by Calamitous 248 days ago
The only anti-phishing program I've ever seen that was even a little effective was at one company I worked at, where there was an ongoing phishing test.

Users were randomly selected to get the test, and each phish was hand-crafted to trick people specifically at our company (but using only publicly available information). Anonymized results were posted quarterly, divided by department.

I only got fooled once, but man, it felt so bad to see Engineering show up on the dashboard with one hit that quarter.

(Sales was usually at the top of the list, which makes sense, since they interface with a lot of folks outside the org)


These are exactly the kind of campaigns that studies show not to be effective (or even paradoxically ineffective). "Effective" doesn't mean "manages to successfully phish" (you'll always eventually be successful); it means reducing the likelihood that concerted attacks will be successful.

The actual response to phishing is to use authentication mechanisms that resist phishing.

Although, why limit it to publicly available information? Security is an onion. If somebody gets access to internal documentation, HR lists, etc, the organization should still be resistant to their phishes.
> If somebody gets access to internal documentation, HR lists, etc,

It's hard to be resistant to phishing at that point and you have bigger problems.

What if Susan in HR falls victim to token theft (let's say conditional access/MDM policies don't catch it or aren't configured, which many businesses don't bother with). Her email account is now pwned, and the company gets an email from her, it passes all verification checks because it's actually from her account.

It's still phishing, but the users have no way to know that. They don't know Susan just got compromised and the email they got from her isn't real. If this is a human attacker and not just bots, they can really target the attack based on the info in her inbox/past emails and anything else she has access to.

So there's no way for the organization to be resistant at that point until IT/security can see the account compromise and stop it. Ideally, it's real-time and there's an SOC ready to respond. In practice, most companies don't invest that much into security, or they are too small and don't have the budget for a huge security operation like that.

It's a really hard problem to solve.
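The comment above argues that once Susan's session token is stolen, nothing about her outgoing mail looks wrong, and the only remaining defence is the security team noticing the compromise. One of the cheapest signals for that is the token itself being presented from a client other than the one it was issued to. The script below is an added example, not code from the thread or from any product; the log format, field names, addresses and user agents are all constructed for the illustration, and the detector checks only the source IP and user agent at issuance against every later use of the same token.

```python
"""Added example: flag a session token that is presented from a client other
than the one it was issued to (the token-theft scenario described above).
The event format and the sample log are constructed for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str        # "login" (token issued) or "token_use"
    token_id: str
    src_ip: str
    user_agent: str


# Constructed sample log: Susan logs in from her laptop, then the same token
# turns up from an unrelated address with a scripted client. Bob is a clean
# control case. (Hypothetical addresses and users.)
SAMPLE_LOG = """\
2024-03-01T08:02:11Z susan@example.com login tok-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Edge/122
2024-03-01T08:05:40Z susan@example.com token_use tok-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Edge/122
2024-03-01T11:47:03Z susan@example.com token_use tok-7f3a 198.51.100.77 python-requests/2.31
2024-03-01T11:48:15Z susan@example.com token_use tok-7f3a 198.51.100.77 python-requests/2.31
2024-03-01T09:00:00Z bob@example.com login tok-91c2 192.0.2.5 Mozilla/5.0 (Macintosh) Safari/17
2024-03-01T09:30:00Z bob@example.com token_use tok-91c2 192.0.2.5 Mozilla/5.0 (Macintosh) Safari/17
"""


def parse_event(line: str) -> Event:
    """Split one space-separated line; the user agent is the free-text tail."""
    ts, user, action, token_id, src_ip, user_agent = line.split(" ", 5)
    return Event(ts, user, action, token_id, src_ip, user_agent)


def detect_token_reuse(lines):
    """Return (timestamp, user, token_id, reason) for every token use whose
    source IP or user agent differs from the client the token was issued to,
    and for tokens used without any recorded issuance."""
    issued = {}   # token_id -> (src_ip, user_agent) seen at login
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.action == "login":
            issued[ev.token_id] = (ev.src_ip, ev.user_agent)
            continue
        origin = issued.get(ev.token_id)
        if origin is None:
            alerts.append((ev.ts, ev.user, ev.token_id,
                           "token used before any login was recorded"))
            continue
        if (ev.src_ip, ev.user_agent) != origin:
            alerts.append((ev.ts, ev.user, ev.token_id,
                           f"issued to {origin[0]} / {origin[1]!r}, "
                           f"presented from {ev.src_ip} / {ev.user_agent!r}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_token_reuse(SAMPLE_LOG.splitlines()):
        print(*alert, sep=" | ")
```

Treat a hit as a signal to investigate and to revoke the session, not as an automatic lockout: phones change addresses on every cell handoff and corporate VPNs rotate egress IPs, so an exact IP match produces false positives in real fleets (comparing the ASN or the device certificate is more robust). The stronger answer, which this script only approximates, is to bind the token cryptographically to the device that obtained it, as in DPoP (RFC 9449), so a copied token is useless rather than merely detectable.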

HR shouldn’t be sending links anyway. They should send instructions: go to the portal (on your corporate controlled laptop, so this could be your new tab page) click on the paystubs link, blah blah.

Somebody in every big company is compromised already.

We got hit in a similar way. They didn't use HR's account to email but they grabbed the mobile phone numbers of everyone in the directory. They then started a text message campaign, pretending to be our CEO, demanding that employees go to Target and buy gift cards on behalf of a client.

One person actually did fall for it but decided to physically bring the cards to the CEO's office. Thankfully that exposed the attack and effectively halted any damage done.

These criminals are relatively clever.

I've noticed the gift card stands at Target and other stores around here now have a sign stating "If you received a text from your boss telling you to buy gift cards, you are being scammed" or similar.

I'm assuming it's the "easy" mode and they still have many successful phishing attempts, so it didn't make sense to go to the next level if the company still fails at the easy level.