Slashdot Mirror


Belgian Government Phishing Test Goes Off-Track

alphadogg writes: An IT security drill went off the tracks in Belgium, prompting a regional government office to apologize to European high-speed train operator Thalys for involving it without warning. Belgium's Flemish regional government sent a mock phishing email to about 20,000 of its employees to see how they would react. Hilarity and awkwardness ensued, with some employees contacting Thalys directly to complain, and others contacting the cops.

58 comments

  1. How many handed their credit card info over? by ASDFnz · · Score: 2

    That is what we really want to know.

    1. Re:How many handed their credit card info over? by paul_metcalfe · · Score: 2

      Enough people believed it was legit to the point they called Thalys. So... looks like they need some more anti-phishing training.

      --
      Always read at -1, don't let others decide what you should and should not read.
    2. Re:How many handed their credit card info over? by Anonymous Coward · · Score: 0

      While it would be nice if people were good enough at recognizing phishing to even escalate stuff to this point, calling the claimed company's customer service to give their poor staff an ear-full is not quite as bad as sending their personal information to wherever the email told them to. We don't know how many people actually did the latter.

  2. But did anyone hit reply-to-all? by thegarbz · · Score: 4, Funny

    I've seen a similar type of system go off the rails, except the company forgot to put the target mailing list in the BCC field. Instead an unprotected mailing list with all 50000 employees was emailed out to everyone, so naturally someone hit reply-to-all.

    After 4 hours of an endless stream of reply-to-all "TAKE ME OFF YOUR MAILING LIST" emails it all quietened down.

    Then the Americans woke up and went to work...

    1. Re:But did anyone hit reply-to-all? by techno-vampire · · Score: 1

      Back when Melissa and The Love Bug came out, I was working at an ISP. You'd be amazed (or maybe you wouldn't) at how many techs sent out emails warning everybody not to click on those emails and how many responded by using reply-to-all. It was quite entertaining while it lasted, especially as I was one of the few people in the company who wasn't using Outlook, meaning that my email client wasn't vulnerable.

      --
      Good, inexpensive web hosting
    2. Re:But did anyone hit reply-to-all? by Anonymous Coward · · Score: 0

      That happened at a company I used to work with, except it was 85K employees. It actually took out our internal email servers. The IT was managed by HP, and they had to put in a global spam filter to stop it.

      A few weeks later, some part of me wanted to hit "reply all" and say I hadn't heard if the original issue had been resolved and what the current status was just to be an ass.

    3. Re:But did anyone hit reply-to-all? by operagost · · Score: 1

      That sounds similar to what happened at Microsoft with the Bedlam DL3 incident.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    4. Re:But did anyone hit reply-to-all? by nitehawk214 · · Score: 1

      Had one of those bouncing around several thousand employees at a company I worked for. I don't even know why they had the mail server configured to allow sending to so many people. Probably laziness on the part of IT.

      It was repeated rounds of "TAKE ME OFF YOUR MAILING LIST" and "STOP HITTING REPLY ALL" (which was reply-alled, of course). And then people ironically sending the same just to piss people off.

      It eventually took threats from someone in senior management to get people to quit it.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    5. Re:But did anyone hit reply-to-all? by Anonymous Coward · · Score: 0

      Happened at a company I worked at too. Provided hours of quality entertainment during an otherwise boring workday.

  3. Can email service providers do more? by Jeremi · · Score: 2

    It seems like relying solely on people's good judgement to figure out which emails are legitimate vs which ones are phishing spam (or worse, spear-phishing spam) is asking for trouble.

    I can imagine email service providers using cryptographic signing techniques to assist the email client in reliably identifying which emails are definitely coming from their boss (or at least, from their boss's legitimate email account) vs which ones are unauthenticated and could have been written by anyone.

    With that implemented, after a few weeks people would grow used to seeing the happy green "sender authenticated" sign at the top of each email from their boss, and if an email came in purporting to be from the boss, but with a big angry red "WARNING -- UNAUTHENTICATED MESSAGE -- MAY BE FRAUDULENT" (or whatever) sign at the top, they'd be less likely to hand over the company jewels without first confirming the email's validity.

    Does something like this exist? If so, it seems like it's not widely used. If GMail/hotmail/yahoo could agree on a method and then start implementing it by default, I think that would go a long way towards reducing the effectiveness of email phishing attacks.

    --
    I don't care if it's 90,000 hectares. That lake was not my doing.
    1. Re:Can email service providers do more? by guruevi · · Score: 2

      How about just rendering everything as text? Avoid rendering URLs or HTML and you'll solve most of the problems.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Can email service providers do more? by Anonymous Coward · · Score: 0

      Yes. PGP does this. Various mailers support it natively or by extension, complete with friendly icons to report on valid or unverified origin. There is a mail standard for such messages, supporting signed, encrypted, or signed and encrypted mails.

    3. Re: Can email service providers do more? by Anonymous Coward · · Score: 0

      They are already working on making this possible; see the End-to-End project by Google https://github.com/google/end-to-endend-to-end ... No release date yet.

    4. Re:Can email service providers do more? by Anonymous Coward · · Score: 0

      In short yes, email sender authentication exists (SPF, DKIM et al.) but requires effort on the part of email senders, which means not everyone does it.

      https://en.wikipedia.org/wiki/Email_authentication#Authentication_methods

    5. Re:Can email service providers do more? by Obfuscant · · Score: 2

      Does something like this exist?

      Many mail clients have provisions for PGP signing of messages. It is one of the options I have set up on my tablet for K9 mail.

      For it to work in a corporate environment, it must be mandated by the company so that everyone does it, everyone must have a client that supports it, keys must exist and be distributed, and only then can everyone rely on an unsigned message being invalid. If your boss forgets to sign a message telling you to do something and you ignore it, you better have a company policy backing you up.

      That puts it in the realm of a social problem, not a technical one. And it does not solve the problem of external sources of email that don't sign anything being the alleged source of the email asking you to "click here" because your train reservation has changed and you need to pay a bit extra.

    6. Re:Can email service providers do more? by Obfuscant · · Score: 1

      How about just rendering everything as text? Avoid rendering URLs or HTML and you'll solve most of the problems.

      There are too many broken email clients that send HTML documents without the correct headers saying it is HTML, so too many broken email clients automatically render messages that LOOK like HTML because that's probably what they ought to do.

      And then you get idiots who think they need to send 50k of HTML for a one-sentence email, and get pissy when you tell them that you don't read HTML and to resend whatever the hell it was in text if they want you to get the message.

      I'm pretty sure that none of the clients I use can be told to completely ignore HTML, not even a text-based client like pine. I used to have procmail strip every "Mime-Version" and "Content-Type" header in incoming email just to force the client to show it as text, but I got tired of dealing with the pissy folks from above.

    7. Re:Can email service providers do more? by Jeremi · · Score: 1

      For it to work in a corporate environment, it must be mandated by the company so that everyone does it, everyone must have a client that supports it, keys must exist and be distributed

      Of course in a non-corporate/general-email environment, all of those things won't happen (or at least, not all at the same time), so there is a big chicken-and-egg problem if we require all of that. Fortunately, I don't think we need to require all of that.

      then can everyone rely on an unsigned message being invalid

      I don't think it is necessary to rely on an unauthenticated message being invalid. An unauthenticated message is just that -- unauthenticated. It might be valid or invalid. If it's something important, the "unauthenticated" flag is an indication to the user that he should verify the message's authenticity using other means (e.g. by calling the boss and asking him about it).

      If your boss forgets to sign a message telling you to do something and you ignore it, you better have a company policy backing you up.

      You wouldn't ignore it, you'd call the boss (or email him) and ask him if he really sent the message you received.

      And hopefully the boss would almost never "forget" to sign an email, because all of his emails would be automatically signed simply as part of the act of sending them from his regular email account.

      That puts it in the realm of a social problem, not a technical one. And it does not solve the problem of external sources of email that don't sign anything being the alleged source of the email asking you to "click here" because your train reservation has changed and you need to pay a bit extra.

      True, you can't fix stupid. But you can at least make it easier for people to see a difference between a known-authentic email and an email of unproven origin.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    8. Re:Can email service providers do more? by cheater512 · · Score: 2

      It's called DKIM.

      The problem is it works very well for boss@company.com but it would also give the green light for boss@c0mp4ny.com if they also used DKIM.

    9. Re:Can email service providers do more? by Anonymous Coward · · Score: 0

      No, it's called S/MIME. Corporate IT can provision keys to employees, keeping a copy for data retention purposes; or, on an internal webmail like Outlook, the server can handle the keys and signing/encryption, although it's usually done client-side. Internal recipients validate against the X.509 cert stored in LDAP or AD or whatever the company is using, and external recipients validate against a signature that they've stored in an address book from a previous mail. boss@c0mp4ny's fake cert gets flagged hard with a giant warning.

      The US Department of Defense uses S/MIME.

    10. Re:Can email service providers do more? by unrtst · · Score: 1

      Two ACs already mentioned GPG/PGP and Google's End-to-End project, but there is a more standardized and widely available option: S/MIME signatures.

      S/MIME sigs have (at least) one "problem"... they require a centralized certificate authority. However, you can get a personal S/MIME cert for free from several of the big CA's: http://kb.mozillazine.org/Gett...

      That said, there are two HUGE problems with expecting this to solve the phishing problem:

      1. Bad email doesn't look bad. You end up with:
      a) email with a valid cryptographic signature (yay, that was definitely my boss)
      b) email with an invalid signature (see item #2)
      c) email without a signature (traditional email). You can't raise a big red flag on every one of these or 99% of your messages will have big red flags.

      2. Messages frequently get tampered with in transit, causing the signatures to fail.
      The primary purpose of cryptographic signatures is to prove that the content was not tampered with and is what that person wrote.
      If the content changes, the email client MUST raise a big red flag. This shows up as MUCH WORSE than something without any sig at all.
      This would be fine, except that lots of things jack with email along the way (spam filters, virus filters, attachment filters, 3rd party servers, exchange sucks, etc). Normally, those won't change things TOO significantly, but just one extra space character or newline between parts and the sig fails. It's very fragile, and since the message isn't some binary blob, servers take apart and re-assemble the message many times along its way.

      The worst part about #2 is that it makes unsigned messages more reliable (in a way). I sign most of my messages, but if I'm sending something important, especially with attachments and to multiple people, I'm now prone to skip signing just to avoid having several important people get very worried about the big red exclamation point on a message saying my message may have been forged or tampered with.

      IMO, S/MIME *should* be the solution (with GPG/PGP as a close second.... others will have those reversed), but we're better off moving to something else if we want that feature, especially now that webmail is so prevalent (ex. gmail)... webmail can't do S/MIME without some client side tie in, which makes it no longer "webmail".

    11. Re:Can email service providers do more? by mwvdlee · · Score: 1

      It exists and it's called DKIM:
      https://en.wikipedia.org/wiki/...

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    12. Re:Can email service providers do more? by quantaman · · Score: 1

      How about just rendering everything as text? Avoid rendering URLs or HTML and you'll solve most of the problems.

      Not going to happen, HTML email is a feature, a feature a lot of people find very useful and will not give up without a big fight.

      --
      I stole this Sig
    13. Re:Can email service providers do more? by 91degrees · · Score: 1

      For it to work in a corporate environment, it must be mandated by the company so that everyone does it, everyone must have a client that supports it, keys must exist and be distributed, and only then can everyone rely on an unsigned message being invalid. If your boss forgets to sign a message telling you to do something and you ignore it, you better have a company policy backing you up.

      I don't see this as a big problem. Most people will use whatever's installed on their machines, because setting up a new client is too much hassle. And surely even Outlook has PGP add-ons.

      To deal with the other issue, we do need extra utility - clients that will automatically sign, and automatically reject and return unsigned emails from addresses with known keys.

    14. Re:Can email service providers do more? by Anonymous Coward · · Score: 0

      How does plain text solve the phishing problem discussed in the article?

      "Hey Mike, I forgot the admin password, can you send it to me?"
      "No, you're clearly a scammer and I know this because our email doesn't include any html!"

    15. Re:Can email service providers do more? by KGIII · · Score: 1

      Are you saying I have no right to control the content on my computer? How odd... If I want to read email in plain text, and I do enforce this and reply only in plain text, then I am going to. That you think I have no right to do so is absurd. I am not obligated to allow any content on my system nor am I obligated to view something in the way which you intended. Fucking moron. Get off my internet. You *are* the problem.

      --
      "So long and thanks for all the fish."
    16. Re:Can email service providers do more? by KGIII · · Score: 1

      Regarding your number 2... Frequently get tampered with in transit? Really? I have, literally, never seen this. I suppose I could be not seeing it because it is done in transit but I never even hear of this happening other than proposals as to why it is a problem. I am subjected to countless spearphish attacks and regular phishing attacks. I still have my *ceo*@tld.com address (when I sold the businesses I was allowed to keep the address as I had used it for personal emails way back when the company was very tiny and no business emails go through it any more). That email gets _everything_ thrown at it. Fortunately, I do not need to manage it but it gets more attack emails than emails of any other type.

      --
      "So long and thanks for all the fish."
    17. Re:Can email service providers do more? by jc42 · · Score: 1

      Regarding your number 2... Frequently get tampered with in transit? Really? I have, literally, never seen this....

      You're lucky there. I see such tampering several times per day, and fixing the problem often takes a lot of time (and sotto voce swearing ;-).

      The reason is that I deal with a lot of data that's "plain text", but is computer data of some sort, not a natural language like English (which is sort of stretching the meaning of "natural", but you know what I mean). Or it's in a human language, but not English, and the character encoding uses some 2-byte or longer characters.

      The simplest example is computer source code. The tampering is often caused by the "punch-card mentality" coded into a lot of email software, which often doesn't allow lines longer than 80 (or 72) characters, and inserts line feeds to make everything fit. Many programming languages consider line feeds to mean something different than a space, usually "end of statement". Inserting a line feed in the middle of a statement thus changes the meaning, and very often introduces a syntax error.

      Even nastier is the munging of a lot of other plain-text data representations that mix letters and numbers. Inserting spaces or a line feed in the middle of a token like "G2EF" usually destroys the meaning in a way that can't be corrected automatically at the receiving end. Usually the way to handle such tampering is to reply to the sender, saying "Can you send me that in quoted-printable or base-64 form?" And you try to teach everyone in the group that such data should always be encoded in a form that's immune to the idiocies of "smart" email handlers.

      Text in UTF-8 form, especially Chinese and Japanese text, is especially prone to this sort of tampering, which often leaves the text garbled beyond recovery.

      Anyway, there are lots of excuses for such tampering with email in ways that destroy the content. It's not always for nefarious reasons; it's just because the programmers only tested their email-handling code on English-language text. And because they're idiots who think that lines of text should never be longer than 80 (or 72) characters.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    18. Re:Can email service providers do more? by KGIII · · Score: 1

      I have never seen that problem or, at least, never attributed that problem to interference in transit or by the client. I had, wrongly, assumed you had meant human interference such as a MITM altering data to insert content for the purposes of evil. I have not seen that either.

      I have mailed and received mail with source in it. It was usually an attachment however or a snippet. I also do not allow my email application to insert line breaks or to use line breaks - break the text where it was either sent or where the edge of my browser/reader is.

      Nor do I get any languages other than the occasional Spanish. We did some work overseas but all email communication was in English. Anything else was translated in person or over a conference call.

      One of the benefits was probably that we dealt with mostly government and large businesses. They tend to stick to known formats for interoperability purposes and seldom send 'formatted' text emails. They usually just send plain text with no markup or, if needed, they will send a message and have an attachment that is HTML or the likes. This may have changed but such was the case.

      Another saving grace was that we usually stressed the importance of not including information, where applicable, inside the body of the text. Attachments seem to not have nearly as much trouble from what you are describing. An email saying what something is, why it is important, and how it should be used is great. Attach a second bit of information if needed. A lot of email attachments were raw data and really were not conducive to being included in an email body to begin with. A .csv with traffic stats really does not work well as an email itself but as an attachment it works great.

      I guess the different use cases, though still similar functionality, resulted in different experiences. This is hardly surprising given the number of bugs that are found by the outlier cases while the program works just fine for the majority. It seems only likely.

      Anyhow, thanks for describing it. I was awfully confused. I was having a hell of a time picturing someone manually inserting malicious headers into emails via MITM attacks or someone coding something targeting just this purpose. It seems plausible but rather unlikely to be frequent enough to matter though I do recall hearing of an email provider who did insert ads into message bodies themselves. I had wondered if that was the subject as well.

      --
      "So long and thanks for all the fish."
    19. Re:Can email service providers do more? by Obfuscant · · Score: 1

      Of course in a non-corporate/general-email environment, all of those things won't happen (or at least, not all at the same time),

      They won't happen at all in any environment where there is no authority to mandate the use of PGP or anything similar. You can't order Mom to sign all her messages any more than you can order a phisher to sign his.

      I don't think it is necessary to rely on an unauthenticated message being invalid.

      That's the goal. You want to know that the phishing email is invalid. Simply knowing it is neither valid nor invalid is useless, because if it is valid you should act upon it.

      You wouldn't ignore it, you'd call the boss (or email him) and ask him if he really sent the message you received.

      Imagine a work environment where you called the boss every time he sent you an email asking him if he sent it. Imagine the boss is in a meeting and told you to do something important right now.

      Yes, if you work in a company where there is a mandate to sign email, and you get an email from your "boss" that isn't signed, the correct action is to ignore it, because that's the reason for the policy in the first place.

      And hopefully the boss would almost never "forget" to sign an email,

      An email system where we rely on "hope" that everyone does the right thing is why we have spam and phishing problems today.

      But you can at least make it easier for people to see a difference between a known-authentic email and an email of unproven origin.

      It is trivial to determine an email is "of unproven origin", and yet phishing attacks are reasonably successful. My local admin has to keep reminding people every time a stream of phishing emails comes through, and every time someone does what the phisher asks.

    20. Re:Can email service providers do more? by Obfuscant · · Score: 1

      I don't see this as a big problem. Most people will use whatever's installed on their machines, because setting up a new client is too much hassle.

      At work I use, let's see, ... three different clients depending on where I am. Or is it four? Should I count different versions of Evolution as one or two? Or three?

      The fact is, such a system will not work if only "most people" do it.

      To deal with the other issue, we do need extra utility - clients that will automatically sign, and automatically reject and return unsigned emails from addresses with known keys.

      oooh, cool. A new DDOS attack vector -- send a flood of emails pretending to be from someone with a "known key" but unsigned, to a group of people who have known keys. If the "return" function doesn't sign the return (and if it is automatic, there is probably a security issue if it does sign them) then the mail system will be brought to its knees as everyone returns every unsigned message. At a minimum, you bring down the victim's email.

    21. Re:Can email service providers do more? by unrtst · · Score: 1

      These modifications that would affect message signatures happen in many places.

      I was having a hell of a time picturing someone manually inserting malicious headers into emails via MITM attacks...

      FYI, S/MIME signatures do NOT sign the email headers. For example, you can alter the "Subject" header of a valid signed message you got from somewhere else, then bounce it off to a different recipient (i.e. send as if from that same person), and the recipient will see a valid signature on the message with an altered subject line. The signature is on the message body only (more specifically, it's on a mime part and everything below that, so you can forward a signed message, add your message in a new part above it, and sign the combined message with your cert while the forwarded message will retain the original and valid sig).

      Here's an example of an MS Exchange bug: https://premier.microsoft.com/...

      Issue Definition: Edge Transport Server mangles S/MIME encrypted payloads

      That one affected their IMAP adapter. Viewing the message in MS Outlook via the Exchange protocol, the signature was valid. Viewing the same message in MS Outlook (same client) via the IMAP protocol showed an invalid signature. Their description is flawed... it was not related to encryption, but just a message signature, which was also unrelated, as it's really just a means to detect the alteration of the message.

      You won't be able to view that bug unless you have a premier account with microsoft, but if you search for it via google you'll find a little more info (mostly an email I sent to the alpine list).

      This was not the only issue like this. Prior to this, similar symptoms were seen, but it was then solved by adding "SkipDigitalSignedMessageFromAttachmentFilterAgent" key to the edgetransport exchange config.

      Note, these two examples don't even have anything to do with systems in transit. It's just the last hop delivery to the user, and the problem is seen via MS clients to MS servers (and also seen from other clients).

      Your example of an email account that gets loads of email, especially phishing emails, and you've never seen any altered messages... how would you know? How many of those have S/MIME signatures? I've never seen a single spam/phishing email that had a valid S/MIME signature. Your example would have to be turned on its head to be valid... you'd have to be receiving a lot of legitimate and valid signed messages with no bad signature validations (or sending a LOT of signed messages, and never hearing anyone complain... but then that's quite subjective cause most people don't pay any attention to the warnings).

      All it takes to ruin a cryptographic signature is adding an extra linefeed between a Text/PLAIN part and the corresponding Text/HTML part, and you'd never notice that if the message didn't have a crypto sig or you weren't checking it. I.e., without a sig, you don't know that the messages you think are legit weren't tampered with (on purpose, or accidentally).
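As an added example (not code from the thread or from any mail client), here is a standard-library Python model of a body-only MIME signature that reproduces the two observations above: rewriting the Subject header leaves the signature valid, while one extra blank line inserted between the text/plain and text/html parts makes it fail. An HMAC with a constructed key stands in for the CMS signature and the `application/x-demo-signature` part type is invented for the demo; the multipart/signed layout, with the signature covering only the first body part, is the S/MIME shape.

```python
import hashlib
import hmac
from email import policy
from email.message import EmailMessage

# Constructed demo values. A real S/MIME signature is a CMS blob made with the
# sender's X.509 private key; an HMAC with a shared key stands in for it so the
# script runs with the standard library alone.
KEY = b"constructed-demo-key"
SIG_BOUNDARY = b"demo-signed-boundary"
OUTER_HEADERS = (b"From: boss@example.com\r\n"
                 b"To: staff@example.com\r\n"
                 b"Subject: Q3 figures\r\n")


def build_inner() -> bytes:
    """The MIME entity that gets signed: a multipart/alternative body with a
    text/plain part and a text/html part, serialized with CRLF line ends."""
    msg = EmailMessage(policy=policy.SMTP)
    msg.set_content("Please find the figures attached.")
    msg.add_alternative("<p>Please find the figures attached.</p>", subtype="html")
    return msg.as_bytes().rstrip(b"\r\n")


def sign(inner: bytes, headers: bytes = OUTER_HEADERS) -> bytes:
    """Wrap `inner` in a multipart/signed message. Only the bytes of `inner`
    go into the signature; From/To/Subject sit outside it, as in S/MIME.
    (DKIM differs here: its h= tag lists headers that are also covered.)"""
    sig = hmac.new(KEY, inner, hashlib.sha256).hexdigest().encode()
    b = SIG_BOUNDARY
    head = (headers
            + b"MIME-Version: 1.0\r\n"
            + b'Content-Type: multipart/signed; protocol="application/x-demo-signature"; '
            + b'micalg=sha-256; boundary="' + b + b'"\r\n')
    body = (b"--" + b + b"\r\n" + inner + b"\r\n"
            + b"--" + b + b"\r\nContent-Type: application/x-demo-signature\r\n\r\n" + sig + b"\r\n"
            + b"--" + b + b"--\r\n")
    return head + b"\r\n" + body


def verify(signed_raw: bytes) -> bool:
    """Recompute the signature over the first body part exactly as received.
    Per RFC 2046 the CRLF before each boundary delimiter belongs to the
    delimiter, so it is stripped before hashing; nothing else is normalised."""
    _, _, body = signed_raw.partition(b"\r\n\r\n")
    parts = body.split(b"--" + SIG_BOUNDARY)
    if len(parts) != 4:  # preamble, signed part, signature part, closing "--"
        return False
    inner = parts[1][2:-2]
    sig_part = parts[2][2:-2]
    sig = sig_part.partition(b"\r\n\r\n")[2]
    expected = hmac.new(KEY, inner, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(sig, expected)


def alter_subject(signed_raw: bytes, new_subject: str) -> bytes:
    """Rewrite the outer Subject header, leaving the body byte-for-byte intact."""
    head, sep, body = signed_raw.partition(b"\r\n\r\n")
    lines = [b"Subject: " + new_subject.encode() if line.startswith(b"Subject:") else line
             for line in head.split(b"\r\n")]
    return b"\r\n".join(lines) + sep + body


def insert_blank_line_between_parts(signed_raw: bytes) -> bytes:
    """Simulate a relay adding one empty line at the end of the text/plain
    part, just before the inner boundary that opens the text/html part."""
    html_at = signed_raw.index(b"Content-Type: text/html")
    boundary_at = signed_raw.rfind(b"\r\n--", 0, html_at)
    return signed_raw[:boundary_at] + b"\r\n" + signed_raw[boundary_at:]


def coverage_report() -> dict:
    """Signature validity for the untouched message and the two alterations."""
    signed = sign(build_inner())
    return {
        "untouched": verify(signed),
        "subject_altered": verify(alter_subject(signed, "Re: Q3 figures (fwd)")),
        "extra_blank_line": verify(insert_blank_line_between_parts(signed)),
    }


if __name__ == "__main__":
    for case, valid in coverage_report().items():
        print(f"{case:18s} signature valid: {valid}")
```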

  4. Just like Belgium by rossdee · · Score: 1

    Streetwalkers sweet talk you out of your spare change
    And your sweet madame makes it seem just like Belgium

  5. Again? by meerling · · Score: 2

    So yet again a member of a government organization has willfully engaged in Identity Theft and/or Copyright or Trademark Infringement. Will they get arrested? Of course not. Heck, they won't even get a slap on the wrist as soon as the press quiets down. I guess it doesn't matter what country it is, they seem to think the laws apply to other people.

  6. Re:Belgian Science gone wrong? by guruevi · · Score: 1

    Care to elaborate?

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  7. Re:Sounds like something the Republicans would do. by Anonymous Coward · · Score: 0

    Shutup and take your Thorazine, Bubba.

  8. Re:Belgian Science gone wrong? by Anonymous Coward · · Score: 0

    He speaks perhaps of the infamous Congo Troubles?

  9. Nevada's tax department is sending goofy stuff too by Anonymous Coward · · Score: 1

    Sounds like standard government cluelessness on behalf of the Belgians. A throwaway address I use on Mailinator has been getting some fails from Nevada's State Department of Taxation. They keep sending out mails like this,

    From: nobody@nowhere.us
    Subject: Large Test Run

    This is a test. There will be 16039 recipients.

    The origin is TAXCCVAP03.taxation.state.nv.us. They've sent this crap 5 or 6 times this week and I wonder if they even know what they're doing. I keep waiting for them to accidentally attach some juicy tax records to the next "Large Test Run."

  10. "Mock phishing" was already off the rails by Anonymous Coward · · Score: 0

    At work, I think every single "phishing" email I've ever gotten has been from one of these test campaigns. At this point, the main source of questionable-looking emails is lazy outsourcing where somebody unceremoniously hires a third party to process $HR_FUNCTION, doesn't bother to tell us that they're legit, and emails start showing up from the contractor's domain. In effect, they're training us to not trust their own supposed signals of legitimacy, then "testing" us to see how easily we're "fooled".

  11. Re:Belgian Science gone wrong? by Anonymous Coward · · Score: 0

    Are you pretending not to know that the Belgians are literally worse than Hitler? You must be a Republican if you're that ignorant.

  12. At least.... by mark-t · · Score: 3, Insightful

    ... now they know how they would react. Mission accomplished, right?

  13. Re:Belgian Science gone wrong? by Antique+Geekmeister · · Score: 1

    It's generally not known to American students, no. The lack of direct US military involvement, and the slaughter of millions by wealth seeking remote nationals doesn't garner the same sympathy 100 years later as the genocide of a nation's own citizens that occurred in Nazi Germany and in their conquered territories, a genocide that American military forces became directly involved in stopping and witnessed directly. There are few people alive who remember it personally, but the availability of popular media and of film evidence lent the later genocide more visual and historical power.

  14. Regional Government? by houghi · · Score: 4, Informative

    Belgium is made up of states, so the Flemish Government is like the Government of Texas or any other US state or German Bundesland.

    For the rest: do not try to figure out Belgian Politics. It is kind of a clusterfuck that kind of works.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Regional Government? by Anonymous Coward · · Score: 0

      kind of works

      No, it doesn't work at all; the fact that people can get things accomplished is *in spite* of the system here. This is a classic 'Belgian government' example - some administrator thought it would be fantastic to do a test and assumed their power was absolute within the definition of this test.

      And....it all fucks up and who pays for it? Our tax money. Disclaimer, I'm in brussels and not a more flemish area, i've hear that the north is better about government than we are, and if its as bad as it is in antwerp its a wonder we don't implode from the bureaucratic inefficiency.

    2. Re:Regional Government? by Nikademus · · Score: 2

      It works even without government :)
      http://www.washingtonmonthly.c...

      --
      I gave up with the idea of a useful sig...
    3. Re:Regional Government? by Anonymous Coward · · Score: 0

      Amen to that.
      My personal view is that the only real reason for Belgium's political structure is that there were too many politicians to form a single government, so they decided to add three more.

  15. Isn't that...good? by Anonymous Coward · · Score: 0

    >Hilarity and awkwardness ensued, with some employees contacting Thalys directly to complain, and others contacting the cops.

    That seems like the kind of reaction that would be encouraged, besides just not reacting to the mails at all.

  16. Re:Belgian Science gone wrong? by SilenceBE · · Score: 1

    Americans and their "geographical" knowledge. We now all seem to live in Germany suddenly... Mendel was German, that big country - how the hell can you miss it? - next to Belgium.

    He speaks perhaps of the infamous Congo Troubles?

    These weren't medical in nature but had everything to do with the greed of King Leopold II and his rubber plantations. If you need to make a list of colonial crimes you will need to have a lot of time on your hands.

    It is also extremely cynical to bring the Flemish government in relation with the stuff somebody from the royal family did. The Flemish government is not particularly Belgium- or Royal Family-minded. The Flemish government is to Belgium as the Catalan government is to Spain, also wanting to get their independence.

  17. Phishing done right by iTrawl · · Score: 1

    Isn't it a point of phishing that you don't tell the impersonated entity that you're using their identity to scam other people? Even when you run a mock test, isn't it better to not tell anybody you're doing it, to avoid any false negatives (people that would have clicked, but won't now, because they know it's not their Nigerian friend, but the government impersonating him) and/or false positives (people that wouldn't click, but will now, to fuck with the government)?

    Thalys should know how to respond when phished people call their call centres, regardless of who phished them. They shouldn't need to be told by the phishers that they'll start receiving phone calls about unknown emails. That's what happens in real life!

    But then... how did these guys get the real number for Thalys anyway? Did the testers forget to put their own number in, so they can take the credit card details in order to "cancel" the booking? Even a link with "click here to cancel" that went to "thalys.be.your.phishing.tickets.here.geocities.com" would have probably worked just as well.

    --
    "Everybody's naked underneath" -- The Doctor
  18. Re:Belgian Science gone wrong? by Anonymous Coward · · Score: 0

    He said MEDICAL atrocities.
    I'm still wondering what he's talking about. If talking is the right word.

  19. Re:Belgian Science gone wrong? by Anonymous Coward · · Score: 0

    Americans and their "geographical" knowledge

    Just some thoughts about that.
    1) Take a map of the US and ask a bunch of Europeans to fill in the state names - the result will be worse than this. Much worse.
    2) They seemed not to do too badly (for Americans) placing West European countries. I am a (West) European myself, but even I have problems placing some East European names on that map. Probably because that side of the map changed a LOT after I last learned about this stuff at school (about 40 years ago).

  20. A for effort by The-Ixian · · Score: 1

    We conduct internal phishing tests from time-to-time. We find them to be a valuable part of our overall security framework.

    I think that their biggest mistake here was not notifying their employees that random phishing tests will be conducted and to stay vigilant.

    It probably would have also been better to start small on their first round.... "click here to take a survey and receive a free x" instead of, you know, instilling the fear of financial ruin...

    --
    My eyes reflect the stars and a smile lights up my face.
  21. contacting the cops by roc97007 · · Score: 1

    Wait... isn't contacting the cops what they're *supposed* to do?

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.