Your anti-phishing test emails may be too easy to spot. NIST has a training tool for that

The US National Institute of Standards and Technology (NIST) has said it has developed a way of measuring precisely why corporate staff click on obvious phishing emails and open malware-laden attachments, despite warnings not to do those things. "Many organizations have phishing training programs in which employees receive …

  1. Anonymous Coward

    If you think ...

    ... I’m clicking on that ‘as a pdf’ link, you’re having a laugh.

    Nice try though. Almost had me.

    1. Andy Non Silver badge

      Re: If you think ...

      It's totally legit. I clicked it and after entering a few personal details and my bank account number I was able to read the details of the article in full.

      1. WolfFan Silver badge

        Re: If you think ...

        I always put in 245 Murray Lane, Washington DC, and tell them to ask for Jim.

  2. tin 2

    I like to click on them....

    ... to enter swears and humorous invalid information on whatever "enter your bank details, PIN, etc. here" forms. Precautions taken of course.

    1. Anonymous Coward

      Re: I like to click on them....

      I used to get lots of "your webmail account is full dear sir" phishing attempts per day. Most of them using Weebly (which can rot in hell).

      Sometimes I wasted my time locating an abuse report form since Weebly (why is this still a thing?) does not add a link to report abuse in each of the forms created by their non-paying customers.

      Weebly (may a million locusts chew on its gonads) never took any action. I still get the same messages with the same link.

      Gave up on reporting abuse. Life is too short to try to report stupidity on the web. Maybe I'll write some scripts to add a whole bunch of fake data just to keep the criminals happy and busy.

    2. WolfFan Silver badge

      Re: I like to click on them....

      Pick your fav Federal law enforcement agency, and fill in that address. I do that.

  3. Anonymous Coward

    It will still happen

    Some employees are not the brightest lamps in the box and no amount of "training" will counter blindly opening phishing mails, clicking on dubious links or downloading dodgy attachments. Dangers are not appreciated by many - even higher ranks, who should know better.

    1. HildyJ Silver badge
      Devil

      Re: It will still happen

      "even higher ranks" - "especially higher ranks" I corrected it for you.

      The Peter Principle ensures that incompetence floats upward.

    2. BrownishMonstr Bronze badge

      Re: It will still happen

      The thing is, a moment of stupidity can hit anybody and that's what they're hoping for. A moment of stupidity.

      A few months ago we were warned of a phishing email and it looked legitimate as well. Not sure how they were able to get the signature but they did that very well.

  4. gobaskof
    Facepalm

    Pot Kettle Black

    I used to work at NIST. I once got an email asking for loads of personal details for (I think) a weather warning system. The email was signed by NIST personnel, but sent from an external account. BAM! I sent it to the phishing alert email. I got a very snarky response telling me that NIST had contracted this company to help with the warnings, as such emails will come from them and that I should have given them my details by now. I protested and said that these "legitimate" emails that look like a phishing scam train everyone to do the wrong thing (and I assume others did too). Then never responded to me directly instead they sent a NIST-wide email around to confirm that we were meant to click on the link, and complained about those who were wasting time by claiming it might be a phishing scam...

    Great research happens at NIST, but many of the people who run the IT services there are painfully incompetent.

    1. Anonymous Coward

      Re: Pot Kettle Black

      Great research happens at ${institution}, but many of the people who run the IT services there are painfully incompetent -- FTFY.

      I used to teach in the computer science department of a small university in a large coffee- and samba-oriented country. We had memorable fights with the IT department about their so-called work. We were the only group that didn't buy the BS they told us that was "policy" (aka we don't want to do it) and "because of limitations on technology" (aka we don't have a clue on how to do it).

  5. Doctor Syntax Silver badge

    Phish Scale

    Top marks for whoever thought of that one. It finished the job off nicely but as the A/C points out the offer of a PDF looks a bit like a phish tail.

  6. Anonymous Coward

    Do as I say, not as I do

    My employer regularly asks us to do phishing awareness courses.

    I am a customer as well as an employee, and the emails they send to me as a customer always raise red flags if I follow my training. In other words, they are training their customers to accept questionable emails. I have raised my concerns but no one listens.

