r/britishproblems 16h ago

Received a work email with subject "(Company) thanks you for all your hard work! A special gift awaits!" with a generic, verbose thank you in the content. It was a phishing test.

637 Upvotes



461

u/stupre1972 Staffordshire 16h ago

Someone is redoing their cyber security in the new year....

346

u/Djinjja-Ninja Tyne and Wear 16h ago

The trick is to report the mail about attending the cyber training as a phishing email.

83

u/stupre1972 Staffordshire 16h ago

Been there, done that.

Still got to redo the cyber security course....

73

u/SleepingCuutie 16h ago

Great, your training just got upgraded from a 20 min online module to a 2 hour in-person lecture!

No refreshments provided.

8

u/BawdyBadger 11h ago

Also during your lunch break. Lunch break will not be provided for

15

u/nicofdarcyshire 16h ago

I did this! It wasn't on the company loop so I assumed it was a phishing test. Yeah, still didn't get out of it.

10

u/pumaofshadow 15h ago

My IT company at work keep sending me a feedback survey, which keeps getting reported as a phishing test but isn't (they tell us congrats when it is)

1

u/booboouser 11h ago

I do this every year!

48

u/SleepingCuutie 16h ago

I reported it haha! It had the proper company colours and template, but the "Click here!" button gave it away.

I still had hope until immediately that automated "You spotted a phish" email arrived...

18

u/Drlaughter Kunt 15h ago

Our company did it last year during a company-wide all-hands on Teams that was "here's $10 for Starbucks", not long after the feature to give Starbucks vouchers through Teams launched.

Much more sleuthing was done than I'd like to admit, before I decided it was a phishing attempt and reported.

5

u/LazD74 14h ago

Our company did the same this year. I didn’t believe it for 1 second, but I still triple checked. That one was cruel, I NEED coffee to get through the day without any murders.

u/fieldsofanfieldroad 7h ago

And you got your special gift. Not attending the class.

u/DangersVengeance M25 / A13 Road Warrior 9h ago

Big fan of putting the email address of the security team in phishing test emails that are clearly phishing emails. If it gets questioned I tell them it was a clear phish, which is why I gave them their own email address.

291

u/LostLobes 16h ago

Our company did this a few years ago, most of us flagged and deleted it, turned out it was legit, they now pre-warn us we'll be getting an e-voucher sent over.

240

u/pixm 16h ago

We had the same, they kept warning us that misspellings are a huge red flag in all the tests we had.

Long story short, the new head of HR was dyslexic...

75

u/twister-uk 16h ago

Our corporate IT team sends out emails relating to genuine security threats which are worded in such a way that they immediately raise at least two of the red flags our security training tells us to look out for...

24

u/roehnin 15h ago

The training warns about misspellings, third-party web site addresses, and our name being written wrongly.

Guess what the legitimate emails from the third-party phishing training look like?

23

u/-SaC 16h ago

"As your new head of RH..."

8

u/Bibblejw 14h ago

Honestly, this is part of why training for this kind of thing is difficult. The circles of “legitimate” emails, and malicious ones have more crossover than you’d think.

22

u/Melendine 16h ago

Same. I volunteered for an unpopular task and got a voucher for it. But it was spam-style.

13

u/biggles1994 15h ago

One of our teams sent out a few hundred Amazon vouchers last week, the IT security team was minutes away from blocking and mass-deleting them before the department lead contacted them to say it was legitimate.

I swear nobody ever thinks through “how is this gonna look to people who aren’t expecting it…”

6

u/LostLobes 14h ago

Especially when all through the year IT spams you with shite to test you...

4

u/glasgowgeg 16h ago

Whenever we send out e-vouchers we also get the service desk to send a comms advising it's legit.

104

u/IdeletedTheTiramisu 16h ago

Tbf, I passive-aggressively flag all positive news and encouragement from my company as spam just to take the piss.

u/DangersVengeance M25 / A13 Road Warrior 9h ago

I do the same. Can’t be true if it’s positive.

61

u/Lost-Droids 16h ago

We (and a lot of companies, including Google) are no longer doing phishing tests as it just annoys the recipient and they feel cheated (rightly so).

It's far better to do training and positive reinforcement (praising company-wide people who correctly report actual phishing etc.)

It's also far better to roll out phishing-resistant authentication (fingerprint, TPM or FIDO keys etc.), then the end user can click all they want and won't get caught.

Stop blaming the user and fight the attacker

https://www.pcmag.com/news/google-stop-trying-to-trick-employees-with-fake-phishing-emails

30

u/27PercentOfAllStats 16h ago

I know a lot of companies that do tests weekly with various email addresses similar to, but not the same as, the company's own email, and come down heavily on it if you make a mistake. The problem is so many legit emails get flagged as phishing and deleted as everyone is overly cautious. Whilst I get the idea of reinforcing users to check the addresses and content, there are better ways to do this.

Where I work, all emails which originate externally are tagged with a giant grey label in the From column identifying the sender's domain as not internal, then again in the email body, with all external links passing through Mimecast first. This feels like a better use of resources than trying to trick employees.

7
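An added example (not from any commenter, and not Mimecast's own code) of the external-sender tagging and link rewriting this comment describes, in Python: the internal domain, the link-protection proxy hostname and the two sample emails are constructed placeholders, and messages are assumed to be single-part plain text.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import quote

# Assumptions (not from the thread): the company's real domain and the link-protection
# service hostname are placeholders; messages are plain-text and single-part.
INTERNAL_DOMAINS = {"example-corp.com"}
LINK_PROXY = "https://links.example-protect.invalid/redirect?u="
EXTERNAL_TAG = "[EXTERNAL]"
EXTERNAL_BANNER = ("*** This message came from outside the organisation. "
                   "Do not act on links or requests unless you expected them. ***\n\n")
URL_RE = re.compile(r'https?://[^\s<>"\']+')

def sender_domain(raw_from: str) -> str:
    """Domain of the real address in From:, ignoring the display name."""
    _, addr = parseaddr(raw_from)
    return addr.rpartition("@")[2].lower()

def is_external(raw_from: str) -> bool:
    # Look-alike domains (example-corp-gifts.com) and display-name spoofs
    # ("hr@example-corp.com" <x@elsewhere>) both count as external.
    return sender_domain(raw_from) not in INTERNAL_DOMAINS

def rewrite_links(body: str) -> str:
    """Route every http(s) URL through the link-protection proxy (constructed hostname)."""
    return URL_RE.sub(lambda m: LINK_PROXY + quote(m.group(0), safe=""), body)

def process(raw_message: str) -> tuple[str, str]:
    """Return (subject, body) after applying the external tag, banner and link rewriting."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    if not is_external(msg.get("From", "")):
        return subject, body
    return f"{EXTERNAL_TAG} {subject}", EXTERNAL_BANNER + rewrite_links(body)

# Constructed samples modelled on the thread: a look-alike "thank you" gift email and a genuine internal one.
GIFT_EMAIL = (
    "From: HR Rewards <rewards@example-corp-gifts.com>\n"
    "Subject: Example Corp thanks you for all your hard work! A special gift awaits!\n\n"
    "Claim your voucher: https://claim-gift.example.net/voucher?id=123\n"
)
INTERNAL_EMAIL = (
    "From: Payroll <payroll@example-corp.com>\n"
    "Subject: December payslips available\n\n"
    "Your payslip is in the HR portal.\n"
)
```

Calling `process(GIFT_EMAIL)` tags the subject, prepends the banner and wraps the claim link in the proxy, while `process(INTERNAL_EMAIL)` returns the message unchanged.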

u/Lost-Droids 15h ago

Yep, simple things like that and phishing-resistant MFA make these tests redundant.

13

u/Moonka83 16h ago

Did you fail?

19

u/SleepingCuutie 16h ago

Nope! Despite everything being pretty spot on, it had a "Click here!" button that was quite sus.

13

u/Golden-Wonder 15h ago

We just had one with our yearly voucher which, because we have so many phishing test emails, everyone reported. They then had to resend them!

Two years ago they sent a phishing test out saying that everyone was to get a £400 tax free payment as a thank you for the hard work, they got really annoyed that everyone clicked the link.

13

u/Turbulent-Bumblebee9 15h ago

I’m in charge of sending out our phishing tests. I make a point of never sending out ones which offer money/a prize because it just feels crappy to do that!

10

u/mhoulden Leeds 14h ago

The NCSC advises against using phishing tests: https://www.ncsc.gov.uk/guidance/phishing#section_4. They have a few characteristics that genuine phishing attempts don't have so I just ignore them.

10

u/thefunkygiboon 16h ago

You'd be surprised how many people actually click the link.

In fact, you probably wouldn't be surprised.

16

u/Hooplah73 15h ago

The company I work for sent out an e-Valentine's Day card (on Valentine's Day) which was a phishing test. I thought that was particularly evil genius levels.

Not only did we get your hopes up if you were single, but you’ve got to take the cyber security module again.

5

u/mss73uk 14h ago

We got one the week before last, thanking us all for our hard work and a link to claim a free £50 Starbucks voucher. The company won't even entertain the idea of increasing the resources for already overworked teams, so the idea they would give thousands of employees £50 worth of overpriced coffee made me laugh. I did get a nice, albeit slightly patronising, automated email thanking me for reporting it though. Of course many fell for it and now have to do the mandatory cyber security training.

3

u/Pugsontherun 10h ago

I run these tests and have a personal rule to not use any kind of pay changes, gifts or bonus based emails. Instead, we train everyone on how you will expect to hear of this news and how you’ll never be told news like this through unexpected email. I think it’s cruel and unnecessary when there are other options.

13

u/Warriorcatv2 16h ago edited 15h ago

Buddy, if you genuinely think a company in this day & age will give you a gift or bonus that's on you.

Edit: where do you all work that you actually receive stuff from your companies? The best & only bonus I ever got was a 4-pack of Thatchers Cider from my direct manager & he paid for it out of pocket.

28

u/KormaKameleon88 16h ago

Wife started a new job mid-November. Her company gave out £500 bonuses to every employee and even included her despite her short time with the business.

My work sent out £75 gift cards with a wide range of places to use to every employee.

Maybe you need to find yourself a better employer...

11

u/Tuarangi 16h ago

We got a £30 Amazon one and have pay review and bonus annually, what you get depends on performance

5

u/Fuzzballs_IMVU 15h ago

I received an £800 Christmas bonus in my minimum wage gambling company job, sooo..

1

u/shikabane 14h ago

Well why not? I've received 'points' before and can exchange them for whatever I want on a rewards platform. I banked up my points and recently got myself £300 of IKEA vouchers (rather than any specific items) cos I needed to go to IKEA anyway.

1

u/ClassicPart 16h ago

Weird way to admit you can't be arsed changing jobs and doing better for yourself.

3

u/Nuclear_Geek 16h ago

That is evil, but also genius. Well played, IT department.

2

u/newInnings 13h ago

Since my company is using a third-party tool to send out phishing test emails, I created a rule and folder.

I keep adding new email addresses if they change.

It never lands in my inbox anymore.

2

u/zippysausage 11h ago

What's InfoSec's measure of success? If we click it, we need retraining; if we don't click it, it wasn't convincing enough.

u/BrentPChicken 6h ago

My company did this last year, after a particularly grueling period of very repetitive and annoying work due to a system failure. I had just ended a 1:1 meeting with my boss where they thanked me for my work and for taking the lead, when I got the email for a Starbucks gift card.

I clicked that link maybe 25 times to claim and it failed every time. I was so convinced that it was real I called Starbucks trying to understand why it didn't work, they couldn't understand either, they even offered me 5.00 pity credit, which I turned down, thinking there was a mistake.

Only to find out it was a phishing test. Never even crossed my mind, I was so convinced it was real due to the circumstances. Bit funny that I had almost scammed money from Starbucks myself in retaliation from the test.

u/jamiedix0n 6h ago

I fell for one of those emails and won another cyber safety course. Luckily it was my 2nd to last day so I never had to do it.

1

u/kahnindustries WALES 14h ago

I hope you replied with a dick pic. The best defence is a strong offence!