My classmate just fell for a phishing email from "PayPal."

She was talking about her payment being declined to her friend.

It peaked my attention when she said after logging in, she was lead to a blank page.

I asked if I could see it and it was definitely a phishing email

I will admit, it's one of the most professional phishing email I've ever seen, but the grammar wasn't very professional and the PayPal logo wasn't completely accurate.

Why do these idiots fall for everything?

Dev: *Recieves email from manager with several typos/grammar mistakes asking to open attachment with strange name and click on tinyurl style link*

Dev: *Flags as phishing*

Manager: Hey how come you didn’t action my email?

Dev: That was actually from you?

Manager: Yes.

Dev: …

Got a phishing email with name-pw sent as get parameters so i did what ever respectable human would have

How do I un-idiot my users when it comes to clicking on dodgy email-links??

Got a forwarded email just there from a user who said;

Good afternoon,
Is the below ok to open?
I just tried but got a popup saying I've been blocked from opening it.
I'm not sure who it is coming from and I am not waiting on anything but as it says its from dropbox and is important, i know it's okay.
Can you unblock the link ASAP please?
This is really impeding my work-day as I need to know what it is and act accordingly.
Regards... user.

The Original email came from a random jumble of letters with a subject line of 'important dropbox program' - not only does it look dodgy but its english is horrible! It said;

"Hi tu my freind,

You tu still read a pending verrry important document sent by one of your own contact to be vieweddd.

Install "Highly Confidential english.pdf" by clickinggg here

*insert link leading to something called 'viral-update-trojan.exe'*"

I mean, seriously... help!!! 😢
We have sent emails explaining how to hover over links and to not to click them if it looks wrong.
No one does it.
We hired a company to send fake phishing emails to train users in what to do.
It made no difference!
We now make people 'verify' their email addresses when opening any sort of link to try get them to actually look at what they're opening.
We also strip emails of original attachments and create 'safe' html copies as we can't trust them to look at what they're opening.
Everyone complains about it but Jesus Christ, this is why!!!

Its so exhausting!! What is wrong with people!!! Argh!!! 😤

I’m almost sure it’s a phishing email...

We had a short power outage this morning. 30 min later I got an "urgent" call that someone's "computer" was not working in another branch of our company.

Not one person in that branch could figure this out so after them repeatedly messaging and calling me for around an hour I decided to come over.

I found out that the power wall plug to the monitor has a switch on it which this person accidentally kicked...

I fixed his problem in around 20 seconds. This same employee was one that somehow had his email account previously "hacked" and 8000 phishing emails were sent from his account in 1 hour.

I honestly think it is amazing people like this can even use a computer at all...

Corporate: Phishing Emails are serious. We need you guys to take this awareness training. Please report if you get any suspicious email.

*Sends the awareness training in a format that screams Phishing

Everybody: Wait... is this a test?

The company I work for have this obsession of sending phishing emails to employees. If you report the email you get a message saying good job. If you fail, and you open it you have to have a meeting with your boss and stuff. They do this multible times a week.

So now we have this situation where a lot of important emails get deleted as collateral damage, as the employees are parnoid of opening them. Fantastic system with no flaws at all.🤔🤔

OK I can't deal with this user anymore.

This morning I get a text. "My laptop isn't getting emails anymore I'm not sure if this is why?" And attached is a screenshot of an email purporting to be from "The <company name> Team". Which isn't even close to the sort of language our small business uses in emails. This email says that his O365 password will soon be expiring and he needs to download the attached (.htm) file so he can keep his password. Never mind the fact that the grammar is awful, the "from" address is cheesy and our O365 passwords don't expire. He went ahead and, in his words, "Tried several of his passwords but none of them worked." This is the second time in less than a year that he's done this and I thought we were very clear that these emails are never real, but I'll deal with that later.

I quickly log into the O365 admin portal and reset his password to a randomly-generated one. I set this to be permanent since this isn't actually a password he should ever be needing to type. I call him up and explain to him that it was a phishing email and he essentially just gave some random people his credentials so I needed to reset them. I then help him log into Outlook on his PC with the new password. Once he's in, he says "so how do I reset this temporary password?" I tell him that no, this is his permanent password now and he doesn't need to remember it because he shouldn't ever need to be typing it anyway. He says "No no no that won't work I can't remember this." (I smile and nod to myself at this point -- THAT'S THE IDEA). But I tell him when he is in the office we will store the password in a password manager in case he ever needs to get to it. Long pause follows. "Can't I just set it back to what it was so I can remember it?"

