My company “evaluates” phishing propensity by sending employees emails directing them to “honeypots” which are in the corporate domain and signed by the corporate SSL certificates. Unsurprisingly, many employees trust SSL and enter their credentials. My takeaway was not that people are bad at security, but that they will tend to trust the system if the stakes don’t appear too high.
My partner says that as a kid, their school did something similar as part of “don’t talk to strangers” teaching. The “stranger” in question was someone the class had been working with all day, introduced by their teacher.