we do monthly phishing tests and some of our people are so bad that we put in the test email "this is a phishing email, do not click sign in" above and below the sign in box and they still give creds

[–] GreenKnight23@lemmy.world 9 points 15 hours ago (1 children)

seccomp sent pre-notice emails out about the phishing tests that were coming.

75% of the company reported the pre-notice email as phishing (even the CEO).

we did it mostly because the seccomp team was a huge thorn and caused so many unnecessary delays due to them injecting themselves into every single process.

the CSO quit soon after and some of their lackeys with them. we then hired a competent leader that worked with the org to meet compliance and regulatory requirements instead of being a blocker.

[–] Honytawk@feddit.nl 2 points 58 minutes ago

People see the word "phishing" and automatically remember that phishing mails exist, so their first reaction is to report them, not read them.

Had to setup a fake phishing system as well.

Before the training was setup, people rarely reported mails. But the moment we send out mails about the phishing training, a ton of those got reported.

If phishing mails actually told you they were phishing, we wouldn't need training.

[–] rustydrd@sh.itjust.works 14 points 18 hours ago

"Blah blah blah... 'click sign in'... Okay, gotcha!"