You have got to be kidding.

[Capt. Geoffrey Thorpe]

Got this in the mail today:

"Last week, IT Services ran an internal phishing security test to determine our vulnerability when real phishing attacks happen at [deleted to protect the guilty]. The subject line of the simulated phishing attempt was "Password Check Required Immediately." Out of 655 recipients 28.7% clicked on something within the email and 25 entered login credentials."

 

[JOhnH]

I wonder how many were AVPs and above. Execs are the usual suspects in instances like this.

 

[AKiss20]

I wonder how many were AVPs and above. Execs are the usual suspects in instances like this.

To be fair, higher ups are more likely to be targets as their credentials are more valuable to steal, and it’s more of a story when the VP gets phished, so you’re more likely to hear about it when they get phished over bob or mary in the mail room. I wonder what the distribution of successful phishing attempts percentage is across different positions. (That being said I have a pretty low expectation of most execs so I wouldn’t be surprised if they in fact get successfully phished a higher percentage of the time).

 

[eman1200]

I wonder how many were AVPs and above. Execs are the usual suspects in instances like this.

truth. watching management try to accomplish something as simple as scheduling a meeting, or rescheduling that meeting, makes you wonder how a business can run successfully.

 

[Shepherd]

I used to say, "The most dangerous person in any modern corporation was a manager with access to a keyboard."
The second most dangerous thing was the invention of the portable storage device.
Take it home, plug it into a non-corporate, non-secure family machine, and it comes back into the building filthy with viruses.

 

[Ted]

Got this in the mail today:

"Last week, IT Services ran an internal phishing security test to determine our vulnerability when real phishing attacks happen at [deleted to protect the guilty]. The subject line of the simulated phishing attempt was "Password Check Required Immediately." Out of 655 recipients 28.7% clicked on something within the email and 25 entered login credentials."

I've heard it's pretty common to have poor results at the first automated phishing eMail from IT, and that's why they end up sharing the results and then doing it more regularly.

A lot of people don't understand this stuff, which I don't get in this day and age. But then again I grew up on the internet.

 

[wsuffa]

I know of a top level exec that used to use his "deleted items" bin in Outlook as a filing cabinet for storing items he wanted to keep. Had folders set up and all.

Until IT decided to purge everyone's "deleted item" bin to save space on the server.

 

[vkhosid]

I know of a top level exec that used to use his "deleted items" bin in Outlook as a filing cabinet for storing items he wanted to keep. Had folders set up and all.

Until IT decided to purge everyone's "deleted item" bin to save space on the server.

That makes me inexplicably happy...

 

[wsuffa]

//www.dilbert.com/strip/2018-11-20?utm_source=dilbert.com/share-email&utm_medium=email&utm_campaign=brand-loyalty

 

[jrcox19]

I know of a top level exec that used to use his "deleted items" bin in Outlook as a filing cabinet for storing items he wanted to keep. Had folders set up and all.

Until IT decided to purge everyone's "deleted item" bin to save space on the server.

Everybody knows you use the "Drafts" folder for that. Seemed to be a common practice at some companies, especially since automatic deleting of emails after 30/60/90 days was common

 

[Kenny Phillips]

Got this in the mail today:

"Last week, IT Services ran an internal phishing security test to determine our vulnerability when real phishing attacks happen at [deleted to protect the guilty]. The subject line of the simulated phishing attempt was "Password Check Required Immediately." Out of 655 recipients 28.7% clicked on something within the email and 25 entered login credentials."

We do this several times a year ("phishing for phools"). I used to put in nasty words for login and password, but I got called out on that. I now warn my team that it's coming, but nobody is dumb enough to fall for it anyway.

 

[JOhnH]

We do this several times a year ("phishing for phools"). I used to put in nasty words for login and password, but I got called out on that. I now warn my team that it's coming, but nobody is dumb enough to fall for it anyway.

Famous last words!

 

[chartbundle]

One of my previous employers did test phishing attacks, they were blatantly obvious but the best part was they had a mail header 'X-Phish-Test: xxxxxx' so, I just added a mailbox rule to just mark them as spam automatically and then told all my coworkers.

