Not helped by companies themselves
A few months ago I started a new job at <companyname>. Where all internal emails use the usual yourname@companyname.com format.
A few weeks after joining, I get an email from 'companyname via Workplace <notification@fbworkmail.com>'. We all (should) know that the name part of these formats of emails addressees (the 'companyname via Workplace' bit) is just free text, so cannot be trusted.
As I've never used or even looked at Facebooks' Workplace site before, the fbworkmail.com domain was not familiar to me, and so this email immediately looked suspicious.
All images in the email were blocked by Outlook by default (company laptop with Office365 installed), so added to the suspicion (surely if this was a legit email, then policy would have allowed the images by default for that domain?).
All links in the email (many of them,), went to a 'clicktime.symantec.com' URL, these were huge in length and included embedded data in them, such as my company email address, and seemed to be specifically designed to obfuscate the real target URL. Symantec is not used by the company for AV etc. So looked odd at least, even though I know of Symantec itself as a company.
At no point did the company contact me to let me know that they were using Facebook Workplace, or to expect anything from the fbworkmail.com domain.
At best this looked like spam, at worst it looked like a phishing exercise.
I reported it, turns out of course it was legit!
How are users (especially none technical users) expected to stand any chance of recognising a real phishing attack, if this is the state of official emails!!
Dear Company <insert name here>, make sure all your official communications use companyname.tld at all times, no exceptions allowed.
Also make sure all links in all emails are to internal company sites and/or using companyname.tld,again no exceptions allowed.
If you do need to reference external URLs, then create an internal page (i.e. sharepoint page or whatever you are using) with the details on it, and link to that page instead.
People would quickly get used to everything being to/from/linked to companyname.tld and would be far more likely to then notice even the most sophisticated of phishing attacks.
Biting the hand that feeds IT
