Old 04-15-2024, 09:16 PM
 
1,096 posts, read 585,167 times
Reputation: 1838


The company I work for has always been a bit obsessed with cyber security, but it seems like lately it's gone into overdrive. In recent weeks, every single email we get that is not from a co-worker is flagged with a giant yellow ribbon suggesting we be careful with this one. Some even have an additional notice above the yellow ribbon noting that "you don't often receive emails from this sender."

But the best part happened to me today just before I left. I received an email that I immediately detected as somewhat suspicious. I quickly forwarded it to the IT team with a note asking, "Is this legitimate?" Minutes later, I got a second email explaining that the first one was a company-generated phishing attempt and I completely failed and have been automatically signed up for remedial training.

Excuse me? You're saying that by immediately alerting IT that the email might be illegitimate, I *failed* to recognize it as phishing? In that case what does success look like?

I can hardly wait for my conversation with the IT manager tomorrow.

 
Old 04-15-2024, 10:44 PM
 
12,874 posts, read 9,101,024 times
Reputation: 35011
For us it wasn't that they took cyber security too seriously, but that the people they put in charge of it had no sense of risk vs cost and impact. Yes we got things like that all the time where there was basically no way to do it "right." We got the classic emails telling us what to look out for. Then we got emails telling us to do the very thing we were told not to do, so folks would dutifully report the suspicious email and it would come down from management that it was a legitimate email and to do it. It was so silly that they blocked us from some of our own internal sites that were required for doing business. But perhaps the silliest was when the IT security protocols blocked the IT training site so we couldn't take the IT security training.
 
Old 04-16-2024, 06:42 AM
 
12,111 posts, read 23,322,246 times
Reputation: 27253
I forget what the number is, but we are hit with thousands of malicious emails per day. Our IT department encourages us to forward any suspicious emails to them, or to simply delete them. Depending on what it is depends on what I do.
 
Old 04-16-2024, 07:32 AM
 
Location: Southeast
1,981 posts, read 956,540 times
Reputation: 5623
Quote:
Originally Posted by michael917 View Post
I received an email that I immediately detected as somewhat suspicious. I quickly forwarded it to the IT team with a note asking, "Is this legitimate?" Minutes later, I got a second email explaining that the first one was a company-generated phishing attempt and I completely failed and have been automatically signed up for remedial training.
We were told to handle any suspect email as "Phishing" or "Junk" using the Report buttons that Outlook already has built in, and that is then routed to the proper IT person to decide if the sender should be blocked.
 
Old 04-16-2024, 08:27 AM
 
Location: The DMV
6,593 posts, read 11,309,443 times
Reputation: 8664
As a CISO/Infosec professional - my response may be biased.

But depending on which industry you work in - these things may be the result of regulatory mandates. Of course, it can certainly be due to bad implementation of a cybersecurity program. Or - the combination of both...

This is a fairly young industry, relatively speaking. So it's going to be far from perfect.

At the end of the day - the risk is real and potentially costly. Unfortunately - a lot of places take the "check the box" approach since it's often a black hole in terms of spending. Not many companies can see a measurable result from a cyber program - it doesn't improve efficiency or increase profits. It's strictly an "insurance policy" type of scenario.

The first thing most look to are technology solutions; as opposed to establishing a business strategy first - then looking for the right tools to support that strategy.

Quote:
Originally Posted by joe from dayton View Post
I forget what the number is, but we are hit with thousands of malicious emails per day. Our IT department encourages us to forward any suspicious emails to them, or to simply delete them. Depending on what it is depends on what I do.
I don't know about actual "malicious" emails. But when I was a security engineer and looking at countless mail relays - legitimate emails often are in the range of 2-8% of all emails received. Now, this was back in the early days of SPF and DMARC wasn't really a thing. It may be more now with better security around mail routing.
 
Old 04-16-2024, 09:47 AM
 
163 posts, read 93,314 times
Reputation: 261
I worked for a Fortune 500 company a few years ago. Every year we had to take a cybersecurity online course. And IT would send out a "test" phishing email a couple of times a month. There would be a link and if you clicked the link you failed. You only failed if you clicked the link. There was a button to report it as a phishing email. If you just deleted the email or ignored it you were good. And there was a progressive discipline process too. The first 2 times you failed, your manager would be alerted and you would be enrolled in a remedial cybersecurity training course. After that, the next step is it would go to the next manager up and then to HR, then a write-up the next couple of times. If you failed a certain number of times in a rolling 12 month period it was grounds for termination. Fails also were reported to Internal Audit.
 
Old 04-16-2024, 03:22 PM
 
12,874 posts, read 9,101,024 times
Reputation: 35011
Quote:
Originally Posted by macroy View Post
As a CISO/Infosec professional - my response may be biased.

But depending on which industry you work in - these things may be the result of regulatory mandates. Of course, it can certainly be due to bad implementation of a cybersecurity program. Or - the combination of both...

This is a fairly young industry, relatively speaking. So it's going to be far from perfect.

At the end of the day - the risk is real and potentially costly. Unfortunately - a lot of places take the "check the box" approach since it's often a black hole in terms of spending. Not many companies can see a measurable result from a cyber program - it doesn't improve efficiency or increase profits. It's strictly an "insurance policy" type of scenario.

The first thing most look to are technology solutions; as opposed to establishing a business strategy first - then looking for the right tools to support that strategy.

I don't know about actual "malicious" emails. But when I was a security engineer and looking at countless mail relays - legitimate emails often are in the range of 2-8% of all emails received. Now, this was back in the early days of SPF and DMARC wasn't really a thing. It may be more now with better security around mail routing.
This is an honest question. We used to ask it all the time after cyber training, but never got a solid answer. During training we'd be told all the signs of various attacks, from phishing to elicitation and so forth. Yet every day we'd also get multiple legitimate emails from within our organization and leadership that had all the earmarks of some sort of attack. Such as requirements to click a link and enter some data. I'm not talking about attempts to fool us, but actual directives from management. Someone always reported it and we'd get another email from IT that it was legit and to do what it says, or it would come down verbally from management to do what the email said.

So, given that, our question still is, "How do you tell the difference between phishing or elicitation and a legitimate direction from management?"
 
Old 04-16-2024, 06:46 PM
 
15,528 posts, read 7,559,449 times
Reputation: 19430
Quote:
Originally Posted by tnff View Post
This is an honest question. We used to ask it all the time after cyber training, but never got a solid answer. During training we'd be told all the signs of various attacks, from phishing to elicitation and so forth. Yet every day we'd also get multiple legitimate emails from within our organization and leadership that had all the earmarks of some sort of attack. Such as requirements to click a link and enter some data. I'm not talking about attempts to fool us, but actual directives from management. Someone always reported it and we'd get another email from IT that it was legit and to do what it says, or it would come down verbally from management to do what the email said.

So, given that, our question still is, "How do you tell the difference between phishing or elicitation and a legitimate direction from management?"
If you hover over the links without clicking, you can see if they go to a company site. If you hover over the link and it says "evilisus.co m/takeoveryourpc" (space added so this doesn't become a link) and you don't work for evilisus, then it's probably a phishing attempt. Look at the return email address. Is it a company address? If not, probably not legitimate.

Do you know the sender of the email? Are they trustworthy? Could still be a phishing attempt.

Is the email offering massive discounts on Apple products? Absolutely a phishing email. I never clicked on one of those because I don't like Apple.

Your company probably has a guide to what phishing looks like. Check it out.
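The hover-and-check advice in the post above (does the link target belong to a company domain, is the return address a company address) written out as a small allowlist check. This is an added example, not code from the thread or from any poster; the company domains, link targets and sender addresses are constructed placeholders on the reserved .example TLD. It also shows why the tempting shortcut, "does the company name appear anywhere in the link", is the wrong test: the company domain can be tucked into the path, the userinfo part before an @, or the front of a longer attacker-owned hostname.

```python
"""Allowlist check for link targets and sender addresses.

Added example for the hover-and-check advice; not from the forum thread.
All domains and addresses below are constructed placeholders.
"""
from email.utils import parseaddr
from typing import Optional, Iterable
from urllib.parse import urlsplit

# Constructed: the domains the hypothetical company actually owns.
COMPANY_DOMAINS = {"company.example", "company-portal.example"}


def _under_trusted(host: str, trusted: Iterable[str]) -> bool:
    """True if host equals a trusted domain or is a subdomain of one.

    Comparison is label by label from the right, so
    "company.example.evil-placeholder.example" is NOT under "company.example".
    """
    labels = host.lower().rstrip(".").split(".")
    for domain in trusted:
        want = domain.lower().split(".")
        if len(labels) >= len(want) and labels[-len(want):] == want:
            return True
    return False


def link_hostname(url: str) -> Optional[str]:
    """Return the hostname a browser would actually connect to, or None.

    urlsplit().hostname drops the userinfo ("company.example@...") and the
    port, and lowercases the result. Non-web schemes return None.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return parts.hostname or None


def is_company_link(url: str, trusted: Iterable[str] = COMPANY_DOMAINS) -> bool:
    """The hover check: does the real target sit under a company domain?"""
    host = link_hostname(url)
    return host is not None and _under_trusted(host, trusted)


def is_company_sender(header_from: str, trusted: Iterable[str] = COMPANY_DOMAINS) -> bool:
    """The return-address check, on the address part of a From: header.

    parseaddr() separates the display name from the address, so a display
    name that merely looks like a company address does not count.
    """
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return False
    return _under_trusted(addr.rsplit("@", 1)[1], trusted)


def classify_link(display_text: str, href: str, trusted: Iterable[str] = COMPANY_DOMAINS) -> str:
    """Combine the hover check with a visible-text vs. real-target comparison."""
    if not is_company_link(href, trusted):
        return "suspicious: target is not a company domain"
    shown = link_hostname(display_text) if "://" in display_text else None
    if shown is not None and shown != link_hostname(href):
        return "suspicious: visible URL differs from actual target"
    return "ok: company domain"


if __name__ == "__main__":
    # Constructed sample links, the kind a hover tooltip would reveal.
    samples = [
        "https://intranet.company.example/login",
        "https://company.example.evil-placeholder.example/login",
        "https://company.example@evil-placeholder.example/login",
        "https://evil-placeholder.example/company.example/login",
        "https://notcompany.example/login",
    ]
    for url in samples:
        print(f"{'company' if is_company_link(url) else 'NOT company':12} {url}")
    print(is_company_sender('"it@company.example" <alerts@evil-placeholder.example>'))
```

The check is an allowlist, so a lookalike such as a misspelled company name is flagged simply because it is not on the list; the list itself has to be maintained by the people who know which domains the company (and its contractors) really use, which is the gap the later posts in this thread complain about.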
 
Old 04-16-2024, 07:48 PM
 
1,096 posts, read 585,167 times
Reputation: 1838
Quote:
Originally Posted by clevergirl67 View Post
We were told to handle any suspect email as "Phishing" or "Junk" using the Report buttons that Outlook already has built in, and that is then routed to the proper IT person to decide if the sender should be blocked.
I have that button but it never worked before. Whenever I clicked it, I'd get an error message. Needless to say, after yesterday's episode, IT was very quick to fix it.

Quote:
Originally Posted by joe from dayton View Post
I forget what the number is, but we are hit with thousands of malicious emails per day. Our IT department encourages us to forward any suspicious emails to them, or to simply delete them. Depending on what it is depends on what I do.
I used to forward suspicious emails to IT, prior to our current IT manager coming on board, and was usually thanked for it. Today I was told that forwarding suspicious emails is bad protocol. Perhaps when they changed it from "thanks for doing this" to "never, ever do this or you'll be punished," we could have been notified...
 
Old 04-16-2024, 09:29 PM
 
12,874 posts, read 9,101,024 times
Reputation: 35011
Quote:
Originally Posted by WRM20 View Post
If you hover over the links without clicking, you can see if they go to a company site. If you hover over the link and it says "evilisus.co m/takeoveryourpc" (space added so this doesn't become a link) and you don't work for evilisus, then it's probably a phishing attempt. Look at the return email address. Is it a company address? If not, probably not legitimate.

Do you know the sender of the email? Are they trustworthy? Could still be a phishing attempt.

Is the email offering massive discounts on Apple products? Absolutely a phishing email. I never clicked on one of those because I don't like Apple.

Your company probably has a guide to what phishing looks like. Check it out.
Thank you. Typically we'd know the sender's organization but still ... A lot of them were either training or surveys provided by contractors. They were legit companies, but a lot were in the style of "Your management has tasked us to (gather the following information/provide the following training/etc); please use the link provided ...."

We'd get guidance down to "do not click on survey links" then not long after get management direction that "participation is below acceptable levels on the following survey/please go take the survey."