
> After sending 10 different types of phishing emails over the course of eight months, the researchers found that embedded phishing training only reduced the likelihood of clicking on a phishing link by 2%.

Company: Stop clicking on links to third party sites.

Also Company: All of IT, HR, benefits, cloud storage, customer management, and employee portal is moving to its own third party platform!



Yeah. Even worse(?) is banks like Citizens sending customers emails and text messages with links to shady-seeming domain names. No wonder so many people fall for phishing attacks.


Definitely worse. This sort of thing still happening in 2025 is completely bonkers to me. Recently a financial institution sent me an email asking me to "re-validate my ownership" of a linked account by uploading a bank statement. The link was to a completely unrelated and unknown domain (not even a shortener). The message itself didn't address me by name but simply said "Dear Customer". It also didn't include any legitimate info like partial account numbers. And when I logged into my account, there was no notice or message mentioning any re-validation requirement. I was convinced it was a low/medium-effort phishing attempt and submitted it to their support channel so others could be warned. It turns out it was actually their legitimate email. I told the CS rep that they're basically training their customers to fall for the next real phishing attack. Won't do any good, I'm sure.


"Company: Stop clicking on links to third party sites.

Also Company: All of IT, HR, benefits, cloud storage, customer management, and employee portal is moving to its own third party platform!"

Smart companies validate and tag those third party emails as "partner" or similar. That way the users are only using the extra scrutiny on the non-partner external emails.


Yes although this runs the risk of what you commonly see at daycares and schools.

There'll be a sign that says "Peanut free zone" and everyone will read it and respect it.

Then there'll be a sign that says "Please be sure to pick your kid up by x o'clock." And everyone will read it and respect it and silently stop looking at it cause they know.

And then there will be a sign that says "Please keep your child at home if you suspect they might be sick." And everyone will read it and be a little offended because why would they do that knowingly?

After a while the entrance will be plastered with notices and warnings that get put up and not taken down. And nobody reads them because they probably already know and it's not worth spending 20 minutes reading the entire wall.

I get the external/partner emails. And a notice that Outlook removed extra line breaks from the message (whew). And a notice that if there are problems reading the email I can view it in a web browser. And a helpful suggestion that Copilot can give me the tldr.

Outlook is beginning to feel like daycare.


What’s to stop a phishing email putting a “verified by IT anti-phishing software” line at the top of the email? People don’t pay attention to special verification flags when they are there, so they don’t see them when they’re missing.


You have ingress filters that strip the subject tag out of anything and only add it back if it is verified. It's really not that hard and the training is supposed to train people. Nothing is perfect, nor does it need to be with defense in depth.
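The partner-tagging idea from the earlier comment and the strip-then-re-add ingress filter described here, as an added illustration that is not part of this thread and not any vendor's product: the gateway first removes any "[EXTERNAL]" or "[PARTNER]" tag that arrived in the inbound subject (so a phisher cannot pre-label their own mail), then adds the tag that the sender actually earned. The partner allow-list, the domain names and the `auth_passed` flag (standing in for the upstream SPF/DKIM/DMARC result the MTA would supply) are all constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed allow-lists (hypothetical domain names, not from the thread).
PARTNER_DOMAINS = {"payroll-partner.example", "benefits-partner.example"}
INTERNAL_DOMAINS = {"corp.example"}

# Tags the gateway itself adds. Any run of these at the start of an inbound
# subject is stripped first, whoever put it there.
TAG_RE = re.compile(r"^\s*(\[(EXTERNAL|PARTNER)\]\s*)+", re.IGNORECASE)


def strip_tags(subject):
    """Remove every leading [EXTERNAL]/[PARTNER] tag from an inbound subject."""
    return TAG_RE.sub("", subject or "").strip()


def classify(sender, auth_passed):
    """Return the tag this message has earned, or None for trusted internal mail.

    sender:      the From header value, display name allowed.
    auth_passed: assumption: the MTA's SPF/DKIM/DMARC verdict for the From
                 domain. A claimed partner or internal domain that fails
                 authentication is treated as plain external mail.
    """
    _, addr = parseaddr(sender)
    domain = addr.rpartition("@")[2].lower()
    if domain in INTERNAL_DOMAINS and auth_passed:
        return None
    if domain in PARTNER_DOMAINS and auth_passed:
        return "[PARTNER]"
    return "[EXTERNAL]"


def tag_subject(subject, sender, auth_passed):
    """Normalise the subject: drop inbound tags, then add the verified one."""
    clean = strip_tags(subject)
    tag = classify(sender, auth_passed)
    return clean if tag is None else f"{tag} {clean}"


def tag_message(msg, auth_passed):
    """Rewrite the Subject header of an EmailMessage in place and return it."""
    new_subject = tag_subject(msg["Subject"], msg["From"], auth_passed)
    del msg["Subject"]
    msg["Subject"] = new_subject
    return msg


if __name__ == "__main__":
    # Constructed sample: a message that arrives already carrying a partner
    # tag from an unauthenticated sender. The tag is stripped and replaced.
    m = EmailMessage()
    m["From"] = "HR <hr@benefits-partner.example>"
    m["Subject"] = "[PARTNER] Open enrollment closes Friday"
    print(tag_message(m, auth_passed=False)["Subject"])
```

The strip step is the part that matters: without it, the filter would only ever append, and a pre-labelled subject would pass through looking verified. Tying the tag to the authentication result rather than to the domain string alone is what stops a lookalike or spoofed partner domain from earning the "[PARTNER]" label.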


Why is clicking the link a failure? I thought this was the point of keeping my browser up to date, so I can trust the sandbox!

A couple of times, I got emails that seemed suspicious, but I figured I would click the link to investigate further. I was on high alert and would not have entered login credentials or opened an executable or anything like that, I just wanted to check it out and see.

Of course, it was a phishing audit and I failed. WTF?


Phishers are working completely blind, thus any amount of info going back to the phishers is a benefit to them.

Just getting server logs from an opened link lets them know their messages aren't being quarantined and their server is reachable through the target's firewall.

The user agent and how the links are accessed give info about who is opening them (A few every couple minutes == all good, 10 links sent to 10 different employees all opened within seconds with a non-standard user agent == you're being investigated and should burn the domain)

It's been a few years since I've done phishing engagements so details may vary with how things are done today. But the goal is to limit any information going to the bad guys. Let them think their messages are being blocked until they go elsewhere.

*edit: That being said, phishing at least one person at a large company is not particularly hard. There's too many companies using domains indistinguishable from shady links for one thing. Limiting engagement is good, but companies also need to be prepared for the eventuality that somebody will get fooled.


I just received an email from one of our financial partners advertising a free iPad if you click on an image link to another domain and do a survey.

It's an impressive level of DGAF.



