by jameshart 817 days ago
Running managed phishing campaigns against your internal staff erodes trust too. It’s a widely implemented practice but I’ve never seen evidence that it actually improves security or whether the negative impacts of trying to trick your own staff are actually worth the tradeoff. My sense is it’s really only useful for measuring how porous your organization is to phishing to decide how to invest in training/other security efforts.

I suppose with internal users you can theoretically target test-failures for individual training or performance intervention - for customers you can’t do that.

1 comment

One place I worked would use real, legitimate companies for their phishing attempts.

That annoyed me to no end.

Literally the email domain, address, company, etc. would match something in real life (I checked).

Is that phishing or just being a dick?

I received an internal simulated phishing email to my work address, masquerading as a fake Google Play invoice - which happened to show up thirty minutes after I had adjusted payment details on a Google Play subscription under my personal email.

It was obviously fake, but the timing was so suspicious, and it came in to the wrong email address - so my first thought was not ‘ah, here’s my Google Play invoice’; nor was it ‘ah, a phishing test, let me report it and feel smug’. It was ‘oh crap, my phone must be compromised’ - if someone knows I just updated a Google Play subscription, and they cross-associated it with my work email, the only place those come together is on my phone.

Then when I got confirmation that it was a simulated phishing email, my second thought was ‘wait, did the corporate endpoint security system monitor that I was just on the Google Play store and send me a targeted phishing attack?’ - which is a significant hit to the degree of trust I place in my employer.

Turns out no, it really was just a randomly selected phishing template and a wild coincidence. But for me it says it is a very bad idea to send out phishing emails that masquerade as real services your employees might use in their private life.