rose-knuckle17 | 4 months ago

My university routinely sends notifications about required annual phishing training that violate almost every point in the training about how to avoid getting phished. It's been happening for years. Urgency. Appeals to authority. Grammatical errors. Mystery click-me links that go outside the domain to training service providers that we do not use in any other context. References to alternative ways to get to the training that don't work.

I've reported it multiple times over the last few years but our IT security team blows off the concern, insists that I follow the link, and changes nothing. And no, it isn't just them testing people to see if they will fall for it. I am also in a position to see the tracking reports and be in meetings where expectations are discussed.

Our program is explicitly training people to get phished.
