how to respond when coworkers talk about God, company sent us a fake email about a celebrity, and more

It’s five answers to five questions. Here we go…

1. How to respond when coworkers talk about God

What is the best way to respond when coworkers talk about God? I have a couple of colleagues who will say things like, “I just pray on it and leave it all up to God, you know?” I’m a pretty agreeable person, so I’m usually nodding along with all of this. Plus, I genuinely understand their position and have no issues with it.

But, I’m a non-believer myself and feel like I may be giving off the impression that I am coming from the same place. I’m not offended. I just feel a little awkward. And maybe I feel a little misunderstood too, because it’s harder to casually mention my own non-belief and feel seen in the same way they seem to.

Nodding politely when someone references their faith doesn’t have to convey “Yes, I share your religious belief.” It can just convey, “I hear what you are saying.” But if you feel weird about it (which is understandable), it’s also okay to say, “That’s great that you have that faith” (said sincerely) — or you can skip any reference to faith at all and just say, “Well, good luck with (the problem they’re praying on)” or “I hope it works out soon” or so forth. Those are all responses that work just like if the person you’re talking with had said, “I take comfort in nature” or “It helps to talk to my spouse.”

2. My company sent employees a fake email about a celebrity death to see if we would click on it

I work for a large, publicly-traded company. Periodically, a bunch of us get the same phishing email, apparently as a test to see whether we will click on it. I think this has happened at least four times in as many months. It’s often enough that people around the office talk about “the [company name] phishing test.” Sometimes everyone seems to get a phishing email on the same day, with everyone getting one of two or three different messages.

Yesterday, a bunch of us got a fake email that looked like it had come from a major news outlet, reporting that a celebrity had died at a fairly young age. I don’t know whether anyone I work with fell for it, but there was some discussion about that particular phishing test being in very poor taste.

First, is regularly sending employees phishing tests really a thing, or is it just my employer being weird? Second … What the heck? Sending employees an email that falsely says someone has died? Especially since we are a media company, so a fake story like this could end up being reported as actual news? Is this as bizarre as I think it is? If it is, should we as employees try to address it? (I don’t think any of us know who is actually in charge of these phishing tests, since we are in a satellite office rather than headquarters.)

Company-wide phishing tests are actually a thing that cybersecurity experts recommend! Typically you’re supposed to first train everyone on how to spot and avoid phishing emails, then tell them you’ll be running some phishing tests, then send the fake phishing emails, then report on the results and do whatever retraining might be necessary (and then repeat the process periodically; it’s not supposed to be a one-time thing).

So that part isn’t weird. But creating a fake email about a real person dying is in bad taste, and it would be reasonable for you and your coworkers to point that out. The response might be that a lot of real phishing emails have exactly that kind of content, and that’s why they tested it that way … but it’s still a reasonable thing to raise if you want to.

3. Should I report a coworker from the company I left two years ago?

I changed jobs two years ago, after 15 years with my prior organization. I have many friends from my time there who I am still in touch with, who work across different offices within one of the large divisions. (An office is 50-100 people and the division is around 500-750. So they don’t all work together daily, but their office directors do.)

Everyone I am in touch with from then has shared (complained, lamented, vented) about one of the office directors (male, married, late 40s) who is having an affair with a staff member from another office (female, single, late 20s). It is impacting his performance most acutely, to the point where he will disappear for periods of time, not show up to meetings, or (recently) have a work trip canceled and then just not come to work that week without telling anyone, and only later when multiple people ask where he is, he says he took vacation instead … and she’s also out the same week. This is having a huge impact on morale, as well as decision making. Everyone is afraid to report it for fear of being “that person” who told. Everyone is frustrated, but no one wants to put their career on the line to say something.

So I’m wondering … could I say something? And by “say,” I mean call the company’s hotline or mail an anonymous letter to their IG? I worked with this director before, and over the years he’s become more and more checked out. His inability to manage this mid-life crisis is now impacting my friends and their coworkers, and if I still worked there, I probably would have called the hotline.

