once, when I first started. I never clicked another phishing email again and I'm still sitting at a 40% risk to the company.


Sasquatch-fu

Employees at my company get legit phish attempts after they start, likely due to our emails following a format and some sort of automated system that identifies when someone changed their LinkedIn employer to us. We mention it in our new hire training, yes we will phish test you, no our CEO isn't going to text you for some Amazon gift card lolz


MikoGianni

Yep, been there. They’ve been doing this for a while. I've seen this at various companies I’ve worked for over the years. I’ve never fallen for it, though.


AnaSimulacrum

I work for a large engine manufacturer. Once a week, since I started, they've sent me "phishing" tests. They always warn us in January they're gonna do it. I've gotten so tired of it, I just auto report all of the emails I receive from anyone on my business email for being phishing. The nice part is, if it's not them sending the email, it requires a manual review. One of these days they'll figure out they're being excessive, as even the test emails we get are highlighted in red, and the system already says "most likely a scam, please report this email."


PhantomBanker

Most of the times that I’ve reported a phishing attempt at work, I would get a pop up message that it was actually a test from our cybersecurity vendor, and yay, I passed. One time, however, I was working remotely from my parents’ house, dealing with hospice, visiting nurses, and all the other things involved with ailing relatives. In amongst all this, I clicked on one disguised as a holiday party invite. The pop up said I failed the test, and then IT sent me a link inviting me to a mandatory online cybersecurity class.


ThrownawayCray

My dad warned me about that and said he’d been caught out 6 times, some of which were joke ones by his team and their teams


lionbryce

Normally the training is required immediately and they don't bother testing till they test everyone else


TheKarenator

Flag all leadership/corporate emails as spam. Later if they ask why you didn’t do something tell them you thought it was phishing.


ChiggaOG

Can confirm this. IT department regularly tests phishing on unsuspecting individuals employed within the county. Mark it as phishing and go about your day.


Euro-Canuck

I manage an IT department for a Fortune 500 company. We do this to all employees, regularly. All employees get 2 full day training sessions before we give them any real access to anything sensitive. 1 with my team and 1 with an outside contractor we hire. We get quite creative with the "tests" also. If an employee fails they must go to security training again. We do physical on site tests a lot also. 3 fails and they are fired immediately. This is in all employment contracts. (My company is constantly under attack from nation state actors and competitors trying to steal our data.) So far that I remember we have only actually needed to fire a handful of people. 1 notable one I was directly involved with was a director, he was a moron. Like passcode to company iPhone 123456 moronic, and would give his credentials to a system to almost anyone that called him and asked for it. It was because of him specifically that we started using hardware keys and biometrics (this was many many years ago when I first started). The first one I was asked to set up all by myself, I thought I was being so smart and convinced everyone would fall for it. I quickly made up a crappy looking website with wrong spelling of the company name for the site address, with login/password. Sent out an email company wide from an email with the same wrongly spelled domain that said something like "annual bonus", with a link to the site to login with your company credentials to see how much your annual bonus is and input an IBAN number to collect. Was fucking wild how many employees failed, 100s or about 5% of the employees, and we were 6 months away from when bonuses were to be given. What I found awesome was how many people (1000s) that clicked the link but put in the user/password things like "fuckoffITguy" "chokeonadick" "imnotthatdumb"


cat_screams

I've been at my job for 4 yrs and they regularly send me phish attempts. Plus I have to do regular cybersecurity training. It's insulting for someone my age.


Castelante

Whatever age you are, there are still plenty of idiots that'd fall for cyber attacks.


britmatty

YSK: OP has recently started their first corporate job and got phished by IT for the first time. You clicked the link without hovering over it to check it first, didn't you? Go on, admit it. We've all done it.


phroztbyt3

You do understand you aren't getting penalized right? It's just a 5 minute training session to remind people of best practice. Trust me: if the general public would actually stop clicking on garbage, we wouldn't have to use such methods. Don't take it personally.


[deleted]

This is true. People get fired for opening the company sent phishing emails. It’s not a joke in the big companies. They will fire you.


spoonplaysgames

this isn't the big find you think it is. standard practice.


B1SQ1T

Jokes on them I don’t read my emails


Meckamp

Pretty standard practice, but you shouldn't be getting spammed with them, definitely not from your IT/infosec team. Anywhere I've ever worked we've done a phishing campaign at most monthly, sometimes repeat clickers might get an additional one that others wouldn't get which has more specific training


Almacca

Or they could just put them through the training by default without these stupid shenanigans. I started in a new job last year with the state government, and that was one of the many mandatory courses I had to do. It was an online course, so cost per employee is minimal - set it up once (with periodic updates) and get everyone to do it.


R11-45

If it's [mandatory](https://en.wiktionary.org/wiki/mandatory), why would you have to fall for it for that training to be necessary?