Fake phishing by employer

Signed-In Members Don't See This Ad
Cwalker935

Cwalker935

Member
Joined
May 18, 2014
Messages
3,525
Location
Richmond, Va
The IT department at work decided to do some cyber security training today by sending out a fake phishing email to a random group of employees. I was not selected in the random group so was not directly impacted. Several of my co-workers in my Division were selected and one fell for the scam. He and another co-worker were greatly angered by the exercise even tho there were no repercussions for falling for the fake email. I was surprised by the strong feelings and resentment that these two co-workers had. They felt that they were being tricked and that they were not trusted by their employer. I am just curious whether this type of training is common and if others would feel the same way as these two co-workers.
 
Signed-In Members Don't See This Ad
We're subjected to those sort of tests pretty regularly. The last one was a spear phishing exercise, where they target you specifically with some minimal amount of personal information and try to get you to give up further data, such as your smartcard PIN or network password.

So, regarding trust... I guess the employees would like to think that their employer trusts them to recognize these kind of emails and report or ignore them. The problem is not of trust, it's that people don't recognize these kind of things. In my agency of 18000 employees, the last test resulted in 1300 people clicking a link to go to a page where they were to enter personal info, and 850 actually entered their username and password. Bad news.

These things don't bother me at all. It has gotten me to the point where I am suspicious of every official looking email. That's a good thing.
 
I've never heard of that but it seems like a good opportunity to teach people. As long as the "suckers" names are not divulged to the workplace and the company follows up with a training email afterwards for everyone to learn from I see no foul. If a victim announces to all around that they fell for the phish then they can deal with any razzing they get. Far less of a violation than drug testing.
 
My reaction was increased awareness, this probably made me think more than the periodic mind numbing mandatory training lectures.
 
Jeff is all over this. About 3 weeks ago I get an e-mail from a known sender. Looks a little strange in that it just says "Click on link to open secure PDF". I call the company and as soon as I say hello to the owner he says, "Don't click on the link"! His computer had been compromised and every contact he had was sent a message. Ransom ware.
 
I work for HCA (Hospital Corporation of America). Patient and employee record security is a big priority. We are constantly being trained and alerted to scams. I am not sure if any of us were ever randomly targeted for such a "test", but it would not bother me if I was (and failed).
 
terry q said:
They are pissed because they did something stupid and got caught. They proved they can't be trusted. I have no sympathy for them.
Click to expand...

One of the two did not fall for it and reacted as she was trained to do. She is normally very rational and level headed. I was really surprised by her anger. The other guy actually gave them his password. He lives to find something to complain about so his reaction was his typical behavior- no sympathy for him whatsoever.
 
There's a difference between "trust" and "training" and the only way to see if someone has been trained is to to test them. Nothing new in the corporate world. Doesn't sound like anyone's integrity was being tested, only their training. Why would an employee be upset about their company taking steps to insure that the company is protected, especially in this day and age?
 
If you think a fake email test is bad, try driving 60 miles one way to a remote job site, getting set up, dragging out 300 lbs of tools, and a ladder to boot. BTW, this is all before 6 AM.
Then, your foreman walks up to you & tells you that you've been selected for a random urinalysis. That means you have to drag the ladder & those 300 lbs of tools back & secure them in a gang box, then drive almost 100 miles to the test facility to pee in a cup for no reason whatsoever.

It used to be we didn't get paid for that until our union stepped in & said the company had to pay us for that day.
One week, they tested everyone on the job. Guess how much work got done?
That's right, zero.


Now, that's something to get mad about. :mad:
 
I lived for 25+ years in another country as the internet began its trek into WWW land. (think 300 baud). I remember the first innocuous viruses and some early phishing scams. I lived close enough to a couple of countries and had acquaintances/co-workers in several countries where cyber security was an absolute necessity. Even with VPN, life was dangerous with email. And my coworkers were well aware of this. Back in the late '90s, two workers in a specialty field (health related) were murdered shortly after leaving one country and then sending a short email to the home office about contact information.

I can go on and on about security in some countries and even back here (USA) for people who have "friends" who are overseas.

