A simulated phishing email emulating anti-phishing training...
Evil doesn't play a part in this equation. That implies a phishing program is designed to "get you" and not help you. This is no more evil than fire-team training the U.S. Marine Corps go through.
The malicious actors really don't care about your feels, and in order to condition/train individuals properly you need to utilize the same tactics that they are going to use... otherwise your security program is literally checking a box, and nothing to do with actual hardwning your userbase.
@White_Rabbit @0x56 has this type of phishing attack been observed in the wild? Cause if it's actually occurring, then it's appropriate to include in training.
If this is purely hypothetical then it sucks. Neither evil nor brilliant, just pointless and aggravating.
I promise you, someone has done this somewhere. I have no proof currently, but there's no doubt in my mind that it has occurred.
The funniest thing to me is when "good" people think they are more clever than career criminals and state-sponsored actors.
@White_Rabbit the goodwill of ppl being trained is a precious resource tho and this type of training by its very nature erodes that goodwill. Clever tricks like emulating anti-phishing training to simulate a theoretical phishing attack are not worthwhile for the vast majority of trainees.
@White_Rabbit those leverage fear of punishment and greed. They're much better imo.
@0x56 I'm gonna stick with "meh".
Phishing disguised as anti-phishing training lacks the emotional hooks that characterize good scams/tricks. What emotion does this actually leverage? Fear of not completing an assignment? Annoyance? All thoroughly mid as far as motivators go.
@White_Rabbit @0x56 I should be clear I'm assuming we're talking about training for like xerox or citibank employees and not national security stuff.
I choose to disagree. If I were a malicious actor phishing anti-phishing simulations would payout two-fold.
1) Compromising the effectiveness of your phishing program, even if you are doing it "right" -- may help for future phishes if I am targeting you
2) If your company has a phishing program you likely will let your guard down and trust the message as it is relevant to you.
Both fear and anger are used in a phishing simulation phish. Fear you got caught, or angry you got accused of being caught. Annoyance works too, that's an emotion very easy to manipulate (associated with anger), take a look at the firehose
@White_Rabbit engaging in this microcosm of a much wider security debate is peak coso but I will not be taking a look at the firehose lol I don't need that kinda drama.
@White_Rabbit @Expecting_Words @0x56 One of my most effective phishing samples was: "Building facilities here, we found mold in your workspace! Contact us on this 'internal' form to arrange cleanup!"
@Expecting_Words @0x56
Which is why they will use it.
Here are some similar tactics utilized in the real world and have been involved in real compromises:
-Sending yearly bonus information in the 4th quarter
-Sending training/education emails also during 4th quarter (most companies do theirs around November)
-Disciplinary action being taken, click here (this is good year round)