undefined | Better HN

0 pointsWorkaccount26mo ago0 comments

My It department does mandatory phishing training every year, and then for the "test" e-mails, they spoof a domain and whitelist the DMARC on their side so it goes through.

So we get e-mails from @microsoft.com and it's only if you dig in the metadata that you see it failed authentication. The only tell in the e-mail is checking the URL, which doesn't tell you much because tons of regular e-mails use tracker redirects too. They even send emails from our own domain or the domain of our payroll company.

I won't type out my rant, but our IT department is a few guys who couldn't figure out what to do when their competitive xbox FIFA 2006 dreams failed, heard IT pays a lot with not much work, and then sat through the certs.

0 comments

stronglikedan6mo ago

> heard IT pays a lot with not much work

I want to live in this fantasy world!

(Our IT dept is so overworked that I go out of my way to work around them purely out of empathy.)

throwawaylaptop6mo ago

Every industry has its bad employers and good.

I know teachers that make $50k and no pension, with others making $93k, halfways to their pension at 35yrs old, get almost 12 weeks off total a year, and work from 8am to 3pm (1 hour lunch, 1 hour for 'prep' aka Netflix) and home by 335, and no, they basically never do any work at home. She technically has students (10 year olds she sends links to for their chrome books) about 5x53 minutes a day.

fair_enough6mo ago

That sounds like a good semi-retirement gig just to get out of the house for a little while. If you're teaching the tech-related electives rather than mandatory core courses, the students are likely a lot more pleasant to deal with. I took German just to get away from the all the kids taking Spanish or French who were just there because they have to get their foreign language credit.

1 more reply

bongodongobob6mo ago

No one in IT wants to deal with that stuff. Upper management requires it for compliance and cyber insurance.

fair_enough6mo ago

My university pulled the same BS 10-15 years ago. The worst part is that they sent the "test" email from the same email address they use for all of their other announcements, and then had the gall to send an automated "shame on you" reply if you clicked their link.

Knowing what I know now about the IT staff and professors and knowing in hindsight only 3-4 of my CS classes were of any relevance to my work, I seriously regret not cheating my way through undergrad. I wish I could take back the time I wasted on Java and spend it with my N64.

BobbyTables26mo ago

My company does similar phishing thing.

Except their system adds extra headers related to the phishing… Wonder if they even know…

Thus, I created an Outlook rule to automatically move them to a dedicated folder… (;->

cameron_b6mo ago

Hey, simulating the hack is a lot better than using some canned tool with blatant knowbe4 urls.

Workaccount2OP6mo ago

The problem is that if you click one of the links, you need to do (well sort of) the hour long phishing class and testing again. But of course, nowhere in the class do they say anything about not trusting e-mails from a known safe domain.

Whats funny though is that if you click the link in a phishing test, they will e-mail you to complete the training. But there is no enforcement (general management doesn't care), so you just get a daily e-mail telling you that you are overdue. It also however stops them from sending the fake phishing emails. So a bunch of us clicked the phishing link, marked the "do your training" e-mail as spam, and now never get bothered.

arcfour6mo ago

Where I was, they tracked who didn't do it, and came down on them, then their manager, and then it became an HR issue. Only one or two people went down the HR path, and then they did the training pretty quickly. Of course it didn't start harsh, just "hey, a reminder, we are tracking this and you need to do it" but when you blatantly ignored it the response got more firm.

Also, the last one I took they talked about phishing using a malicious Google docs link IIRC.

Anecdotes don't mean you know everything about a system.

2019846mo ago

For anyone subjected to these, they usually contain the header X-PHISHTEST which you can create a filter for, and then either send them to trash or put them in a special folder so you can report them later.

bongodongobob6mo ago

You can use whatever urls you like.

j / k navigate · click thread line to collapse

0 comments

stronglikedan6mo ago

> heard IT pays a lot with not much work

I want to live in this fantasy world!

(Our IT dept is so overworked that I go out of my way to work around them purely out of empathy.)

throwawaylaptop6mo ago

Every industry has its bad employers and good.

fair_enough6mo ago

1 more reply

bongodongobob6mo ago

No one in IT wants to deal with that stuff. Upper management requires it for compliance and cyber insurance.

fair_enough6mo ago

BobbyTables26mo ago

My company does similar phishing thing.

Except their system adds extra headers related to the phishing… Wonder if they even know…

Thus, I created an Outlook rule to automatically move them to a dedicated folder… (;->

cameron_b6mo ago

Hey, simulating the hack is a lot better than using some canned tool with blatant knowbe4 urls.

Workaccount2OP6mo ago

arcfour6mo ago

Also, the last one I took they talked about phishing using a malicious Google docs link IIRC.

Anecdotes don't mean you know everything about a system.

2019846mo ago

bongodongobob6mo ago

You can use whatever urls you like.

j / k navigate · click thread line to collapse