Sometimes I wonder whether all this “security awareness training” has any effect at all.
I had a coworker that had the best strategy about phishing emails.
He just never read his emails.
It is compliance theater.
I report suspected phishing emails… And meeting requests with links from people I don’t know, and culture surveys with external links, and ‘subscription’ emails from services used in our stack, any ‘surprise’ email with an attachment… I’ve set up rules that automatically forward emails from specific senders directly to security.
Don’t tell an autist that you want them to be paranoid about phishing unless you’re ready for the consequences.
My work literally just says “report it to IT”, no other instructions. Like, do we put in a ticket? Email the entire group? Send a Teams message? Walk over there and start talking about how it’s weird that the CEO wants my specific login to help him with his major issue? We have SOPs that outline every specific step you take so anyone can just blindly follow and do it, yet there’s not even a statement on how they want it reported.
I forwarded the one phishing attempt I received before we were warned, and there was zero response from them. So I’ll just continue deleting them and moving on with my day.
Honestly, that’s kind of odd. It does absolutely make sense to have some procedures established and communicated.
Do you consult people with a psych or education background for your trainings? If not then no, I guarantee you your training does not work. Even if you did consult someone, it’s a coin toss on whether you consulted someone who really knew how to design it. Vomiting out info on an online training is a really good way to get it all ignored.
Sometimes the report button doesn’t show up on Outlook at my job :(
I just leave it untouched or immediately trash it without opening it. No need to report it, a billion more from completely different addresses will just keep coming in.
The fact we even continue to use this deeply, deeply flawed protocol is just begging for trouble. End email now!
Seconding the thread of folks being like, “I gotta do the training anyway so fuck it,” BUT I did think it was very funny that frequently after sending out a phishing test or whatever, this would be followed up with an email requesting the security training, and invariably a bunch of people would report THAT.
I report all the emails from my security team
Anything from IT gets immediately reported as phishing.
It’s really funny when I do it to their phishing training reminders