[imzadi]

I run my organization's phish sims, and we had a similar issue one month. A bunch of people failed for downloading attachments. When I looked into it further, all the attachments were downloaded by the same Czech IP address. With some research, I found that it was an AVG IP address. The fix is very simple. The phish sim service has a place to exclude IP ranges. Any activity from those IPs are just ignored. I'm sure all phish sim services and software have this ability.

[sdrinf]

Question: why is clicking on the (test) phishing email's link "fail"? Isn't the whole contract between browsers and society that one can safely open any website they want (ie loading a webpage is safe), and what you do on the actual site is the actually unsafe op?

Asking because in the vast majority of cases, the phishing landing page has way more signals to recognize than the email headers.

[linuxalien]

Unfortunately not. If there is a 0 day vulnerability, or you're running an older version of a browser for a known patched issue, you may find yourself with a remote code execution, or 0 click download. Or it could be another kind of exploit, maybe your email service is vulnerable to XSS attacks. Like operating systems, browsers can have security issues too. So trusting your browser to see if a phish is really a phish is just unnecessary risk. I've worked with clients that have ended up with crypto lockers from clicking the link. Even from the IT side, I'm not going to increase the risk by opening a known phishing link to check how good it looks. If I am, it's going to be in a system that doesn't have active logins to other systems/sites, and is in easily disposed and reset. Check out all the YouTubers getting channels hacked with session stealing. Yes, they are falling for phishing attacks, but you really don't know what the attack vector is going to be. It might just be a fake login, or it could be much more sophisticated.

[sdrinf]

Thanks, that makes sense!

[Finnucane]

Now when I see a phish, I check to see where it is coming from. 97 percent of the time, it is a test. We're getting these tests often enough that I just assume that's what it is.

[imzadi]

Which is fine, actually. If you see it and think "oh, IT is at it again" and delete it or report it, mission accomplished, because there is still that 3/100 chance it is real.

[Kinrany]

It only works on fake fishing.

[imzadi]

So when you look at the sender of a suspicious email and it's not the phish sim service you just go ahead and open it? That doesn't sound like a problem with the phish sim.

[Kinrany]

It's certainly a problem with the phish sim if you're trying to teach people not to open random links and instead you're teaching people not to open phish sim emails.

It fact, it can be actively harmful if it creates a false sense of security.