Doubtful. It’s a very old joke. I first saw it in a Dilbert cartoon like 30 years ago but it certainly predates that.
Eh, the reason the joke works is that there are idiots out there who would fall for it. It’s not too implausible that the boss @Ruken tells of was one of them.
To be fair, I wasn’t there. The joke may well have been inspired by Dilbert. Or it may not have happened.
This was the same company that initially pitched a fit when my father, who was responsible for projecting and meeting financial targets, bought contracts for foreign currency instead of paying the spot price. Although they eventually saw reason there.
Separately, any current/recent federal employees who travel? I had federal clients a while back who had to rent the cheapest car possible on trips. I’m not talking Hertz vs National, but taking a thinly-scheduled shuttle waaay off-airport to Joe’s Rental Shack and waiting in line forever for a junker. This added enough time that they’d sometimes need to add a day to their trip.
Some lawyer eventually said it was ok for me to drive them if we were traveling together, but we weren’t always traveling together.
Not federal, but I worked for a company where it was nearly impossible to rent a car above a compact. You had to get prior approval that took 2 weeks minimum. So there were plenty of times when 3 or 4 employees travelling to the same location would rent 2 or more cars because no one wanted to risk getting an SUV or minivan for everyone to use and getting denied reimbursement.
Hah - travel rules when travelling with a Federal employee can be loads of fun. I guess that specific scenario is because it might be construed as offering the employee something of value, but it’s a pretty absurd example. In that scenario, you’re not rewarding the employee, you are saving the government money.
Years back, at one of our periodic “don’t bribe the coworkers” training session (I work for a large contracting firm), the example given was: You and a colleague (who is a government employee) have just landed at the airport, which is 30 miles from your house, after a long business trip. It’s nearly midnight. It’s raining. The taxis are all on strike. Your colleague, who lives fairly near you, has no ride home - while your spouse is picking you up. Do you give him a ride?
And the answer was “Well, the value of that cab ride would be a lot more than 25 bucks” (or whatever the cutoff is for “nominal gifts”) “so officially, you don’t give the guy a ride. But let’s get real: you are NOT gonna strand the fellow at the airport”.
All in all, it’s based on very valid concerns over some fairly rampant bribery in the past, but taken to absurdity.
Second-hand story: Most companies would have their employees fly the day before and stay at a hotel the night before a seminar. One company’s policy was to have the unfortunate attendee take an early-early flight on the day of the seminar. Of course, being fatigued, the employee had a hard time learning anything - but, but SAVINGS on the hotel bill.
Several years ago a team from [my company] was on a business trip looking at a vendor’s manufacturing site. At the end of a LONG day one of the middle-managers piped up with “If we go to the airport now we can catch an overnight flight that will arrive tomorrow morning and we can go right to work.” (At the time, back at [my company], I was checking out some machinery in the plant environment. It had the possibility of serious injury for anyone not alert.)
I attended a workshop titled “The Corporate Athlete” which was all about eating right, getting enough sleep and exercising regularly, as well as some psychological stuff.
The workshop started at 8:00am, most of the participants had worked until 11pm and had to drive 3-4 hours to the meeting, so they were there on 3-5 hours of sleep.
But that’s okay, they provided a breakfast laden with sugar, fat and caffeine!
That’s a flashback to college economics classes where I spent endless hours doing such problems.
I get the same stuff as Die Capacitrix and what it does, when you get so many, is make you immune to them so if you get a real one you don’t report it because they are from HR, right? Also, their phishing examples are the low-level ones. One like:
Hey! I finally got that paperwork you asked for. Just click the attachment below.
Signed, your favorite secretary
They don’t try to get people to recognize the newer ones that are a lot more clever. And when you get so many ALL of the time it gets to the point where you either recognize a phishing attack or not so now you’re just wasting my time.
Great news, everybody!! We’re saving a ton of money by switching to soft phones!! (No more physical handset in your office. You get a USB headset and place/receive calls on your computer using Skype or Jabber).
Corporate security here: We’re pushing out a security update that will reboot your machine and will lock your password. To unlock your computer, call the help desk.
Uh…
(They backed off the security update. Still have the crappy soft phones.)
This reminds me of the day we upgraded our Berkeley Unix 4.2 system to 4.3, which required a full back-up and full disk wipe, as the new system had a totally redesigned file system.
I was the sysadmin in charge of this at my company. (This was circa 1986.) I got the whole back-up done and the new system installed. Then, surprise, surprise . . .
