Comment on Study concludes cybersecurity training doesn’t work
furrowsofar@beehaw.org 2 days ago
Ironic thing a company I use to work for would send out both email you need to click links to do your job then do training to not click links or even open the same kind of email. Then even test that by seeding in very realistic test email. Total stupidity. Your expected to tell the difference when there is no way to do so. The training was moe CYA then anything.
I’ve “failed” phishing tests because my email client loads images by default. The way they set it up.
I reported the “you failed a phishing test” email as a phishing attempt, and funnily enough they backed off on the “mandatory training”.
Bottom line, don’t set your employees up for failure. Even the tech literate are going to fail if that how you set shit up.
I got some emails about required training from outside the company. I needed to download and complete a PDF, which had links to other forms to complete, all offsite. I do know with certainty that the email was legit, but I reported as phishing. Still haven’t heard back about this critical training attestation, so I assume their tracking is as awful as the process.
It’s not my ass on the audit finding. Fix your shit.
I report emails that I know are legit if it fails the phishing rules. Best example is unprompted emails from third party services that I know my company is using. If I don’t get a real email from a real employee either including the link or warning me that a valid third party link is coming, I’m not going to click it.
Make your shit legit or I’m not gonna do it.
This is exactly it. Out sourced stuff that there is no way to verify. I stopped clicking on this stuff too unless I had to.
It’s also such a dumb metric because most of people’s jobs are to click on links elsewhere on the internet, yet when it’s in an email, it’s bad? Unless you’re running an old browser or there is a 0 day, simply opening a link isn’t going to hack your system, but further actions by the user would need to be taken to be compromised. These simulations don’t account for that.
Clicking the link hypothetically confirms to the spammer that yours is a valid and monitored email address, and that you’re a sucker suitable for more targeted phishing.
Of course, it seems like every random user will also happily type their password into any text box that asks for it, too.
Unless the email client is blocking external images, a tracking pixel in the email would be enough to see that the email was rendered, and that the address is valid. The trainings specifically instruct you to review the contents of the email and check the email headers before clicking links, so that alone would confirm to a spammer that the email is valid.
The real idiotic thing is a network where one client system compromise compromises the whole company.
sirblastalot@ttrpg.network 16 hours ago
One time I failed a phishing test because I did a message trace and confirmed that it originated from our own internal servers.