I’m just torn between (a) I don’t work there, therefore it’s none of my business, (b) if it was really an issue, someone there would have reported it, and (c) everyone is afraid of repercussions, so I could be that neutral third party that helps alert the authorities. Do I do something, or nothing?

This isn’t yours to get involved with anymore. The people who still work there are just as capable of contacting their IG anonymously as you are.

If you’d just recently left — like within a few months — there would be more of an argument for you to report it, since sometimes it can take a little time being out of a work environment before someone feels safe reporting. But you’ve been gone two years! Reporting on your friends’ behalf, and about something you’ve only heard about secondhand from them, wouldn’t be that different from reporting this kind of thing to a company where you’d never worked at all. Plus, most of this is about a checked out, under-performing director — not something so urgent that someone outside the company needs to take action.

By all means, encourage them to report it! But it’s not yours to act on.

4. Can I forward a candidate to my old employer?

About a year ago I landed a new job I love, in part thanks to your book! I’m heavily involved in hiring, as I was at my last job. I’m not the hiring manager, but I (along with other colleagues) am on most interview panels, give input to the hiring manager, and can veto bad candidates.

We recently interviewed an entry level candidate who I thought was perfect. The rest of the panel passed on him though, because he was missing one very narrow area of technical skills. I know these are skills my former employer is happy to teach on the job for new college graduates, and I am about 85% confident that my old team would have extended him an offer. Would it be weird for me to introduce the candidate to my old manager? If so, do you have a script I can use?

It’s not weird at all, but check with them each separately first. Check with the candidate because you don’t want to out someone’s job search without their permission. (You never know, maybe he’ll say your old manager is married to his current boss, who doesn’t know he’s searching — it’s unlikely, but still good to check first — or maybe he has an ethical objection to that company, or who knows what.)

Checking with your old manager is slightly less necessary (people forward resumes of people they think are promising all the time), but it’s good manners and it’ll give you a chance to explain what you thought was great about the candidate. You’d say something like, “I recently interviewed Cecil Warbleworth, who wasn’t quite right for us but I thought might be exactly the profile you’re often looking for. (Insert info about why.) Would it be okay for me to connect him with you?”

5. Starting a new job just before I’d planned to take a week off for Christmas

Today I interviewed for a job and it went really well, in large part thanks to your advice! The hiring manager shared that they have a pretty aggressive timeline and are hoping to get someone on board ASAP, so potentially, if I get an offer, I could be starting by mid-December.

I have read your advice regarding negotiating planned trips/vacation time in the offer stage, but I’m wondering if it’s any different for time off around the holidays when you won’t be traveling? I have family coming into town the week of Christmas and had been planning on taking the whole week off to visit with them (they will not be staying with me though, if that matters).

If I receive an offer, should I mention that I will have family in town that week and had been planning on taking it off, and see if that works for them? I really really don’t want to offer to take the time unpaid, but I would be willing to do that if it was the only option.

Unless you’re in a very senior or hard-to-fill role, it’s fairly unlikely they’ll want to give you a paid week off immediately after starting. (If I’m understanding correctly, we’d be talking about … your second week on the job.) It’s more likely they’d want to set your start date for after that week or have you take the time unpaid.

If you get an offer, say something like this: “I have pre-planned commitments for (dates) and had been planning to take that week off. Is that something we could work around?” They might suggest a later start date or say you’d need to take the time unpaid, or they might express concern about you taking that week at all.

Because of that last part, I’d start thinking now about whether you’re willing to be flexible on the dates. Does it have to be the whole week or could it be just a few days (which could be an easier sell)? If they want you there and working, are you willing to lose the offer over that? It’s good to figure that out now, so that you can indicate how flexible or not flexible you are when you talk with them.

{ 694 comments… read them below }

  1. Lonely Monster*

    #2 Op, My husband is in the IT profession and you don’t know how many times he’s had to fix computers because someone clicked on a link from a phishing/Malware email!

    I’m talking people from lawyers to graphic designers. It’s insane and so frustrating when he tells me the stories about how the same clients always fall for the “click bait”, even after being told so many times not to….