I am paranoid for a reason when it comes to email and web sites, not so much for me as to friends who I still have overseas. Even with knowing what can happen and what has happened, I know former co-workers personally (some in leadership) who disregarded safety protocols and put lives at risk.

For Company privacy and information security, it is a risk in emails.
Some people just don't think;
Some people think "they" are immune;
Some people think that their "trusting instincts" are better than others;
some people just like to flirt with danger and see how much they can get away with;
A few think they can out con the con-phishers.

There are a hundred ways to describe these folks. IN the end, it is dangerous to the integrity of the company they work for.

IF your company is working with a company in another country Or in the USA, your company's weakness is shown by those who open such email. Cyber theft of company information comes from one person in your company opening a phishing email planted by a competing company.
 
Last edited:
Cwalker935 said:
They felt that they were being tricked and that they were not trusted by their employer. I am just curious whether this type of training is common and if others would feel the same way as these two co-workers.
Click to expand...

I don't think they were angered by the tricking and lack of trust as much as that they showed they couldn't be trusted. As another poster said, it is about training. IF these two guys will just bite the bullet and become the poster guys for how important it is to follow protocol.
 
I am going for my Security+ certification and Employee training is a big thing in some of the lessons. If it was my network I would be doing this all the time to get employees to start thinking before they open any attachment. It is called Social Engineering and takes many forms but relies on the employee being targeted not be thinking.
 
I am a retired Chief Information Security Officer for a Fortune 500 company. Exercises such as this are an absolute necessity in today's world. The advent of email and all the ways it can be spoofed (remember to log off of your workstation before you head out to lunch) had brought us to the place we are today.

Training is absolutely necessary and -- as one poster has stated already -- the only way to know if your awareness program is really working is to test it. If someone is upset about not being trusted, then they certainly do not understand the concept of cyber-security and how a seemingly minor breach can lead to enormous consequences.

Kudos to those who did not respond to the phishing email. Remedial training for those who did.
 
What some of these employees do not understand is that it only takes one of them to fall for the scam once and they compromise the whole system. 99 can react properly but it's that one guy/gal that clicks that opens the door. In my previous job we we constantly tested, we were supposed to be "trained professionals" when it came to computer security matters and we STILL had the occasional "clicker" which meant that everybody in the division had to undergo re-training on the subject, normally after duty hours or over the weekend. They made it painful on purpose and as much as I used to complain about it it WAS necessary to drive home the point of "think before you click".
 
I worked for the franchise owner of 12 retail locations. One day all 12 stores received a real 'ransom email'. 4 of the stores fell for it and clicked the link and froze the store computer systems. We did not pay the ransom but it took 3 days and some new hardware to get the 4 stores up and running again.

I would have no problem with testing and training like you describe. Don't your fellow employees ever watch the news about all the data hacks and all the credit card and personal info that is stolen? Remember when Target had the problem not long ago!
 
At my first duty station in the Air Force back in 1997, the base actively ran a password cracker program for any user that had internet access. If they cracked your password, your account would be locked and you'd have to go get your password reset.
 
Better they got caught by a inter phishing test than a real one. Working in IT, we have to deal with the the real thing ALL the time. We can filter/catch some, but some make it through and YES people click them!

We are fighting constantly to train/retrain people. And yes, some people do it more than once!!!
 
Our IT director said they may also start doing phone tests. There are phishing scams where the caller offers money for sign ons and passwords. A couple Apple employees took $20k.
 
My company does it all the time and since they started doing it their has been an significant increase in the number of spam reports. It might not seem like a big deal but one virus inside your firewall pretty much ruins the day / week for your IT department.
 
I received them quite frequently with my previous employer (a multinational conglomerate on the Dow Jones). IS was very important to them. The company I'm with now has not sent m any phishing emails in the six months I've been here. It too is a multinational conglomerate. I've never seen anyone get upset by the emails as it was a necessary part of security.
 
I personally have one rule with e-mails..........

"When in doubt......Delete!"

I would rather get in trouble that way, then having my PC hacked or information stolen.
But that is just me.
 
Both of those 2 employees need an attitude adjustment and the one who fell for the phishing email needs more training.
The costs and damage caused by the adversary is too much to ignore.
 
You must log in or register to reply here.
Back
Top Bottom