Watch out! That spam email, is it a security test?

Something I have been noticing since 2018 is that I really don't get spam emails at work except the ones that my employer generates and sends to me.

I never use these work email accounts for anything other than work-related communications, so there are no 3rd-party accounts etc. set up on the email accounts; it's just for work use. So everything in this work account is work related, and I am required to check the email accounts daily while working.

And I am not talking about spam work emails that I would prefer not to have to read at work. This is part of the never-ending security awareness and self-reporting system. The idea is that our organization has tools built into the email program for reporting spam, phishing and other kinds of potentially malicious emails.

I imagine these emails are crafted by the organization's information security response team.

So while you're reading through legitimate work emails, there will be emails sprinkled in that are essentially honeypots, trying to trick employees into clicking a link and providing information.

When you find such an email it's usually pretty obvious; you click the report button, and you get a confirmation pop-up from the reporting plugin, something like "Congratulations, thanks for detecting and reporting this simulated thing; it's people like you that help keep the organization secure".

I have never been a fan of this, and I do find it disturbing and annoying, especially when I was first exposed to it back in 2018. As I recall it was near or around Christmas; the company had sent out Amazon gift cards in the mail for real, and we got a spam test email from "Amazon" about gift cards. I ended up reporting it since the links and stuff looked off, but it was like, wow, this has good targeting.

There is enough real spam out there, and having to deal with this simulated stuff just feels wrong. I am curious whether this stuff actually improves security.

Also disturbing are the unsaid expectations associated with this: is this tracked? How is this information used? What if I don't report and just delete the emails; is that better or worse than reporting it? Also, hopefully they are not testing embedding exploits into the emails. Am I reading the emails wrong, should I be using pine?

The way this is done is kind of dangerous in its own right. We probably should not be encouraging folks to open and read spam, even if no links get clicked and reporting it as spam is all that's done. It's kind of a false sense of security if all the spam you get is fake, and when that one real one hits that does not require a link click to work, then we may have a problem, since I think I would even get caught by that one, based on the way I am doing things. Look out! Better not use Outlook Express.