theayn wrote:
People who can't (or perhaps won't) learn.
I work in cyber security. It's my job to keep the bad guys out of my hospital's network. As part of that we provide continuous education on the latest scams, how to recognize a phishing email, or a bad URL, all the basics. We test people, and re-train if they don't get it. We've also got automated systems to keep most of the bad stuff out to begin with.
Today I see a phishing message has got through our filters, and of the 400 employees who got the message, 6 tried to click the link (to a fake version of a major Canadian telco's website) before the security software started to pull the message out of people's inboxes. A limitation of the software is that it can't pull a message you've already opened, so those 6 people still have it. Each of them got an error message when they clicked the bad link, explaining that it was a phishing site and had been blocked for their safety. Five of them were OK with that.
Contestant number six calls to complain about the blocked site. I explained why it was blocked. I showed him how he should have recognized that the site was faked (he passed his test on this just four weeks ago), I showed him how he should have recognized the email was fake (same test, same time), I referenced the specific training material he'd seen to teach him that, I told him directly that the link would only take him to a fake login page to steal his username and password, and I pointed him to the real website if he thought he needed to go to it.
Some of this stuff is pretty hard to catch; I've had one or two fool me as well. But when the expert is on your screen and in your headset showing you exactly where the tells are, you'd believe him, right?
This guy's response: "the email says I should use their link".
I'm convinced that some people are too stupid to be let out of their own homes unsupervised.
This thread is surprisingly therapeutic. Thank you for letting me vent.
The IT department at the school district I work for does regular training on cybersecurity, and occasionally sends out test emails. If enough people in any one department fail the test, the entire department has to be retrained.
One time, about a week after a district-wide cybersecurity training, an email from IT went out telling us to "claim our account". Except, it didn't come directly from IT, but rather from "noreply{at}rapididentity{dot}com". NO ONE clicked through. Even our CFO refused, and wouldn't do it until the head of IT was physically in her office to watch her click it. IT got all pissy because they were setting up this new login portal to simplify things for the users, but the users weren't claiming their accounts. They had to send out another email from their account telling everyone that emails from that address were safe.
They taught us well.
People still screw it up, though.