by nothrabannosir 2271 days ago
> The conclusion we came to was that the only solution to phishing was education, and education was also nearly impossible to get 100% coverage.

A friend works for a company that fires employees after failing three phishing tests.

It doesn’t solve the problem for those people, but it does work for that company. What has priority depends on your management style :)


The only way to pass the phishing tests at my employer is to never click links in email. But then we also have a number of official systems sending emails with links in them (bug tracking, code review, Zoom invites, HR portal, etc).

The only way this kind of policy makes sense is if you have to actually give the phishing site some kind of credential in order to fail, vs. merely opening it.

If someone has a Chrome zero-day, we're done anyway. Just post it on HN.

This is my major concern. Heaps of legitimate companies send emails with links to things like 'http://dh380.<third party server>.com'. We're being trained to accept this sort of silliness.

I don't think it's realistic to live in constant fear of browser sandbox escapes, or to consider visiting an arbitrary URL "silliness." If your threat model includes people willing to burn Chrome 0-days on you, you need an air gap.

The much more relevant battle is preventing credential theft, which you can solve completely at the technical level with U2F. And if you can't, user education on "check the URL before typing your password" is a little more realistic than "don't open links from email ever."
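To show why the comment above can say U2F solves credential theft "at the technical level", here is an added simulation (not code from the thread): a browser puts the origin it is actually on into the signed data and a security key only answers for the site it was registered with, so a challenge relayed through a look-alike page never verifies. It goes a little beyond the comment by showing both layers separately. Assumptions: HMAC with a shared secret stands in for the authenticator's ECDSA key pair, and the hostnames accounts.example.com and the .test phishing host are constructed.

```python
import hashlib
import hmac
import os
from urllib.parse import urlparse

def client_data_hash(origin: str, challenge: bytes) -> bytes:
    # The browser, not the page, writes the origin it sees into the signed data.
    return hashlib.sha256(origin.encode() + b"|" + challenge).digest()

class Authenticator:
    """Security-key stand-in: one secret per relying-party ID (site hostname)."""
    def __init__(self, scoped: bool = True) -> None:
        self.scoped = scoped  # False models a credential that is not site-bound
        self._keys: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        slot = rp_id if self.scoped else "*"
        self._keys.setdefault(slot, os.urandom(32))
        return self._keys[slot]  # symmetric stand-in for the public key

    def sign(self, rp_id: str, data_hash: bytes):
        key = self._keys.get(rp_id if self.scoped else "*")
        if key is None:
            return None  # no credential registered for this site: refuse
        return hmac.new(key, data_hash, hashlib.sha256).digest()

class RelyingParty:
    """Login server; verifies assertions against its own origin, never the page's."""
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = urlparse(origin).hostname
        self._creds: dict[str, bytes] = {}

    def register(self, user: str, auth: Authenticator) -> None:
        self._creds[user] = auth.register(self.rp_id)

    def verify(self, user: str, challenge: bytes, signature) -> bool:
        if signature is None:
            return False
        expected = hmac.new(self._creds[user], client_data_hash(self.origin, challenge),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

def login_attempt(page_origin: str, server: RelyingParty, user: str, auth: Authenticator) -> bool:
    """The page at page_origin relays the server's challenge (as a look-alike
    page would); the browser signs with the origin it really sees."""
    challenge = os.urandom(32)
    rp_id = urlparse(page_origin).hostname
    signature = auth.sign(rp_id, client_data_hash(page_origin, challenge))
    return server.verify(user, challenge, signature)
```

With a scoped key the authenticator refuses outright on the wrong host; with an unscoped one it signs, but the server still rejects because the origin baked into the signed data is not its own.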

While I agree with you, I'm far less concerned for my family/friends/colleagues about a sandbox escape compared to accidentally putting information in to a malicious site.

Yes, and "consider the URL and how you got there before typing in your password or credit card" is a lot more realistic than "don't click links." Still, clicking the link fails the phishing test all by itself.

Then I would have gotten fired. That's a ridiculous policy. Do they fire people for making mistakes too?

As a security engineer in a previous life, I always open the links in phishing emails (in an isolated and secure VM). I would fail the tests at work every time, but luckily the person in charge of them knew what I was doing and didn't care.