Red flags in your first week of your software engineering job 🚩

You do the first few days not speaking to anyone.
You can't get into the building and no one turns up until mid day.
The receptionist thinks you're too well dressed to work in this building, thinks you're a spy and calls security on you.
You are eating alone during lunch time in the cafeteria
You have bring your own material for making coffee for yourself

When you try to read the onboarding docs and there aren't any.
You have to write the onboarding docs.

You don't have team mates.
When you ask another team how things are going and they just laugh and cry.😂😭

There's no computer for you, and not even an "it's delayed" excuse. They weren't expecting you.
Your are given a TI PC, because "that's all we have", even though there's no software for it, and it's not quite IBM compatible.
You don't have local admin rights on your computer.💀
You have to buy a laptop yourself to be able to do your job.

It's the end of the week and you still don't have your environment set up and running.
You look at the codebase and there are no automated tests.
You have to request access every time you need to install something through a company tool that looks like it was made in 2001.

Various tasks can only be performed by one single person and they are either out sick or on vacation.
You have to keep track of your time in 6 minute increments, assigned to projects you don't know, by project numbers everyone has memorised (and therefore aren't written down).
You have to fill in timesheets and it takes you 30 minutes each day to fill them in because the system is so clunky.🤮

Your first email is a phishing test from the IT department in another country and timezone, but it has useful information in it, like how to login to the VPN.
Your second email is not a phishing test, but has similar information as the first one. (You ignore it.)
Your name is spelled wrong in every system, in a different way. 2 departments decide that it's too much trouble, and they never fix the spelling as long as you work there. One of them fixes it after you leave, and annoys you for a month because you haven't filled out the customer survey.

High quality phishing email.

Email: "we have carried out a phishing test company wide"

Me: Nice!

Email: "results are here"

Me: wow, already done? Didn't even see the email. I must've subconciously discarded it! Damn, I'm good!!

Email: "the test was carried out yesterday"

Me: *was OOO y-day*

Me: fuck

My job sends out emails with things like "You won a prize!" In the subject line with embarrassingly vague reasons to click the links in the email. If you do, the links take you to a site where they slap your wrists for clicking an unknown link and teach you about the dangers of phishing.

It's fake spam. Ironically enough, though, it's the ONLY spam I ever get. It's more annoying than real spam because it never gets blocked by the system like an actual phishing attack would...

It is driving me crazy having to delete these stupid messages every day and they're clogging up my otherwise clean inbox! I don't even know who to contact about this bullshit because they're so "haha we got you!" about it, there's no department claiming responsibility. They're creating their own spam trying to prevent spam. What the hell?

This is the last part of the series
(3 of 3) Credentials everywhere; like literally.

I worked for a company that made an authentication system. In a way it was ahead of it's time as it was an attempt at single sign on before we had industry standards but it was not something that had not been done before.

This security system targeted 3rd party websites. Here is where it went wrong. There was a "save" implementation where users where redirected to the authentication system and back.

However for fear of being to hard to implement they made a second method that simply required the third party site to put up a login form on their site and push the input on to the endpoint of the authentication system. This method was provided with sample code and the only solution that was ever pushed.

So users where trained to leave their credentials wherever they saw the products logo; awesome candidates for phishing. Most of the sites didn't have TLS/SSL. And the system stored the password as pain text right next to the email and birth date making the incompetence complete.

The reason for plain text password was so people could recover there password. Like just call the company convincingly frustrated and you can get them to send you the password.

My university alerts all student and staff any time a phishing email is reported. I've yet to attend one class, and I've received a few dozen emails alerting you of phishing emails being sent. It's sad people can't notice the pattern of the emails, and realize right away "Hey this is a bullshit email" and not rely on the alerts.

It's the 21st century; basic computer competency is a necessity.

