Thursday, May 30, 2024

Interesting security idea

Actually, it's a breath of fresh air:

A Google security bigwig has had enough of federally mandated phishing tests, saying they make colleagues hate IT teams for no added benefit.

Matt Linton leads Google's security response and incident management division. Tasked with rolling out phishing exercises every year, he believes tests should be replaced by the cybersecurity equivalent of a fire drill.

Today's phishing tests more closely resemble the fire drills of the early days, which were more like fire evacuation drills – sprung upon a building's residents with no warning and later blaming them as individuals for their failures.

Yeah, that's about right.

Linton's idea of a possible alternative is considerably different compared to the tests office workers have become accustomed to over the years.

Hello! I am a Phishing Email.

This is a drill - this is only a drill!

If I were an actual phishing email, I might ask you to log into a malicious site with your actual username or password, or I might ask you to run a suspicious command.

You can learn more about recognizing phishing emails at and even test yourself to see how good you are at spotting them. Regardless of the form a phishing email takes, you can quickly report them to the security team when you notice they're not what they seem.

To complete the annual phishing drill, please report me.

Thanks for doing your part to keep

A. Tricky. Phish, Ph.D

This seems like a much more productive approach, IMHO. Which means that it will be ignored by The Usual Suspects.


SiGraybeard said...

In my experience, Google isn't the problem. Gmail does a pretty good job of keeping crap out of my inbox. The only problem I have is one or two people whose domain gets them thrown in the SPAM bucket.

The problem is my "main" email ISP, which comes from a large cable company whose name, ironically, is extremely reminiscent of the word rectum. It's just misspelled slightly. They have a trash box online that I have to log into to check. It regularly gets valid emails thrown into it, along with things they deliver to me most of the time.

I get at least a dozen emails a day that are obvious frauds and attempts to steal ID.

Kurt said...

Several firms have interactive videos that walk people through spotting phishes, and while some are better than others, they are all much better than playing gotcha with an email out of the blue.

Some are even free - I am at home and don't want to spend time searching, but a few minutes on your search engine should reveal them.


Richard said...

And how would we know that the link in the example email isn't itself malware of some sort? I would immediately delete such an email. Anybody that clicks the link fails the test. Perhaps that was your intent, but if not, think of the likely response by the bad guys.

STxAR said...

I remember the gotcha emails when I was a corp IT field service drone. After that, I flagged every info-sec email as phishing for at least a month. "Thank you for noticing and reporting the phishing email" would be marked phishing. The "end of test" email and everything else they sent until I got too busy to remember that I was flagging their output.