this post was submitted on 02 Nov 2025
174 points (97.3% liked)
cybersecurity
5119 readers
48 users here now
An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!
Community Rules
- Be kind
- Limit promotional activities
- Non-cybersecurity posts should be redirected to other communities within infosec.pub.
Enjoy!
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Ironic thing a company I use to work for would send out both email you need to click links to do your job then do training to not click links or even open the same kind of email. Then even test that by seeding in very realistic test email. Total stupidity. Your expected to tell the difference when there is no way to do so. The training was more CYA then anything, just blame the employee for shit company processes and security.
It's also such a dumb metric because most of people's jobs are to click on links elsewhere on the internet, yet when it's in an email, it's bad? Unless you're running an old browser or there is a 0 day, simply opening a link isn't going to hack your system, but further actions by the user would need to be taken to be compromised. These simulations don't account for that.
Clicking the link hypothetically confirms to the spammer that yours is a valid and monitored email address, and that you're a sucker suitable for more targeted phishing.
Of course, it seems like every random user will also happily type their password into any text box that asks for it, too.
Unless the email client is blocking external images, a tracking pixel in the email would be enough to see that the email was rendered, and that the address is valid. The trainings specifically instruct you to review the contents of the email and check the email headers before clicking links, so that alone would confirm to a spammer that the email is valid.