    1. Andy Non Silver badge

      Re: Do as I say, not as I do

      A bank I was once with sent me an email every month to view my statement online, including a link to access the bank's login screen. Utter stupidity and begging for phishing emails to do the same; except of course you would be entering your login information onto the scammers' clone of the site.

    2. Doctor Syntax Silver badge

      Re: Do as I say, not as I do

      A UK bank or building society by any chance? All emails I get from such bodies raise those flags.

  7. N2 Silver badge
    Facepalm

    (NIST) has said it has developed a way of measuring precisely why corporate staff click on obvious phishing emails and open malware-laden attachments

    Because people really are stupid enough to do it?

    I'll pop my consultancy invoice in the post.

  8. Eclectic Man Bronze badge
    Unhappy

    This is serious

    I don't know entirely how 'they' did it, but fraudsters, having stolen lots of my post from financial institutions managed to:

    1. Create an account in my name at HSBC. Which stayed open for almost two months AFTER I'd alerted them to its fraudulent nature.

    2. Managed to empty one of my pension funds into said HSBC account and then transfer the money elsewhere (after 1).

    3. 'They' were in the process of emptying another pension account when I contacted the provider to warn them, which stopped that.

    4. Emptied two access only by passbook and signature building society accounts over the Internet, transferring the money via a fraudulently set up account at said Building Society in my name to said HSBC account.

    5. Emptied a shares account AFTER I had warned the company by e-mail of scams, and said company had replied saying they had communicated it to the relevant department.

    6. Set up two Direct Debits on a current account taking almost £9,000 before I found out.

    These people were / are professionals at their 'jobs', and almost got away with about £100,000 of my money* (I didn't work hard for it, I suffered incompetent management, bullying, lack of promotion, ignoring my sensible ideas - until 'suggested' by the manager I'd just been talking to - you know, standard IT 'career progression').

    Anything that raises awareness amongst staff at companies of phishing and fraud is good in my opinion.

    And guess what: The UK fraud investigators cannot be bothered to investigate because, as I've got the money back* I have not suffered a crime!

    BTW: There is a Panorama program on BBC 1 tomorrow night about how HSBC allowed transfer of illegal funds.

    If you stop getting post from banks, building societies, pension companies, credit / debit card statements etc. be warned, and let them all know, if only so you can tell them it is their fault if they get done. Note, at no time did I authorise in any way any of these transfers.

    *(Fortunately as I was able to show that it was entirely the fault of the organisations, I got my money back, eventually.)

    Still get worked up about this, 'cos, I know you are all paid your true worth, but £100k is actually a lot of money to me.

    1. Anonymous Coward

      Re: This is serious

      My sympathies. I am afraid your story is just an early warning of the coming digital pandemic. It is scary how shaky the whole trust and identity infrastructure is in the UK. I really don't know why we bother having a nuclear deterrent when we are much more likely to be taken out by a digital first-strike. That's if the criminal gangs haven't comprehensively looted the entire country first. And the digital knowledge among the political and civil service leadership is pathetic, under trillion-dollar Cummings and the Government Digital Service (aka the Ministry of HTML). Our digital infrastructure is built on a quicksand of vulnerabilities and insecurity by design. The powers that be know it, and their response is always to blame the victims. I guess that's why hackers leave the politicians alone - they know it's the only thing that would provoke the negligent bastards to action.

  9. Danny 2 Silver badge

    idiot users

    Please don't (all) take this personally, but my posts here that I am proudest of get 3-6 votes. My daftest posts get 30-60 votes.

    I propose a system where we can swap ten votes from our silliest posts for one vote on a post we are actually proud of.

    I've never fallen for a phishing scam, but I did once fail badly when trying to email, phone and mobile phone different people at the same time. And I was probably chewing gum. Stupid is as stupid does too much.

  10. Anonymous Coward

    Thanks so much NIST

    This paper will help make my phishing emails much more effective

    Best regards, A Criminal

  11. Anonymous Coward

    We did a test phishing email around March this year and about 50% clicked on it and provided their passwords. I knew there would be some but yea.

    The silver lining was that the ones that logged the email with the support delivery team did well, and the SD team escalated as per protocol, so IT-wise we didn't do a bad job. Even saw an email alert go out about 30 minutes after the fake phishing email warning people (the SD team and almost nobody knew it was a test).

    Anon, obviously.


Biting the hand that feeds IT © 1998–2020