Three months ago, my company had a two-hour-long seminar about e-mail phishing and how to prevent it. This seminar also included an update to our email software. Our software has a preview feature; if you hover over a link, it opens a preview of the link.
I got an email from our “IT Director” saying I was in violation of their internet policy by using social media (a main part of my job), and I was stupid and opened it. It was a phishing test, and they made me do another two-hour-long seminar.
That week, I got the following email from our director:
SENT WITH HIGH IMPORTANCE
Subject: Phishing Email Test
Hello everyone,
This is a reminder to stay aware of phishing emails. Please review the PDF guide and take a short quiz (link) to test your skills by 5 PM.
Thank you,
[IT Director's Name].
Now, on this email attachment, one of the signs to report an email is if it is pressuring you to click a link. I feel like I should report this as phishing, so I did.
I get this email from the director one hour later:
Subject: Reporting Emails
Hello Everyone,
We have received numerous phishing reports about the phishing quiz. Please note that any email sent from: (insert IT director email here) is not phishing. We have included a new link for your convenience.
Thank you,
[IT Director's Name].
To me, this email looks even more suspicious than the last one, so I do the natural thing and report it to “stay vigilant”.
I have been doing this for over two months and everyone keeps getting an email saying that “This email is not phishing”. Please don’t make us sit through two-hour seminars.