Google guru roasts useless phishing tests, calls for fire drill-style overhaul

A Google security bigwig has had enough of federally mandated phishing tests, saying they make colleagues hate IT teams for no added benefit. Matt Linton leads Google's security response and incident management division. Tasked with rolling out phishing exercises every year, he believes tests should be replaced by the …

  1. Throatwarbler Mangrove Silver badge
    Trollface

    Social and fallible

    "As long as humans are fallible and social creatures"

    So the ideal defense is to be like the typical Register reader: antisocial and infallible.

    1. UnknownUnknown

      Re: Social and fallible

      As I told my Dad? Assume everyone from the infernet wants to rob you of all your money and work forward from there. EVERYBODY.

    2. Michael Wojcik Silver badge

      Re: Social and fallible

      Correction: Only badged users are infallible. Peons and ACs are presumed wrong until proven otherwise.

  2. froggreatest

    Still useful

    You need to be able to monitor if your phishing awareness training is effective. In my megacorp we do mandatory training and we also get phishing emails. The training says “if you get X then report it in Y” so the regular phishing campaigns give a measure of a variety of things. You see how many people reported, ignored and clicked after taking up training.

    I do not know what happens to people who click the links though.

    1. yetanotheraoc Silver badge

      Re: Still useful

      "I do not know what happens to people who click the links though."

      I do. More training. The training doesn't work. What works is not looking at emails until after the first cup of coffee.

      1. Michael Wojcik Silver badge

        Re: Still useful

        What works is not looking at emails until after the first cup of coffee.

        While there are factors such as alertness that improve vigilance against phishing and other social-engineering attacks, none of them "work" in the general sense. Constant vigilance is impossible. We have millennia of anecdotal evidence, and more recently plenty of methodologically-sound research, to tell us that.

        Phishing tests are useful for stroking the egos of those who pass;[1] they're also a useful justification for rejecting email you simply don't like as "possible phish" just to annoy the sender and/or teach them a lesson about putting links in email messages. ("Oh, that crap from Marketing? I thought it was a phish, so I reported and deleted it.")

        There's little evidence to show phishing drills accomplish anything useful other than annoying users.

        [1] I haven't missed one yet myself. But I've been working in IT security for more than three decades. Being suspicious is now an ingrained habit. Other people quite rightly have other priorities.

        1. Anonymous Coward

          Re: Still useful

          I've "failed" two tests myself. In both cases, clicking the link took me to a "busted" page; they never tried to get me to enter my login info (which I wouldn't have done).

          1. Email asking me to fill out a survey for a vendor. I've gotten legitimate ones before, and gotten some swag from it, too. (Despite my response being "I have no decision-making power when it comes to what to buy", they still sent me a flashlight and a portable power bank.) In this particular case, my mistake was not noticing that the name of the vendor in question wasn't anywhere in the email. Eh, sorta on me. Kinda. (Real phishing messages are more obvious.)

          2. Can't remember the message, but I immediately knew it wasn't what it looked like, despite being a well-written message with no spelling mistakes. I researched the domain that it linked to, found out it was a legitimate cybersecurity company, and reassured by the knowledge there wasn't anything malicious on the other end, clicked the link. My "mistake" meant I had to do more cybersecurity training. Again, real phishing messages are more obvious.

          I wish I had had the chance to tell IT that, if their network can be compromised by a single click on a single link in a single email, they have MUCH bigger problems than my clicking a link!

          1. Claptrap314 Silver badge

            Re: Still useful

            I was with you until that last line. Your job REQUIRES that you at least have access to company confidential information. If you click a bad link, you are now p0wned, and it is really, REALLY hard to stop a snooper from picking up all of your access over time.

            Of course, with "least access" properly in place, that will be a lot less than some sort of eggshell setup, but it remains a very important foothold.

            1. Anonymous Coward

              Re: Still useful

              (From the previous AC)

              Merely clicking the link - and then closing the page that opens - compromises the whole company?

              Yes, I understand that there are such things as zero-day exploits. At the same time, though, I expect our IT to have up-to-date antivirus, the proxy to be looking for and filtering any requests to known bad sites, the browser to be up to date, etc. If a single click on a single link is enough to compromise my computer and thus the company, they have bigger problems than me clicking that link!

              1. doublelayer Silver badge

                Re: Still useful

                Probably it doesn't have that much of an effect, but that's not enough to justify doing it. The point of a zero-day is that IT having antivirus up to date won't stop it. There are other possible problems with it as well, and of course clicking the link informs the attacker at the very least that your address exists and you sometimes click links in them.

                The rules are pretty simple and there is a reason for each one. Phishing email: don't reply, don't click links, don't enter information, don't open attachments, send it to the reporting mechanism provided. I think we would both agree that someone saying "How much harm did it really do when I entered my username and password on the phisher's form" is not making a convincing argument. Yours is not that convincing either. The response to you doing it was probably larger and more annoying than it needed to be, but still, don't click the links unless you have a specific reason why you need to.

          2. doublelayer Silver badge

            Re: Still useful

            "real phishing messages are more obvious."

            No, the phishing messages you have gotten are more obvious. Phishing messages can take a lot of forms. Just because you've seen plenty of spam sent out in bulk doesn't mean it all looks like that. That's spam sent to millions of email addresses. They have to use broken English for at least one and possibly both of the following reasons:

            1. They are sending out millions, so they can't afford the time to filter out lots of people who will eventually smell a rat. They want all the people who get that this looks scammy to ignore them on the first message so they can focus their attention on those that appear the most gullible.

            2. They don't have the time or money to make their messages look convincing and don't have that ability themselves either.

            Swap both around. If they're targeting your company, which probably has plenty of money, and are using you to get to that, they are no longer sending out millions and losing you at the start is no longer acceptable because you only have so many colleagues for them to try. They need you to respond a lot more. If they can write convincingly, they will. If they cannot, they may well get someone to help them. I've been sent phishing messages, and not only did they have the grammar worked out and the visual design matching, they went to the effort of figuring out who in the company I was likely to know and impersonating them.

    2. Anonymous Coward

      Re: Still useful

      This works best when the helpdesk run by one company is aware of the phishing tests being conducted by the other company. Otherwise every link gets clicked by someone who if you ask "who do these things get reported to?" the answer is "me? That's why I clicked it to see what it was...". Really messes up the stats :)

    3. UnknownUnknown

      Re: Still useful

      Considering the amount of shite that comes through G-Mail, Apple, M365 and so many false positives ending up junked the providers need to do FAR better.

    4. captain veg Silver badge

      Re: Still useful

      Not slightly useful.

      The first time my corporate overlords phished me I went into full spam response mode. Apart from reporting the spam to the mail service that served the (faux) phish (Microsoft, no response) I also checked out the phished web site. This involved using wget to retrieve the source for analysis. That alone was reason enough for our know-nothing security bozos to assert that I had clicked on a phishing email and would therefore have to serve a mandatory training punishment. I've subsequently learnt that the presence of the string "threatsim" in the headers of any incoming mail is a sure-fire indicator that our own IT-droids were responsible for sending it.

      So far the only even slightly phishey emails I've ever received in my corporate mailbox have been from these goons. So they're training me to recognise the phish-alike bollocks that they send, not any actual phish, of which I've seen precisely no examples at all.

      I wouldn't mind, but I'm extremely careful not to give out my corporate email address to any non-colleague. Meanwhile our powers that be (American) seem more than happy to hand out our email addresses to all and sundry like sweeties.

      -A.

  3. usbac

    Wow, the reality distortion field in slly-con valley must be strong!

    So, according to Google, the best way to stay safe is:

    1. Use un-phishable credentials (they don't exist).

    2. Make sure to use systems and software without any security vulnerabilities (good luck).

    I didn't know that defending against phishing was so simple...

    1. egrep
      Facepalm

      Un-phishable credentials exist. It's called FIDO2 authentication with a hardware security key. It won't authenticate to websites except those at which the user registered their account.

      1. usbac

        No, FIDO2 is difficult to phish, not impossible. I saw a recent presentation by an expert in phishing multi-factor authentication, and the takeaway was that all multi-factor is phishable. It's just that some are more difficult than others.

        1. Michael Wojcik Silver badge

          Specifics or GTFO.

          I dislike the FIDO Alliance; they're prominent in the "everyone has a smartphone anyway!" crowd, their idea of accessibility is basically "screw you", and while they make noise about handling diverse use cases they're happy to bless lousy constrained implementations. And I loathe the MicroGooPle passkey implementations, which are fine examples of all of those shortcomings.

          But a FIDO2 authenticator is in fact immune to traditional phishing attacks, and while no security system that ultimately relies on human approval can be immune to social engineering of some sort, not all social engineering is "phishing". That term refers to a specific category of attacks.

          Also, FIDO2 authentication is not MFA, so "all multi-factor is phishable", true or not (it's not), does not apply.

      2. riking

        "Zero Successful Employee Account Takeovers" since adopting mandatory security keys. It's one of the most blatant success stories in the industry.

        You can't Phish U2F/FIDO unless you already have malware executing on the victim computer system.
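The two comments above state the property; the following added illustration (not code from Google, the FIDO Alliance or any authenticator vendor, and not part of this thread) shows what it rests on. The authenticator's asymmetric signature is replaced by an HMAC over the same fields so the script runs with the standard library alone, which means the relying party here holds the same key where a real one holds only the public key; the host names, user and origins are made up. Everything else mirrors the WebAuthn assertion flow: rpIdHash in the authenticator data, the browser-supplied origin in clientDataJSON, and the relying party's checks on both.

```python
"""Why a FIDO2/WebAuthn assertion made on a phishing page is useless to the phisher.

Stand-in crypto: HMAC in place of the authenticator's signature (assumption,
standard library only). Names, origins and challenges are constructed.
"""
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """One credential per (rp_id, user); the key never leaves the device."""

    def __init__(self):
        self._creds = {}

    def make_credential(self, rp_id, user):
        key = secrets.token_bytes(32)
        self._creds[(rp_id, user)] = key
        return key  # stand-in for handing the RP a public key

    def get_assertion(self, rp_id, user, client_data):
        key = self._creds.get((rp_id, user))
        if key is None:
            return None  # nothing is scoped to this rp_id, so nothing to sign
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def browser_get(authn, origin, rp_id, user, challenge):
    """The user agent, not the page, writes the origin and enforces rpId scoping."""
    host = origin.split("://", 1)[1].split("/")[0].split(":")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    result = authn.get_assertion(rp_id, user, client_data)
    if result is None:
        raise LookupError(f"no credential registered for rpId {rp_id!r}")
    auth_data, sig = result
    return client_data, auth_data, sig


def rp_verify(rp_id, allowed_origins, challenge, cred_key, client_data, auth_data, sig):
    """Relying-party side: none of these checks depend on the user's judgement."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("origin") not in allowed_origins:
        return False  # produced on some other site, even if relayed in real time
    if not hmac.compare_digest(cd.get("challenge", ""), challenge):
        return False  # replay, or a challenge issued to a different session
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False  # rpIdHash belongs to another relying party
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), sig)


def run_scenarios():
    """Constructed scenarios: one honest login and three phishing attempts."""
    authn = Authenticator()
    rp_id, user = "bank.example", "alice"
    cred_key = authn.make_credential(rp_id, user)
    allowed = {"https://bank.example", "https://www.bank.example"}
    results = {}

    # 1. Honest login on the RP's own origin.
    chal = secrets.token_urlsafe(32)
    cd, ad, sig = browser_get(authn, "https://www.bank.example", rp_id, user, chal)
    results["legit"] = rp_verify(rp_id, allowed, chal, cred_key, cd, ad, sig)

    # 2. Reverse-proxy phish relaying the RP's real challenge from a lookalike host.
    chal = secrets.token_urlsafe(32)
    try:
        browser_get(authn, "https://bank.example.evil.test", rp_id, user, chal)
        results["proxy_phish"] = "assertion produced"
    except PermissionError:
        results["proxy_phish"] = "browser refused rpId"

    # 3. Phish asks for an rpId it is entitled to: no credential is scoped to it.
    try:
        browser_get(authn, "https://evil.test", "evil.test", user, chal)
        results["own_rpid"] = "assertion produced"
    except LookupError:
        results["own_rpid"] = "no credential"

    # 4. Suppose the browser check were bypassed: the RP still rejects the origin.
    forged = json.dumps({"type": "webauthn.get", "challenge": chal,
                         "origin": "https://evil.test"}, sort_keys=True).encode()
    ad, sig = authn.get_assertion(rp_id, user, forged)
    results["forged_origin"] = rp_verify(rp_id, allowed, chal, cred_key, forged, ad, sig)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The point the thread is circling is visible in the four results: the one thing the user cannot be talked into is producing a signature over an origin they are not actually on, because the browser fills in the origin and the authenticator only has keys scoped to the real rpId. Malware in the browser, as the comment above says, is the remaining way in.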

  4. IGotOut Silver badge

    Not sure if it's possible

    ....but can't it be forced that the hyperlink is always displayed as the actual URL it's going to?

    I know in Protonmail, it pops up a warning with the full URL before you can proceed, but can corporate mail take it one further?

    It will have the added bonus of making tracking footers and icons etc look like crap.

    1. usbac

      Re: Not sure if it's possible

      The most commonly used corporate email client, MS Outlook, goes out of its way to hide the real URL. It's almost like Microsoft is trying to encourage phishing.

      What should I expect from a company that doesn't even support checking SPF records between their O365 tenants!

      1. Sandtitz Silver badge
        Stop

        Re: Not sure if it's possible

        "MS Outlook goes out of it's way to hide the real URL"

        You are lying. The URL is shown as a tool tip when you hover mouse pointer over it.

        1. Anonymous Coward

          Re: Not sure if it's possible

          Except in cases where URL shorteners are used. Pretty replaces secure and negates training.

          Lots of cases where software companies choose pretty and easy over secure because they don’t want their users to flee to other products that will mark things easy and pretty.

          1. Sandtitz Silver badge
            Stop

            Re: Not sure if it's possible

            "Except in cases where url shortners are used."

            Then it will show the shortened URL. As will, say, Thunderbird.

          2. Clarecats

            Re: Not sure if it's possible

            I always tell people that I do not click shortened links. If they want me to click something they will have to send it to me shown fully. I don't know anyone who sends a shortened version any more.

            1. DancesWithPoultry
              Windows

              Re: Not sure if it's possible

              > I always tell people that I do not click shortened links.

              Goatse me once, shame on - shame on you. Goatse me - you can't get goatse'd again.....

            1. Anonymous Coward

                Re: Not sure if it's possible

                What has been Goatse'd cannot be un-Goatse'd!

                1. Claptrap314 Silver badge

                  Re: Not sure if it's possible

                  How I wish that were not the case...

      2. mhoulden

        Re: Not sure if it's possible

        You can tell which ones are phishing tests because they're the only ones that don't go through the Safelinks thing. I'm not sure what happens if that ever gets compromised.

    2. Doctor Syntax Silver badge

      Re: Not sure if it's possible

      I know some email systems add a warning to any external mail as I've seen them when my messages have been quoted in a reply. Whether that would be enough to stop some recipients clicking on links is another matter.

      Meanwhile the public don't receive any training not to be phished. Far from it, organisations which should know a lot better persist in training them to respond by sending emails with invitations to click, including invitations to click to log in. I remain convinced that those responsible for sending such emails would click on a link in an inbound email with the subject "This is a fraudulent phishing email" and a link labelled "This link is dangerous to click".

      By all means keep running phishing tests and restrict those who fail from using any technology more advanced than a mechanical typewriter and an abacus.

      1. yetanotheraoc Silver badge

        Re: Not sure if it's possible

        "organisations which should know a lot better persist in training them to respond by sending emails with invitations to click"

        ^^This.

        To: All

        From: Cybersecurity

        Subject: New training

        In our effort to be even more outstanding than we were last year, we are offering a new mandatory training called "How not to write business emails that look just like phishing emails".

        Click [here] to register.

        --

        The A-Team

      2. An_Old_Dog Silver badge
        Joke

        Re: Not sure if it's possible

        Are you sure you want the people who failed the phishing tests to be running your business continuity equipment (the manual typewriters and the abaci)?

    3. doublelayer Silver badge

      Re: Not sure if it's possible

      They definitely could in a variety of ways. Rewriting the email is easy. Configuring the clients to show links is usually an option depending on whether they let you choose the client. One company I have worked for let me do this which was nice because I don't like GMail webmail and that's what everyone else was using, but it also didn't give me any integration with their systems. The capability to do that is available to them.

    4. yetanotheraoc Silver badge

      Re: Not sure if it's possible

      Bring back plain-text email!

    5. cybergrcgb

      Re: Not sure if it's possible

      You use Protonmail? "interesting"

    6. SVD_NL Silver badge

      Re: Not sure if it's possible

      This is often not done in the email client these days, but at the spamfilter level. Modern spamfilters often do checks like "does the sender name and actual 'from' address match" and does the same for urls. Same with typosquatting. (Along with some ML stuff these days, detecting suspicious calls to action for example)

      Many spamfilters also scan every url included in emails, and edit the links to be proxied via a service that checks the url for suspicious content as well.

      I think your suggestion is useful and possible, email servers constantly change urls to be proxied or add external email warnings before delivery, but I don't think it's something that's widely adopted. I genuinely think the main concern is going to be that it absolutely wrecks email layouts, especially on links with a bunch of trackers and ids. That's the whole reason html email exists and it's so widely used, even though plain text emails have a way smaller attack surface.

      I'm just thankful I can block RTF mail...
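What the "show the real URL" request (IGotOut's comment) and the gateway-side rewriting described just above look like in practice, as an added example that is not code from any mail gateway product or from anyone in this thread: parse the HTML part, print the real host after every link, and flag the two patterns a lure depends on, visible text that names one site while the href goes to another, and links through a shortener. The shortener list, the domain names and the sample message are constructed for the example; a gateway would feed in its own mail stream and use the public suffix list instead of the crude two-label check.

```python
"""Put the real destination of every link in an HTML mail next to it, and flag
the mismatches a phisher relies on. Sample message and shortener list are
constructed (assumptions), as is the two-label stand-in for eTLD+1.
"""
import email
import re
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}  # assumed gateway-maintained list
DOMAIN_RE = re.compile(r"(?:https?://)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Crude eTLD+1 (last two labels); a real gateway uses the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def audit_link(href, text):
    """Issues for one anchor: shortener use, or visible text naming another site."""
    issues = []
    h = host_of(href)
    if not h:
        return issues
    if h in SHORTENERS:
        issues.append("shortener hides the destination")
    m = DOMAIN_RE.search(text)
    if m and registrable(m.group(1).lower()) != registrable(h):
        issues.append(f"text shows {m.group(1)} but link goes to {h}")
    return issues


class LinkAuditor(HTMLParser):
    """Rewrites the HTML so each link is followed by its real host in brackets."""

    def __init__(self):
        super().__init__()
        self.links = []   # (href, visible text)
        self.out = []     # rewritten document fragments
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        self.out.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self.out.append(f" [{host_of(self._href) or self._href}]")
            self._href = None
        self.out.append(f"</{tag}>")


def audit_message(raw):
    """Return (rewritten HTML, [(href, text, issues), ...]) for the HTML part."""
    msg = email.message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return "", []
    parser = LinkAuditor()
    parser.feed(body.get_content())
    parser.close()
    findings = [(href, text, audit_link(href, text)) for href, text in parser.links]
    return "".join(parser.out), findings


# Constructed sample: a credential-reset lure with three different link styles.
SAMPLE = """\
From: "IT Helpdesk" <helpdesk@mail-example.test>
To: alice@corp.example
Subject: Password expiry
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it at
<a href="https://corp-example.sso-reset.test/login">https://sso.corp.example</a>
or use <a href="https://bit.ly/3xample">this short link</a>.</p>
<p><a href="https://sso.corp.example/reset">Reset password</a></p>
</body></html>
"""

if __name__ == "__main__":
    html, findings = audit_message(SAMPLE)
    for href, text, issues in findings:
        print(f"{text!r} -> {href}: {issues or 'ok'}")
```

Run on the sample, the first link is flagged for showing one domain and linking to another, the second for going through a shortener, and the genuine reset link passes; the rewritten HTML carries the real host in brackets after each anchor, which is the layout damage the comment above predicts.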

      1. Calum Morrison

        Re: Not sure if it's possible

        People responding here about obfuscating - or not - the URL are missing the point entirely. The vast majority of people have no idea what the URL actually means or how it works. And why should they?

        It's not their job, it's often beyond their skillset, and it's not interesting to them if they can understand it. IT needs to do better. To extend the analogy, should office staff be expected to fight the fire itself (water or powder extinguisher?) or just get to safety quickly?

        1. Michael Wojcik Silver badge

          Re: Not sure if it's possible

          Exactly. While it's useful for technical users to be able to see the actual URL, for most people that's not helpful information.

          MTAs that rewrite link URLs to go through a scanner, as someone mentioned above, are useful for catching known-bad sites and TLDs, and for containing damage as part of attack response. That's only a partial measure but it's worth having.

          Strongly discouraging the use of links in email messages within the organization would certainly be worth doing, but I've never seen anyone do it. The hypertext addiction is hard to shake. (Ditto attachments and most of the crap that MIME introduced. If you have Unicode email, plain text should be sufficient, frankly. There are better ways to do everything MIME was created for.)

          1. doublelayer Silver badge

            Re: Not sure if it's possible

            If you're going into this with the theory that "for most people that's [the URL] not helpful information", then plain text email will do you no good. They will still need to be referred to a page, so all plain text email does is make sure they don't have to take another step to see the URL. If they're unable to tell the difference between a legitimate and malicious URL, what good is making the URL more visible?

            In my experience, nontechnical users who are trying are perfectly capable of recognizing dodgy URLs. These primarily aren't morons, and it is a bad idea for us to treat them like that. Many of them are either unaware of the risks, unaware of the methods, or don't apply the steps to check on them. The first two are why there is training. The third is why there is testing.

        2. Anonymous Coward

            Re: Not sure if it's possible

            While I appreciate the importance of checking whether that link goes somewhere safe, rewriting it to gibberish I can't read actually increases the chance I'll click a malicious link. If the link is to y00tUUbe.com or tastyprinterwheeldeskfire.cn, I know better than to click it, but scanningservice.com/?kl3;l45jioj;lgfnd9u43jtigopy89p doesn't tell me anything.

  5. kurtseifried

    Why not test the IT teams reaction to a credential leak?

    Here's an idea: Reverse phishing test. You post a username and password online and see how long it takes to be used and for IT to notice.

    Shouldn't your IT dept be able to handle this? They have practiced it, right?
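The "reverse phishing test" above, in detection terms, as an added example that is not the commenter's code or any product's: a canary account has no legitimate use, so any authentication attempt against it, successful or not, is an alert, and the gap between planting and first use is the number the exercise measures. The canary names, the planting time and the sshd-style log lines are constructed here; the same logic applies to VPN, IdP or mail gateway logs with a different regular expression.

```python
"""Detect use of a planted canary credential in authentication logs.
Canary accounts, planting time and the log lines below are constructed.
"""
import re
from datetime import datetime, timezone

# Assumption: which canaries were planted (e.g. leaked to a paste site) and when.
CANARIES = {
    "svc-backup": datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc),
    "j.doe.contractor": datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc),
}

# Constructed sshd-style lines; the real feed would be whatever the credential unlocks.
SAMPLE_LOG = """\
2024-05-06T09:14:02Z sshd[2301]: Accepted password for alice from 10.1.4.22 port 51012 ssh2
2024-05-06T11:47:39Z sshd[2402]: Failed password for svc-backup from 203.0.113.45 port 40212 ssh2
2024-05-06T11:47:41Z sshd[2402]: Accepted password for svc-backup from 203.0.113.45 port 40212 ssh2
2024-05-06T12:03:10Z sshd[2511]: Failed password for invalid user admin from 198.51.100.7 port 33120 ssh2
2024-05-07T02:19:55Z sshd[2690]: Failed password for j.doe.contractor from 203.0.113.45 port 40911 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """One log line -> dict with a timezone-aware timestamp, or None if not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def canary_hits(log_text):
    """One alert per tripped canary: attempts, sources, whether any succeeded,
    and hours from planting to first use."""
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["user"] not in CANARIES:
            continue  # ordinary traffic, including the usual brute-force noise
        a = alerts.setdefault(ev["user"], {
            "first_seen": ev["ts"], "sources": set(), "attempts": 0, "succeeded": False,
        })
        a["attempts"] += 1
        a["sources"].add(ev["src"])
        a["first_seen"] = min(a["first_seen"], ev["ts"])
        a["succeeded"] = a["succeeded"] or ev["result"] == "Accepted"
    for user, a in alerts.items():
        a["hours_to_first_use"] = (a["first_seen"] - CANARIES[user]).total_seconds() / 3600
    return alerts


if __name__ == "__main__":
    for user, a in canary_hits(SAMPLE_LOG).items():
        print(f"CANARY {user}: {a['attempts']} attempts from {sorted(a['sources'])}, "
              f"success={a['succeeded']}, first use after {a['hours_to_first_use']:.1f} h")
```

Two things the sample brings out: a failed attempt against a canary is already the alert (the second canary never succeeds but still identifies the source), and the same source address turning up for both canaries is what ties the two leaks to one actor.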

  6. Doctor Syntax Silver badge

    "fire drills of the early days, which were more like fire evacuation drills – sprung upon a building's residents with no warning.

    ...

    now fire drills are better planned, well-announced procedures"

    Oddly enough it's the old style drills that more closely resemble actual fire alarms (and bomb alerts).

    The comparison is, actually, a false one. An evacuation drill is an exercise in responding to an alert raised by others. Phishing testing is more akin to testing response to encountering a fire outbreak or recognising a suspicious object and taking appropriate action including raising an alert.

    1. Anonymous Coward

      Where I used to work, we had unannounced fire drills. The safety team would at least pick days with decent weather. So when the alarms went off, you headed outside, not knowing if you were going to see smoke, or a safety team member holding a stopwatch.

      The drills work quite well, actually.

      (Unlike the phishing drills.)

  7. Cav Bronze badge

    Nonsense.

    ""there is no evidence that the tests result in fewer incidences of successful phishing campaigns,"". Where I work, phishing tests initially had high failure rates. Those decreased over time.

    "secure-by-default systems in the long term"

    We don't all have Google's resources. Legacy systems hang around for decades.

    "later blaming them as individuals for their failures"

    They are to blame. If you tell someone, over and over and over again that they should never click links in unexpected emails, and certainly never enter credentials, and they do it anyway then they are to blame. Personality and workload are irrelevant.

    Announcing that an incoming phishing email is a test makes it pointless. If you know you are being tested then of course you are not going to click. You have to know not to click EVER.

    1. tiggity Silver badge

      @Cav

      I would not say workload is irrelevant - if people are pushed to (& often arguably beyond) comfortable limits by workload then decision making, clear thought etc. WILL be compromised. Thus they will be more likely to click links on a phishing email (especially if they are one of the many workplaces where "typical" emails the company sends are almost indistinguishable from phishing ones).

      Most people when tired / stressed will be poorer at decision making than normal.

      Frequent phishing exercises can be counter productive (e.g. users may add email filters to auto move anything received from a well known phishing test url to junk or a similar folder, just to avoid irritation of phishing tests in their inbox, and so avoid being "tested" on ability to spot a phish). Other bad side effects are, if deluged by frequent phishing tests, user fatigue sets in & less likely to report phishing attempts (as reporting them seems to give no reprieve from next phish tests), and so if a "genuine (non test)" phish email comes through, it's less likely to be reported & can mean it takes longer for IT to become aware of it.

  8. doublelayer Silver badge

    Suggested solution is insufficient

    The problem with the four suggested points is that none of them replace what phishing testing is supposed to do. That's not to say that any of the suggestions are wrong, and some of them are required along with phishing testing, but if you don't test and do these instead, you'll still have a gap. Going through them:

    "Make it difficult for attackers to reach your users"

    Great idea, but you can never count on that. Sure, authenticate the servers sending mail to you and reject it, but phishers can put DKIM on their sending server too. There is only so much you can do to prevent someone who needs to receive emails from the public from receiving emails from dangerous parts of the public.

    "Help users identify and report suspected phishing emails"

    Everyone has training. The phishing tests are there to check whether the training worked, and where it didn't, provide more training. Someone who clicked a link has not learned some lesson that should either be taught to them directly or put in the training for more general consumption. The tests are there to improve this goal. Not having them means your training probably has holes, but you don't know where they are until it causes a problem.

    "Protect your organization from the effects of 'successful' phishing emails"

    Of course, but this is now cure rather than prevention, and we all know the saying that links those. You'll have to spend less time cleaning up if you can minimize the number of messes that are created.

    "Respond quickly to incidents"

    Not much different from the third point, and a point where prevention is more important. If, for some reason, you don't have the ability to respond as quickly to incidents as you would want to, for example the main security person is busy cleaning up from a successful phishing attack that happened yesterday, the second security person is off sick, and the third security person doesn't exist because this isn't Google with probably a couple buildings full of them, then it would be best to have fewer incidents. Phishing training and testing is designed to make that happen so that the security teams can respond quickly when ones do happen. By the way, having a Google-sized IT security team doesn't necessarily make this easier if the number of incidents scales with that, because a hundred people chasing ten thousand incidents is still going to be slow, even if they acknowledge the alarm quickly. I've worked with large incident response teams who look speedy and efficient, but the incident load can make that productivity theater if you're not careful.

    1. Anonymous Coward

      Re: Suggested solution is insufficient

      Just some thoughts on designing the phishing tests.

      1. Try to trick the user into entering their username and password. If they don't do that, they didn't fall for it; don't penalize them.

      2. If they fail the test, ask them why. (This can be a form on the "busted" page.) Have a human read the response before giving the knee-jerk reaction of "more training". The responses might indicate it wouldn't help:

      "I recognized the URL as our cybersecurity vendor's website, knew it was safe, and wanted to see what the faux-phishing page looked like."

      "I hovered my cursor over the link like they told me in training, saw it didn't make sense, but my finger twitched by accident."

      "This looks exactly like an email from $vendor who I work with all the time. I'll have a talk with them about making their emails not look like phishing attacks."

  9. Joe Dietz

    You can't fix people, but you CAN fix tools!

    Actual blog post link: https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html

    And a hearty hear hear! "You can't fix people, but you CAN fix tools! "

  10. Anonymous Coward

    Non-event: Google miffed at competition

    Google's own anti-phishing measures, as known by every GMail user, are so rubbish that they are reduced to childish sniping at the competition, like this. And as any corporate knows, if you try to assess the efficiency of Google's anti-phishing measures, you are presented with so much smoke and mirror hoodoo that their black Vikings snafu looks like AI genius.

    Point #1 If phishing successes are going up, would they be going up even more if there were no anti-phishing exercises? Are they going up at your competitor, but not for you?

    Point #2 If you think the idiots who click on test links get a nasty surprise, wait till a proper criminal phish empties their bank account.

    Point #3 That counter example? What on earth is that supposed to do?!?!

    (Anonymous because my employers use Google and Google has lawyers)

    1. Anonymous Coward

      Re: Non-event: Google miffed at competition

      I think I've gotten only one phishing email at work in the past two years. My private gmail account has gotten three this week, plus several "don't you want a girl like me, click here" emails. Worst part - the "girl" emails are coming from gmail addresses!

  11. Clarecats
    Boffin

    Not just e-mails

    A friend showed me a WhatsApp message they'd just received. This said the sender was from an Irish agency and wanted to know if my pal was interested in some work. He was quite chuffed to be remembered as he's a few years out of that business. He'd checked that the firm exists.

    How did they get your number? I asked.

    Don't know.

    Their phone number starts with 062. Where is that?

    Manchester?

    Wouldn't that be 0044?

    Oh.

    Look it up on Google. +62 = Indonesia. Why is an agent calling you from Indonesia?

    Oh.

    Did you reply? Tell them anything about yourself?

    Yes.

    Block that number. I recommend telling the agency in an e-mail that someone is using their name.

    He did. A couple of days later I got a similar WhatsApp message, but as the new EU Digital Services Act had just come into play, WhatsApp had added a warning that the message originated in Bangladesh, and I did not have them in my contacts. If I blocked the sender, WhatsApp would read their last three messages and check for suspicious activity.

    I blocked, of course, and have not had repeats of the activity.

    1. Michael Wojcik Silver badge

      Re: Not just e-mails

      Well, yes. "Smishing" (SMS phishing) and "vishing" (voice phishing — I didn't make these terms up) have been widely known for years. Of course someone will be trying OTT apps like WhatsApp if they have a list of potential victims to try.

      1. Clarecats

        Re: Not just e-mails

        I would think it was random sending. The other day my phone rang in my pocket and a person said he was calling me back as my number had shown up as a missed call. I didn't know his number, I hadn't been calling anyone. Looks like the phishers are spoofing send numbers too - but that didn't happen on WhatsApp.

        1. Claptrap314 Silver badge

          Re: Not just e-mails

          That person might well be the phisher....

  12. Richard IV

    Why does phishing work?

    The thing that never seems to get mentioned when discussing these so-called fixes is why phishing is so easy.

    Internal corporate comms to employees is appallingly bad.

    • HR contacting you from 17 different email addresses, some of which are personal.
    • "Important" messages from the CxO that could be your pay review or that the company has won an award.
    • Messages from third parties like your pension provider that come from random domains that don't look anything like a company that you recognise and have password protected pdfs.
    • Newsletters from external domains because the marketing department are using some random tool that looks pretty.
    • Surveys on forms.office.com or a shared google doc that could be from goddamned anyone and 50% of the time you'll eventually get nagged about filling it in because the management team want "engagement".
    • I could go on...

    As much as I hate to say it, the banks are getting fairly good at including "here's how you know it's from us" in their messaging. I want similar cues at work. I want mechanisms to be able to verify that it really is important and genuine:-

    • HR messages could be duplicated in the HR system. Email notifications just a courtesy.
    • The CxO could have a blog only visible internally - sure, send me email notifications if you like.
    • Companies could force trusted third parties to improve their comms. An internal message with an ID that the third party will/has used to back it up.
    • I don't think that anyone who has ever been auto-subscribed to a newsletter ever has cared about the prettiness.
    • If surveys are _that_ important, then they should be hosted on domains that _you_ control. And no, I absolutely don't mean "yourcompanyname.somerandomthirdparty.com", I mean "somerandomthirdparty.your.domain". It needs to be nigh on impossible that some rando has set it up.

    Fix all that and phishing becomes orders of magnitude harder. It's all very well having fire drills to improve the current "fear all burny stuff" approach, but eliminating the combustible material is far more important.

    Not only that, but you can then add in extra stuff on the mail servers to do things like blocking "HR" or "CxO" messages that don't meet the standard. If it really is an internal person trying to send the message, train them about the ban hammer and why it's important.
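A gateway rule of the kind the last paragraph proposes, as an added example (not code from any vendor and not the commenter's own): a message whose display name or local part claims a protected identity, here HR, payroll or the CEO, is delivered only if it comes from an address on the approved list and only if the gateway's own DMARC verdict for it is pass. The internal domain, the authserv-id, the directory entries and the four sample messages are constructed. The first sample also shows the limit another commenter raised higher up: the lookalike mail from a free-mail domain passes DMARC, because it is the attacker's own domain, so the identity check is what stops it.

```python
"""Gateway rule for protected senders (HR, payroll, the CEO).
Directory, internal domain, authserv-id and sample messages are constructed.
"""
import email
import re
from email.policy import default
from email.utils import parseaddr

AUTHSERV_ID = "mx.corp.example"  # assumed: our gateway's id in Authentication-Results
PROTECTED = {                    # assumed: roles and approved addresses from the directory
    "ceo": (re.compile(r"\b(ceo|chief executive|jane doe)\b", re.I),
            {"jane.doe@corp.example"}),
    "hr": (re.compile(r"\b(hr|human resources|payroll)\b", re.I),
           {"hr@corp.example", "payroll@corp.example"}),
}


def dmarc_result(msg):
    """Only trust the Authentication-Results header our own gateway added."""
    for ar in msg.get_all("Authentication-Results", []):
        if str(ar).strip().startswith(AUTHSERV_ID + ";"):
            m = re.search(r"\bdmarc=(\w+)", str(ar))
            return m.group(1).lower() if m else "none"
    return "none"  # absent, or written by someone else: treated like a failure


def evaluate(raw):
    """Return ("accept"|"reject", reason) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    local = addr.split("@")[0].replace(".", " ")  # "jane.doe.ceo" -> "jane doe ceo"
    claimed = [role for role, (pat, _) in PROTECTED.items()
               if pat.search(name) or pat.search(local)]
    if not claimed:
        return "accept", "no protected identity claimed"
    for role in claimed:
        if addr not in PROTECTED[role][1]:
            return "reject", f"claims {role} but {addr} is not an approved {role} sender"
    if dmarc_result(msg) != "pass":
        return "reject", f"{addr} is an approved {claimed[0]} sender but DMARC did not pass here"
    return "accept", f"authenticated {claimed[0]} sender"


SAMPLES = {
    # Lookalike from a free-mail domain: DMARC passes for gmail.test, which is
    # exactly why DMARC alone does not catch display-name impersonation.
    "lookalike_ceo": """\
From: "Jane Doe (CEO)" <jane.doe.ceo@gmail.test>
To: bob@corp.example
Subject: Urgent wire
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=gmail.test; dkim=pass header.d=gmail.test; dmarc=pass header.from=gmail.test

Please handle this quietly.
""",
    "real_hr": """\
From: "Human Resources" <hr@corp.example>
To: bob@corp.example
Subject: Benefits enrolment
Authentication-Results: mx.corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example

Enrolment closes Friday.
""",
    # Exact-domain spoof carrying a forged Authentication-Results header under a
    # different authserv-id; the rule ignores it and reads only our own verdict.
    "spoofed_hr": """\
From: "Human Resources" <hr@corp.example>
To: bob@corp.example
Subject: Benefits enrolment
Authentication-Results: mail.evil.test; dmarc=pass header.from=corp.example
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp.example; dkim=none; dmarc=fail header.from=corp.example

Confirm your bank details here.
""",
    "vendor": """\
From: Carol <carol@vendor.test>
To: bob@corp.example
Subject: Invoice 4711

Attached.
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14} {evaluate(raw)}")
```

The reject reason is the part that matters for the training angle in the comment: an internal sender who trips the rule from a personal address or an unauthenticated relay gets told exactly which line they crossed, and the address list is the thing to fix, not the user.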

  13. KSM-AZ
    Alert

    Let your network admin know . . .

    Security team at my old gig tossed out a test phish to everyone without telling anyone. I was the Senior Engineer, and not notified of the test. I got the E-mail, logged into the PA and blocked the site. The next day the director wanders over and starts asking why this url is blocked . . . brilliant move dude! Apparently I was really fast, nobody had clicked the link.

    1. Claptrap314 Silver badge
      Pint

      Re: Let your network admin know . . .

      I love it! Have one! -------------------------------------------------------------------------------------------------------------------------------------------->
