posted by Fnord666 on Tuesday August 20 2019, @05:54PM
from the do-you-have-a-phishing-license? dept.

Phishing is still the most common way for cyber attackers to gain entry into networks. Whether it's crooks looking for financial gain or state-backed hacking operations engaging in cyber espionage, it almost always starts with a message designed to make someone click a link or give away sensitive information. Just one person falling victim can be enough to provide hackers with the foothold they need to gain access to the whole corporate network and the confidential information stored within.

But blaming the victim rarely solves anything – especially given how phishing emails can be so highly tailored towards victims, meaning it can be almost impossible to distinguish a real message from a spoofed one created as part of an attack.

"It's fairly easy for an attacker to get hold of an email address and pretend to be somebody," says Amanda Widdowson, cybersecurity champion for the Chartered Institute of Ergonomics & Human Factors and human factors capability lead for Thales Cyber & Consulting.

[...] "There's a power play going on in a lot of these emails. There's somebody impersonating a position of authority, of seniority, effectively saying don't ask questions, just get it done, which is effective," says Tim Sadler, CEO of email security provider Tessian.

"When people send spear-phishing emails, they're taking on the persona or identity of a trusted person. That personalisation makes it highly effective in terms of getting the target to comply with the request, pay the invoice, do what they need to do," he adds.

[...] "There's very little to let the person receiving the email know the person they're receiving it from is who they say they are. It's a little asymmetric, asking a person to do the hard bit, then not making life easy for them," says James Hatch, director of cyber services at BAE Systems.

This behavior isn't restricted to email either; there are times when banks, utilities, telecommunications and other service providers will call customers out of the blue, and then ask the customer to provide their personal security details to verify it's them, yet the customer has no way of identifying if the call is a hoax or not.



  • (Score: 5, Insightful) by DannyB on Tuesday August 20 2019, @06:18PM (16 children)

    by DannyB (5839) Subscriber Badge on Tuesday August 20 2019, @06:18PM (#882708) Journal

    Don't allow directly executable attachments. Warn users of them. Sandbox them. Scan them first.

    It seems a neverending war, but make file formats, or rather the programs that parse them, more secure. It should not be possible to cause Word or some video player to execute code by manipulating the data file. If someone opens a PDF, it should not cause their system to become infected.

    A corporate email system should flag EXTERNAL emails to alert internal users that this email comes from an outside source.

    Try to educate users. People need to be less gullible. And not just around computers. In all areas of life. Voting. Classrooms. When opening paper snail mail. (see Sharknado 6! [youtube.com] Based on the Incredible True Story! Tornadoes pick up sharks, bring them inland and drop them where they can attack people! Sharks move incredibly fast along the ground! These sharks even attacked the T-Rex! I know because I saw it by clicking the link to the trailer for the movie!)

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 4, Insightful) by AthanasiusKircher on Tuesday August 20 2019, @06:31PM (7 children)

      by AthanasiusKircher (5291) on Tuesday August 20 2019, @06:31PM (#882715) Journal

      A corporate email system should flag EXTERNAL emails to alert internal users that this email comes from an outside source.

      Indeed. This is the most significant thing. I worked for an institution a few years back where someone in the finance office received emails that appeared to come from one of the top administrative officers at the institution, ultimately requesting a wire. Luckily someone there said, "Huh -- we don't usually wire money this way" and asked questions before executing the order. Point is that the email address was spoofed, but the server it came from was wrong, which should have led to a red flag. But no one would know that unless they look at the email headers, or have something to flag such emails.

      To respond to one other thing in TFS:

      This behavior isn't restricted to email either; there are times when banks, utilities, telecommunications and other service providers will call customers out of the blue, and then ask the customer to provide their personal security details to verify it's them, yet the customer has no way of identifying if the call is a hoax or not.

      Uh, why not just say, "I'll need to call you back at the number I know is at your official website. Do you have an extension or a way to direct me to get to you using that number? I'm not giving my personal info out on the phone to a random caller until I verify who I'm talking to first."

      I frankly don't ever remember any company calling me out of the blue and then asking ME to verify who I am. They have my number; they should assume they're talking to the right person. But if I did have that scenario, I'd do as I mentioned above.

      • (Score: 2) by vux984 on Tuesday August 20 2019, @07:42PM (6 children)

        by vux984 (5045) on Tuesday August 20 2019, @07:42PM (#882747)

        You should always be able to accept / reject mail claiming to be from your own domain. This is what DKIM and SPF are good for. It doesn't help you if it's an "almost spoof" though...

        If you are john@fishco.com and someone sends a fully and properly SPF and DKIM secured message from john@FlSHCO.com you'll never catch it automatically. If you want to stop wire-fraud scams, you need clear and well communicated policy on authorizing wire transfers.

        "Uh, why not just say, "I'll need to call you back at the number I know is at your official website. Do you have an extension or a way to direct me to get to you using that number? I'm not giving my personal info out on the phone to a random caller until I verify who I'm talking to first."

        It's good advice, but you are relying on the victim to be sufficiently un-trusting and wary. And everyone has to get on board, stoners, the elderly, everyone... or someone still falls for it.

        "I frankly don't ever remember any company calling me out of the blue and then asking ME to verify who I am. They have my number; they should assume they're talking to the right person. But if I did have that scenario, I'd do as I mentioned above."

        It's happened to me several times; I wouldn't say it's common, but it definitely happens. I think on the whole companies are getting better but even if they never did it the scammers would keep on because people would still fall for it.

        • (Score: 2) by vux984 on Wednesday August 21 2019, @12:04AM (1 child)

          by vux984 (5045) on Wednesday August 21 2019, @12:04AM (#882866)

          Today I got hit with another Microsoft tech support scam call... with a new angle. This one was claiming I was owed a refund for the Microsoft technical support services because the government ordered them to shut it down. ... blah blah blah going to credit card/bank information whatever.

          Nobody savvy is going to fall for this, but the uninformed will. I'm kind of impressed really that they've taken negative news coverage of their own scam tactics and are leveraging that to bolster the credibility of this new scam.

          Some poor sap who isn't really following along is still going to have seen talking heads on the news and headlines in the paper or whatever about Microsoft tech support scams and that they are illegal etc, and without a finer appreciation for the details could well believe that the last computer they bought had a Microsoft technical support surcharge on it that Microsoft now has to refund them or something... 'they even heard something about that in the news' right? so it must be true!

          • (Score: 2) by DannyB on Wednesday August 21 2019, @03:05PM

            by DannyB (5839) Subscriber Badge on Wednesday August 21 2019, @03:05PM (#883159) Journal

            Nobody savvy is going to fall for this, but the uninformed will.

            The greedy will fall for it. Even if they are savvy. Their greed will override their logic and any ability to be skeptical.

            --
            To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
        • (Score: 2) by AthanasiusKircher on Wednesday August 21 2019, @12:18AM (1 child)

          by AthanasiusKircher (5291) on Wednesday August 21 2019, @12:18AM (#882871) Journal

          It's good advice, but you are relying on the victim to be sufficiently un-trusting and wary. And everyone has to get on board, stoners, the elderly, everyone... or someone still falls for it.

          What's your solution then? It's fine to complain about imperfect ones, but do you have something better?

          Because I don't think there is really one if people are freely allowed to make phone calls in a society. Sure, there are efforts to cut down on spam calls now (and we should try that), but that will never stop all scammers. I remember my grandmother getting scam calls 30 years ago. I also remember a scamming salesman coming to her door even longer ago than that. Scams are nothing new, and if you get rid of one form of it, scammers will try a different one.

          I don't really know why anyone would give ANYONE personal information upon request, unless they had a specific need for it. I've been to stores in the past decade that will ring my purchases up at the register and say, "Can I get your phone number?" I simply say, "No." Usually it causes them to look up in slight surprise, because I'm not impolite about it, but I'm also quite blunt. "Well, can I get an email?" "No." "Can I have your ZIP code?" "No." "Sir, our system just requires me to enter..." At that point, if I'm buying an item I can easily get elsewhere, I often just say, "Nevermind. I'll go somewhere that doesn't need my complete biography in order to sell me a lightbulb. Thank you," and leave. If I really just want to make the purchase, I'll just say, "Well, I'll give you a fake ZIP code." And usually the clerk is just happy to accept it.

          Similarly, many websites ask for all sorts of personal info for no apparent reason to sign up or register or whatever. I'm not giving them any personal information. If I'm making a purchase and they need to verify my payment address and phone number, I'll enter it then, but short of that, nobody gets my personal data. You want a birthday? I'll give you a fake one. You want my address? I'll give you a fake one. I have a few I use regularly for these situations, so if I'm ever asked again, I can guess what it was. You want an email? I'll give you a fake one, unless you need a confirmation to let me use your page, in which case I'll give you my spam email account that I never check except to establish those sorts of accounts.

          So, some random person calls you on the phone and starts asking you for personal information? Why the hell would you give it to them? I don't give it to ANYONE unless it's really necessary. (E.g., I have an established business relationship, and *I* made the contact. Or I am trying to establish an ongoing business relationship that requires such information.)

          Honestly, kids should be taught this from an early age. Elderly people likely have encountered scammers at some point in their lives, but if they've become gullible or unfamiliar with novel types of scams, they just need to be told not to give out any information to anyone who asks unless they made the contact themselves. If they can't do that, they need to have limited telephone access (keeping outgoing calls for emergencies, but screening incoming), or perhaps even live-in help. Just like children who aren't aware enough of scams, the elderly need assistance and watching. If you have another solution, we're all ears.

          • (Score: 2) by vux984 on Wednesday August 21 2019, @03:42AM

            by vux984 (5045) on Wednesday August 21 2019, @03:42AM (#882942)

            "What's your solution then?"

            I agree there isn't a solution. You can't fix stupid.

            But I do think fixing caller id properly would go a long way.
            - Don't let people generate numbers at will en masse that have no bearing to reality, and spoof numbers that don't belong to them.
            - Local numbers belong to entities within the country. Telcos should know who is using what numbers, and enforce validation before letting a number through.
            - Give people the tools to block them / report them. If I get a spam call claiming to be a number from inside the US, the caller ID should be traceable back to a US entity that's responsible for knowing who is making calls with that number, and taking responsibility for what their customers do. (e.g. cut service)
            - Show true call origin information. If the connection is coming from India then that should be made known. If they are 'proxying' through a US forwarder so it looks like it's coming from the US, fine, but then see the point immediately above.

            You also had a good idea.
            - provide inexpensive call screening to all customers or even build it into basic services, or free if you are over 65. Really, how many people call my grandmother?? A handful of friends and family members who would rapidly have their numbers whitelisted, and then everything else goes to a professional reception service that screens calls, manages whitelisting, and then connects people -- even offering a short introduction/warning prior to connecting and staying on the call for a minute or two. Major utilities and services could register their registered call out numbers for whitelisting in advance. Local businesses that generate a lot of calls out -- dentist appointment reminders, carpet installers etc, could register to be whitelisted locally or whatever, etc.

            So most legit calls wouldn't need interaction. With all that in place human screeners would only need to be involved in exceptional cases -- family checking in on grandma from a hotel in Bangladesh or a payphone in Florida; and a couple bucks on your monthly bill would cover that.

            Hell... if the incoming call isn't whitelisted, the caller pays 25 cents before connecting. With all above in place, you might not even need human screeners -- simply charging suspicious callers ought to ruin the economics of mass-robodialing for victims. Worried about scammers stealing someone's phone service and using it to mass call... default to a $2/month suspicious call limit at which point you need to call customer service to authorize increasing it. So a stolen phone service is good for 8 calls.

            There isn't a single good reason this stuff can't be done.

        • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @07:02AM (1 child)

          by Anonymous Coward on Wednesday August 21 2019, @07:02AM (#883001)

          if you are john@fishco.com and someone sends a fully and properly SPF And DKIM secured message from john@FlSHCO.com you'll never catch it automatically

          Huh? Why not? If you have a proper mail setup in place, you already have separated your user-facing MTAs (inside) from the Internet-facing MTAs (outside). That means e-mails from inside fishco.com should never be routed through the outside MTA unless coming from inside. You can, and should, have a spam rule in place to flag local domains coming from the outside interface.

          • (Score: 2) by vux984 on Wednesday August 21 2019, @05:14PM

            by vux984 (5045) on Wednesday August 21 2019, @05:14PM (#883231)

            "You can, and should, have a spam rule in place to flag local domains coming from the outside interface."

            john@FlSHCO.COM is not a local domain. The l is a lowercase L, so it's really john@FLSHCO.COM.

            What spam rule would you have in place to flag a message that properly passes SPF and DKIM for FLSHCO.COM, an external domain coming from the external interface??

            "Why not? If you have a proper mail setup in place, you already have separated your user-facing MTAs (inside) from the Internet-facing MTAs (outside)."

            You also don't really need this if you have SPF and DKIM/DMARC set up. Instead of a spam rule flagging local domains from the outside interface you publish a DMARC reject policy. At that point someone trying to spoof your headers would be caught and rejected because it lacked the signatures. It's actually a better solution because someone trying to spoof email as coming from you and sending to a 3rd party also gets rejected because if the 3rd party is checking DMARC policy they'll see that it's not signed properly and that your domain policy says to reject it if it's not signed.

            There's not really much advantage to the layout you've described but there's certainly no harm in it as 2nd layer -- defense in depth is impossible to criticize.

    • (Score: 3, Informative) by edIII on Tuesday August 20 2019, @09:29PM (4 children)

      by edIII (791) on Tuesday August 20 2019, @09:29PM (#882793)

      Nope. There are FOUR: SPF, DKIM, DMARC, and encryption. The 5th method hasn't been implemented yet, and that is email user interfaces actually showing the provenance of the email.

      -- SPF is super fucking easy. Anybody that says otherwise is a literal IT retard. So many tools out there to assist you, and it's a simple TXT record in the DNS. It's also not used correctly. I'm guessing that 90% or higher of SPF records specify a "soft" response, or in other words, "even if it's bad let it through". That was for the early days when debugging was required, and at this point it should be retired with a "fail". Email servers and MTAs have had more than enough time to adjust to SPF usage. More than enough time. We should be using SPF to white list our approved MTAs, and if an email doesn't come from an approved source, the recipient MTA should send the fucker to /dev/null. THIS ALONE WOULD HELP IMMENSELY. If properly implemented, attacks would have to originate from approved IP addresses, which means in order to spoof somebody the attackers have to compromise a different target's DNS and/or MTAs.

      -- DKIM is also fairly painless. There are tools to set it up, and it requires a DNS TXT record like SPF. Once it is in place, it allows actual authentication of the email by using information in the headers and a public key available from DNS.

      -- DMARC is somewhat new. You could be forgiven for not having one yet. That being said, DMARC helps coordinate usage of SPF and DKIM with defined policies of what to do when DKIM fails. It's another way for a corporation to define policies that receiving entities can use to help authenticate and route emails.

      -- Encryption. This one is also stupid simple, while also being almost entirely unused in the real world. Which is a shame. Important contacts between corporations could easily be encrypted in such a way that a spoofer/phisher has exactly ZERO chance of success. End-to-End encryption, if supported in email, would allow two parties to easily prevent all kinds of mischief. Yet for various reasons this is precluded, not in the least by data retention laws and monitoring of employees. However, it's entirely possible to create a workable platform that allows key escrow within corporations.

      Lastly, provenance. The vast majority of email users never even see headers, or understand that they're the "envelope". There should be an easy to see and understand provenance of the email. From the start of the chain, to the end of the chain, with security status for SPF, DKIM, and DMARC. If the email address is different (cousin domains), or SPF fails, or any critical rule is broken, the email is NOT RENDERED. If the "envelope" fails and provenance proves to be shit, then the contents should be immediately quarantined and forwarded to the sysadmin.

      Finally, the fact that most people just give up and use the big email providers is one of the biggest problems we face in email security. Google just doesn't give a fuck. They've dragged their asses on SPF, DKIM, and DMARC. So much so, that recent attack vectors and phishing campaigns have begun using security flaws within Google and Microsoft to send emails from systems that actually can pass SPF and DKIM (signed by Google/Microsoft). Regardless of how bad the major players are, they're still impossible to blacklist. You can't just tell a user that your email server accepts no emails from Google, although as a sysadmin, that's the very first thing I would do.

      Securing email isn't impossible. We actually have the tech to do it. Beyond that, we should be moving to an entirely new system anyways. Email is horrific for data transfers (base64 conversion) and just plain outdated.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
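      The lookalike-domain problem vux984 raises earlier in this thread (john@FlSHCO.com passing SPF and DKIM for its own domain) and the soft-fail SPF and p=none DMARC records this post criticises can both be checked mechanically. The Python below is an added example, not code from the thread or from any of the commenters: it audits constructed SPF/DMARC TXT records (the weak setup beside the corrected one; real use would fetch the records from DNS) and folds visually confusable characters to spot cousin domains of a protected list. The domains, the records and the one-character edit-distance threshold are assumptions for illustration.

```python
"""Audit of the SPF/DMARC policy a domain publishes, plus a cousin-domain check.
Added example; not code from the thread. The TXT records below are constructed
(example.com is a reserved documentation domain), not fetched from DNS."""

# Constructed sample records: the weak setup beside the corrected one.
SAMPLE_RECORDS = {
    "example.com": (
        "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    ),
    "secure.example.com": (
        "v=spf1 ip4:192.0.2.0/24 -all",
        "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    ),
}

LOOKUP_MECHS = ("include:", "a:", "mx:", "ptr:", "exists:", "redirect=")


def _is_lookup(term):
    """True for SPF terms that cost a DNS lookup (receivers cap these at 10)."""
    t = term.lstrip("+-~?").lower()
    return t in ("a", "mx", "ptr") or t.startswith(LOOKUP_MECHS)


def spf_findings(spf_txt):
    """Weaknesses in an SPF record; an empty list means it is enforceable."""
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        return ["no SPF record"]
    terms = spf_txt.split()[1:]
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append('no "all" mechanism: unlisted senders get a neutral result')
    elif all_term.startswith("~"):
        findings.append("~all (soft fail): spoofed mail is tagged, not refused")
    elif all_term.startswith("?"):
        findings.append("?all (neutral): SPF is effectively not enforced")
    elif all_term.startswith("+") or all_term == "all":
        findings.append("+all: any host on the Internet may send as this domain")
    if sum(map(_is_lookup, terms)) > 10:
        findings.append("more than 10 DNS-lookup terms: receivers return permerror")
    return findings


def dmarc_findings(dmarc_txt):
    """Weaknesses in a DMARC record; empty means a reject policy with reporting."""
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers have no policy to apply"]
    tags = {}
    for kv in dmarc_txt.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("p=none: failures are only reported, never quarantined or rejected")
    elif p == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being refused")
    elif p != "reject":
        findings.append("missing or unknown p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports showing who fails")
    return findings


def audit(domain, records=SAMPLE_RECORDS):
    """Findings for one domain's published records (missing records count too)."""
    spf, dmarc = records.get(domain, (None, None))
    return {"spf": spf_findings(spf), "dmarc": dmarc_findings(dmarc)}


def _fold(domain):
    """Collapse characters that look alike in common fonts (l/1/|->i, 0->o, rn->m, vv->w)."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("l1|0", "iioo"))


def _edit_distance(a, b):
    """Plain Levenshtein distance, enough for one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cousin_domain(sender_domain, protected_domains, max_distance=1):
    """Protected domain the sender domain impersonates, or None.
    An exact match is the real domain and is never reported as a cousin."""
    s = sender_domain.lower()
    for p in protected_domains:
        p = p.lower()
        if s == p:
            return None
        if _fold(s) == _fold(p) or _edit_distance(s, p) <= max_distance:
            return p
    return None
```

      Run `audit("example.com")` against `audit("secure.example.com")` to see the two records side by side, and `cousin_domain("flshco.com", ["fishco.com"])` for the lookalike case; the cousin check has to live on the receiving side, because the impersonated domain's own DMARC policy says nothing about FLSHCO.COM, which is exactly the gap vux984 describes.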
      • (Score: 1) by RandomFactor on Tuesday August 20 2019, @10:19PM (3 children)

        by RandomFactor (3682) Subscriber Badge on Tuesday August 20 2019, @10:19PM (#882821) Journal

        Haven't been paying attention. Is there anything actually going on regarding non-repudiable provenance?

        Maybe public key signing of headers or something? Or just PKI signing of the body or whatnot?

        --
        В «Правде» нет известий, в «Известиях» нет правды
        • (Score: 2) by edIII on Wednesday August 21 2019, @01:26AM (1 child)

          by edIII (791) on Wednesday August 21 2019, @01:26AM (#882894)

          regarding non-repudiable provenance?

          Not sure I understand you correctly, but this seems like the sending MTA having final say over actions in the receiving MTA. That's not possible, AFAIK. There are useful policies right now, but actions against the policies are always voluntarily followed by the receiving MTAs.

          DKIM does sign some of the header, but not all of it. Obviously, there are a lot of hops email can go through. DKIM only affects the hop/domain it can sign for.

          Between two parties you can set up encrypted email, and that is more than signing the body of the email. It's full encryption of the email content.

          --
          Technically, lunchtime is at any moment. It's just a wave function.
          • (Score: 1) by RandomFactor on Wednesday August 21 2019, @02:04AM

            by RandomFactor (3682) Subscriber Badge on Wednesday August 21 2019, @02:04AM (#882910) Journal

            Yeah, I don't think our words are matching up. That was...orthogonal.

            Rather than worry about it, I suspect we can both agree there's not much new in SMTPland.

            --
            В «Правде» нет известий, в «Известиях» нет правды
        • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @05:23AM

          by Anonymous Coward on Wednesday August 21 2019, @05:23AM (#882977)

          You could require S/MIME signatures on mail. Any entity on the chain of custody could sign the mail; this would include the sender and the sending MTA.

    • (Score: 3, Insightful) by RandomFactor on Tuesday August 20 2019, @09:46PM (2 children)

      by RandomFactor (3682) Subscriber Badge on Tuesday August 20 2019, @09:46PM (#882807) Journal

      A corporate email system should flag EXTERNAL emails to alert internal users that this email comes from an outside source.

      I've implemented this in various environments over the years.
      It's great if you've got the top level backing to make it stick properly and a user base that understands (or can be taught) the difference between 'outside the company' and 'malicious'.

      However, there can be...issues...

      For example - your company has outsourced HR and Retirement and five different helpdesks and Sales and Distribution and Marketing and Communications and random unknown other critical functions to external systems.
      Go implement these dozens and dozens of exceptions for these unsecured and easily spoofable external email senders (and more as we go along) and also for these partners (or you are fired.)

      And of course if you do remove the flag/stamp/annotation for exceptions things get even cooler as then you get it from both sides - NOW your users and random managers are pissed because WTF? This came from outside and isn't flagged! Fix this, we need to be able to rely on the stamp.

      Hey YOU! Department X has told their workers to NEVER open anything flagged so you need to exempt from flagging everything outside they work with (no they didn't check with you first.)
      Hey YOU! Salespeople can't scan down through their emails on handhelds because the subject has your stupid stamp in the way.
      Hey YOU! The guard shack has to scroll down in emails on their handheld device because you put your dumb annotation at the top of the text.
      Hey YOU! Can you flag emails from this (DMARC P=none) company as "TRUSTED SENDER" somehow for us?
      Hey YOU! We brilliant devs, who know more about email security than you lot, did NOT set up our dozens of shadow IT AWS systems (that are now production) in SPF/DKIM/DMARC and yes we HAVE to use the primary company domain and no we can't change it.
      Hey YOU! Can you make it a highlighted stamp for us? You can? Great, can you do it in the subject?
      Hey YOU! We need a stamp, but it needs different wording. And make sure we don't get both. OH, so does this other division. And that one too. Can you do it in different languages for Europe?
      Hey YOU! These five different divisions have contracted with their own marketing deliverability firms. Add all these entries to your DMARC records (and we don't care how many the spec says can be in there)
      Hey YOU! We need emails to this system exempted because the stamp breaks email processing and we don't want to tweak (or can't even find to tweak) a few code lines.
      Hey YOU! Can you help me to carry a stone? 

      --
      В «Правде» нет известий, в «Известиях» нет правды
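      The external-mail stamp DannyB proposes at the top of the thread and the exception requests listed above come down to one rule that can be written in a few lines: exempt a partner only when its mail actually authenticates, never stamp a subject twice, and treat your own domain on the From line as external unless DMARC passed. The Python below is an added example, not anything from the thread: the domains, the authserv-id `mx.fishco.example`, the `X-Fishco-Verdict` header and the sample messages are constructed for illustration.

```python
"""External-mail stamping with authenticated exceptions. Added example; not
from the thread. Domains, headers and messages are constructed for illustration."""
import email
import email.utils
import re
from email import policy

INTERNAL_DOMAINS = {"fishco.example"}          # constructed: our own domain
EXEMPT_PARTNERS = {"payroll-vendor.example"}   # constructed: outsourced payroll
AUTHSERV_ID = "mx.fishco.example"              # constructed: our border MTA's id
TAG = "[EXTERNAL]"
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg):
    """Verdicts our own border MTA wrote into Authentication-Results.
    Headers carrying another authserv-id are ignored; a border MTA should also
    strip any Authentication-Results arriving from outside before adding its own."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        if not str(hdr).strip().lower().startswith(AUTHSERV_ID):
            continue
        for method, verdict in AUTH_RE.findall(str(hdr)):
            results[method.lower()] = verdict.lower()
    return results


def sender_domain(msg):
    """Domain of the From header, the address the user actually sees."""
    return email.utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def classify(msg):
    dom = sender_domain(msg)
    res = auth_results(msg)
    if dom in INTERNAL_DOMAINS:
        # our own domain on the From line only counts if it survived DMARC
        return "internal" if res.get("dmarc") == "pass" else "external-spoof"
    if dom in EXEMPT_PARTNERS and res.get("dmarc") == "pass":
        return "partner"        # exemption only for partner mail that authenticates
    return "external"


def stamp(msg):
    """Tag the subject once (never twice), record the verdict, return the verdict."""
    verdict = classify(msg)
    subject = str(msg.get("Subject", ""))
    if verdict in ("external", "external-spoof") and not subject.startswith(TAG):
        new_subject = f"{TAG} {subject}".rstrip()
        if "Subject" in msg:
            msg.replace_header("Subject", new_subject)
        else:
            msg["Subject"] = new_subject
    msg["X-Fishco-Verdict"] = verdict
    return verdict


def process(raw):
    """Parse a raw RFC 5322 message, stamp it, return (verdict, final subject)."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdict = stamp(msg)
    return verdict, str(msg["Subject"])


def _sample(sender, subject, auth):
    """Build a constructed message with our MTA's Authentication-Results line."""
    return "\n".join([f"From: {sender}", f"Subject: {subject}",
                      f"Authentication-Results: {AUTHSERV_ID}; {auth}", "", "body", ""])


# Constructed sample messages covering the cases raised in the thread.
SAMPLES = {
    "vendor": _sample("Alice <alice@othercorp.example>", "Invoice 1234",
                      "spf=pass smtp.mailfrom=othercorp.example; dkim=pass header.d=othercorp.example; "
                      "dmarc=pass header.from=othercorp.example"),
    "forwarded": _sample("Alice <alice@othercorp.example>", "[EXTERNAL] Invoice 1234",
                         "dmarc=pass header.from=othercorp.example"),
    "partner_ok": _sample("HR <hr@payroll-vendor.example>", "Payroll run",
                          "dmarc=pass header.from=payroll-vendor.example"),
    "partner_unauth": _sample("HR <hr@payroll-vendor.example>", "Payroll run",
                              "spf=fail smtp.mailfrom=payroll-vendor.example; dkim=none; "
                              "dmarc=fail header.from=payroll-vendor.example"),
    "spoof": _sample("CEO <ceo@fishco.example>", "Urgent wire",
                     "spf=fail smtp.mailfrom=fishco.example; dkim=none; dmarc=fail header.from=fishco.example"),
    "internal": _sample("Bob <bob@fishco.example>", "Lunch",
                        "dmarc=pass header.from=fishco.example"),
}
```

      `process(SAMPLES["partner_unauth"])` is the case behind the "DMARC p=none" request above: a partner that does not authenticate keeps the stamp however loudly it asks for a "TRUSTED SENDER" flag, because there is nothing to distinguish its mail from a spoof of it. The spoof case would normally never reach this code if the domain publishes a reject policy and the border MTA honours it; the verdict is kept for mail that slips through a p=none period.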
      • (Score: 2) by legont on Wednesday August 21 2019, @12:05AM

        by legont (4179) on Wednesday August 21 2019, @12:05AM (#882867)

        Yep, we have all this. I am getting a real phishing email and a couple of training attacks from security per week. And a list of quarantined emails has a few corporate ones every week; self-prison is a bitch. This does not count a dozen or so per day that I simply delete as opposed to reading or reporting them.

        --
        "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
      • (Score: 3, Insightful) by edIII on Wednesday August 21 2019, @02:43AM

        by edIII (791) on Wednesday August 21 2019, @02:43AM (#882919)

        I read all of that as, "the fuckers deserve it" :)

        You can bring a horse to water, but sometimes all you can do is drown the son of a bitch in it.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 2) by KritonK on Tuesday August 20 2019, @07:04PM (2 children)

    by KritonK (465) on Tuesday August 20 2019, @07:04PM (#882724)

    This behavior isn't restricted to email either; there are times when banks, utilities, telecommunications and other service providers will call customers out of the blue, and then ask the customer to provide their personal security details to verify it's them, yet the customer has no way of identifying if the call is a hoax or not.

    Which is precisely why, when asked, I always refuse to provide this kind of information over the phone. I then contact them about whatever issue it was that they called me.

    • (Score: 2) by vux984 on Tuesday August 20 2019, @07:27PM

      by vux984 (5045) on Tuesday August 20 2019, @07:27PM (#882736)

      Which is terrific advice... but it only helps you. It doesn't help anyone else.

      And even if every bank, telecom and other service wised up and stopped making these calls, and printed on every bill that they never will call you and ask you security questions, people will still get scammed by people impersonating them. There's always enough people that can be fooled that it will not stop.

    • (Score: 0) by Anonymous Coward on Tuesday August 20 2019, @10:30PM

      by Anonymous Coward on Tuesday August 20 2019, @10:30PM (#882828)

      I've been getting a monthly billing email with someone else's name on it from AT&T for about a year, I haven't been an AT&T customer for over 5 years. Hovering over the links shows att.net.cn
      Nice try.
      The same with Apple, statements every month with a .cn in the links.
      Gotta be careful as these look legit.

  • (Score: 4, Insightful) by bobmorning on Tuesday August 20 2019, @07:19PM (2 children)

    by bobmorning (6045) on Tuesday August 20 2019, @07:19PM (#882732)

    If organizations really want to avoid phishing, then configure your mail clients to convert HTML email to text. Yes it's a pain to cut n paste URLs into a browser, but not only does it prevent the casual click, it also displays exactly what the URL is that the "link" points you to.

    It won't prevent the careless user from still shooting themselves in the foot, but it certainly will make them work harder to do so.
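    What a plain-text rendering exposes can also be checked programmatically rather than by eye. The Python below is an added example, not bobmorning's or anyone else's code from the thread: it renders HTML mail the way a text client does (each anchor as `text <href>`) and flags links whose visible text claims one host while the href points at another. The sample HTML and its hosts are constructed.

```python
"""Render HTML mail as text with every link's real target exposed, and flag links
whose visible text names a different host than the href. Added example, not from
the thread; the sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first link's text looks like the real site, the href does not.
SAMPLE_HTML = (
    '<p>Your <b>monthly statement</b> is ready.</p>'
    '<p><a href="http://www.example.com.statements-host.invalid/login">'
    'https://www.example.com/account</a> to view it, or '
    '<a href="https://www.example.com/help">contact support</a>.</p>'
)


def host_of(text):
    """Hostname a string refers to, or None when it does not look like a URL or host."""
    s = text.strip()
    if not s or " " in s:
        return None
    if "://" not in s:
        s = "http://" + s          # bare hosts such as www.example.com
    host = urlparse(s).hostname
    return host.lower() if host and "." in host else None


class MailToText(HTMLParser):
    """Text-mode rendering like a text client: anchors become 'text <href>'."""

    def __init__(self):
        super().__init__()
        self.out, self.links = [], []
        self._href, self._buf = None, None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []
        elif tag in ("p", "br", "div", "tr", "li"):
            self.out.append("\n")

    def handle_data(self, data):
        # inside an anchor, collect the visible text; elsewhere emit it directly
        (self._buf if self._buf is not None else self.out).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._buf is not None:
            text = "".join(self._buf).strip()
            self.links.append((text, self._href))
            self.out.append(f"{text} <{self._href}>")
            self._href, self._buf = None, None


def render(html):
    """Return (plain text with targets exposed, [(visible text, href), ...])."""
    p = MailToText()
    p.feed(html)
    p.close()
    return "".join(p.out).strip(), p.links


def suspicious_links(html):
    """Links whose visible text names a host other than the one the href goes to."""
    _, links = render(html)
    return [(text, href) for text, href in links
            if host_of(text) and host_of(href) and host_of(text) != host_of(href)]
```

    A mail gateway can run `suspicious_links` on every HTML body and quarantine on a hit; `render` is what the user would see anyway in a text-only client, with the href sitting right next to the text that was meant to hide it.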

    • (Score: 2) by hendrikboom on Wednesday August 21 2019, @02:56AM

      by hendrikboom (1125) Subscriber Badge on Wednesday August 21 2019, @02:56AM (#882920) Homepage Journal

      I use mutt in an xterm. I get to see *everything* as text. I've gradually acquired an ability to read raw HTML. I've noticed that the harder to read HTML is, the more likely it is to be spam. There is thus a natural threshold beyond which there's no point even trying to read it.

    • (Score: 2) by DannyB on Wednesday August 21 2019, @03:08PM

      by DannyB (5839) Subscriber Badge on Wednesday August 21 2019, @03:08PM (#883160) Journal

      I don't really think that will fix it.

      Phishing is NOT a technical problem. Technical fixes can be effective band-aid mitigations. But are not cures.

      Even Html to Text will let the text get through. The point of phishing is that the TEXT convinces some clueless market droid or sales droid to escort some malware right into the company network.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 3, Insightful) by Thexalon on Tuesday August 20 2019, @07:40PM (4 children)

    by Thexalon (636) on Tuesday August 20 2019, @07:40PM (#882743)

    The only real solution to password-gathering spear-phishing is to make your passwords or other relatively static credentials insufficient for actually doing anything important on their own. It's relatively simple to implement these days, and it would have kept, for instance, John Podesta's emails from becoming public.

    Another aspect of this that seems relevant: If the top people in the organization you are trying to protect aren't the sort to regularly bully their subordinates into doing unusual things without explanation, and even praise subordinates who ask pertinent questions, it's more likely that somebody pretending to be one of them will get questioned and stopped before they succeed in taking what they want.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by edIII on Wednesday August 21 2019, @01:34AM (3 children)

      by edIII (791) on Wednesday August 21 2019, @01:34AM (#882897)

      The only real solution to password-gathering spear-phishing is to make your passwords or other relatively static credentials insufficient for actually doing anything important on their own. It's relatively simple to implement these days, and it would have kept, for instance, John Podesta's emails from becoming public.

      This is a fairly incomplete solution though. You assume that the phishing can work, that the victim is brought to the attacker's web page, and that subsequent use of the credentials will fail. Although you don't say it, you allude to 2FA. What happens though when the 2FA provides a simple code like Google's Authy? As an attacker I could collect that, but then only have 60 seconds in which to operate. It's a tight window, but a coordinated attack in real time might pull that off. The attacker already possesses access to the secured terminal in this situation and is ready to pass the credentials. I can't be completely sure, but I think the window can actually be two minutes because it will take a code 60 seconds behind. I've seen that strangeness in Google Authy.

      Additionally, the victim just visiting the phishing page can be enough to deliver payloads. Browsers absolutely suck at security, and the best defense is simply to never load the attacker's content/scripts.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 2) by Thexalon on Wednesday August 21 2019, @01:51AM (1 child)

        by Thexalon (636) on Wednesday August 21 2019, @01:51AM (#882904)

        There are other forms of 2FA (or 3FA if need be), and they aren't perfect, and aren't necessarily easy, but are needed if you're trying to protect a high-value target like, say, a prominent politician.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
        • (Score: 2) by edIII on Wednesday August 21 2019, @03:11AM

          by edIII (791) on Wednesday August 21 2019, @03:11AM (#882927)

          Ohh, I didn't imply 2FA wasn't worth it. I actually see properly implemented 2FA with a hardware key as a serious solution.

          What I was saying is that it is an unacceptable risk to allow the user to visit the attacker web page. You were saying that we needed to nullify any advantages that receiving security credentials would provide, and I'm just pointing out that is only one form that the attack may take.

          I think you mean MFA (multi-factor auth) when you say 3FA, but the same problem exists if the attacker's web page can initiate the 2FA process client-side to receive the codes. It's a very tight and difficult attack window, but not something beyond nation-state level resources attacking, say, a prominent politician.

          On the whole though it's a much better idea to prevent the user from ever visiting the phishing page in the first place, because that can result in compromising a whole machine... which usually resides on the inside of a protected network.

          --
          Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @07:40AM

        by Anonymous Coward on Wednesday August 21 2019, @07:40AM (#883011)

        TOTP allows you to configure the CT time. The default is 30 seconds, but most services I've used seem to settle on 10 to 15 seconds. Then the recommended acceptable codes are the immediate past, present, and immediate future code, which most seem to stick to, or use the "half" time rule, due to clock skew issues. By default, that would mean codes are valid for 90 seconds; if using the stricter standard, they are valid for 20 seconds, but realistically only 15.

        FWIW, Authy and Google Authenticator are two different implementations of TOTP, and not the only ones that exist.
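
The two points argued in this subthread (edIII's "an attacker who relays a TOTP code has a tight window" and the "90 seconds by default" arithmetic above, versus edIII's earlier remark that a properly implemented hardware key is a serious solution) can be made concrete. The following is an added example written for this page, not code posted by any commenter: an RFC 6238 TOTP generator and a server-side check with the usual one-step-either-side skew tolerance, a function that computes exactly how long a captured code stays acceptable, and a simplified origin-bound challenge/response of the kind a FIDO-style key performs. The test secret is the SHA-1 vector secret from RFC 6238 Appendix B; the origins `mail.example.com` and `mail-example.com.invalid`, the zero key bytes and the challenge are constructed for the demo; HMAC stands in for the authenticator's signature, which is an assumption that keeps the example to the standard library while preserving the property under discussion (the response is computed over the origin the browser is actually talking to).

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30                              # RFC 6238 default time step, in seconds
RFC_TEST_SECRET = b"12345678901234567890"   # SHA-1 test secret from RFC 6238 Appendix B


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int,
                step: int = TOTP_STEP, skew: int = 1) -> bool:
    """Server-side check accepting the current step plus `skew` steps either side
    (the past/present/future tolerance discussed in the thread)."""
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-skew, skew + 1)
        if counter + d >= 0
    )


def replay_window(issued_at: int, step: int = TOTP_STEP, skew: int = 1):
    """Earliest and latest server time at which a code generated at `issued_at`
    is still accepted by verify_totp with the same step and skew."""
    counter = issued_at // step
    return (counter - skew) * step, (counter + skew + 1) * step - 1


# --- Origin-bound challenge/response, the property a FIDO-style hardware key has ---
# Assumption: HMAC with a per-credential secret stands in for the authenticator's
# signature. What matters is that the response covers the origin the browser is
# actually connected to; a phishing page cannot choose that value.

def key_respond(key_secret: bytes, browser_origin: str, challenge: bytes) -> bytes:
    origin_hash = hashlib.sha256(browser_origin.encode()).digest()
    return hmac.new(key_secret, origin_hash + challenge, hashlib.sha256).digest()


def server_verify(key_secret: bytes, expected_origin: str,
                  challenge: bytes, response: bytes) -> bool:
    expected = key_respond(key_secret, expected_origin, challenge)
    return hmac.compare_digest(expected, response)


def relayed_key_response_accepted(key_secret: bytes, challenge: bytes,
                                  real_origin: str, phishing_origin: str) -> bool:
    """Simulate the real-time relay: the phishing page forwards the real site's
    challenge, the victim's key answers for the phishing origin, and the attacker
    forwards that answer to the real site."""
    relayed = key_respond(key_secret, phishing_origin, challenge)
    return server_verify(key_secret, real_origin, challenge, relayed)


if __name__ == "__main__":
    # A captured TOTP code: how long does a relayed copy stay valid?
    captured_at = 59
    code = totp(RFC_TEST_SECRET, captured_at)
    first, last = replay_window(captured_at)
    print(f"code {code} captured at t={captured_at}s verifies for t in [{first}, {last}]")
    print("valid at t=89:", verify_totp(RFC_TEST_SECRET, code, 89))
    print("valid at t=90:", verify_totp(RFC_TEST_SECRET, code, 90))

    # Hardware-key style response: the relayed answer is bound to the wrong origin.
    key = b"\x00" * 32                                   # constructed per-credential key
    challenge = b"constructed-32-byte-challenge!!!"      # constructed server challenge
    print("relayed key response accepted:",
          relayed_key_response_accepted(key, challenge,
                                        "https://mail.example.com",
                                        "https://mail-example.com.invalid"))
```

With the 30-second step and one step of tolerance either side, a code generated at t=59 is accepted for any server time from 0 to 89, i.e. a 90-second span, which is the figure computed in the comment above; shrinking the step or the skew shrinks that span but never closes it, because a relayed TOTP code is indistinguishable from one typed by the victim. The origin-bound response fails at the real site no matter how fast the relay is, because the value the victim's key produced covers the phishing origin.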

  • (Score: 1, Interesting) by Anonymous Coward on Tuesday August 20 2019, @08:13PM (1 child)

    by Anonymous Coward on Tuesday August 20 2019, @08:13PM (#882762)

    Among other things, I sometimes contract to perform security checks. Of the various methods, phishing is by FAR the most reliable way to steal login credentials. The oldie but goody click the link below and log in to your email so it doesn't get deleted usually works. In one case, I got credentials for people who weren't even in my mailing list. I found that someone had FORWARDED my spam with a warning at the top that it was a phishing attempt and that NOBODY should click that link. The users had simply scrolled down and clicked the link IN THE WARNING email. You might say the phish were jumping into the boat.

    • (Score: 0) by Anonymous Coward on Thursday August 22 2019, @01:23AM

      by Anonymous Coward on Thursday August 22 2019, @01:23AM (#883401)

      We had that once. Some pentester sent a bunch of emails to mid-level people from one of the C-suite executives. One of the IT people noticed and the Director of IT himself sent a copy of the email to EVERYONE with the subject "Example phishing email." It started with a LONG paragraph telling people that this is what fake emails look like and to report them in the future and then attached the text of the email without any sort of horizontal rule or other division. The text was two sentences that were something like, "I need you to fill out this form [phishing.example] as soon as possible. Also, please forward this to anyone you think needs this information. Sincerely, Executive's Name," except with the proper name and a working phishing site at the link. According to a friend in IT, over 1/3 of people in the entire company (literally hundreds if not thousands of people) clicked the link in the forwarded email and filled out their SSO credentials, and the Director of IT had his email blacklisted off and on for weeks because of all the people who marked his forward email as "junk" or reported it.
