the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work!

Reply to the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! on Sat, 30 May 2026 19:41:42 GMT

monkee@other.li — Sat, 30 May 2026 19:41:42 GMT

@fishidwardrobe@mastodon.me.uk @0xabad1dea@infosec.exchange beautiful

Reply to the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! on Thu, 28 May 2026 10:17:22 GMT

[[global:guest]] — Thu, 28 May 2026 10:17:22 GMT

@0xabad1dea
Here I go on a tangent about CEO gifts.

A couple years ago, a now EX-CEO proudly announced his amazing Christmas bonus for everyone.

"It will be more personal than cash!"

Yay, a disappointing box of borrel snacks, we thought.

Somehow, our team's expectations weren't low enough. Cheap corporate merch; a hoodie, a travel coffee mug, and an umbrella. They really GET ME.

So yeah, I'll bet that phishy present will be garbage anyhow.

Reply to the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! on Thu, 28 May 2026 10:13:36 GMT

[[global:guest]] — Thu, 28 May 2026 10:13:36 GMT

@0xabad1dea I think about this so much at this time of year because I help run a car show and my job is to get everyone to register their cars and pay their entry fees. I've learned that most car enthusiasts are not very tech savvy.

We have a limited time to do this and I'm coordinating hundreds of people. Here I am sending them progressively urgent emails, text messages, and occasional phone calls reminding them to confirm something, update their information, and pay their fees.

My first thought: If someone sent me these messages, I'd delete them because they look like scams.

My second thought after almost everyone does exactly what I ask them to do: "Oh shit, I'm conditioning all of these people to fall for scams."

Reply to the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! on Thu, 28 May 2026 10:09:22 GMT

[[global:guest]] — Thu, 28 May 2026 10:09:22 GMT

@0xabad1dea then there's ones from banks, government things, big brands etc.

Reply to the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! on Thu, 28 May 2026 09:55:44 GMT

[[global:guest]] — Thu, 28 May 2026 09:55:44 GMT

@0xabad1dea our phishing training started with an unannounced mail from the training site with a button saying "click here".

we were expected to click on it, to access the training.

Reply to the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! on Thu, 28 May 2026 09:38:17 GMT

[[global:guest]] — Thu, 28 May 2026 09:38:17 GMT

phishing training really doesn’t spend enough time on “how to structure your mass corporate communications in such a way that your employees won’t conclude that you communicate exactly like scammers and still expect a reply so they’d better assume scammy emails are legitimate”

Reply to the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! on Thu, 28 May 2026 09:37:12 GMT

[[global:guest]] — Thu, 28 May 2026 09:37:12 GMT

@0xabad1dea Every few months, it seems, we get email at work from an address we've never seen before, along the lines of "log into the new HR portal at [dodgy external address]", signed "HR department". Nothing to connect it to this specific employer, no names, etc. Every time I report it as obvious phishing. Every time it turns out the great and powerful overlords have signed a new contract with an even dodgier provider.