Guy Forced to Endure 2-Hour Phishing Workshop as Punishment, Reports All IT Director's Emails as Phishing Attempts


Anyone at a large organization has probably experienced an actual phishing attempt or had to endure one of these exercises. Managers at these large companies love to catch workers out with fake emails that feign phishing attempts, and getting caught clicking carries the punishment of attending a phishing training course.

The problem is that these fake phishing emails are often written as if they were actual internal emails, in a way that is way more believable than an actual phishing attempt.

For those unaware, “phishing” is a scam attempt where cyber criminals send fraudulent messages (often impersonating an important person or organization) to garner sensitive information and access accounts. These can result in massive breaches in security and information and leave organizations — and individuals — incredibly vulnerable.

Thus, companies put their workers through “Phishing Training” sessions to increase security and reduce the likelihood that your coworkers will click on an email from their boss requesting intimate details about their lives or work — looking at you, Becky. These attempts range from ridiculous to incredibly convincing, but the problem is you never know just how stupid and gullible the people sitting beside you might be. In a world where the most common IT solution is still to have the user “turn it off and on again,” we can't help but have a lack of faith in people — and companies share this sentiment. 

So, after you've “graduated” from “Phishing Training” courses, you're granted a button in your email program to “Report Phishing” and are then subjected to an onslaught of random phishing attacks to keep you on your toes. 

These are the “fake phishing emails” that we're discussing: if you accurately report the emails, you get a pat on the back, but if you repeatedly prove that you weren't paying attention during the seminar, you're demoted and subjected to retaking your “Phishing Training” courses.

This whole game of cat and phish plays out in an infuriating fashion in ways that I've failed to portray here. The fake attacks are relentless and frequently catch you off guard.

I've been a part of teams in the past that have resorted to doing exactly what this Reddit user has shared: Reporting every damn email from an executive as phishing just to avoid the issue altogether.  

Keep reading for the screenshots of the original thread, story, and reactions below. For more workplace malicious compliance, check out this worker who discovered a loophole in their workplace's sick leave policy. 

 

via u/soldollhausen
