Conversation

Notices

1. Embed this notice
   Rabbit (ra6bit@infosec.exchange)'s status on Thursday, 10-Apr-2025 22:49:36 JST Rabbit

   The "phishing training" industry and practice has lost the plot. You'd be far better off building your security program around the idea that sometimes users get phished than to invest the same money to constantly harass them with phishes that don't even reflect what actual phishes look like.

   We’ve created a type of control which can be bypassed by spelling things correctly, since we've trained people to believe phishes will always be misspelled or come from an obvious domain.

   This is why your company still gets rocked with ransomware from some 14 year old who sends your users a plain looking URL from a gmail account with the subject “You’ve received a Dunkin' Gift Card!”

   KnowBe4 can't save you.

   • Phantasm likes this.
   • Ryan Castellucci :nonbinary_flag: and GreenSkyOverMe (Monika) repeated this.
   • Embed this notice
     Rabbit (ra6bit@infosec.exchange)'s status on Friday, 11-Apr-2025 03:09:46 JST Rabbit

     in reply to

     “But after two years of annoying our users with condescending 'gotcha!' phishing training, our response rate fell from 50% to 20%!”

     Congrats. This will certainly slow me down as an attacker when only 20% of your org gives me their passwords. Good jorb.