Re: Testing the staff
I work for a company who deliberately send spoof emails to staff to see who opens them so they can berate us.
Mine did the same. It was hilarious.
Although the intent was to show upper management that the peons didn't understand the IT issues involved, it actually showed the reverse.
IT sent out an email purporting to be from the parking authority, saying each user (identified by name) owed something like $70 for a month-old ticket about parking illegally in the building (identified by address). So, it already had a great deal of personal info. It concluded with a spammy "click here to see the photo the officer took of your car" link.
The idea was to see how many people "foolishly" clicked on the link.
The thing is, we're an Exchange based shop. And the "spam" message arrived, not via the external internet gateway, but internally as an Exchange message. That meant it was sent from an internal source. Who would have that authority? Well, the actual parking authority would. Secondly, the spam email's "click here to see the photo" had a URL that pointed to an internal server, by name, within our network.
Something like 45% of the users reverse engineered it, and reported it to IT. Some even escalated it higher, as it looked like our IT infrastructure had been compromised.
Of course, quite a number of us backtraced the internal machine reference to see if it had been breached, with many checking out the URL in sandboxes and virtual machines.
IT's response to all these probes was to say that "45% of users clicked on the link!" to upper management. When asked by upper management "how many of those were done by people who reported it was a scam, who were attempting to reverse engineer it?", IT sort of shuffled their feet and had to admit they had no idea. They were also forced to admit that maybe they should have not sent it internally with valid Exchange credentials, since if those are compromised, people clicking on links is the least of our worries.
In the end, they were forced to admit that, yeah, the entire exercise was pointless. But at least they learned that the user base was more savvy than the IT department...
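The two checks the users in this story did by hand (did the message come in through the external gateway or was it injected internally, and does the link point at an internal host) can be scripted as a triage step. The following is an added example, not code from the original post or the poster's employer; the mail domain `corp.example`, the gateway name `mx-gw.corp.example`, and both sample messages are constructed for illustration.

```python
"""Triage a suspected phishing message for two origin red flags:
(1) an external sender whose message never passed the external mail
    gateway, i.e. it was injected from an internal server, and
(2) links whose host lies inside the internal domain.
Added example; all hostnames and messages below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not real systems: the internal mail domain and the
# hostname that every externally originated message must pass through.
INTERNAL_DOMAIN = "corp.example"
EXTERNAL_GATEWAY = "mx-gw.corp.example"

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


def received_hops(msg):
    """Received: headers oldest-first (servers prepend, so the last header
    in the message is the first hop)."""
    return list(reversed(msg.get_all("Received", [])))


def entered_via_gateway(msg):
    """True if any hop was recorded by the external gateway."""
    return any(f"by {EXTERNAL_GATEWAY}" in str(h).lower()
               for h in received_hops(msg))


def sender_domain(msg):
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_urls(msg):
    body = msg.get_body(preferencelist=("html", "plain"))
    return URL_RE.findall(body.get_content()) if body else []


def internal_links(urls):
    """URLs whose host is in the internal domain or is a bare (dotless)
    hostname, which only resolves on the internal network."""
    hits = []
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN) \
                or (host and "." not in host):
            hits.append(u)
    return hits


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    via_gateway = entered_via_gateway(msg)
    urls = extract_urls(msg)
    findings = []
    dom = sender_domain(msg)
    if dom and not dom.endswith(INTERNAL_DOMAIN) and not via_gateway:
        findings.append("external sender but no gateway hop: injected internally")
    for u in internal_links(urls):
        findings.append(f"link points at internal host: {u}")
    return {"via_gateway": via_gateway, "urls": urls, "findings": findings}


# Constructed sample 1: injected on an internal Exchange server, internal link.
SAMPLE_INJECTED = """\
Received: from workstation42.corp.example (10.0.5.42) by exchange01.corp.example
 (10.0.1.10) with Microsoft SMTP Server; Mon, 3 Mar 2014 09:12:44 +0000
From: Parking Authority <notices@city-parking.example>
To: Jane Doe <jane.doe@corp.example>
Subject: Unpaid parking citation
Content-Type: text/plain; charset=us-ascii

Dear Jane Doe, you owe $70 for a citation issued at 123 Main Street.
Click here to see the photo: http://intranet-web01.corp.example/photo?id=1234
"""

# Constructed sample 2: genuinely external, arrived via the gateway.
SAMPLE_EXTERNAL = """\
Received: from mail.city-parking.example (203.0.113.9) by mx-gw.corp.example
 (192.0.2.10) with ESMTPS; Mon, 3 Mar 2014 09:12:44 +0000
Received: from app01.city-parking.example by mail.city-parking.example
 with ESMTP; Mon, 3 Mar 2014 09:12:40 +0000
From: Parking Authority <notices@city-parking.example>
To: Jane Doe <jane.doe@corp.example>
Subject: Unpaid parking citation
Content-Type: text/plain; charset=us-ascii

Click here to see the photo: http://portal.city-parking.example/photo?id=1234
"""

if __name__ == "__main__":
    for name, raw in (("injected", SAMPLE_INJECTED), ("external", SAMPLE_EXTERNAL)):
        print(name, triage(raw))
```

The gateway check relies on the Received chain, so it is only meaningful for hops your own servers wrote; a sender can forge earlier headers but cannot remove the hop your gateway adds. Used on a real mailbox, the script would read the `.eml` export instead of the constructed samples.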