@cas ffs i hate those trainings. A lot to be said about them. Also I scan QR codes as much as I like pfft (long rant incoming)
Honestly, trainings that just make you "scared about all the danger in the Internets" are bad. They drive the notion that computers are black boxes that cannot be understood (which, yes, is not completely wrong of course but ...). Instead you want users to feel that afterwards they know better and feel more in control:
1. Give them easy options to report mails. Usually your goal is to try for /everyone/ to /never ever/ fall for a phish – which is unrealistic. This way you crowdsource spotting, thus increasing your chances to pull the mail/put out some IoC/block the URL/... and empower users to contribute to overall security.
2. Ensure they're not ridiculed by the IT Dept for asking whether something is a phish; a healthy atmosphere is crucial. They shouldn't feel as if they're a liability but that they can contribute!
3. In the training, don't make them the victims. Either choose someone "up there" as the example victim in any demo or *show the users how it's done*. Prepare some evilginx to 99% done and let the users play "hacker" by doing some finishing touches. This piques interest in the topic and makes them understand much better how this works!
1/x