If Chris could be confident it came from the admins I’d agree, but with my current knowledge (and assuming the admins would have been honest had Chris messaged them on their normal accounts) it feels more like pentesting.
My company “evaluates” phishing propensity by sending employees emails directing them to “honeypots” which are in the corporate domain and signed by the corporate SSL certificates. Unsurprisingly, many employees trust SSL and enter their credentials. My takeaway was not that people are bad at security, but that they will tend to trust the system if the stakes don’t appear too high.
My partner says that as a kid, their school did something similar as part of “don’t talk to strangers” teaching. The “stranger” in question was someone the class had been working with all day, introduced by their teacher.