Wednesday, January 17, 2018

So much for that test...

So, yesterday afternoon I received a phishing scam in my inbox.

Problem is, it was a fairly convincing one: the email address had been spoofed and looked more-than-reasonably legitimate, the text was clear and simple and didn't have a lot of typos (some, but not many, and nothing that was obviously a non-native English speaker). The only real "tell" was that if you hovered over the link, it went to something random and definitely not anywhere on our site/network.

And I looked at that and thought, "Holy hell! If I got this, then other people are getting it too, and it's too good - somebody's going to fall for it." So I immediately stopped what I was doing, and composed a warning by forwarding the thing with the link removed and a big note at the top that said:

This is not from Information Technology. This is a phishing scam.
Do not click on the link, do not fill anything out. If you already did, please contact the help desk immediately.

Being the good little IT person that I am, I sent the warning to everybody in the organization.
...And immediately got a visit from the Director of IT, because apparently this was a test they were running on the IT staff and I'd just spoiled it.

I make no apologies for this.


  1. Yeah, seems to me that you acted appropriately. At the very least, I'd say you passed their test.

  2. I passed it so hard I broke it!

    Yeah, it was more funny than anything else (especially since they should have seen it coming). But nobody was demanding apologies, and I got a "good job" for it this morning.