I briefly thought about all of us routing them to a sandbox VM and using some code to pretend click on all the links so it looked like all my team were incompetent morons.

 

[Craig]

Almost as bad as the morons that click on "Reply to All" and don't realize that the email was sent to the entire system address list... 3 days later, our IT guys had already deleted over 4 million emails and had to lock down the system and halt any replies to any email until the account holder had clicked on a link signifying that they had read and understood to stop using "Reply To All", unless the email came from someone in their direct contact list.

 

[Zeldman]

 

[Tantalum]

 

[Tantalum]

Also.. I like how 90% of hacking is *not* some dude in a hoodie typing away at a matrix terminal but just clever social engineering.. or just raw guesswork

 

[asicer]

Also.. I like how 90% of hacking is *not* some dude in a hoodie typing away at a matrix terminal but just clever social engineering.. or just raw guesswork

Like when public figures use YahooMail or the like...

tab#1: "Password recovery page for andrewcuomo@yahoo.com: In what city were you born?"
tab#2: "Wikipedia.org/Andrew_Cuomo#early_life"

 

[AKiss20]

Like when public figures use YahooMail or the like...

tab#1: "Password recovery page for andrewcuomo@yahoo.com: In what city were you born?"
tab#2: "Wikipedia.org/Andrew_Cuomo#early_life"

Canonical example of this: https://www.wired.com/2008/09/palin-e-mail-ha/, https://en.wikipedia.org/wiki/Sarah_Palin_email_hack

 

[Palmpilot]

Almost as bad as the morons that click on "Reply to All" and don't realize that the email was sent to the entire system address list... 3 days later, our IT guys had already deleted over 4 million emails and had to lock down the system and halt any replies to any email until the account holder had clicked on a link signifying that they had read and understood to stop using "Reply To All", unless the email came from someone in their direct contact list.

We have that problem in CAP too.

 

[Ghery]

I used to say, "The most dangerous person in any modern corporation was a manager with access to a keyboard."
The second most dangerous thing was the invention of the portable storage device.
Take it home, plug it into a non-corporate, non-secure family machine, and it comes back into the building filthy with viruses.

I remember decades ago that in the Army it was said that the most dangerous thing was a 2nd Lieutenant with a map.
Given that I was one of TWO cadets who passed the map reading test in my platoon at ROTC summer camp I can see where this could be true. BTW, I thought the map reading test was dirt simple.

//www.dilbert.com/strip/2018-11-20?utm_source=dilbert.com/share-email&utm_medium=email&utm_campaign=brand-loyalty

I've said it before and I'll say it again. Dilbert is not a comic strip. Dilbert is a documentary.

 

[Capt. Geoffrey Thorpe]

Dilbert is a documentary.

Except the names have been changed.

 

[weilke]

Almost as bad as the morons that click on "Reply to All" and don't realize that the email was sent to the entire system address list... 3 days later, our IT guys had already deleted over 4 million emails and had to lock down the system and halt any replies to any email until the account holder had clicked on a link signifying that they had read and understood to stop using "Reply To All", unless the email came from someone in their direct contact list.

This is only outdone by IT dimwits who set up the mail system in a way that:
- doesn't restrict the use of mailing lists like 'everyone' and 'all_north_region_associates' to use by folks who have a legitimate use for them.
- doesn't ignore replies sent to the 'everyone' mailing list so a company wide announcement to 3000 participants doesn't create 300 subsequent messages consisting of an 'out of office' reply (followed by multiple admonisments to 'everyone' to 'stop replying'.

 

[Kenny Phillips]

This is only outdone by IT dimwits who set up the mail system in a way that:
- doesn't restrict the use of mailing lists like 'everyone' and 'all_north_region_associates' to use by folks who have a legitimate use for them.
- doesn't ignore replies sent to the 'everyone' mailing list so a company wide announcement to 3000 participants doesn't create 300 subsequent messages consisting of an 'out of office' reply (followed by multiple admonisments to 'everyone' to 'stop replying'.

