koldfront

Improving security #email #security

🕘 - 2022-09-10

At work they have hired a company to improve IT-security by teaching the employees to spot and report phishing attempts.

This was also in focus way back when I was hired, where part of the general introductory course included somebody talking about "pishing" (completely missing the f-sound), which was phun.

Since then the company has decided that letting Microsoft rewrite every link in every email so that it goes through Microsoft is a good idea - this makes it harder to see where a link is actually going - oops!

Now there is this phishing training going on. At first I didn't know why I had an automatic reaction of not liking it. Not until I described it in a blog-comment yesterday did I realize some of the problems.

The way this "training" works is that a company has been hired to send fake phishing emails to the employees, which employees are then supposed to report as phishing, and when we do that correctly we get a star! Who doesn't want to earn stars?!

The first thing that annoyed me was that, due to the rewriting of every link, it is in general hard to do what I normally do with suspicious emails: check where the link(s) actually go.

The second thing was that you get points for reporting fake phishing mails. Should you be reporting things that are not really phishing? Also, while you get stars for every correct report, you don't get minus points for every wrong report (how would the training company know about those?). So you could just report ALL email as phishing and get a perfect score. Hm.

I couldn't help sharing with my colleagues that if I were to try to phish somebody, I would certainly do it by pretending to be an anti-phishing training company!

I didn't like the whole idea, so I just did what I usually do with spam and phishing - moved it all to the spam-folder.

What I only realized when writing about the training is the third reason: what are the incentives for the training company here? If phishing were eradicated, they would have nothing to peddle. So the thing they are providing training against is also what keeps them in business. Hm, not a great setup, from a customer perspective.

So the uneasy feeling that this whole concept gave me is not unfounded, I think, and so I will continue ignoring it.