    At least your office has been sufficiently trained not to fall for it

    1. Ann Onny Muss*

      Yeah, my company runs these tests all the time. I’ve gotten these emails before, except it was “Tangerina Warbleworth” from “fake vendor” saying “click this link for your invoice.” Since I don’t deal with a “Tangerina” or anything to do with vendors or invoicing, I sent it along to our computer security team. I got an email saying “Good job, you passed.” My company is pretty good about sharing results and there has been marked improvement over the years they’ve started doing this. Of course, there are always those who unthinkingly click any link or open any attachments sent to them.

      1. Thankful for AAM*

        In my workplace of about 80, maybe 4 people deal with invoices yet many click on the “click this link for your invoice” in the phishing emails.

        It happens pretty regularly.

        1. Shadowbelle*

          I don’t find that surprising. Some people use their company email addresses for their personal shopping contact info. Some people only have company email addresses.

          1. Observer*

            So? If you get an invoice from the Watchamacilts Shop and you’ve never been in there, why would you open their “invoice”?

            1. Shadowbelle*

              Personally, I don’t do that. However, if a person regularly shops at Amazon and uses their corporate email as their contact and gets an invoice that appears to be from Amazon …

              I have gotten phishing emails purporting to be from Amazon, Fedex, Microsoft, and others that I have forgotten.

          2. Emily K*

            Not to mention even if you have a private email address you’re still potentially checking it on your work computer.

          1. msk*

            Our security group runs these periodically. It’s surprising the people that fall for it as the emails often have serious spelling or grammar errors. One team member fell for it and got teased by having dozens of flyers with the signs to look for posted in his cube by just about everyone in the area. He left them up for months I think as a sign that he wasn’t offended.

            1. Emily K*

              “It’s surprising the people that fall for it as the emails often have serious spelling or grammar errors.”

              The problem is, so do emails from a lot of the senior staff where I work.

              I almost fell for a scam early in the morning with an email purporting to be from the company prez, who only ever dashes off short cryptic emails because he’s too busy to write more than that I guess, and it’s often from his phone and has an autocorrect error or two. I went back and forth with the scammer for 3 or 4 messages until they told me what they wanted me to do (buy gift cards and scratch off the backs and email photos) that my alarm bells went off because that’s a seriously shady and illegitimate thing to be asking me for.

              I remember thinking at the time that it’s kind of ironic that C-suite often have email skills about on par with scammers who don’t speak English as their first language.

      2. Amethystmoon*

        Mine does that as well. I received several such emails last week. They were a little too obvious.

      3. Jules the 3rd*

        My company does this; I fell once, for the first one, but not since. The additional focus on security came in very useful when I got a phone call from someone spearphishing. They hung up when I asked them to do one of three fairly easy things, any of which would prove they were who they said they were.

    2. Staja*

      Heck, even being in the IT profession doesn’t make you immune. My husband’s in tech support and been burned more than once….the ink on his master’s is still wet.

      At my company (software dev, finance dept), I’ve had 3 trainings this past year. I was a Q3 IT Security Champ! (No monetary prizes or printable awards offered – just the knowledge that I am quick on the draw when clicking Report Phishing)

      1. AKchic*

        We had a phishing attack and everyone got an email to forward any and all phishing attempts to a designated person.
        I got another phishing attempt, so dutifully, I forwarded it on. The person got huffy with me and asked *why* I was wasting her time with such nonsense and didn’t need to bother. It was a good email and if I didn’t want to receive it, just delete it.
        She was wrong. It WAS a phishing attempt. 3 people got hit with it within 2 hours because she had told other people that it was good (because she didn’t actually check, and she forgot she was the designated person to check). She was gone before the end of the month.

    3. Super*

      Any company that isn’t doing simulated phishing tests is not going to make it in the long run. So not only is it routinely done, but you should be alarmed if any big company isn’t doing phishing training and tests.

