This uni thought it would be a good idea to do a phishing test with a fake Ebola scare

University of California Santa Cruz (UCSC) students may be relieved to hear that an emailed warning about a staff member infected with the Ebola virus was just a phishing exercise. The message, titled "Emergency Notification: Ebola Virus Case on Campus," went out to the university community on Sunday, August 18. It began, "We …

  1. Headley_Grange Silver badge

    "Phishing simulations run a very high risk of creating distrust and friction between your employees and security team,"

    In my experience any attempt to implement, highlight or enforce security causes friction, especially with engineers and directors. Make people use strong passwords, making people change passwords, making people use 2FA, workplace audits for post-it-passwords, disabling USB, warnings about stuff on local drives, and so on. I don't see why phishing simulations should be specially different.

    1. Sceptic Tank Silver badge
      Big Brother

      You and I work for the same place?

    2. Bendacious Silver badge

      "Making people change passwords"

      The gift that keeps on giving massive annoyance and weak sequential passwords for no security gain. Debunked many years ago but still forced on us by tick-box warriors. (sorry, touched a nerve)

      https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

      "Regular password changing harms rather than improves security."

      1. Ian Johnston Silver badge

        Strong passwords + regular changes required => passwords on post it notes, sure as night follows day.

        1. gnasher729 Silver badge

          Idiotic software not accepting a Safari generated password with 128 bits entropy. Because “not safe enough” or “too long”. They create security by using 18 random letters instead of the upper/lowercase/special character nonsense.

          1. Michael Wojcik Silver badge

            Yes. Passwords are terrible authenticators, but many developers go out of their way to make them even more terrible.

            One of the systems I use for work doesn't allow spaces in passwords, making it more clumsy to use passphrases. Another has a (bogus, idiotic) complexity rule of "no more than two consecutive characters that appear in the user's name"; obviously many people have consecutive characters in their names which are also common in natural-language words, so that's also an impediment to using passphrases.

            So many IT practitioners simply aren't interested in the research around password/passphrase use and strength, and instead indulge in this cargo-cult false-security nonsense.

            1. mpi Silver badge

              > Yes. Passwords are terrible authenticators

              Strongly disagree.

              A 64 utf-8 character random stream is an amazing authenticator. Lightweight, easy to implement, and completely safe against anything short of bruteforcing the entire keyspace or using the 5$-wrench-attack.

              And all it requires is for people to use a password manager.

              1. druck Silver badge

                Re: > Yes. Passwords are terrible authenticators

                So the $5 wrench only has to persuade you to reveal the master password to the password manager.

        2. Anonymous Coward

          "Correct Horse Battery Staple"

          My place has minimum 20 chars for user passwords now, so we're all encouraged down the "Correct Horse Battery Staple" type of passwords. It took about a month for people to get used to it but it's proved way more popular and has cut the number of password calls to helpdesk by about 70%.

          1. Doctor Syntax Silver badge

            Re: "Correct Horse Battery Staple"

            A minimum of 20 characters offers scope for creative comments about manglment's mental capacity and recent family history.

            1. Anonymous Coward

              Re: "Correct Horse Battery Staple"

              And my ex-wife.

          2. Martin-73 Silver badge

            Re: "Correct Horse Battery Staple"

            Yes A&A do that, very easy to remember passwords (you can of course also set your own)

            1. collinsl Silver badge

              Re: "Correct Horse Battery Staple"

              If you mean Andrews and Arnold I've never found a way of setting my own. It just comes up with another randomly generated four word one.

              1. Ian Johnston Silver badge

                Re: "Correct Horse Battery Staple"

                My A&A passwords are all WordWordDigitDigit. I haven't come across WordWordWordWord yet.

          3. tiggity Silver badge

            Re: "Correct Horse Battery Staple"

            We have complex password requirements, but it also bans any dictionary words so say goodbye to memorable multi word passwords.

            There is a company mandated password manager we must use (but you guessed it, it's via a web page)

            .. so, lots of fun when the web based password manager is down

            .. there's easy workarounds as a coder, you can always find a line of code that hits the requirements so use that as your password & make a note of file, version and line number and it just sits in the drawer amongst your other paper notes of "to do" bits of code to inspect. Been saved by that more than once when password manager was having a wobbly.

          4. gnasher729 Silver badge

            Re: "Correct Horse Battery Staple"

            At the very very least you should make sure that you accept secure passwords from all popular password generators.
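
The posts above contrast two kinds of password rule set: composition rules (character classes, no spaces, 16-character caps, "nothing that appears in your username") that reject generator output and passphrases while waving through "Meringue104!", and the length-first approach the linked NCSC page recommends. The following is an added example written for this page, not code from any commenter or from NCSC; the usernames, sample passwords and the tiny breached-password deny list are all constructed for illustration, and a real deployment would check candidates against a large breach corpus instead of a five-entry set.

```python
import unicodedata

# Constructed sample inputs standing in for the cases raised in the thread.
USERNAME = "h.staple"  # constructed account name
SAMPLES = {
    "generated":   "kajzef-4Bymij-wovqam",            # Safari-style generator output (constructed)
    "xkcd_phrase": "correct horse battery staple",    # the famous example, now on every deny list
    "own_phrase":  "lamp otter velvet quarry nine",   # constructed four-word-plus passphrase
    "incremented": "Meringue104!",                    # the "bump the number" workaround
    "composed":    "Passw0rd!",                       # satisfies every character-class rule
}

# Constructed stand-in for a breached-password list.
DENY_LIST = {"correct horse battery staple", "password123456789012"}


def legacy_policy(password: str, username: str) -> tuple[bool, str]:
    """Composition-style rule set of the kind complained about above:
    8-16 chars, four character classes, no spaces, and no run of three
    characters that also appears in the username."""
    if " " in password:
        return False, "spaces not allowed"
    if not 8 <= len(password) <= 16:
        return False, "length must be 8-16"
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if not all(classes):
        return False, "needs upper, lower, digit and special"
    lowered, uname = password.lower(), username.lower()
    for i in range(len(lowered) - 2):
        run = lowered[i:i + 3]
        if run in uname:
            return False, f"contains '{run}' from username"
    return True, "ok"


def length_first_policy(password: str) -> tuple[bool, str]:
    """Length-based rule set in the spirit of the NCSC guidance linked above:
    20-128 code points, any printable characters including spaces, no
    composition rules; reject only control characters and known-breached values."""
    pw = unicodedata.normalize("NFC", password)
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control characters not allowed"
    if len(pw) < 20:
        return False, "too short (min 20)"
    if len(pw) > 128:
        return False, "too long (max 128)"
    if pw.lower() in DENY_LIST:
        return False, "appears in breached-password list"
    return True, "ok"


def compare(samples=SAMPLES, username=USERNAME) -> dict:
    """Run both rule sets over the samples; returns {name: (legacy_ok, new_ok)}."""
    return {
        name: (legacy_policy(pw, username)[0], length_first_policy(pw)[0])
        for name, pw in samples.items()
    }


if __name__ == "__main__":
    for name, pw in SAMPLES.items():
        legacy = legacy_policy(pw, username=USERNAME)
        modern = length_first_policy(pw)
        print(f"{name:12} legacy: {legacy[1]:40} length-first: {modern[1]}")
```

Running it shows the inversion the thread complains about: the composition policy accepts "Meringue104!" and "Passw0rd!" but rejects both the generator output (too long) and both passphrases (spaces), while the length-first policy accepts the generator output and the constructed passphrase and rejects the two short ones. The one passphrase both reject is "correct horse battery staple" itself, which the length-first policy catches only because it is on the deny list, which is the argument for pairing a length rule with a breach check rather than with character-class rules.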

      2. gnasher729 Silver badge

        "Regular password changing harms rather than improves security."

        I had a password once ending in 39. Fortunately the software allowed me to use the same very secure password with 1 to 39 added.

        1. s151669

          Mine had 51. Then they saw the light and accept a longer password with no need to change it.

        2. Ian Johnston Silver badge

          My former workplace wanted uppercase, lowercase, digits and punctuation and insisted on changes every three months. So I started at Meringue1! and retired twenty six years later at Meringue104!

          Note: Not actually Meringue,

          1. Richard 12 Silver badge

            At a former workplace my manager explicitly recommended this workaround to the password requirements.

            Yours, Kitekat72?

          2. John Brown (no body) Silver badge

            "Note: Not actually Meringue,"

            It wouldn't matter if it was. Now you are retired, your account has been reset and closed and the username no longer exists of course. Or...does it? :-)

      3. steelpillow Silver badge
        Trollface

        "tick-box warriors"

        The curse of modern civilisation.

        Letting them loose on SharePoint administration is especially bizarre - all the native hindrances of shite cloud-shite, combined with an arbitrary and pig-ignorant security paradigm. The only work ever accomplished is by the phishers and data thieves.

    3. Zibob Silver badge

      I think the main thing that makes people avoid and then give out about these security audits is that it makes them feel and in some cases look stupid for either getting caught out by what is obvious or being seen forgetting new passwords and having to ask for a reset again. Usually compounded by a general disdain for IT staff even though they keep the place together.

    4. anothercynic Silver badge

      And yet people *still* fall for phishing campaigns and then cause misery for others.

      I don't like phishing simulations either, but they do eventually have the desired effect with many members of staff.

      1. Michael Wojcik Silver badge

        Do they? You have an actual methodologically-sound study showing a statistically-significant effect, using reliable data? Or are you just guessing or extrapolating from some anecdotal dust?

      2. djnapkin

        Do they eventually have the desired effect with many members of staff?

        All the research I have seen says the opposite.

        In practice the reality is that some people are very highly resistant to training in this way. They just will keep clicking the link, or OK'ing if the authenticator on the phone asks them "is this you?".

        Keen to see evidence that it works, that is not sponsored by a mob who provide the service for money.

    5. steviebuk Silver badge

      Shouldn't be changing passwords anymore unless you know they are insecure. Reason being people WILL write them down now they've had to change it.

    6. Anonymous Coward

      I kept hitting the "report spam" button on corporate/HR BS and "report phishing" when they sent a survey. Made no difference.

      1. Ian Johnston Silver badge

        The Co-Op Bank has a terrible habit of phoning me and asking me to prove my identity by giving them some security information: date of birth / place of birth / two digits from my PIN. Every time they do this I report it to their security team. It simply does not seem to occur to them that with two or three calls ("Oops, dropped") a scammer could get all they need to access my account.

        The RBS tried something similar recently and the person on the phone got really quite upset when I asked her to prove her identity.

        1. rafff

          phoning me and asking me to prove my identity

          John Lewis do the same. I tell them that this is arse about face, that they *know* who I am (after all, they called me) but I have no idea who they are, so could *they* please prove their identity.

          Same problem with NHS, but now they just send me SMSs.

          1. gnasher729 Silver badge

            Re: phoning me and asking me to prove my identity

            Barclays app does this quite well. They call me and at the same time send a message to the app. The caller says “I’m Mr Smith from Barclays”, but everyone could do that. But he also asks me to open the app and it has a notification “Mr. Smith from Barclays is calling” which should be very very hard to fake. Then I click a button saying it’s me and get an SMS. Or something like that. So they know they called the right number, and unless I’m bloody stupid I haven’t sold my phone and left their app on it. _And_ they use a passcode that is different from the phone's passcode.

      2. Anonymous Coward

        I may or may not have done this at a place of work who was with Google. Shitty Google Workspaces where there was no control over the spam filter, not even as super admin. Oh no, only Google are allowed to touch that. So if e-mails were being falsely flagged there was no option to change this.

        So during my last month, I may or may not have flagged every e-mail from certain directors and other "important" people that came into my inbox as spam. Unfortunately never found out if it worked (I doubt it, I'd assume more than one user would have to flag them)

    7. Stuart Castle Silver badge

      Something my old Software Engineering Management lecturer used to say when talking about security (and yes, even 30 years ago, we *were* taught about developing applications with security in mind) "Security, Features, Ease of use. Pick two"...

    8. Stuart Castle Silver badge

      The problem is, most users would, given half the chance, have no password. Forced to have a password with no restrictions, they'll choose something easy to type or remember. Make it more difficult (such as requiring longer passwords, with numbers and punctuation etc), you run the risk of them writing it on a post it note and sticking it somewhere, or they'll use the same password everywhere.

      Even MFA has its issues. MFA is lovely when it works, but when it doesn't, can be a pain.

      All of this can cause user annoyance. As do test phishing exercises.

      Don't get me wrong: I think from a security point of view, these exercises are good. I like reading about scams, and like to consider myself naturally sceptical, and difficult to scam. I'm certainly a lot more knowledgeable about these things than the average person, and I know I can be scammed.

      It's just these things do annoy users.

    9. Michael Wojcik Silver badge

      I don't see why phishing simulations should be specially different.

      You don't see the difference between security measures that are announced and explained to users, and attempts to trick users? That's an interesting cognitive blind spot.

      1. John Brown (no body) Silver badge

        Some people can only learn by experience. They don't learn from being told even by simulation in a classroom. Others are simply "too important to waste time" learning stuff they don't see as relevant. As for the Uni ebola phishing "test", if you're going to do that, and have the numbers to show it's a worthwhile method, then sending something that puts the fear of $deity into them and induces panic mode is possibly the ideal way to get the message across. Because that's the sort of psychological tricks scammers get up to all the time.

    10. M.V. Lipvig Silver badge

      Ugh, fucking IT and their passwords. My company just forced us to switch to a FIFTEEN character password, random letters, numbers and special characters, with certain combinations not allowed - which you can't figure out what isn't allowed until you try it. New one required every few weeks. Fuck it, anyone who steals my laptop will find my laptop password taped to the keyboard, and there's a notepad labeled "Passwords" with all 60+ apps I'm required to use to do my job, with links, usernames (they aren't all the same) and passwords. They aren't the same either but must follow the same protocol when the equipment allows. Oh, and there's no sort of password manager either - they're not secure enough. We're just expected to remember when I'm the sort that can't remember what my last meal was.

  2. Doctor Syntax Silver badge

    Do not set the fingers in motion before engaging the brain.

    1. Pascal Monett Silver badge
      Trollface

      Brain ?

      BRRAAAAAIIIIIIINNNNN !!

  3. Khaptain Silver badge

    Priorities?

    "The email content was not real and inappropriate as it caused unnecessary panic, potentially undermining trust in public health messaging," his missive said. "We sincerely apologize for this oversight."

    So they are more worried about people's trust in the public health messaging than they are in the university's security.

    If they can't simulate messages like this, then I don't see how they will successfully manage to avoid actual phishing emails which are becoming more and more sophisticated.

    In our company we are now at the stage where we are doubting even legitimate emails.

    1. Evil Scot Bronze badge
      Facepalm

      Re: Priorities?

      What is it with US orgs and poor Phishing awareness schemes.

      I received an email from my boss at 3PM offering sarnies for lunch if I clicked on the link.

      Said boss was currently dosed up on chemo and probably strong pain killers so wasn't running on Greenwich mean time let alone Eastern Seaboard time.

    2. Jonathan Richards 1
      Alert

      Re: Priorities?

      > we are now at the stage where we are doubting even legitimate emails.

      ...aaand you're trained. Congratulations, collect your certificate at going-home time. You should doubt all emails initially, and know how to identify the legitimate ones to eliminate reasonable doubt.

      1. KittenHuffer Silver badge

        Re: Priorities?

        To collect your certificate please click on the following link

        1. Anonymous Coward

          Re: Priorities?

          The link is broken, tells me to update my browser. How about you make the page backwardly compatible for older versions of Windoze.

          1. KittenHuffer Silver badge

            Re: Priorities?

            I will get it working ..... Never gonna let you done

          2. John Brown (no body) Silver badge

            Re: Priorities?

            "The link is broken, tells me to update my browser. How about you make the page backwardly compatible for older versions of Windoze."

            That's part of the selection process. If you can't afford a new computer and the latest version of Windows, you're not worth the effort of scamming :-)

      2. Khaptain Silver badge

        Re: Priorities?

        “You should doubt all emails initially, and know how to identify the legitimate ones to eliminate reasonable doubt."

        Do you actually believe that I am the one making the decisions and that I have the authority to stop links, or that the management haven't been warned multiple, multiple times.

        And why does our company insist on allowing links, because without them the Sales team can't put those damned logos and shit event scenarios in email signatures.

        Think again.

        You can pick up your pink slip for not understanding how most companies work.

    3. gnasher729 Silver badge

      Re: Priorities?

      “So they are more worried about people's trust in the public health messaging than they are in the university's security.”

      You don’t get it. The risk is that if there’s a genuine health warning people may not take it seriously.

      1. NickHolland

        Re: Priorities?

        That's exactly what should be happening..

        EMAIL CAN NOT BE TRUSTED. Period.

        All the attempts to bolt "security" on a fundamentally insecure protocol just don't work. The ones that are technically sound are too complicated for normal users, who can't figure out the difference between a lock indicator on the URL bar and a lock graphic in the web page.

        People have to learn that you can't trust e-mail. If a "genuine health warning" is sent out via e-mail and that's the only way it is sent, then the senders need to learn how to do their job properly.

      2. Dostoevsky Bronze badge

        Re: Priorities?

        Email is not the proper channel for public health warnings. That'd be what official postings and websites are for.

        1. Doctor Syntax Silver badge

          Re: Priorities?

          But remember to send out emails with links to the public posting or website. just to be sure.

        2. OhForF' Silver badge
          Devil

          Re: Priorities?

          >That'd be what official postings and websites are for<

          So I'm supposed to verify the public health warning email by following the institution's official blue ticket Xitter account?

        3. Falmari Silver badge

          Re: Priorities?

          @Dostoevsky "Email is not the proper channel for public health warnings."

          The proper channel is of course a text sent to smartphones https://www.theregister.com/2018/01/15/hawaiian_missile_warning/ or https://www.theregister.com/2023/04/21/florida_emergency_alert/. ;)

          Joking aside no one channel is used to inform the public of health warnings, normally through various media/news/press outlets, via TV, radio and web, may even use EWS. Sure there will be an official posting and/or website for a public health warning, but if you expect the public to read that health warning then you have to tell them where it is (a website address).

          Now of course Email would not be used for public health warnings. But when it comes to companies issuing internal health warnings to their employees at site or regional location emails make sense. They probably have company email address groups for sites and regions.

        4. Jadith

          Re: Priorities?

          I believe that it is an appropriate channel, but no links should be sent along with it. The current guidance on securely using emails is to verify using a secondary source entirely separate from the received email.

          It should be something like:

          "Public health warning: Green goo disease currently spreading. Please look at the agency website for more details"

          It has the added benefit of limiting the survival of anyone not able to find a website with a google search.

      3. Plest Silver badge

        Re: Priorities?

        We do get it, we get the exact problem they think they have when in fact they already had a problem.

        They had already had a genuine phishing email, they told people to never trust email, sent out a fake phishing email, people still trusted the new email as fact and now they're moaning about people might not trust emails as fact.

        Now do you get what the core problem is here, it starts with "e" and ends with "l". Email is simply no longer fit for purpose, it's basically useful for sending text information but all the HTML, links, pics and other bollocks they've crowbarred into the specs is now useless as email is still one of the number one initial vectors for scuzzbags to get their claws into your org. No matter how much you beat people with the "DO NOT TRUST EMAIL!" stick they still come back for more punishment by trusting emails and clicking on links, as if there's some sort of prize for how many stupid email links people can click in a day.

        1. doublelayer Silver badge

          Re: Priorities?

          The problem is not email. It's not HTML in email. In any functioning organization, there's a need for some kind of communication. Any communication can be faked. People fall for scam phone calls, scam web adverts, scam printed letters on paper, scam SMS messages, scam messages sent over E2E encrypted messaging systems, scam social media posts, and they will fall for scam anything else that can be sent in. Some parts of email could be better, although many of the worst ones have already gotten patches to try to help, not necessarily correctly.

          In all of those cases, there are technical measures that will reduce the problem, but no system, no matter how thoroughly designed, can use a technical measure to eliminate the problem or the need for receivers of the communication to work with skepticism. Phishing will never go away. Users will have to recognize this fact and learn how to recognize it when it comes in. Even if we eliminate email with all its historical kludges and replace it with something else, and I'm not sure what you think that something else should be, the problem will only reduce in scale, and possibly not even permanently once the scammers adapt to the change.

          1. MuleD

            Re: Priorities?

            AhhhMeeennnnnn Brother.

          2. Michael Wojcik Silver badge

            Re: Priorities?

            Who said the goal was to "eliminate" anything?

            Security is not an absolute. We seek to increase costs for attackers and/or lower them for defenders. If you start from the position that security ought to be, or aims to be, perfect, you're not making a cogent argument.

            Removing links from email messages raises the cost (of a successful attack) for attackers, because it raises the work factor for users to fall for the attack, and that means fewer users will fall for it. Anti-phishing training, if it achieves anything useful at all (and that remains to be shown), ought to have an (almost certainly smaller) effect along the same lines.

            1. doublelayer Silver badge

              Re: Priorities?

              The argument was that email is the weakest link due to technical limitations. There are a few technical problems with email that could be improved, but in many cases, they are not necessary and not used for successful phishing attacks. Email is the most often used path into an organization not because it's technically weaker, but because that's the most common way for an external party to communicate with the organization. I can't hop on a company's internal Slack or Teams groups without hacking an account (although an attacker might hack an account so people need to know that phishing can happen there as well), but I can send them email. If email were removed, then most phishing would come through whatever external communication method replaced it.

              It is popular to see phishing as a technology problem. IT people like it because we are already used to trying to solve most problems with technology because we can and it doesn't require any of the less reliable methods of trying to solve it. Non-IT people like it because it means they can tell IT to fix it and stop paying attention. It sometimes makes more sense to file it there because sometimes it is attached to things that are actually IT problems such as malware or account compromise. The problem is that it's not really an IT problem any more than scam letters were a post office problem. No matter what technology-based solution you try, the improvement will be marginal. Since nothing else is being done, by all means find any technical hammer and hit that nail. However, if you expect a lot of movement, to not have to train people to be vigilant, or to not have failures, you will never get any of those things.

              1. Terry 6 Silver badge

                Re: Priorities?

                Absolutely. And, with a moment's thought it seems fairly reasonable to say that this is a behaviour problem, not a tech problem. A training solution, not an IT solution. Requiring training specialists, not IT specialists.

      4. John Brown (no body) Silver badge

        Re: Priorities?

        Except as per the article, it was based on a real Ebola health issue phishing scam from a previous year, so people DO need to learn to tell the difference between a legit one and a fake one. Yes, you might be able to instil awareness with other forms of phishing, but you still need the type that instill fear and/or panic because that is the situation the Phishers are trying for, making you click and enter details without thinking it through.

    4. anothercynic Silver badge

      Re: Priorities?

      "In our company we are now at the stage where we are doubting even legitimate emails."

      Excellent. Training has had an effect then.

      That's what training should do. You should question email that looks dodgy. Pass it on to your Infosec people (if you have any). Let them reeducate the offenders.

      1. Michael Wojcik Silver badge

        Re: Priorities?

        Yes. Increase the pain for people putting links in legitimate email messages. When a former place of employment started including links in messages from the Infosec team, I reported every one of those as a phishing attempt. Alas, that team became redundant before they saw the light, but it was a good attempt.

  4. John_Ericsson

    Not so many years ago at a university in the UK we did our first phishing exercise. I can't remember the text but it would have been along the lines of "funding issue with your fees". The following day HR raised complaints at the highest level and were demanding discipline be considered. Time and time again they were telling us that "lying to students is totally unacceptable" and how the damage done will take many many years to repair. No further exercises were ever run.

    1. Ian Johnston Silver badge

      Was it sent from a university email address?

    2. gnasher729 Silver badge

      It seems you should have talked with HR before that exercise. As a first step you could have sent the scam email with an explanation that it is a scam, plus tips how to recognise this scam. Like “if there was a real problem the email would contain your name. “

      1. Ian Johnston Silver badge

        What business of HR is it what communications get sent to students?

        1. PTW

          Human remains, absolutely worthless, why do they even exist?

          1. Ian Johnston Silver badge

            It's a workfare scheme for people with lower seconds in psychology.

  5. gnasher729 Silver badge

    I’ve received emails where I didn’t do what I was asked to do, but just replied “this is just what a scammer would ask me to do”. Training is needed that way as well.

    1. Plest Silver badge
      Happy

      Ditto, every email I get in the company that has links embedded and from people as sources, not automated systems I know about, I now just forward them to the HR and Infosec bods as possible phishing scams. They get fed up and keep telling me to stop and say most are genuine, but I simply say "That's exactly what scammers want you to think!".

      As the best sci-fi films often say, "They took an innocent man, trained him and turned him into an unthinking killing machine!", well that's what all the infosec training they make us take every 2 months has done to me, now I don't trust anything and no one!

      1. Ian Johnston Silver badge

        We've had the concept of links for 35 years now. What sort of business do you work in that never needs them and from one person to another?

        1. Michael Wojcik Silver badge

          I can't offhand think of any email message I've ever received which needed to contain an HTML anchor, or a URL. Certainly there haven't been any recently.

          If someone can't tell me where to find some resource properly, then they need to learn how to communicate.

          1. doublelayer Silver badge

            Maybe we send and receive different types of mail. I frequently have things that I want to send. Let's take an example.

            I've just found an interesting paper produced by a university. This paper can be found at https://ee.engineering.someuniversity.ac.uk/ce/2018/~efermi/archives/2016/rgaaf-pg15-38.pdf

            I want to tell my colleague about this because it has something relevant in it. How should I do it. I could include the URL, but evidently, that makes me bad at communication. So maybe I should give them the last search string I used to find this from a search engine. Except that search string is confusing because I was using it to replace the absent or malfunctioning search box on the university's site, so it has a site: filter and a few words that look like I just picked them out of a bag. Also, I used DuckDuckGo and they're using Google, so their results might be different. So I tell them to go to DDG, enter this search string, select result number 5, and oh right, this PDF was not what result number 5 links to. Result number 5 links to a personal page from graduate student R Feynman who worked on a paper about something else with professor Teller. I'm not interested in that, but fortunately, Feynman mentioned when linking to Teller that Teller also works on the kind of thing I'm interested in, so I click on that link and go to a page that Teller wrote. Only there do I find the link to a different paper that Teller wrote with Professor Fermi, which is why the PDF is under Professor Fermi who I hadn't heard about before. So maybe giving a search term isn't the best option.

            So instead of that, maybe I should take the link I have and see if I can find a path back to the university's home page. If I'm lucky, I may be able to tell my colleague to navigate to the home page of Some University, and if they don't know that they can always google it, then find the link to the engineering departments, then the twenty more links needed to arrive at this professor's page. So that is not much better and there's a decent chance they'll take a wrong turning and end up at the wrong URL entirely.

            If I have somewhere that I want someone else to go, a URL is the way to ensure they arrive there and not somewhere else. This is why, when I tell people to download something, I always make sure to give as clear a URL as possible and never give them a search string. Frequently, when I have used other methods, bad things happen. For example, they Googled something, clicked on an ad that I didn't see because I block them, and ended up in some sketchy site that's more than happy to provide them software downloads, just not the software download I told them to use.

            1. John Brown (no body) Silver badge

              "If I have somewhere that I want someone else to go, a URL is the way to ensure they arrive there and not somewhere else."

              Yes, something you can do without making it a directly clickable link with text hiding the actual URL. Most email clients will allow you to right-click a plain text URL and open it. That way you effectively get a clickable link which isn't obfuscated. (Assuming the site itself has a reasonably clear URL and isn't a mish-mash of seemingly random character strings)

              1. Terry 6 Silver badge

                Exactly. Emphasis here: a displayed URL that is a clickable link may link to another URL entirely

                And surely everyone working in any part of IT, not just people typing here knows that behind a URL .myclickablellink.com there could easily be scam-meforeverypenny.co.ru (or wherever)
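
The mismatch John Brown and Terry 6 describe, a visible link text that names one host while the real href points somewhere else, is mechanically checkable on the receiving side. The following is an added example (not code from the thread or from The Register) that parses the anchors in an HTML message and flags those where the displayed text looks like a URL for a different host; the sample message and its domains are constructed for illustration.

```python
"""Flag HTML e-mail links whose visible text names a different host than the
real href target. Added example, not from the forum thread; the sample message
below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed message: the second anchor displays one domain but points at another.
SAMPLE_HTML = """
<p>Please review the updated forms.</p>
<a href="https://intranet.example.edu/forms">https://intranet.example.edu/forms</a>
<a href="https://scam-me-for-every-penny.example.ru/login">www.myclickablelink.example.com</a>
<a href="https://payroll.example.com/">Payroll portal</a>
"""

# Visible text that "looks like a URL": optional scheme, a dotted host, optional path.
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]\S*)?", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of an absolute URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def displayed_host(text):
    """Host named in the visible link text, or '' when the text is not URL-like."""
    m = _HOST_RE.fullmatch(text.strip())
    return m.group(1).lower() if m else ""


def find_mismatched_links(html):
    """Return [(visible text, real href)] for anchors whose text names a host
    other than the href's host. Text that is not URL-like ('Payroll portal') is
    not flagged: it hides nothing, it simply has to be checked before clicking."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        shown = displayed_host(text)
        if shown and shown != host_of(href):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f"shown as {text!r} but points to {href}")
```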

    2. Doctor Syntax Silver badge

      "Training is needed that way as well."

      Especially with marketroids. A metre or so of scaffolding pole would be a suitable training implement.

      1. Doctor Syntax Silver badge

        A thumb down? Was one metre considered inadequate?

        1. Michael Wojcik Silver badge

          I didn't downvote you, but I know I grow weary of the constant "anyone not in my field is a villain" tone in the Reg forums. It quickly grows tiresome.

          1. John Brown (no body) Silver badge

            If you've ever tried to teach sales and/or marketing people how to do "safe" emails and promotions without them looking like phishing attacks full of off-site links, then you'd know better! :-)

            Weariness is the enemy of instilling good practices.

    3. anothercynic Silver badge

      I tend to just forward those messages to our InfoSec people. Let them deal with that. :-)

  6. NickHolland

    Works for me...

    A few years ago, my employer sent out a fake termination e-mail. "please click on this link, download the forms, fill them out, sign them and take them to HR", something along those lines. I thought it was a brilliant test.

    However, I had a new coworker -- very inexperienced, but smart and trainable and hard-working. i.e., the dream young employee. However, while her experience was measured in months, the rest of us in the team measured our experience in decades. So...not too surprisingly, she had confidence problems. She got the fake termination phish test, and she told us she freaked out. And I fully sympathize.

    BUT...you can't take tools off the table. If we say, "We won't train with 'shocking' content", that's how you get your phish through. Shock them, horrify them, get them to drop their guard...and a-clicking they will go.

    Security training needs to be brutal. Two-up bosses telling underlings to do things (and obviously, managers have to learn to accept people questioning their questionable demands). Disease alerts. Termination notifications. Meet the new coworker. Department after-work party. And drop the stupid "misspellings and bad grammar should be your tip-off" b***s***, because if the target is worth the effort, they'll find someone who can write good $LOCALLANGUAGE.

    1. Anonymous Coward
      Anonymous Coward

      Re: Works for me...

      There is a limit to what's acceptable, still. How about sending fake phishes to Ukrainians about their sons dying in the war? Fake phishes to Israelis about their hostage family members being found? Fake phishes to Palestinians abroad about their Gazan child relatives being killed, to confirm identity? Fake phishes to American parents about their child being injured by a school shooter, or committing suicide?

      There's a point where people don't think the phishing test is that important in the grand scheme of things, and will want to destroy you for toying with their emotions. Is realism in phishing tests really more important than everything else in the world? Probably not.

      1. doublelayer Silver badge

        Re: Works for me...

        I agree with you that there's always a limit somewhere where the temporary negative emotion you cause someone is severe enough that it's not worth doing the test on that topic. However, there are people who put that limit quite low, and I think that can be a problem, because attackers do not think the same way. If someone wants to really phish you and find that informing you of a child's death is the way to get your attention, they will do it. In fact, there have been a few people who think that "child's death" is not severe enough and use, as their phish bait, faked recording of your child being tortured live for your convenience. Just because phishers do that doesn't mean the tests should. Something that is shocking but less so should still be on the table because, if someone is going to try it, then people should be aware about it.

        Where that limit is depends on a lot of variables, but I am not convinced by the people who basically think that, if people felt the least bit nervous about the content of the email, it was automatically immoral to have sent it. The same is true of communication promising a reward which annoys people when the reward turns out not to exist. Sorry, but that's one of the phisher's most common lures and has been since the time of horse-based paper-scam delivery.

      2. NickHolland

        Re: Works for me...

        The problem is...you mentioned REAL WORLD scams that actually take place.

        Which would you prefer: "your son's been killed" and turn out to be a phishing training drill, or "your son's been killed" AND they just used your emotions to penetrate your company's security systems, or your bank account, or... ?

        People need to learn, think first, emotions later. They ARE out to get you. The bad guys don't give a rat's ass about your "feelings".

        1. John Brown (no body) Silver badge

          Re: Works for me...

          True, but see Doublelayers post above yours. You don't train soldiers by shooting them (You might use "live fire" exercises when they ARE trained, even near the end of training, but not on day 1 and you still take every precaution to NOT demonstrate actual fatalities or injuries)

    2. Falmari Silver badge
      Devil

      Re: Works for me...

      "BUT...you can't take tools off the table. If we say, "We won't train with 'shocking' content", that's how you get your phish through. Shock them, horrify them, get them to drop their guard...and a-clicking they will go."

      Perhaps you would not need to train them to keep their guard up with "shocking" content if you trained them out of the habit of clicking links. In my experience receiving a phishing email happens rarely, while internal company emails containing links were very common, probably a daily occurrence. So you are regularly clicking links but keeping your guard up to spot that rare phishing email.

      If we were trained not to include links in emails, then on the rare occasion we received an email containing links it's unlikely we would click a link even if it was "shocking" content.

      But no matter how well trained we are, no one is perfect; mistakes can happen. All it takes is a momentary lack of concentration for a link to be clicked. So why not remove even that possibility and remove or disable all links from incoming emails.

      1. Terry 6 Silver badge

        Re: Works for me...

        Aaaand we still get marketing emails from our bank etc. with exactly the same kind of "Click here to go to your account" links that the same f*cking bank's security people have been telling us we should never click on!!!

      2. doublelayer Silver badge

        Re: Works for me...

        Because links are very frequently necessary. You can forbid them, no problem, but all that gets you is people pasting URLs into the email. People who are used to clicking links will now copy and paste them, and they still need to be trained to look skeptically at them first or a scammer can just send their phishing message with a URL in plain text.

        Of course, there are lots of emails that could stop having links in them, like my financial institutions that always tell me how to find the information that's too private to include in the email by logging in manually, but not before giving me a link to the same information that could go anywhere. I would really like it if they stopped using links. They're not going to, though, so people need to learn what to do when we can't impose our good ideas on every business we deal with.

      3. NickHolland

        Re: Works for me...

        Oh yeah.

        Same job they sent the fake termination notices out, they used a "secure e-mail" system that basically sent you a link to click on to get your e-mail off a website.

        So not at all infrequently, we'd get unexpected e-mails from people we'd never heard of about things we didn't know about with a link to click on. And the same management that enforced "security and compliance training" expected us to violate exactly the guidelines they "trained" us on. I refused. I ain't clicking on that thing. (Security team hated that service for that reason. Well, that, and a certain jackass (me) kept hitting "report phish". Don't know what bothered them more -- me hitting "Report Phish" or the fact that so few other people did.)

    3. SCP

      Re: Works for me...

      ... if the target is worth the effort, they'll find someone who can write good $LOCALLANGUAGE.

      I wish my old company had done that; some of the 'official' missives were appalling.

      #like for all those pointing out that company missives should not be training people to click on links by insisting on them in company emails - particularly when those links are to 3rd party sites (such as the outsourced HR, an independent survey company, or similar). Very frustrating when they could have just given a written instruction to get the details from the company's intranet site.

    4. Sherrie Ludwig

      Re: Works for me...

      However, I had a new coworker -- very inexperienced, but smart and trainable and hard-working. i.e., the dream young employee. However, while her experience was measured in months, the rest of us in the team measured our experience in decades. So...not too surprisingly, she had confidence problems. She got the fake termination phish test, and she told us she freaked out. And I fully sympathize.

      As a young newbie at a company, I might have just been overwhelmed and just headed for home. A really fragile and desperate person might contemplate self-harm, especially if the job were all they had standing between them and destitution. I don't know what a proper phishing scheme should be, but this isn't it.

      1. gnasher729 Silver badge

        Re: Works for me...

        The solution to this: Another fishing mail where you report that a young impressionable employee killed herself after receiving the fake termination notice.

        Two links to click on: “I feel so sorry to hear this” and “serves her right, stupid cow”. Click the first, terminated. Click the second, terminated with prejudice.

  7. Anonymous Coward
    Anonymous Coward

    University of California Santa Cruz

    That's like Oxford Brookes?

    Hey! Just askin.........

    1. anothercynic Silver badge

      Re: University of California Santa Cruz

      Don't dis Brookes. They certainly do better than OU where it matters... The Boat Race. ;-)

    2. doublelayer Silver badge

      Re: University of California Santa Cruz

      California, being a very large state, has a bunch of public (government-funded) universities and they're all named University of California [city name]. Their relative quality can be debated, but it is part of the same system as some of the more famous ones such as University of California Berkeley (of BSD fame) and University of California Los Angeles. Each one has its own leadership but there's a central organization that coordinates things between them. I don't know much more than that about how the system works.

      1. Michael Wojcik Silver badge

        Re: University of California Santa Cruz

        And UCSC is plenty famous in some disciplines. edurank.org puts them at #71 in the US for Computer Science (82 for CS in North America, 186 in the world), FWIW.

  8. anothercynic Silver badge

    I do like...

    I do like UCSC's 'Phish Bowl' though...

    At least they document for their users the latest phishing scams passed on to them. I wish more companies did this!!

  9. Eponymous Bastard
    Coat

    A benefit?

    I'm told that when colleagues perform poorly at simulated phishing attacks sent via email they are subjected to further simulations until they shape up. Some staff complain that they get so many emails and that they're busy. We're all busy and some of us bother to concentrate or actually get in a few minutes earlier each day and have a bit of extra quiet time to attend to any email backlog.

    What the moaners fail to appreciate is that they are more than likely being subjected to similar attacks via SMS, telephone calls and emails in their personal life and that if they learn to be a bit more savvy at work it might actually save them quite a few quid and an awful lot of nightmares. Their employer might survive too.

    Coat required because autumn's come early in South West England . . .

    1. arachnoid2

      Charity work

      "We're all busy and some of us bother to concentrate or actually get in a few minutes earlier each day and have a bit of extra quiet time to attend to any email backlog."

      So you compensate for a works problem by doing unpaid time, how charitable.

      1. Eponymous Bastard

        Re: Charity work

        Minutes required, only minutes. The colleagues who complain are usually the ones who can never get to work on time, but always manage to leave on time . . .

        1. arachnoid2

          Re: Charity work

          Still unpaid, so you made my point.

          1. parrot

            Re: Charity work

            Currently in a position where my own workload is unmanageably high. But overall that’s my manager’s problem, and what I don’t have time to do in a day will have to wait.

            While I don’t believe the necessary time should be found from one’s own time, I agree with the general point that the user needs to take reasonable responsibility for managing their time and doing things properly.

            The point really is if you fall for a fake phish you could fall for a real phish. Regardless of workload it’s essential to pay attention. Security is a higher priority than most other concerns, after all, if you muck it up you’ll have a lot more on your plate to deal with.

          2. Michael Wojcik Silver badge

            Re: Charity work

            What a pathetic fucking attitude this is. "Oh, every minute of my day must fall in the 'work' or 'personal' category, and I will fret over any miscalculation!"

            Personally, I haven't been paid by the hour since I was an undergraduate, and I don't worry about how many minutes I spend working for my employer, versus working on the many projects of my own, or time spent with family and friends, or solo leisure. I do what I want, and I am well-compensated for my output on behalf of my employer.

            1. John Brown (no body) Silver badge

              Re: Charity work

              I guess that depends a lot on who you work for and especially if being paid by the hour or not. If you are effectively paid "piece work", then yeah, it doesn't matter how long you choose to spend on the job so long as the job gets done. Those paid hourly and working for a shitty boss, yeah, clock off on time and don't give the bastards anything more than they deserve :-)

              Personally, I'm hourly paid, but I also like to do a good job and not leave shit for others to clear up and I'll only put overtime claims in if it's over half an hour or so usually (relatively rare anyway). But then my boss is good and there's no issue of leaving a bit early if everything's done for the day or for other, personal reasons.

  10. Anonymous Coward
    Anonymous Coward

    Hmmmm

    I used to be the go-to guy for suspect emails.

    “Should I click/answer this?”

    No, send it to IT to have it checked. It clearly looks bogus. Don’t click.

    “OK, I’ll click anyway….”

    1. djnapkin

      Re: Hmmmm

      > “OK, I’ll click anyway….”

      Exactly. Some people will always fall for these traps, and can't be told.

  11. Fred Daggy Silver badge
    Meh

    Independent Objective Measure of IT competency

    Sigh.

    I.T. is not magic, it is a learned skill. A situation very analogous to driving a car and the requirements around that.

    The situation by Mr or Ms A. Coward is EXACTLY why there should be a licence or certificate to demonstrate basic IT competency in the workplace. If such a beast existed and had wide acceptance, I know that I would make some of our users sit the exam and/or produce the certificate. For the reason of demonstrating to their manager the users' competency (or more exactly, the lack thereof).

    There was previously an ECDL thingy, but that has died out and wasn't well known in the first place.

  12. clintos

    Best medicine is...

    the closer to the real thing the better, do you think perps think about feelings, 'oh we better not do that, it's cruel!' get a grip ffs. Best medicine is, think like a perp, act like a perp and fish out the weakest link for thorough training, or your business might end up dead in the fishy water! You need everyone to spot the disease ridden trout! Oops, No harm intended mentally to trouts, especially ones with a pout. No wonder this world of techbola is fukd. Feelings?!!feelings!!?!! fvk feelings, keep the money rolling in. Rant over!

  13. 6426-george
    Stop

    ...and 26% entered their credentials

    Does this count as unethical science, and as such we cannot know the phishing success rate?

  14. Terry 6 Silver badge

    Basic educational principles...

    Make people proud to be able to spot Phishing emails, don't just scare them.

    Training means you have to do some---training. And yes, that might need some time and investment.

    Say-- a "How to spot a Phishing message" session, with a small reward for correct answers ( a sweety or a voucher for a coffee).

    Maybe like the Scam Aware courses a chance to earn a little "Phishing Awareness Ambassador" certificate with the role of guiding others.

    Empowering people works better than (just) terrifying them. Carrot works better than stick.

  15. MuleD

    Criminals Don't Care

    What nonsense!!! I read through almost all the comments on this article and in my opinion most missed the underlying issue. Criminals don't care if they "cause unnecessary panic, potentially undermining trust in public health messaging". We in the Information Security world get paid to think like criminals, ponder the absolute worst case scenarios, mingle with those who have absolutely no morals, conscience nor soul. Modern media has done a huge disservice to the general public portraying "hackers" as a bunch of fat, pimply faced nerds living in their mom's basement looking for on-line places to hide their porn collections. OR personable anti-hero types à la Mr. Robot. Organized crime does not care if the money comes from an orphanage or from Satan himself as long as the money keeps flowing. Somehow we have to convey the seriousness of our adversaries to the general public. I have tried the softer easier way, no one listens. I say go to the whip. The Russian FSB and the US Navy SEALs have an acceptable loss (death) rate in training and while that's awful the point is that they recognize that if you want extraordinary things you have to be willing to go to extreme measures. I feel bad for the CISO who undoubtedly was told to issue an apology or lose your job immediately instead of having 90 days to look for a new job. Live in the real world, not the world you wish it was. ---MuleD

    1. Michael Wojcik Silver badge

      Re: Criminals Don't Care

      None of that shows the test in question was successful or productive, or that it didn't have revenge effects that outweighed its usefulness. Or indeed even supports such a thesis.

  16. djnapkin

    Phishing simulations a waste of time

    I used to think that phishing simulations were worthwhile. Indeed, they were used in one place I worked.

    I've since learnt they serve no useful purpose.

    Some people cannot be trained by sending them an occasional phish, to stop clicking those links. Training simply does not work this way.

    The evidence suggests there is a sub-section who are highly resistant to learning about clicking on phishing emails.

    Rather than waste everyone's time, better to build a working defence against these incoming emails in the first place.

    1. Fred Daggy Silver badge
      Unhappy

      Re: Phishing simulations a waste of time

      Think "Defence in depth".

      A bit like vaccines. There might be 20% (estimated number, pulled out of posterior) that CAN be trained. They either learn from the email or directly, or they are identified by falling for the phake phish and given a few pointers. For these, the simulations are worthwhile and the carrots are good. (A vaccine in this instance would have changed a severe case to a mild case).

      There are another 20% who are immune to education. They are also identified by falling for the phish. Carrot does not work, but perhaps stick will. E.g., extra, extra training, time in the naughty corner or eventually losing the job. (Observation: this 20% who are immune to education are also extremely upset at even the slightest change to the routine, they have simply put their brain on the shelf at the end of their formal education and are determined to never use it again).

      Then the other 60% just need the best pointers for some of the key signs that the sender may not be who they say they are. E.g., "External Email", "Action warning" and blocking EXE, AV scan for corrupt documents, etc.

      And of course, anyone can have a bad day, not enough coffee, awake all night with the kid(s), etc and click one time on a dodgy link.

      1. Anonymous Coward
        Anonymous Coward

        Re: Phishing simulations a waste of time

        Nonsense.

        These tests are just due to low IQ security people being hired. They don't actually know anything so they invent crap like this (and insanely boring training courses).

        For example, our org replaces all HTML email "external links" with links that look like they are internal but redirect to external links. Just to make it even harder to figure out if an email is an attack or an actual internal email.

        They also have a big flashing "this came from an external email" banner... then have genuinely internal mailing lists that trigger it.

        So, yeah - training should start with the security group.

    2. doublelayer Silver badge

      Re: Phishing simulations a waste of time

      "Rather than waste everyone's time, better to build a working defence against these incoming emails in the first place."

      People have been trying to do that since the 1990s if not before. If you can find a better way than all the alternatives, you can probably sell it to a lot of people. The problem is that, just like all the others, your solution will either pass through some phishing or dump some important emails in a location where nobody can find them, probably both. This is why people are trained to know that it might come in and tested to make sure they're aware about what to do.

      Your suggestion is yet another item in the familiar category of requesting that a computer make it impossible to do something undesired. From the earliest computers, people have been asking for them to eliminate human error. Some types of human error can be limited, but none can be eliminated and some types can't be reduced much at all. By all means keep trying, but I'm going to continue having plans for if you don't achieve 100% success.

  17. tiago.pelicari

    Fake news to combat phishing

    What a wonderful idea, huh?
