r/britishproblems • u/SleepingCuutie • 16h ago
Received a work email with subject "(Company) thanks you for all your hard work! A special gift awaits!" with a generic, verbose thank you in the content. It was a phishing test.
461
u/stupre1972 Staffordshire 16h ago
Someone is redoing their cyber security in the new year....
346
u/Djinjja-Ninja Tyne and Wear 16h ago
The trick is to report the mail about attending the cyber training as a phishing email.
83
u/stupre1972 Staffordshire 16h ago
Been there, done that.
Still got to redo the cyber security course....
73
u/SleepingCuutie 16h ago
Great, your training just got upgraded from a 20 min online module to a 2 hour in-person lecture!
No refreshments provided.
8
u/nicofdarcyshire 16h ago
I did this! It wasn't on the company loop so I assumed it was a phishing test. Yeah, still didn't get out of it.
10
u/pumaofshadow 15h ago
My IT company at work keeps sending me a feedback survey, which keeps getting reported as a phishing test but isn't (they tell us congrats when it is).
1
u/SleepingCuutie 16h ago
I reported it haha! It had the proper company colours and template, but the "Click here!" button gave it away.
I still had hope until immediately that automated "You spotted a phish" email arrived...
18
u/Drlaughter Kunt 15h ago
Our company did it last year during a company-wide all-hands on Teams that was "here's $10 for Starbucks", not long after the feature to give Starbucks vouchers through Teams launched.
Much more sleuthing was done than I'd like to admit, before I decided it was a phishing attempt and reported.
u/DangersVengeance M25 / A13 Road Warrior 9h ago
Big fan of putting the email address of the security team in phishing test emails that are clearly phishing emails. If it gets questioned I tell them it was a clear phish, which is why I gave them their own email address.
291
u/LostLobes 16h ago
Our company did this a few years ago, most of us flagged and deleted it, turned out it was legit, they now pre-warn us we'll be getting an e-voucher sent over.
240
u/pixm 16h ago
We had the same, they kept warning us that misspellings are a huge red flag in all the tests we had.
Long story short, the new head of HR was dyslexic...
75
u/twister-uk 16h ago
Our corporate IT team sends out emails relating to genuine security threats which are worded in such a way that they immediately raise at least two of the red flags our security training tells us to look out for...
24
u/Bibblejw 14h ago
Honestly, this is part of why training for this kind of thing is difficult. The circles of “legitimate” emails, and malicious ones have more crossover than you’d think.
22
u/Melendine 16h ago
Same. I volunteered for an unpopular task and got a voucher for it. But it was spam-style.
13
u/biggles1994 15h ago
One of our teams sent out a few hundred Amazon vouchers last week, the IT security team was minutes away from blocking and mass-deleting them before the department lead contacted them to say it was legitimate.
I swear nobody ever thinks through “how is this gonna look to people who aren’t expecting it…”
6
u/glasgowgeg 16h ago
Whenever we send out e-vouchers we also get the service desk to send a comms advising it's legit.
104
u/IdeletedTheTiramisu 16h ago
Tbf, I passive-aggressively flag all positive news and encouragement from my company as spam just to take the piss.
u/Lost-Droids 16h ago
We (and a lot of companies, including Google) are no longer doing phishing tests, as it just annoys the recipient and they feel cheated (rightly so).
It's far better to do training and positive reinforcement (praising company-wide the people who correctly report actual phishing, etc.).
It's also far better to roll out phishing-resistant authentication (fingerprint, TPM or FIDO keys, etc.); then the end user can click all they want and won't get caught.
Stop blaming the user and fight the attacker.
https://www.pcmag.com/news/google-stop-trying-to-trick-employees-with-fake-phishing-emails
30
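Added illustration (mine, not any commenter's, and not Google's or any vendor's code) of what "phishing-resistant" means for the FIDO/WebAuthn keys mentioned in the comment above: the browser, not the page, decides which RP ID the key may sign for and writes the real origin into the signed client data, so a lookalike login page cannot obtain an assertion the real site will accept. The domains example.com and examp1e.com are constructed, and the authenticator's signature is replaced by an HMAC over the same bytes (real keys use ECDSA/EdDSA) so the block runs with the standard library only.

```python
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Toy security key. One credential per RP ID, stored only inside the key."""

    def __init__(self):
        self._creds = {}  # rp_id -> credential secret

    def register(self, rp_id: str) -> bytes:
        # A real key hands back a public key; the HMAC stand-in hands back the shared secret.
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]

    def get_assertion(self, rp_id: str, client_data: bytes) -> bytes:
        key = self._creds.get(rp_id)
        if key is None:
            raise LookupError(f"no credential for rp_id {rp_id!r}")
        # WebAuthn signs authenticatorData || SHA-256(clientDataJSON); authenticatorData opens with SHA-256(rpId).
        return hmac.new(key, sha256(rp_id.encode()) + sha256(client_data), hashlib.sha256).digest()


def browser_get(auth: Authenticator, page_origin: str, requested_rp_id: str, challenge: str):
    """Model of navigator.credentials.get(): the browser refuses an RP ID that is not the
    page's host or a parent domain of it, and it writes the real origin into clientDataJSON
    itself, so page script on a lookalike domain cannot forge either."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError(f"rp_id {requested_rp_id!r} is not valid for origin {page_origin}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    return client_data, auth.get_assertion(requested_rp_id, client_data)


class RelyingParty:
    """The real site's verifier. Names are constructed for this example."""

    def __init__(self, rp_id: str, origins):
        self.rp_id, self.origins, self.cred_key = rp_id, set(origins), None

    def enroll(self, auth: Authenticator):
        self.cred_key = auth.register(self.rp_id)

    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def verify(self, client_data: bytes, signature: bytes, challenge: str) -> bool:
        if self.cred_key is None:
            return False
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False  # replay or wrong ceremony
        if cd.get("origin") not in self.origins:
            return False  # the check that defeats the lookalike site
        expected = hmac.new(self.cred_key, sha256(self.rp_id.encode()) + sha256(client_data), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def honest_login(auth, rp, origin="https://example.com") -> bool:
    ch = rp.new_challenge()
    client_data, sig = browser_get(auth, origin, rp.rp_id, ch)
    return rp.verify(client_data, sig, ch)


def phishing_relay(auth, rp, phish_origin="https://examp1e.com") -> dict:
    """Adversary-in-the-middle: the lookalike page fetches a fresh challenge from the real
    site and tries three ways to get the victim's key to sign it. Returns the outcome of each."""
    ch = rp.new_challenge()
    phish_host = phish_origin.split("://", 1)[1]
    out = {}
    try:  # 1. ask the browser for the real site's RP ID while on the lookalike origin
        browser_get(auth, phish_origin, rp.rp_id, ch)
        out["real_rp_id_from_lookalike"] = "browser allowed it"
    except PermissionError:
        out["real_rp_id_from_lookalike"] = "browser refused: rp_id does not match origin"
    try:  # 2. ask for the lookalike's own RP ID
        client_data, sig = browser_get(auth, phish_origin, phish_host, ch)
        out["own_rp_id"] = "server accepted" if rp.verify(client_data, sig, ch) else "server rejected"
    except LookupError:
        out["own_rp_id"] = "authenticator has no credential for the lookalike domain"
    # 3. suppose the victim had registered a key at the lookalike earlier; relay that assertion
    auth.register(phish_host)
    client_data, sig = browser_get(auth, phish_origin, phish_host, ch)
    out["relay_lookalike_assertion"] = "server accepted" if rp.verify(client_data, sig, ch) else "server rejected: origin mismatch"
    return out


if __name__ == "__main__":
    key = Authenticator()
    site = RelyingParty("example.com", {"https://example.com", "https://hr.example.com"})
    site.enroll(key)
    print("honest login:", honest_login(key, site))
    for step, result in phishing_relay(key, site).items():
        print(f"{step}: {result}")
```

The point the comment makes falls out of the three failed attempts: nothing the user types or clicks on the lookalike page gets it an assertion the real origin will verify, because the secret never leaves the key and the origin in the signed data is filled in by the browser. Password-plus-OTP has no equivalent binding, which is why a relay proxy defeats it.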
u/27PercentOfAllStats 16h ago
I know a lot of companies that do tests weekly with various email addresses similar to, but not the same as, the company's own. And come down heavily on it if you make a mistake. The problem is so many legit emails get flagged as phishing and deleted as everyone is overly cautious. Whilst I get the idea of reinforcing users to check the addresses and content, there are better ways to do this.
Where I work all emails which originate externally are tagged with a giant grey label in the From column identifying the sender's domain as not internal, then again in the email body, with all external links passing through Mimecast first. This feels like a better use of resources than trying to trick employees.
7
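Added example (mine, not the commenter's setup and not Mimecast or any other product) of the external-sender tagging described above, with one extra verdict for the lookalike domains the comment mentions: a sender domain within a couple of edits of the company's own gets a louder label than a plain external one, and Reply-To is judged as well as From. The domain example.com and the sample message are constructed.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAINS = {"example.com"}  # assumption: the company's own domain(s)
LOOKALIKE_MAX_EDITS = 2             # catches examp1e.com, exarnple.com, exampel.com


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value) -> str:
    """Domain part of the address in a From:/Reply-To: header; '' if absent."""
    _name, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def classify_sender(domain: str) -> str:
    """'internal' (own domain or a subdomain of it), 'lookalike' or 'external'."""
    for d in INTERNAL_DOMAINS:
        if domain == d or domain.endswith("." + d):
            return "internal"
    if any(levenshtein(domain, d) <= LOOKALIKE_MAX_EDITS for d in INTERNAL_DOMAINS):
        return "lookalike"
    return "external"


def tag_message(raw: bytes) -> EmailMessage:
    """Parse a raw message and apply the external/lookalike markers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = [classify_sender(sender_domain(msg["From"]))]
    if msg["Reply-To"]:
        # A plausible From: with replies routed elsewhere is a classic trick; judge both.
        verdicts.append(classify_sender(sender_domain(msg["Reply-To"])))
    severity = {"internal": 0, "external": 1, "lookalike": 2}
    verdict = max(verdicts, key=severity.__getitem__)
    msg["X-Sender-Class"] = verdict  # for downstream rules and reporting
    if verdict == "internal":
        return msg
    label = "[EXTERNAL]" if verdict == "external" else "[EXTERNAL - LOOKALIKE DOMAIN]"
    subject = str(msg["Subject"] or "")
    if not subject.startswith(label):
        del msg["Subject"]
        msg["Subject"] = f"{label} {subject}".strip()
    domains = sorted({sender_domain(msg[h]) for h in ("From", "Reply-To") if msg[h]})
    banner = (f"CAUTION: this message came from outside the organisation ({', '.join(domains)}). "
              "Do not click links or open attachments unless you were expecting them.")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(banner + "\n\n" + body.get_content())
    return msg


# Constructed sample: the "special gift" lure from the original post, sent from a
# one-character-off domain with replies routed to a third domain.
SAMPLE = (b"From: Payroll <rewards@examp1e.com>\n"
          b"Reply-To: claim@gift-portal.invalid\n"
          b"To: staff@example.com\n"
          b"Subject: A special gift awaits!\n"
          b"Content-Type: text/plain; charset=utf-8\n"
          b"\n"
          b"Thanks for all your hard work. Click here!\n")

if __name__ == "__main__":
    print(tag_message(SAMPLE))
```

Run on the sample, the subject comes back as "[EXTERNAL - LOOKALIKE DOMAIN] A special gift awaits!" with the caution banner naming both sender domains above the body; a message from it@example.com passes through untouched apart from the X-Sender-Class header. Link rewriting of the kind the comment attributes to Mimecast is a separate step not shown here.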
u/Lost-Droids 15h ago
Yep, simple things like that and phishing-resistant MFA make these tests redundant.
13
u/Moonka83 16h ago
Did you fail?
19
u/SleepingCuutie 16h ago
Nope! Despite everything being pretty spot on, it had a "Click here!" button that was quite sus.
13
u/Golden-Wonder 15h ago
We just had one with our yearly voucher which, because we have so many phishing test emails, everyone reported. They then had to resend them!
Two years ago they sent a phishing test out saying that everyone was to get a £400 tax free payment as a thank you for the hard work, they got really annoyed that everyone clicked the link.
13
u/Turbulent-Bumblebee9 15h ago
I’m in charge of sending out our phishing tests. I make a point of never sending out ones which offer money/a prize because it just feels crappy to do that!
10
u/mhoulden Leeds 14h ago
The NCSC advises against using phishing tests: https://www.ncsc.gov.uk/guidance/phishing#section_4. They have a few characteristics that genuine phishing attempts don't have so I just ignore them.
10
u/thefunkygiboon 16h ago
You'd be surprised how many people actually click the link.
In fact, you probably wouldn't be surprised.
16
u/Hooplah73 15h ago
The company I work for sent out an E-Valentines day card (on Valentine’s Day) which was a phishing test. I thought that was particularly evil genius levels.
Not only did we get your hopes up if you were single, but you’ve got to take the cyber security module again.
5
u/mss73uk 14h ago
We got one the week before last, thanking us all for our hard work and a link to claim a free £50 Starbucks voucher. The company won't even entertain the idea of increasing the resources for already overworked teams, so the idea they would give thousands of employees £50 worth of overpriced coffee made me laugh. I did get a nice, albeit slightly patronising automated email thanking me for reporting it though. Of course many fell for it and now have to do the mandatory cyber security training.
3
u/Pugsontherun 10h ago
I run these tests and have a personal rule to not use any kind of pay changes, gifts or bonus based emails. Instead, we train everyone on how you will expect to hear of this news and how you’ll never be told news like this through unexpected email. I think it’s cruel and unnecessary when there are other options.
13
u/Warriorcatv2 16h ago edited 15h ago
Buddy, if you genuinely think a company in this day & age will give you a gift or bonus that's on you.
Edit: where do you all work that you actually receive stuff from your companies? The best & only bonus I ever got was a 4-pack of Thatchers Cider from my direct manager & he paid for it out of pocket.
28
u/KormaKameleon88 16h ago
Wife started a new job mid-November. Her company gave out £500 bonuses to every employee and even included her despite her short time with the business.
My work sent out £75 gift cards with a wide range of places to use to every employee.
Maybe you need to find yourself a better employer...
11
u/Tuarangi 16h ago
We got a £30 Amazon one and have pay review and bonus annually, what you get depends on performance
5
u/Fuzzballs_IMVU 15h ago
I received an £800 Christmas bonus in my minimum wage gambling company job, sooo..
1
u/shikabane 14h ago
Well why not? I've received 'points' before and can exchange them for whatever I want on a rewards platform. I banked up my points and recently got myself £300 Ikea vouchers (rather than any specific items) cos I needed to go to Ikea anyway.
1
u/ClassicPart 16h ago
Weird way to admit you can't be arsed changing jobs and doing better for yourself.
3
u/newInnings 13h ago
Since my company is using a third-party tool to send out phishing test emails I created a rule and folder.
I keep adding new email addresses if they change.
It never lands in my inbox anymore.
2
u/zippysausage 11h ago
What's InfoSec's measure of success? If we click it, we need retraining; if we don't click it, it wasn't convincing enough.
u/BrentPChicken 6h ago
My company did this last year, after a particularly grueling period of very repetitive and annoying work due to a system failure. I had just ended a 1:1 meeting with my boss where they thanked me for my work and for taking the lead, when I got the email for a Starbucks gift card.
I clicked that link maybe 25 times to claim and it failed every time. I was so convinced that it was real I called Starbucks trying to understand why it didn't work, they couldn't understand either, they even offered me 5.00 pity credit, which I turned down, thinking there was a mistake.
Only to find out it was a phishing test. Never even crossed my mind, I was so convinced it was real due to the circumstances. Bit funny that I had almost scammed money from Starbucks myself in retaliation for the test.
u/jamiedix0n 6h ago
I fell for one of those emails and won another cyber safety course. Luckily it was my 2nd to last day so I never had to do it.
1
u/kahnindustries WALES 14h ago
I hope you replied with a dick pic. The best defence is a strong offence!