Phishing Tests
May 6, 2022 11:53 AM
MeFite IT people: My IT department sends out email phishing tests. My instinct forever has been to just ignore anything that looks scammy. On the scale of “clicking the link” to “dutifully sending a screenshot to the Helpdesk”, where does “ignore” fall on the scoring matrix?
Have they deployed a Report Phishing function in your email client or anything like that? If so, hit that button on it and get your good-drone prize like mine gives me. If not, just ignore and delete.
posted by deezil at 12:00 PM on May 6, 2022 [4 favorites]
For what it's worth, I immediately forward each such email to the Security department. It's a combination of maximizing my productivity and letting my passive-aggressive personality shine through. The Security folks haven't told me to do anything different.
On preview, my (now retired) boss had to take such phishing training because of the rationale that fedward mentioned.
posted by forthright at 12:01 PM on May 6, 2022 [6 favorites]
Failure, in my company. Our explicit policy is to forward anything suspicious to our Help Desk. If you don't, even if you delete it, you fail the test. I failed one this way once and almost didn't get a raise because of it.
posted by kevinbelt at 12:21 PM on May 6, 2022 [2 favorites]
Report the phishing tests. Ignore/delete the real-world ones, or report them. But they're trying to train you to report, so ignoring won't get you any credit.
My company's phishing tests all tend to come through a handful of fake domains they set up, so I created some Gmail filters to tag those messages so that I'll remember to use our in-house reporting tool. Seven years into this job, I haven't mistakenly clicked through and failed a test.
posted by emelenjr at 12:31 PM on May 6, 2022
on slow days when i am feeling mischievous i flag emails obviously sent by company leadership as phishing emails.
plausible deniability:
- company comms broadcast out to the rank and file often use a SaaS tool with a weird name, and the emails appear as sent from the tool's domain, not the company name, requesting the employee to click links for a "company" "survey". hence: obviously phishers who have a person on the inside
- some successful fraudsters are sophisticated, and instead of spamming typo-ridden "your package is on its way, click here to redirect" to everyone, they will send a single targeted email to joe in accounting masquerading as one of the company execs and requesting that payment of an invoice to a "vendor" be expedited...
posted by are-coral-made at 12:45 PM on May 6, 2022 [11 favorites]
> My company's phishing tests all tend to come through a handful of fake domains they set up, so I created some Gmail filters
phishing training emails sent out from some phishing training product often have special headers attached to the email with names like "x-somebrand-phishing-training" to subtly identify them, outlook can show you these headers if you inspect an email and it also supports creating rules to filter them and moving them into a special folder ("report-these-to-security")
posted by are-coral-made at 12:49 PM on May 6, 2022 [5 favorites]
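One way to implement the two filters described in this thread (a training-product marker header, and a short list of simulation sender domains) and route matches to a "report-these-to-security" folder. This is an added example, not code from the thread or from any training product; the header pattern, the domain list and both messages are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed placeholder domains; replace with the ones your own program uses.
KNOWN_SIMULATION_DOMAINS = {"training-mailer.example", "surveys-example.test"}

# Header names shaped like "x-<brand>-phishing-training", as described in the thread.
SIMULATION_HEADER_RE = re.compile(r"^x-[a-z0-9-]+-phishing-training$", re.IGNORECASE)

def classify(raw_message: str) -> dict:
    """Say whether a raw RFC 822 message carries simulation markers and where to file it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    # 1. Any header whose name matches the training-product pattern (case-insensitive).
    for name in msg.keys():
        if SIMULATION_HEADER_RE.match(name):
            reasons.append(f"header {name}")
    # 2. From-address domain on the known simulation list.
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain in KNOWN_SIMULATION_DOMAINS:
        reasons.append(f"sender domain {domain}")
    is_sim = bool(reasons)
    return {
        "is_simulation": is_sim,
        "reasons": reasons,
        "folder": "report-these-to-security" if is_sim else "INBOX",
    }

# Constructed sample: a simulation message carrying a training header.
SAMPLE_SIMULATION = """\
From: IT Helpdesk <helpdesk@training-mailer.example>
Subject: Action required: password expiry
X-SomeBrand-Phishing-Training: campaign-42

Your password expires today; follow the link to keep your account active.
"""

# Constructed sample: an ordinary internal message with none of the markers.
SAMPLE_NORMAL = """\
From: Alice <alice@corp.example>
Subject: Lunch?

Noon?
"""
```

Real simulations may carry neither marker, so a match here is a reminder to use the in-house report button, not a substitute for reporting whatever else looks suspicious.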
Our IT department sent out some phishing test emails that appeared to come from our organization's domain. The unintended consequence was that people were then ultra suspicious of all kinds of legit emails from IT Services, and then would just delete them. Not infrequently, we now receive IT Services emails that start, "This is a legitimate email--please do not delete!" Ha.
I just report everything that seems suspicious now, just in case. Not because I care about passing the phishing tests, but because now I'm suspicious of everything. If something is actually legit, I want to know that I should fish it back out of my deleted emails folder and do something about it.
posted by hurdy gurdy girl at 5:48 PM on May 6, 2022 [5 favorites]
Counter example from a giant company. I'm in charge of email for a company whose users get 1.2+ billion messages sent to them annually. I don't run the phishing tests but they are in a sibling org. Somewhere in the neighborhood of 70-80% of mail never gets opened. I don't know what the phishing people's explicit thoughts are on people who don't fail but also don't report. However, I know that enough people do actively fail the test that they have more than enough work following up with those people.
posted by mmascolino at 8:20 AM on May 7, 2022
posted by fedward at 11:59 AM on May 6, 2022 [10 favorites]