Having been an IT dimwit, if you start with total lockdown, and then back it off as needed, there will be no cleanup required. If you start with an open system, and add locks as needed, you get the system used by certain of our armed forces.

 

[Tantalum]

if you start with total lockdown, and then back it off as needed, there will be no cleanup required. If you start with an open system, and add locks as needed

...for a minute I thought I drifted back onto one of our many COVID threads! hahah

 

[asicer]

Almost as bad as the morons that click on "Reply to All" and don't realize that the email was sent to the entire system address list...

That's actually not so bad.

Worse is when everyone uses "Reply All" to tell everyone else not to use "Reply All". And then there's the additional waves of people that use "Reply All" to tell everyone else not to "Reply All" when telling everyone else not to "Reply All", ad infinitum.

 

[wilkersk]

I'm sitting here watching "The Feed" on Amazon Prime. Laughing at the thought of a future where all your memories are uploaded to the cloud. I suspect the human race will have eliminated itself before that becomes reality.

 

[smv]

Almost as bad as the morons that click on "Reply to All" and don't realize that the email was sent to the entire system address list... 3 days later, our IT guys had already deleted over 4 million emails and had to lock down the system and halt any replies to any email until the account holder had clicked on a link signifying that they had read and understood to stop using "Reply To All", unless the email came from someone in their direct contact list.

Who is more at fault? The moron who hit "Reply All" or the moron that sent a system address list wide email without using BCC?

 

[murphey]

That's actually not so bad.

Worse is when everyone uses "Reply All" to tell everyone else not to use "Reply All". And then there's the additional waves of people that use "Reply All" to tell everyone else not to "Reply All" when telling everyone else not to "Reply All", ad infinitum.

Department of Redundancy Department.

 

[smv]

Department of Redundancy Department.

Would you like to be a Charter Member of the Alliance to Abolish, Eliminate, Stamp out, and Banish Redundancy?

 

[denverpilot]

Out of 655 recipients 28.7% clicked on something within the email and 25 entered login credentials."

I wish I could say that was high, but I’ve seen worse. And know of a major financial company everyone would recognize that was double those numbers.

However. The old flight instruction / teaching / training side of this is important. If you did this test without telling them not to do it, testing their knowledge level, telling them again, and telling them once more... it’s shock and awe to build a budget and not a legitimate learning process.

Additionally, humans respond better to positive than negative feedback. If you’re only publishing how naughty they were, and didn’t praise and reward those who did it right, you only did half of the job.

The IT security personality often is a nerd who loves sitting in their office, monitoring, writing docs, doing all the techy stuff, and they never once get out of the chair, and walk their ass down the hall with a big ass bag of assorted candy and treats to personally hand to the staff that did good. Or whatever. You get the idea.

...but the best part was they had a mail header 'X-Phish-Test: xxxxxx'

Oh FFS. Just fire the contractor sending those immediately. LOL. Gah.

Also.. I like how 90% of hacking is *not* some dude in a hoodie typing away at a matrix terminal but just clever social engineering.. or just raw guesswork

T’is true! I’ve often thought Red Teaming would be fun, but you literally have to think like a criminal. That can twist you a bit over time.

But there’s so many easy and effective social engineering hacks that’ll get you exactly what you want, it’s not funny. People intrinsically want to help and treat others well and trust strangers for the most part. It’s largely the biggest weakness of any organization. If I can convince someone I need help desperately it’ll turn off warning signs in many many brains and they’ll get the keys and open the server room door for me. LOL.

I've said it before and I'll say it again. Dilbert is not a comic strip. Dilbert is a documentary.

Scott Adams was an ISDN engineer at Pacific Bell. It truly is.

 

[Larry in TN]

Almost as bad as the morons that click on "Reply to All" and don't realize that the email was sent to the entire system address list

"Please take me off this list!"

 

[Craig]

SMV: Let’s put it this way, due to security reasons, for certain email networks, BCC does not exist, and all recipients can be seen. Certain types of accounts have the ability to bypass general email protocols and have very specialized traffic rules.

