
How normal is this?

97 replies

user1492538376 · 17/12/2025 18:22

I work for a company which regularly sends fake spam emails internally to check who clicks on the links. They do this a lot and then those who click then have to meet with IT - presumably to be told not to do it again. There are a lot of cyber attacks now which I completely get. However I am sure most of the time people who click just don’t read emails properly and everyone makes mistakes. FWIW I never click on links now unless I am certain of the sender.

Notmyreality · 17/12/2025 18:44

Yes common in most big companies with sensitive data. I’ve had it in my last company and current company.
Not common to “send you to IT” for a slap on the wrist though. Normally you just get an email to say either well done or oops! this was a test, think next time.

Brefugee · 17/12/2025 18:45

user1492538376 · 17/12/2025 18:22

I work for a company which regularly sends fake spam emails internally to check who clicks on the links. They do this a lot and then those who click then have to meet with IT - presumably to be told not to do it again. There are a lot of cyber attacks now which I completely get. However I am sure most of the time people who click just don’t read emails properly and everyone makes mistakes. FWIW I never click on links now unless I am certain of the sender.

I've had this everywhere I've worked in about the last 10 years.

It is good practice, and leads to people developing good habits.

RescueMeFromThisSilliness · 17/12/2025 18:46

Why in the wide world does anybody click on a link in an email these days?

Brefugee · 17/12/2025 18:47

user1492538376 · 17/12/2025 18:28

Hmmm I get the risk factor. But I guess people make mistakes and ours seem quite OTT - like what are you going to tell IT in a meeting other than won't do it again and made a mistake?

Do you understand why they do this? You seem very cavalier about it.

I would ask if your company offers training on cyber security? You should do it.

collectkdsasmed · 17/12/2025 18:47

It’s a type of red teaming, yes it’s a thing and has been for a while, but it’s been widely disregarded and shown to be ineffective at changing behaviour. Most companies with advanced security maturity have moved on from this type of finger pointing activity.

AmicaNemica · 17/12/2025 18:48

Yeah we get those "gotcha" emails too. The problem is they say not to click on ANY links or attachments which is impossible as we work with a lot of externals and invite people to get in touch. They have also shut down access to all file sharing platforms which we can only use on an ad hoc basis and needs to be approved. Going forward, we can no longer use our laptops for any personal use or access gmail or hotmail etc. All the photocopiers/scanners are keylogged. USB ports are disabled.
We do share in the team if a gotcha email is going round.

NotForTheMoneyandNotForTheApplause · 17/12/2025 18:49

RescueMeFromThisSilliness · 17/12/2025 18:46

Why in the wide world does anybody click on a link in an email these days?

Because they either don't know not to or they think it's genuine or they don't think at all and just do it

Lots of reasons spring to mind

justpassmethemouse · 17/12/2025 18:52

RescueMeFromThisSilliness · 17/12/2025 18:37

The rule where we work is that you NEVER, EVER click on any link in the body of an email, no matter who it has come from.

@user1492538376 Perhaps your employer needs to upgrade their firewall.

How do you link people to things if you can’t send links? Just through Teams?

Hiptothisjive · 17/12/2025 18:55

Very normal. Millions of spam emails are sent to the same company every year (large companies). It may not be nice but consider how it can cripple a company like JLR. I have no problem with it - that's the world we live in now. It isn’t your employer doing it for any other reason than to prevent very serious ramifications.

Tollington · 17/12/2025 18:56

Yes, I got caught out on a fake one sent by I.T and had to do a short online course

Notmyreality · 17/12/2025 18:56

RescueMeFromThisSilliness · 17/12/2025 18:46

Why in the wide world does anybody click on a link in an email these days?

Because if you work in a professional role you will get numerous emails a day full of links to documents in the cloud, recordings of meetings, work polls etc etc etc

MiddleAgedDread · 17/12/2025 18:57

I think ours make you redo the online cyber security training that everyone has to do regularly and if that’s not punishment enough I don’t know what is 😂

momtoboys · 17/12/2025 18:58

They do it where I work all the time. If you fail the "phishing test" you have to do online training again which takes about 1/2 hour out of your day.

ThatNaiceMember · 17/12/2025 18:58

Mine does, and worse they have a program you're supposed to report it to and you get stars if you do. I do not engage with this nonsense 😅

TappyGilmore · 17/12/2025 19:02

My company sends fake spam. You’re supposed to report it and then you get another email basically saying “well done you, you identified a fake phishing email.” I don’t know what happens if you click the links, I’ve never tried!

lottiegarbanzo · 17/12/2025 19:13

OP you seem to think that so long as you can offer a lame excuse it’s all ok. It’s not though is it, if the phishing is real.

PhilosophicalCheeseSandwich · 17/12/2025 19:18

We have to do a short phishing refresher course if we click on the test emails IT send out. Financial services.

StudentDays · 17/12/2025 19:25

We had this in my org. There was some stat shared about how many people tried to open it.

MrsBennetsPoorNervesAreBack · 17/12/2025 19:28

It's very common. And it makes the point.

SalmonOnFinnCrisp · 17/12/2025 19:28

Totally normal and based on your own post... It works.

TheSmallAssassin · 17/12/2025 19:32

I never click on links now unless I am certain of the sender.

Well, it seems to be working then! When you think of how many high profile companies have suffered cyber attacks recently, affecting not only them but their suppliers, they'll be doing anything they can to protect themselves.

ShesTheAlbatross · 17/12/2025 19:34

I work for a very large company that does this fairly regularly. DH works for a very small company with an outsourced IT function and they do it occasionally as well. I think it’s pretty normal. The people who click without reading it are the people they want to teach to stop doing that!

KimTheresPeopleThatAreDying · 17/12/2025 19:35

My company does this. Cybersecurity is a massive risk area and we take it seriously. It only takes one mistake for hackers to get into our system.

Yennefer17 · 17/12/2025 19:39

My company had a reorg. We got a phishing email test called "reorganisation" soon after the announcement. These are scheduled in advance and the IT forgot to cancel it. They had to apologise a lot :D

InfoSecInTheCity · 17/12/2025 19:44

I lead cybersecurity for our company and we do phishing tests monthly at least. Unfortunately about 95% of security incidents are due to social engineering, the most common being email based phishing attacks but SMS, WhatsApp, QR code, video call etc are all rising too. The addition of AI to the mix now means that many of the signs of phishing that we try to train people to recognise no longer exist, so the habit of NOT CLICKING ON THE FUCKING LINK needs to be embedded behaviour.

We have put in every form of technical security control we feasibly can, every email is checked by the system first before being delivered to people’s inboxes, but it can only check based on the intel it has and there will always be new scams that haven’t made it to the database yet.

We have been doing very regular tests for over a year, with mandatory micro-learning for everyone who clicks, awareness events, prizes for participation, ‘Fireside chats’ using real case studies of the damage successful phishing scams have directly caused to us as a business. You name it, we do it, and still about 20% of employees every month click on the fucking link, about 7% don’t just click the link they then go on to enter their username and password when the fake website asks them to.

So yeah, we do phishing tests and training.
