SiliconANGLE reports:
[C]ode repository management firm GitLab Inc. decided to phish their own employees to see what would happen. The result was not good: One in five employees fell for the fake emails…

The GitLab team behind the exercise purchased the domain name gitlab.company, then used G Suite to facilitate the delivery of the phishing email. [“Congratulations. Your IT Department has identified you as a candidate for Apple’s System Refresh Program…”] The domain name and G Suite services were set up to look legitimate, complete with SSL certificates to make the emails look less suspicious to automated phishing site detection and human inspection.
Fifty GitLab employees were targeted with an email that asked them to click on a link to accept an upgrade. The link took them to the fake gitlab.company website where they were asked to enter their login details. On the positive side, only 17 of the 50 targeted employees clicked on the provided link.
However, 10 of those 17 then attempted to log in on the fake site.

Six of the 50 employees reported the email to GitLab’s security operations team, the article notes.

“Those who logged in on the fake site were then redirected to the phishing test section of the GitLab Handbook.”

Source: Slashdot