Oh no, someone hacked my PayPal account, and it seems... PayPal’s too, they can’t spell properly anymore 😰

So some asshole keeps sending phishing emails to every student and prof in our university and the IT department is too pathetic to block it. They all come from the same email and contain the same text yet they cant filter it and just send warnings not to click it.

Im getting sick of recieving 5 of these a day, i scanned and viewed the page and its just a simple form copying the outlook login page with a redirect to the actual page after submission.

Whats the easiest way to write a script that will spam them with thousands of fake accounts? How can i fuck with these guys?

I'm the only one who keep receiving phishing emails about not existing Netflix subscriptions from evident scam email addresses on a daily basis?
I tend to have more of those than newsletters I never subscribed to.

Come on, man, at least try harder to steal my data or money.

The most annoying hack I've had to deal with was back when I did IT support, actually. Level 1 call center tech at the time. Apparently someone fell for a phishing email and gave out his outlook credentials. The phisher used that email account to send out another phishing email to roughly 1800 employees.

Security Operations noticed, because this guy's job didn't generally involve sending out mass-communication emails. They investigated, figured out what had happened, and opted for the nuclear option: they reset the password for EVERY SINGLE ACCOUNT that received the email. All 1800 of them. Over the weekend.

I walked into the call center Monday morning and checked the call stats, then did a double-take. There were over 300 people waiting in the queue. I almost left and called in sick. Turns out it wasn't that bad though. Annoying to reset so many passwords and having no downtime due to the full queue, but on the other hand my stats were better that day than any other, since every call was a 5-minute password reset.

There is a new phishing site going around called "rogstrike.com" that is being spread by Steam DMs.

Infected asks victim to "vote for their team" and in order to do that, you need to login with steam. The steam login part is sketchy af, litterally spawns a fake new window in the same tab. Doesn't matter what OS you use, it's always Win 10 styled. Lol.

I reported on twitter and via email, i'll see what they will do.

Meme quoting one of our employees who sent in a ticket asking if something was a "phishing technique without the use of email."

Why is it always THIS freaking user??? Yes, this is the same one from my previous rant. ALWAYS emails me with a subject line composed of whatever random, vaguely-related-to-the-topic words happen to be jiggling around in his arsehole at the time of writing, vomited out in no particular order. Email body full of typos, wildly incorrect punctuation, and the actual content is completely nonsensical. Accompanied by a screenshot which is always cropped down so small as to be useless. And from what I can gather from this latest one, it looks like he's fallen for yet another phishing email. I SWEAR if that's what happened again......

So I just got a mail from a bank.
The email address ended with .gmbh

If people want to make phishing emails then please use at least a fucking viable email address

All mail clients are intentionally made not to show sender email address, but rather their chosen name to then launder money on anti-phishing trainings.

A couple of weeks ago my work email got hacked, I found out because he/she was sending phishing mails to yahoo emailaddresses, but they couldn't be delivered because they were marked as phishing.

I've immediately changed my password and turned on two-factor authentication, shared my story with my boss and now we use two-factor authentication for every service where it is possible.

Got a phishing email with a link to a website hosted by wix. The only thing on the site was a form and submit button so I’m sure it’s for collecting credentials. I was able to report them and wix shut it down which was nice. But I was thinking, if someone were to ddos the web server, what action would wix do? Would they let the requests keep coming and increase the customers bill? Or would they just shut down the server?

Second phishing victim of the year.
F*ck our email service provider, the service sucks so much. The deny list DOESN'T EVEN WORK. I'm so fed up with this.

Me: This spam email looks a little weirder than normal.
Phishing team: Its just spam don't waste our time.

*15 min later*

Phishing team: Nevermind. Its trying to take your log in info off your account. Thanks

...Jerks

I just experienced a new level of wut at my job. Web Engineering has a Google group email. This morning someone at work sent us an email about canceling a work order (and he didn’t know how to cancel it)…for a plumbing issue 😑Wrong engineering department, my dude. And you can cancel your work order by going to the request system where you submitted it or the email receipt of you request, which was certainly not to this Google group email. You have the work order number, so you must have an email somewhere about your request. And how’d he get this email?? I’m seriously wondering if this is a weird phishing attempt.