• Echo Dot@feddit.uk
    11 days ago

    I’ve sent out a fake scam message at work and always have at least two or three clicks. No matter how many times you tell people, there’s always a few that just can’t get it through their skulls.

    Even if I make it super obvious, with spelling errors, poor grammar, and “do the needful” written at the end, they still click the goddamn link. Some people just need to have their internet access restricted for their own good.

    • Tehdastehdas@piefed.social
      11 days ago

      Sounds more like bad browser programming if it can’t handle all content safely. Any risky action should pop up an administrator password query to activate.

      • Evil_Shrubbery@lemm.ee
        11 days ago

        … admins and/or CISOs (i.e. employees) send such emails to other employees regularly as an additional form of cyber security education. It’s a controlled environment. (And you can’t really proof against social engineering irl anyway, you just gotta educate folk.)

        Regularly educating employees is often even mandated by law directly (financial, public, etc sectors), or by any normal risk officer.
        This usually includes lectures/vids/slideshows, questionnaires (mandatory for all), and irl testing/running scenarios.

        Much like how to deal with anything regarding personal data.