      If it’s a media company, a gossipy clickbait title seems like a reasonable test, though I get the ick factor. But if you’re internalizing the idea that phishing emails (which could be from your cybersecurity team, or by actual criminals or hostile nations) must be in good taste… that would be a problem, right?

      1. CL Cox*

        You can have gossipy emails without reporting on a celebrity’s death. Divorce, firing, breakups, etc. are all bad news that’s not crossing the line. Heck, they could even report the death of a celebrity who died a few years ago, many people will still click on it, they forget in the moment that it’s old news.

        1. T2*

          Sorry, there is no such line. The bad guys will not follow a line in the sand, and neither will I. I have sent, “OMG, they just shot the president” emails with a link. The bottom line is that hoaxes are a part of the fabric of the internet, and I am training my users to not fall for them.

          The proper response to getting an email like that is to open a browser and google to see if it is true. You don’t click on the link. ever.

          1. BB*

            They could still get the effect they want, and maybe even more so, if they went with a “mystery” death. Such as “Emmy award winning celebrity dies in mysterious circumstances”.

          2. Mallory Janis Ian*

            “The proper response to getting an email like that is to open a browser and google to see if it is true. You don’t click on the link. ever.”

            That’s what I do if I get an email like that: Immediately go on Google or Facebook to see if other outlets are reporting the same thing.

          3. Autumnheart*

            Yep, the whole point is to send phishing tests that imitate real phishing attempts. Real phishers are darn well going to send fake articles like that.

        2. Super*

          I get why you’re saying that, but the phishing attack that works is the phishing attack that works. Expecting cyber criminals or national hacking teams to be nice is not really reasonable. I could see why a cybersecurity team might go for a highly clickable topic that was very relevant to that company’s industry, and so could be EXACTLY the attack an adversary might choose.

        3. Tiger Snake*

          There is no line in the sand. The more click-baity or “this could possibly be a legit email” a phishing test is, the better. That’s what attackers actually use, and is what we see thousands of day to day.
          Not only is the email LW#2 described exactly what I would expect this test to contain, I guarantee you that the security department has built their test email off of dozens or hundreds of real phishing emails that have been sent to their company.

          I also need to speak on the idea of something being ‘too far’, because this is a detail that the industry doesn’t talk about, as it upsets us. So many of the spam and phishing emails that we protect you from already are so much worse (especially in larger companies). I’m talking, enough 18+ violent/sexual content to leave you speechless for weeks. The shock factor has no limit and no extremes, and the people who create phishing emails maliciously have no shame (and yes, those emails get clicked on too). Anything we create is already so far removed from the actually bad stuff we protect you from day to day that there is no comparison.
          We do have a line in the sand; but to do our jobs and protect the company, it can’t be “but this one was tricky and feels distasteful”, it needs to be calibrated to “let’s not have anyone outside of our cyber security team need therapy”.

      2. Quill*

        Honestly, it might be because I work in areas that are never client facing, but I just don’t get emails at work that are external to my team unless they’re about fedex deliveries or the Survey Monkey account that I established for a team survey that one time.

        Not that phishing isn’t a problem, I’m just wondering if it’s a far more major problem in areas I haven’t worked in than I give it credit for.

        1. Jules the 3rd*

          For reference:
          I’m in procurement for an obscure group in a Fortune 100 tech co. I’m probably a good role to target, except that my supplier base is small, 6 regulars and 2 – 4 ‘once a years’. I’ve had one attempt to divert payment and one attempt to harvest contacts, both this year. I think they got my email by hacking a supplier’s email, though we treated it as if the supplier contact were involved, since his account was probably still hacked.

          Leoni AG lost $45M in 2016 to a one-time business email compromise (BEC) fraud – never recovered, never solved. The description given looks a *lot* like the payment diversion request I got. Always check email addresses carefully – the request I got had the equivalent of ‘’, versus, the right company.

          1. Super*

            A lot of times threat actors will mine public information, like LinkedIn, and figure out the email convention. So if your LinkedIn says you work for X company and you are a procurement officer, they’ll take your name and guess email address.

            Or they’ll buy, for pennies, compromised credentials on the Dark Web.

