My IT department does mandatory phishing training every year, and then for the "test" e-mails, they spoof a domain and whitelist the DMARC on their side so it goes through.
So we get e-mails from @microsoft.com and it's only if you dig in the metadata that you see it failed authentication. The only tell in the e-mail is checking the URL, which doesn't tell you much because tons of regular e-mails use tracker redirects too. They even send emails from our own domain or the domain of our payroll company.
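An added example, not from the thread: a small Python check that pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results headers, so the failed-authentication metadata the comment mentions is surfaced without digging through raw headers by hand. The message below and the authserv-id mx.example.test are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: the visible From: claims microsoft.com, while the
# receiving server's Authentication-Results header (authserv-id "mx.example.test"
# is a placeholder) records every check failing.
RAW_MESSAGE = """\
From: IT Security <security@microsoft.com>
To: employee@example.test
Subject: Action required: annual policy review
Authentication-Results: mx.example.test;
 spf=fail (sender IP is 192.0.2.10) smtp.mailfrom=microsoft.com;
 dkim=none (message not signed);
 dmarc=fail action=none header.from=microsoft.com

Please review the updated policy at the link below.
"""

METHODS = ("spf", "dkim", "dmarc")


def parse_auth_results(raw: str) -> dict:
    """Return {method: result} across all Authentication-Results headers.
    Methods with no verdict map to "none" so callers need no special case."""
    msg = message_from_string(raw)
    results = {m: "none" for m in METHODS}
    for header in msg.get_all("Authentication-Results", []):
        # Each clause is "method=result (comment) property=value"; the regex
        # works across folded continuation lines as well.
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
            results[method] = result.lower()
    return results


def from_domain(raw: str) -> str:
    """Domain of the visible From: address, i.e. what the recipient sees."""
    _, addr = parseaddr(message_from_string(raw)["From"])
    return addr.rsplit("@", 1)[-1].lower()


def flag_message(raw: str) -> list:
    """Reasons to distrust the message; an empty list means all checks passed."""
    verdicts = parse_auth_results(raw)
    reasons = [f"{m}={verdicts[m]}" for m in METHODS if verdicts[m] != "pass"]
    if verdicts["dmarc"] != "pass":
        reasons.append(f"visible From: domain {from_domain(raw)} is not DMARC-verified")
    return reasons
```

Running `flag_message(RAW_MESSAGE)` on the sample yields four reasons; a message whose header carries `spf=pass`, `dkim=pass` and `dmarc=pass` yields none.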
I won't type out my rant, but our IT department is a few guys who couldn't figure out what to do when their competitive xbox FIFA 2006 dreams failed, heard IT pays a lot with not much work, and then sat through the certs.
I know teachers that make $50k and no pension, with others making $93k, halfway to their pension at 35 yrs old, get almost 12 weeks off total a year, and work from 8am to 3pm (1 hour lunch, 1 hour for 'prep' aka Netflix) and home by 3:35, and no, they basically never do any work at home. She technically has students (10 year olds she sends links to for their Chromebooks) about 5x53 minutes a day.
That sounds like a good semi-retirement gig just to get out of the house for a little while. If you're teaching the tech-related electives rather than mandatory core courses, the students are likely a lot more pleasant to deal with. I took German just to get away from all the kids taking Spanish or French who were just there because they have to get their foreign language credit.
Yes, just what we need, retired people with a whole career of making income behind them taking another decent entry level job someone just out of college can get. (No teaching credential needed for substitute teachers usually)
If a semi-retired engineer with 2-4 decades of work experience makes a better public high school STEM teacher, then I hope a lot more engineers do it as a semi-retirement gig.
The aspiring career schoolteachers will just have to find a job in a field that is short-staffed, like registered nurses or one of the trades. I'm sure that comes across as "let them eat cake" to some Bernie moron, but going back to school for 6 months is small potatoes, and doing a little market research before making big financial decisions like choosing your college major in the first place is basic adult responsibility.
If we apply the "lump of labor" fallacy everywhere else honestly and consistently, we would have to be opposed to immigration and trade because "those damn foreigners" went and "took er jerbs".
My university pulled the same BS 10-15 years ago. The worst part is that they sent the "test" email from the same email address they use for all of their other announcements, and then had the gall to send an automated "shame on you" reply if you clicked their link.
Knowing what I know now about the IT staff and professors and knowing in hindsight only 3-4 of my CS classes were of any relevance to my work, I seriously regret not cheating my way through undergrad. I wish I could take back the time I wasted on Java and spend it with my N64.
The problem is that if you click one of the links, you need to do (well sort of) the hour long phishing class and testing again. But of course, nowhere in the class do they say anything about not trusting e-mails from a known safe domain.
What's funny though is that if you click the link in a phishing test, they will e-mail you to complete the training. But there is no enforcement (general management doesn't care), so you just get a daily e-mail telling you that you are overdue. It also however stops them from sending the fake phishing emails. So a bunch of us clicked the phishing link, marked the "do your training" e-mail as spam, and now never get bothered.
Where I was, they tracked who didn't do it, and came down on them, then their manager, and then it became an HR issue. Only one or two people went down the HR path, and then they did the training pretty quickly. Of course it didn't start harsh, just "hey, a reminder, we are tracking this and you need to do it" but when you blatantly ignored it the response got more firm.
Also, the last one I took they talked about phishing using a malicious Google docs link IIRC.
Anecdotes don't mean you know everything about a system.
For anyone subjected to these, they usually contain the header X-PHISHTEST which you can create a filter for, and then either send them to trash or put them in a special folder so you can report them later.
In Europe there are legitimate and extremely established services that require you to input your bank login details into something other than your bank's website. It's madness.
PSD2 is just MFA, it doesn't prevent shady companies still asking for your login credentials, even if you must authorize that login from your official banking app. Klarna is one of many examples - they ask me for my bank credentials on their own website so they can crawl all my finance data.
Plaid and Finicity do this in the USA for some linking of banking to other financial products. Feels SO insecure. Connecting my credit union checking account through Plaid even ironically brought me to a login page which explicitly states I should never give my banking password to any other entity.
If I need to link my accounts and these services are the only choice then I change my banking passwords immediately after.
Plaid's whole business model is that it uses OAuth2 on banks that support it and exports the data through APIs; and for the banks that don't, they ask for name/password and scrape it through a "fake" web browser that mimics user behavior on the backend.
(I worked for a Plaid competitor. The long-term goal for all similar companies is of course to use OAuth and APIs, because it breaks less often; but since the banks don't offer that, scraping it is!)
I have a Klarna account I opened when their flex account rate was amongst the best you could get and I don't remember them ever asking for my bank credentials.
I think Bankin' used to before PSD2 and to get a bit more information from some banks but then again Bankin' is a financial aggregator whose explicit purpose is crawling your banking data so it's not too surprising to see them asking for your credentials.
Not sure what you mean specifically, but generally the organisations doing screen-scraping¹ would prefer to use compliant APIs as they don't require anything like as much maintenance (bank adds a button to the login flow? Kaboom! Integration is broken...) or resources (e.g. running headless browsers).
Some markets are pretty much exclusively compliant - I don't think there are any Nordic banks that don't have fully PSD2 compliant APIs for example whereas, if I remember rightly, the Spanish banks were all over the place. I'm fairly out of date though, so things may have improved or exceptions for scraping expired.
¹ Note that I'm talking exclusively about banking integrations here, not AI nonsense.
If you used the first gen "pay later" services they'd scrape you for "compliance checking" or simply mask it as a transaction which is actually just personal information scraping.
Most of the time you did not see it, as it's obfuscated as a part of the transaction.
They are also the companies complaining a lot about the "failure" of the PSD standards since it limits how much and how obfuscated they can scrape everything (and there are records).
I find it very difficult to inspect the email headers in Outlook, I think for the iOS app it's not even possible. It's almost like they want to make it less transparent and secure.
I have often wondered why we don’t see more usage of the brand gTLDs, which many of these big firms own. I muse that this is (part of) the reason why – there simply isn’t the understanding or recognition outside tech circles (or even within tech circles) to comprehend that it is possible to use such a gTLD without a conventional .com or similar suffix tacked on the end. I tend to see it localised to use for marketing micro sites that do not ask for credentials so have no need to establish user trust, or occasionally internal technical uses that will never touch the typical customer’s eyeballs.
The other reason I hypothesise is that corporate big brother snooping systems that have whitelists for their trusted services – with entries like mail.google.com or calendar.google.com – are simply too painful at this point for big tech to break for their customers by dropping the .com suffix, so big tech doesn’t bother.
I don't think you can put cookies on a TLD. So if Google used mail.google and calendar.google, the login system would be more complex, because they can't share cookies.
Modern auth systems do not work by exposing multiple services on a single domain with shared cookies.
Instead, they authenticate using a common auth service (say, auth.google), which by virtue of being a single domain can persist shared cookies for all its consumers. This would yield a valid token (possibly a JWT) that the authenticating application can then use however it would like, including as a cookie on the application's own domain.
Whenever you go to a service that temporarily sends you to a different login domain (often just immediately redirecting you back), this is why.
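An added example, not from the comment author: the redirect-and-token flow described above in miniature. A single auth service mints a short-lived signed token bound to the requesting app, and the app verifies it and sets a session cookie on its own domain, so no cookie ever spans both hosts. The hostnames auth.example and app.example, the shared secret, and the HMAC-signed token standing in for a JWT are all assumed.

```python
import base64, hashlib, hmac, json

# Constructed secret shared by the auth service and the app for this demo; a
# real deployment would have the app verify the issuer's public-key signature.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def auth_service_login(user: str, audience: str, now: int, ttl: int = 300) -> str:
    """auth.example (assumed name): after login, mint a short-lived token bound to
    the application that requested it ('aud'), then redirect back with it."""
    claims = {"sub": user, "aud": audience, "iss": "auth.example",
              "iat": now, "exp": now + ttl}
    body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url_encode(sig)}"


def app_accept_token(token: str, now: int, expected_aud: str = "app.example") -> dict:
    """app.example (assumed name): verify signature, audience and expiry, then
    return the session cookie the app sets on its own domain. The auth token
    itself is never stored, and a token minted for another app is rejected."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("aud") != expected_aud:
        raise ValueError("token issued for a different application")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    # Derive the app's own session identifier; the cookie is scoped to app.example only.
    session_id = hashlib.sha256(f"{claims['sub']}:{claims['iat']}".encode()).hexdigest()[:32]
    return {"name": "app_session", "value": session_id, "domain": "app.example",
            "secure": True, "httponly": True, "user": claims["sub"]}
```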
I created a separate Chrome profile, and logged in to gmail. Then I disabled javascript, then deleted all my google.com cookies (but left my mail.google.com cookies). Then I reenabled javascript and visited mail.google.com again. I was logged out. So Google is using the google.com cookies.
Yeah, it does make things more difficult in terms of teaching people a simple rule. Instead of "ends with @<company>.com", the rule is "ends with @<company>.com or .<company>".
OTOH, there were probably a lot of places already violating the "ends with @<company>.com" rule, e.g. by using subdomains, or even other domains. So very little of the online population was likely using the rule. And with email spoofing, even "ends with @<company>.com" can't be relied on to ensure the email is legit. So the rule of "don't click links in emails" is the only foolproof rule. Though you also need to add "don't copy and paste things from emails".
Yay for third-party email services where the From: is a no-reply address from an entirely different company (and therefore only authenticity validation for that company), and the Reply-To: is some obscure mailbox from the supposed sender. I'm sure that makes perfect sense to most people.
> So the rule of "don't click links in emails" is the only foolproof rule.
The only truly foolproof rule is "don't open emails". Also helps a lot on mental health and associated expenditures!
My IT department uses the official Microsoft phishing test. The emails arrive in the inbox with 0 headers. (There's also a helpful Microsoft page of all the dodgy sounding domains they've registered for this.)
I just don't check my emails anymore. If it is important, people will complain on Teams that nobody answers with some sort of urgency and then I'll look for it specifically.