The 4.3 restore program couldn’t restore backups done by the old 4.2 backup program. Oops.
Most all of ours are from ‘HR’. This is going to have the affect of people ignoring anything from the real HR.
I almost never get real phishing emails (thanks GMail) but I do get the fake phishing-training emails. They are transparently fake, and clearly identifiable as “training phishing” because they generally look different from real phishing attempts. The company also sends out real legitimate emails with links to click that sometimes look more like phishing attempts then the training emails.
I agree with this. The weakest link in cybersecurity is people, and these fake phishing emails are one way to strengthen employees against real phishing… and to measure how vulnerable the company is on that front. My company does it pretty well, but yes, it can be done poorly.
To be clear, it’s not HR that manages these programs, it’s IT and/or the Cybersecurity department if you have one.
I work for a large multinational, we have many factories and offices worldwide and lots of layers and bosses we’ve never met. There are company-wide systems for setting your Goals in accordance with the Company Business Model and aligning them with the Broader Goals of your Leaders, and recognising the Importance of Ethics, and having to write a few paragraphs on how important these Goals are, then Reviewing your Feedback, etc. And occasional sessions by HR to tell us how Exciting it is that this System has been redesigned yet again.
(To be fair, I acknowledge that it’s relevant to have some discussion about goals and satisfaction and feedback, and it’s appropriate that the company forces these events to happen. I was once a supervisor, and I neglected employee reviews, and I shouldn’t have.)
Once a year, we’re strongly encouraged to fill out the company-wide Employee Survey (sometimes, our boss confesses that they get “penalised” if they don’t have enough subordinates responding to the Survey). This is supposed to be about adapting the company to employees’s needs, etc. It’s a series of scale-of-1-to-5 questions, and it’s anonymous… in the sense that every supervisor gets to see the all the responses of everyone under them, only without names, and so on up the pyramid. The Survey includes some questions about how Useful and Relevant we find the above-described Company Business Model and attendant HR systems. Everybody I know finds these particular HR systems unpleasant or worse, so eventually some of us respond truthfully.
But if the Survey shows the general degree of satisfaction with the Corporate Goals stuff decreasing year-on-year, then some action is mandated from on high. The solution, it turns out, isn’t to revise the systems to be less complex and silly, it’s to educate the employees on how Useful and Relevant these systems are, by forming remediation committees, etc. I’m pretty close to my boss, and he’s stuck with having to educate us on this while finding it pretty silly himself.
I don’t ignore them - I just report every email from HR as a phishing attempt, and wait for IT to tell me it’s legit before reading it.
I think the goal isn’t to get you to report real ones, it’s to train you to don’t click anything that looks weird. It really doesn’t matter if the reason you don’t click is “Blergh, another stupid training email (delete)” or “Gee Willikers Batman, that’s phishing! (report)” it’s the don’t click part that matters.
We’re switching to soft phones, too. Ironically the “communications group” running the switch, has been very poor at communications. They’ll send out an email saying “migration will start in 3 months,” and then we won’t hear anything from them for 6 months.
They recently had a meeting to discuss the change over. We do subject interviews over the phone, so I asked about recording calls. They said they would think about it and get back to me. That is the same answer they gave me a year ago when they first announced the change.
Other people asked about the shift from a physical device centered numbers—whoever is at the desk answers the phone, to user based phone numbers—a call rings the user account associated with the number. A number can ring multiple users, but will it ring them all even when only one is on duty at a time? Is that easy to manage by a supervisor, or does it have to go through the service center each time?
No answers for any of that.
Another good non-fraud reason to force people to take some vacation is to discover that you’ve accidentally developed a dependence on that person.
Like, Sue has an excel sheet that has some useful automation in it, but it’s not quite 100% automated. Every Monday she updates something manually, regenerates some tables, and 4 or 5 other people use the info in it to do their job. Sue hasn’t missed a Monday in years, but when she goes on vacation, come Wednesday someone notices that something is wrong and they have to redo hours of work done on Monday and Tuesday because they used some stale inputs. No one else is 100% sure exactly how to update the spreadsheet or which sources Sue takes her input data from.
It’s a lot better to figure that out on the Wednesday that Sue went to Florida for a week than it is on the Wednesday after she leaves the company!
Our last cybersecurity training was, as usual, given as online videos by a third party provider. Not as usual was that the training was not announced through the regular channels. We just got an email from the TPP with a link to click.
I don’t know if it was supposed to be a test, but after most of us tagged it as phishing, admin sent an email saying that it was real, authorized training and we should click on the link.