My company started with mandatory cybersecurity trainings for all employees. The training tool sends out automated emails to remind you when you have to do a new part of the training.
These emails, from a cybersecurity course, followed all the rules of being a phishing email:
- Sent from a non-company server
- Had a big red button to click here
- Urged you to take action (“You have 5 days to complete your training”)
IT decided to fix that by adding a line to the emails saying that this email is really from our company. Like a phisher wouldn’t think of saying “nah, trust me bro, I’m totally legit.”
That’s what always kills me… the line of “this is not a phishing email” as if just anyone can’t add that. If anything that line makes me more suspicious.
They could send an email from a legit company email stating “mail XXX will send you some legit emails in a week or so, do them.”
That’s what my company finally did, it works out a LOT better for everyone.
I emailed my IT team when I saw something suspect (which was a phish test), and they said “good job, but in the future click the link we insert in the email body to report.”
Hmm… actually, I’d rather not click anything in a dodgy email, thanks.
And now you’ve passed the second test. Don’t trust links in dodgy emails.
The lesson was “don’t trust anybody, not even your own IT team”
Especially your own IT team.
Do they mean a banner in the message with a report suspicious link?
Yes. It’s a legitimate inserted banner that goes on every inbound. It just blew my mind a bit that the correct action was to click a link in an email!