I’m 100% so far at my job, but we had one test that tricked somewhere around 30% of employees. They spoofed everyone’s supervisor and made it look like an urgent Teams message was pending.
Usually, if you get phished you lose your bonus. They made an exception that one time.
Phishing simulations should be about educating employees, not punishing them. Train them on what they missed and if training material is available check where it might be lacking. Nobody learns from having their bonus taken away. It also only serves to stimulate a culture were people prefer not reporting possible security issues they might have caused, in order to avoid further pay cuts.
If someone is consistently falling for phishing emails (real, or from the IT department), shouldn’t that person eventually be fired? Isn’t that a punishment?
If there is neither a punishment nor a reward, what is the incentive to learn? Some people may not need one. Many others do.
I agree that a single failure resulting in the loss of significant income might be harsh, but I think there needs to be a way to convince people to take the issue seriously, and a punishment of some kind is therefore always warranted (e.g. eventual firing).
You can balance out the issue by creating a reward system as well, e.g. if you report all of the test emails sent to you in a year (i.e. not just ignore them), your bonus is increased by X% or something. Similarly, if you report an actual phishing email, your bonus is increased by some percent, even if you initially fell for it. I think it is possible to foster a consciousness and honest culture, with a system that includes punishments.
I dunno…If you’re in a position to get a bonus, you should be smart enough to not click on random links and enter your work password.
I am extremely pro-worker but I would be fuckin pissed if an employee so easily gave a potential hacker access to our systems and that’s what the test is for
They tried a similar one on me once. Sent a email saying my boss (by name) sent me a virtual gift card. I immediately knew it was one of their “phishing tests” as my boss is a giant douche who would rather take the time to throw me under a bus than do anything that nice.
I’m 100% so far at my job, but we had one test that tricked somewhere around 30% of employees. They spoofed everyone’s supervisor and made it look like an urgent Teams message was pending.
Usually, if you get phished you lose your bonus. They made an exception that one time.
You lose your bonus? What basement-dwelling neanderthal executive came up with that hogwash?
To be fair, my job involves very sensitive medical data. We’ve seen entire businesses shut down because of data breaches.
Phishing simulations should be about educating employees, not punishing them. Train them on what they missed and if training material is available check where it might be lacking. Nobody learns from having their bonus taken away. It also only serves to stimulate a culture were people prefer not reporting possible security issues they might have caused, in order to avoid further pay cuts.
If someone is consistently falling for phishing emails (real, or from the IT department), shouldn’t that person eventually be fired? Isn’t that a punishment?
If there is neither a punishment nor a reward, what is the incentive to learn? Some people may not need one. Many others do.
I agree that a single failure resulting in the loss of significant income might be harsh, but I think there needs to be a way to convince people to take the issue seriously, and a punishment of some kind is therefore always warranted (e.g. eventual firing).
You can balance out the issue by creating a reward system as well, e.g. if you report all of the test emails sent to you in a year (i.e. not just ignore them), your bonus is increased by X% or something. Similarly, if you report an actual phishing email, your bonus is increased by some percent, even if you initially fell for it. I think it is possible to foster a consciousness and honest culture, with a system that includes punishments.
I dunno…If you’re in a position to get a bonus, you should be smart enough to not click on random links and enter your work password.
I am extremely pro-worker but I would be fuckin pissed if an employee so easily gave a potential hacker access to our systems and that’s what the test is for
My understanding is that the phishing awareness mail is part of the training, and NOT a test. But company culture varies of course
I can only imagine how frustrating it would be to get a financial punishment for clicking on links.
They tried a similar one on me once. Sent a email saying my boss (by name) sent me a virtual gift card. I immediately knew it was one of their “phishing tests” as my boss is a giant douche who would rather take the time to throw me under a bus than do anything that nice.