this post was submitted on 05 Jan 2024
737 points (98.7% liked)

memes

10216 readers
3927 users here now

Community rules

1. Be civilNo trolling, bigotry or other insulting / annoying behaviour

2. No politicsThis is non-politics community. For political memes please go to [email protected]

3. No recent repostsCheck for reposts when posting a meme, you can only repost after 1 month

4. No botsNo bots without the express approval of the mods or the admins

5. No Spam/AdsNo advertisements or spam. This is an instance rule and the only way to live.

Sister communities

founded 1 year ago
MODERATORS
 

Alt text: Michael Scott Handshake meme. Managers text: "My company Congratulating me on avoiding a phishing test email". Michael Scott text: "Me, terminally behind on answering email."

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 13 points 10 months ago (4 children)

Does IT want useless reports? Because that's how you get useless reports?

[–] Alteon 10 points 10 months ago (1 children)
[–] CurlyMoustache 4 points 10 months ago* (last edited 10 months ago)

There are no "useless reports" when compared to the alternative

[–] [email protected] 5 points 10 months ago* (last edited 10 months ago) (1 children)

The IT people send out the phishing mail themselves as part of a test. It isn't an actual phishing mail, just something made to look and act like one. In the end they have a report which people fell for it, which ignored it (or were ooo) and which reported it.

Reporting is done via the report phishing feature in Outlook. For consumers it's sent to Microsoft, but for businesses you can configure those reports to do what you want. It's actually a really good feature and people should always use it.

[–] [email protected] 3 points 10 months ago (1 children)

Does your IT team tell you that they're performing the test and to report, or is reporting phishing always constantly recommended. I've managed a small org ( <100 ) email server and we tried to have people report suspicious emails and it was so much noise and wasted so much time. Of course the CEO isn't requesting you buy gift cards, what am I going to do about it. I'd say the money would be better spent on a better system rather than hope one human forwards it to another human.

[–] [email protected] 3 points 10 months ago* (last edited 10 months ago) (2 children)

They don't tell us they are testing, it's done at random. Reporting is policy, it needs to be done with every phishing mail that gets past the filters. It's one of the big ways a company is vulnerable, an employee clicks on a link in a mail, opens something they shouldn't and before you know it there's been a databreach. I don't think they are especially worried about the employee leaking his personal info, they are worried about targeted attacks and corporate espionage.

I'm sure there are a lot of false positives. Even though I work in a technical company, we have plenty of people who aren't as handy with tech. People get training regularly and if one person reports a lot of useless I'm sure they will train that person extra. I think for a lot of people except maybe sales something like 80% of all mail is internal. And the other part is probably 50% repeating automated mails. So the number of mails that could even be phishing are limited. It's a mid sized company with about 1000 employees.

[–] [email protected] 1 points 10 months ago (1 children)

I see the benefit of reporting to catch false negatives of the filters, but in reality, if I received more than one report in a week or two, id consider a new system for scanning. A 20% false negative rate is pretty bad. Most emails should be easily identified, and I think it's unreasonable for end users to check if the sender domain name is newly registered, has utf-8 characters which look like ASCII characters, etc. The metric for success shouldn't be a high number of end users reporting phishing emails, but that seems to be what upper management wants to see, which just incentives less resources invested in better scanners with less than a 20% false negative rate.

[–] Promethiel 2 points 10 months ago

The metric for success shouldn't be a high number of end users reporting phishing emails, but that seems to be what upper management wants to see, which just incentives less resources invested in better scanners with less than a 20% false negative rate.

The eternal battle between the "oh we go by data backed metrics, much measured, I feel this is the best" executive suite and the poor saps beneath twirling the data backed signs going ignored until money or disaster strikes.

Pity businesses aren't formed from the bottom up; it's like an octopus deciding not to listen to its arm brains until the shark has a bite of its head.

[–] [email protected] 0 points 10 months ago (1 children)

Sounds like your email software needs fixing....

[–] [email protected] 1 points 10 months ago

Sure let me go tell Microsoft

[–] [email protected] 1 points 10 months ago (1 children)

No, it's better to get some useless reports than to get no reports at all because "somebody will surely report this".

Also people stay alert when punishment is an option.

[–] [email protected] 1 points 10 months ago

It's actually a big problem: https://en.wikipedia.org/wiki/Alarm_fatigue more alerts is not always better.

[–] [email protected] -3 points 10 months ago (4 children)

This is how they justify their jobs.

[–] [email protected] 9 points 10 months ago

No. Technically illiterate users, that's how we justify our jobs.

[–] [email protected] 1 points 10 months ago

Justify their jobs? Their job is to set shit up, then be around at all times to help already frustrated people to do something they just forgot how to do today for no reason. And then, to politely listen as the person makes excuses to preserve their ego

Security compliance? That's handed down to them. If they had a hard on for cyber security, they could make 2-3x as much and no longer have to explain to people that they joined the wrong teams call

I make a point to get to know the service staff. Chat with the custodian. Go to IT when you don't have a problem... Get to know them a little as a person. Then, when you have a problem, you don't have to make a ticket and wait for them to get to you. You already know them, and they feel respected as a person - they might not drop everything, but they're going to bend the rules and quietly tell you how to navigate the system to get what you need as painlessly as possible

They'll also know if you're an idiot or not already - they might know to trust you at your word, or they might know tech makes your eyes go glassy and hold your hand patiently... But either way, the respect makes them want to help you, and the preexisting relationship makes the whole experience less painful

It is a shit job... It's the overlap between being in the service industry and a tech worker. Almost all of them couldn't make it in a more specialized role that would pay far, far more, and if you walk in during downtime half of them will be practicing their programming hoping to get a better job

[–] LemmyIsFantastic -1 points 10 months ago

I think you mean satisfy regulatory requirements.