 

[Capt. Geoffrey Thorpe]

If you did this test without telling them not to do it,

Some time ago, we had mandatory training about cyber security, plus we get regular reminders about phishing. No excuse there. Also, a significantly higher percentage of the peeps working here have PHDs compared to other workplaces (which also makes me laugh) (A small private university).

 

[YooperMooney]

I’m not sure if he still runs this way but I’m sure he does: President Trump does not use electronic mail. I found that to be quite shocking when I saw that sworn testimony under oath during a 2016 deposition. Compare this to his predecessor President Obama who was wildly obsessed with his Blackberry and tech equipment. Both Trump and Obama are/was constantly breaking communication security protocols by utilizing unsecure wireless communication devices way too close to the actual secure desk sets. Not to mention the use of social media apps and such, blah blah it’s a recipe for disaster. Regardless, Pres Trump is quite “old school” in the sense he ran his business ops without any e-mail. I still chuckle when I watch my 76-yo dad do the hunt-and-peck to type on a full-size keyboard. I think that’s what made him almost exclusively utilize a smart phone as its still hunt-and-peck but can be taken with him anywhere.

 

[Shepherd]

While I was at IBM, one of our CIOs was responsible for the largest security breach in IBM history when he took a thumb drive home and stuck it in his son's computer.
After weeks of 24 hour days trying to find and fix the damage, we finally got everything back to "normal". Every employee had to install protection on any machine they worked on or owned, and were told to never, ever conduct IBM business on a family owned machine.
Any IBMers here remember having to attend the meeting and signing the security form? Maybe that was just a Research/Headquarters thing.
Less than 72 hours later the same CIO did exactly the same thing. This time he stuck a thumb drive in his wife's computer.
"No one told me I had to have my wife's machine checked."
He "retired" later that day. I ran into him in an antiques shop about 3 years ago. He still blames me because he wasn't specifically told not to use his wife's, or daughter's machines.
Managers with access to a keyboard.

 

[Capt. Geoffrey Thorpe]

Where I used to work, some years ago, but not that many. Sitting in the office of a chief engineer (who was in charge of the companies powertrain software shop). His admin was on vacation and the substitute came in to ask him for his email password so she could print his mail for him. He didn't know.

 

[JOhnH]

. . . He still blames me because he wasn't specifically told not to use his wife's, or daughter's machines.
Managers with access to a keyboard.

Why did you trick him like that?

 

[Tantalum]

But there’s so many easy and effective social engineering hacks that’ll get you exactly what you want, it’s not funny. People intrinsically want to help and treat others well and trust strangers for the most part. It’s largely the biggest weakness of any organization. If I can convince someone I need help desperately it’ll turn off warning signs in many many brains and they’ll get the keys and open the server room door for me. LOL.

True.. and that's a very hard thing to plan towards. Combine people's general willingness to help and the "appeal to authority" fallacy you have a perfect storm. Honestly that's why I like the fingerprint or 2FA stuff (factor authentication, not flight attendants, lol). It makes the whole "I need to confirm your password" thing much harder if you need a fingerprint or to have a random key generated that expires in 30 seconds

 

[Palmpilot]

While I was at IBM, one of our CIOs was responsible for the largest security breach in IBM history when he took a thumb drive home and stuck it in his son's computer.
After weeks of 24 hour days trying to find and fix the damage, we finally got everything back to "normal". Every employee had to install protection on any machine they worked on or owned, and were told to never, ever conduct IBM business on a family owned machine.
Any IBMers here remember having to attend the meeting and signing the security form? Maybe that was just a Research/Headquarters thing.
Less than 72 hours later the same CIO did exactly the same thing. This time he stuck a thumb drive in his wife's computer.
"No one told me I had to have my wife's machine checked."
He "retired" later that day. I ran into him in an antiques shop about 3 years ago. He still blames me because he wasn't specifically told not to use his wife's, or daughter's machines.
Managers with access to a keyboard.

People don't think things through.