Your anti-phishing test emails may be too easy to spot. NIST has a training tool for that The US National Institute of Standards and Technology (NIST) has said it has developed a way of measuring precisely why corporate staff click on obvious phishing emails and open malware-laden attachments, despite warnings not to do those things. "Many organizations have phishing training programs in which employees receive …
I used to get lots of "your webmail account is full dear sir" phishing attempts per day. Most of them using Weebly (which can rot in hell).
Sometimes I wasted my time locating an abuse report form since Weebly (why is this still a thing?) does not add a link to report abuse in each of the forms created by their non-paying customers.
Weebly (may a million locusts chew on its gonads) never took any action. I still get the same messages with the same link.
Gave up on reporting abuse. Life is too short to try to report stupidity on the web. Maybe I'll write some scripts to add a whole bunch of fake data just to keep the criminals happy and busy.
The thing is, a moment of stupidity can hit anybody and that's what they're hoping for. A moment of stupidity.
A few months ago we were warned of a phishing email and it looked legitimate as well. Not sure how they were able to get the signature but they did that very well.
I used to work at NIST. I once got an email asking for loads of personal details for (I think) a weather warning system. The email was signed by NIST personnel, but sent from an external account. BAM! I sent it to the phishing alert email. I got a very snarky response telling me that NIST had contracted this company to help with the warnings, as such emails will come from them and that I should have given them my details by now. I protested and said that these "legitimate" emails that look like a phishing scam train everyone to do the wrong thing (and I assume others did too). Then never responded to me directly instead they sent a NIST-wide email around to confirm that we were meant to click on the link, and complained about those who were wasting time by claiming it might be a phishing scam...
Great research happens at NIST, but many of the people who run the IT services there are painfully incompetent.
Great research happens at ${institution}, but many of the people who run the IT services there are painfully incompetent -- FTFY.
I used to teach in the computer science department of a small university in a large coffee- and samba-oriented country. We had memorable fights with the IT department about their so-called work. We were the only group that didn't buy the BS they told us that was "policy" (aka we don't want to do it) and "because of limitations on technology" (aka we don't have a clue on how to do it).
My employer regularly asks us to do phishing awareness courses.
I am a customer as well as an employee and the emails they send to me as a customer always raise red-flags if I follow my training. In other words they are training their customers to accept questionable emails. I have raised my concerns but no one listens.
A bank I was once with, sent me an email every month to view my statement online including a link to access the bank's login screen. Utter stupidity and begging for phishing emails to do the same; except of course you would be entering your login information onto the scammers clone of the site.
I don't know entirely how 'they' did it, but fraudsters, having stolen lots of my post from financial institutions managed to:
1. Create an account in my name at HSBC. Which stayed open for almost two months AFTER I'd alerted them to its fraudulent nature.
2. Managed to empty one one my pension funds into said HSBC account and then transfer the money elsewhere (after 1).
3. 'They' were in the process of emptying another pension account when I contacted the provider to warn them, which stopped that.
4. Emptied two access only by passbook and signature building society accounts over the Internet, transferring the money via a fraudulently set up account at said Building Society in my name to said HSBC account.
5. Emptied a shares account AFTER I had warned the company by e-mail of scams, and said company had replied saying they had communicated it to the relevant department.
6. Set up two Direct Debits on a current account taking almost £9,000 before I found out.
These people were / are professionals at their 'jobs', and almost got away with about £100,000 of my money* (I didn't work hard for it, I suffered incompetent management, bullying, lack of promotion, ignoring my sensible ideas - until 'suggested' by the manager I'd just been talking to - you know, standard IT 'career progression').
Anything that raises awareness amongst staff at companies of phishing and fraud is good in my opinion.
And guess what: The UK fraud investigators cannot be bothered to investigate because, as I've got the money back* I have not suffered a crime!
BTW: There is a Panorama program on BBC 1 tomorrow night about how HSBC allowed transfer of illegal funds.
If you stop getting post from banks, building societies, pension companies, credit / debit card statements etc. be warned, and let them all know, if only so you can tell them it is their fault if they get done. Note, at no time did I authorise in any way any of these transfers.
*(Fortunately as I was able to show that it was entirely the fault of the organisations, I got my money back, eventually.)
Still get worked up about this, 'cos, I know you are all paid your true worth, b ut £100k is actually a lot of money to me.
My sympathies. I am afraid your story is just an early warning of the coming digital pandemic. It is scary how shaky the whole trust and identity infrastructure is in the UK. I really don't know why we bother having a nuclear deterrent when we are much more likely to be taken out by a digital first-strike. That's if the criminal gangs haven't comprehensively looted the entire country first. And the digital knowledge among the political and civil service leadership is pathetic, under trillion-dollar Cummings and the Government Digital Service (aka the Ministry of HTML). Our digital infrastructure is built on a quicksand of vulnerabilities and insecurity by design. The powers that be know it, and their response is always to blame the victims. I guess that's why hackers leave the politicians alone - they know it's the only thing that would provoke the negligent bastards to action.
Please don't (all) take this personally, but my posts here that I am proudest of get 3-6 votes. My daftest posts get 30-60 votes.
I propose a system where we can swap ten votes from our silliest posts for one vote on a post we are actually proud of.
I've never fallen for a phishing scam, but I did once fail badly when trying to email, phone and mobile phone different people at the same time. And I was probably chewing gum. Stupid is as stupid does too much.
We did a test phishing email around March this year and about 50% clicked on it and provided their passwords. I knew there would be some but yea.
The silver lining was that the ones that logged the email with the support delivery team did well and the SD team escalated as per protocol so IT wise we didn't do a bad job. Even saw an email alert go out about 30 minutes after the fake phishing email warning people (the SD team and almost nobody knew it was a test)
Anon, obviously.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
