I quit reporting any emails at my job. Reported one from an outside source once, but it wasn’t technically a phish. So I received mandatory online safety courses for “wrongly reporting a phishing scam”. Which was the same courses I was already forced to take a few months prior. I was pissed.
I safely opened an obvious phishing mail to see the tactics they employed - not realizing our company signed up with a company to “test” its employees. I was then required to attend mandatory phishing training - I refused on the grounds that I didn’t fall for the attempt. The “you must attend by” date came and went and I never heard anything more about it from IT. I, too, was pissed.
My favorite thing now is to report mails from the head of IT as phishing emails (e.g., “…we are seeing an increase in phishing attacks around this rando topic. Click here to learn more…”). Test me once, shame on me…
That’s gotta be one lazy IT team or a terrible training firm, if they’re expecting training to “solve” phishing, at the cost of causing security fatigue on users.
What a terrible policy.
In my firm, we never raise a fuss over someone suspicious of phishing, because it’s our job, not theirs.
If anyone was actually reporting so much that it’s impacting firm time, yah don’t sign them up for training, we just talk to them.
I quit reporting any emails at my job. Reported one from an outside source once, but it wasn’t technically a phish. So I received mandatory online safety courses for “wrongly reporting a phishing scam”. Which was the same courses I was already forced to take a few months prior. I was pissed.
My workplace thanks us for reporting pretty much anything. What your place is doing is making people too scared to report. Smort.
I safely opened an obvious phishing mail to see the tactics they employed - not realizing our company signed up with a company to “test” its employees. I was then required to attend mandatory phishing training - I refused on the grounds that I didn’t fall for the attempt. The “you must attend by” date came and went and I never heard anything more about it from IT. I, too, was pissed.
My favorite thing now is to report mails from the head of IT as phishing emails (e.g., “…we are seeing an increase in phishing attacks around this rando topic. Click here to learn more…”). Test me once, shame on me…
This is the way. There’s nothing more important than security, can’t be too safe.
Are you kidding me? I would kill for a user base that over reports.
Better that than the guy who downloads
taxformpdf.exe
and runs it without a second thought.Your security team sucks. Users should be encouraged to report anything sus, even if it occasionally results in a false positive.
That’s gotta be one lazy IT team or a terrible training firm, if they’re expecting training to “solve” phishing, at the cost of causing security fatigue on users.
What a terrible policy.
In my firm, we never raise a fuss over someone suspicious of phishing, because it’s our job, not theirs.
If anyone was actually reporting so much that it’s impacting firm time, yah don’t sign them up for training, we just talk to them.