If you’re going to send out a “fake phishing attempt” for a security audit, try to make sure that the IP address of the server that’s hosting the fake website ISN’T ON THE INTERNAL NETWORK USING A NON-ROUTABLE ADDRESS.
I just got “popped” by security for falling for a phishing attempt. The thing is, I recognized it as looking, well, phishy. So I investigated it. It’s a virtual server on the same frakking machine as our NAS.
So after determining that the server in question actually belongs to us, I submitted my info.
And I got a nastygram, my account got locked, and now I have to go to some stupid training about how I shouldn’t trust our NAS server.
UPDATE: Apparently they tested about 30% of the users enterprise-wide, and a large percentage failed. Too many people to pull out of production for a class, so the classes are cancelled.
Also, I relayed my story to my manager, who replied, “You’re too nerdy for your own good, I see!” Apparently the rest of my team (I sit in a separate part of the building) got the email and every single one of them failed, too. Including my manager.
Sounds like you punked them... and they didn’t like being outsmarted at their own game...
I might consider filing a complaint with HR for harassment.
You tried to submit the information requested to a legitimate source and now they are trying to get you in trouble for doing what they asked.