the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)
phishing training really doesn’t spend enough time on “how to structure your mass corporate communications in such a way that your employees won’t conclude that you communicate exactly like scammers and still expect a reply, so they’d better assume scammy emails are legitimate.”
@0xabad1dea Microsoft put a big blue banner on all the broadcast-internal emails.
I was in a meeting of the D&I Council where someone said they'd sent an email about an event and was surprised I didn't know about it. I eventually found the email: it had the same blue banner.
That was when I learned that I had been trained to ignore any email that started with the blue banner. Asking around, I was not the only one. A lot of the internal communication problems had the root cause that there was so much pointless broadcast email that everyone ignored them and missed the important ones.
Someone did an internal thing for a hackathon as an Outlook plugin that would estimate the reading time for emails, interrogate the employee database to find the levels, multiply by the average salary for that level scaled to the reading time, and then give you an estimate of how much an email was costing the company if the recipients read it. It never shipped because management didn't like being reminded that they were burning tens of thousands of dollars with their emails.
@0xabad1dea the number of times I’ve reported SharePoint or CoPilot as phishing is non-zero. They clearly had the “this email is from an external sender, be careful” banner.