As developers, we quickly discovered that all the emails had a metadata header in them which identified them as a phishing test, so we set up a filter for it so every email since is clearly coded with a bright red "Phishing test!" label.

[–] toynbee@lemmy.world 71 points 2 weeks ago (2 children)

... You must be one of my co-workers. Except that we just delete ours rather than labeling them.

[–] tiramichu@sh.itjust.works 79 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

We needed to label them because the requirement was not only that we don't click them, but that we use the "report phishing" function on them.

Also some of them were pretty funny.

[–] ViatorOmnium@piefed.social 9 points 2 weeks ago (2 children)

Was it hoxhunt? It's a bit spammy but they seem to push for a more gamefied approach over collective punishment.

[–] tiramichu@sh.itjust.works 19 points 2 weeks ago

Not in my case, no. The content was completely custom to the organisation. I assume they were big enough that they felt like a lot of the risk would come from coordinated spearphishing carefully crafted to look like genuine corp email.

[–] Aviandelight@mander.xyz 4 points 2 weeks ago

I fucking hate hoxhunt. Just let me send shit to the junk folder and ignore it.

[–] ook@discuss.tchncs.de 4 points 2 weeks ago (1 children)

Aren't you supposed to report them though

[–] toynbee@lemmy.world 3 points 2 weeks ago

In my case, the phishing tests originated with the organization that owns my employer, rather than within my employer itself. Our email states are entirely distinct so, while we can report the emails, no one would ever care.

[–] Dave@lemmy.nz 14 points 2 weeks ago

Where I work they use the microsoft phishing simulation, for which they publish a list of domains they send from.

[–] affenlehrer@feddit.org 13 points 2 weeks ago (1 children)

X-Phish

[–] lessthanluigi@lemmy.sdf.org 2 points 2 weeks ago

My favorite band from 1999

[–] Ephera@lemmy.ml 12 points 2 weeks ago

Here they started doing such phishing tests a while ago and our IT department had significantly worse stats than other departments, in terms of how often we would click on the link in the phishing mail.

And yeah, the conclusion was that we were just being asshats that decided to poke around in the obvious phishing mails for the fun of it. Rather than getting extra security training, management told us to just stop dicking around, so that our stats look better.

[–] slazer2au@lemmy.world 8 points 2 weeks ago

I have the same thing. All the emails come from nova.phishme.com so I have outlook set to mark them as junk so I can "report" the phishing attempt.

[–] dennisnedry@feddit.nu 5 points 2 weeks ago

Thanks for the tip!

[–] brbposting@sh.itjust.works 2 points 2 weeks ago* (last edited 2 weeks ago)

Assuming that’s disabled -

experienced folks can get caught (e.g. maybe waking up before dawn or something)

Can be a good reminder, a little humbling!

[–] Honytawk@feddit.nl 0 points 2 weeks ago

Did it also label real phishing mails?

Because those tests are send out for a reason. And in my experience, developers are some of the worst at cybersecurity.