        2. Alicia*

          I also don’t work in client facing and I’ve received actual phishing emails. One was “click on the Excel icon for your bonus info”. I forget the details of the other, but it was on a subject I don’t work with, am nowhere near, that department is more than 50 miles away in the corporate office…

        3. Thit'se Man, Becky Lynch*

          The problem is they’re spoofing internal emails as well now.

          I’ve started getting emails “from my boss” requesting I transfer money or change banking details.

          I know that many now have flags for external emails for this reason but the phishing people will find hacks and manipulations over time to override that. Meanwhile they’re just banking on Betty not paying that close of attention one day and taking the bait.

          They’re all about that off chance they catch you off guard.

          They also will spoof accounts you know. I’ve got phishing emails from clients I’m familiar with but know that it’s not them for varying reasons.

          Fake shipment emails are also done!

          1. EventPlannerGal*

            My company had a phase a few months ago where we kept getting emails that appeared to be coming from our own company email address, with some message about how the “hackers” had seized control of our email accounts and info and webcams and we would need to transfer bitcoin to blah blah blah. The actual emails were obviously not very convincing, especially when you get eight in a row with slightly different wording, but they did definitely appear to be coming from our own email address so it was kind of startling to realise that that can be spoofed so convincingly. (Computer ignoramus here, lol.)

            1. Rainy*

              Every few months a few of us will get an email “from” our director saying she’s in a meeting and asking us to buy iTunes cards immediately.

          2. DrRat*

            My company does multiple types of phishing exercises, which is a good thing, because we also get a lot of authentic phishing from the outside. One outside phishing attempt was very impressive, as it appeared to be from the person who was then the head of HR for the whole company. The phishing attempt that the most people actually fell for recently? One that appeared to be from an internal source that said “problem with your paycheck.” Brilliant social engineering! People freaked out and forgot all their anti-phishing training as their brains screamed, “WHAT DO YOU MEAN, A PROBLEM WITH MY PAYCHECK?!?” And they took the clickbait. Which was fortunately only a test. Was it possibly in poor taste? Maybe. But extremely effective!

        4. Observer*

          You may just be very, very lucky. Because there are all sorts of phishing scams that come to folks like you too. Fake FedEx (UPS, DHL, random “delivery service”) tracking / delivery emails and emails that LOOK like they are from your team but are actually spoofed are two very common tactics. And, boy do they work!

          Yes, it’s a major, MAJOR problem.

          1. Quill*

            I think R&D might just be uniquely unsuited to phishing, because it would be really hard to know what’s relevant to us without being in on the trade secrets we’re working on.

        5. Oaktree*

          I don’t work in a client facing role either- I’m a research librarian at a corporate firm who works solely with our internal staff. However, I regularly get emails from people outside the firm who want me to sign up for such and such a seminar or training, or buy their product, or subscribe to their publication… this isn’t phishing, either; it’s just spam and unsolicited advertising. I have no clue how these people get my email address (I imagine there are companies who sell work email addresses and phone numbers in bulk), but yes, this is very much A Thing, even if it hasn’t happened to you. I get probably half a dozen emails like this, and as many calls, in any given week.

      3. Works in IT*

        I try to make sure my phishing tests follow examples of phishing emails seen in the wild, and are also seasonally appropriate. Different people are vulnerable to different kinds of attacks, and there are probably some people who wouldn’t fall for a messy divorce email and would fall for an oh important person died email. It’s important to test every possibility, so you can educate the people who happen to fall for that kind of attack.

      4. Gumby*

        I’m concerned about the assertion that one aspect of the problem is “Especially since we are a media company, so a fake story like this could end up being reported as actual news?”

        The problem in that case is not that the phishing test was sent but that apparently your “media company” reports news to the wider public based on random un-vetted emails. Please, OP, encourage your company to institute at least some basic fact checking before releasing news stories!!!!

    4. OP #2*

      OP #2 here. The thing is, my company isn’t really training on how to avoid phishing. In Alison’s breakdown of train everyone, say you’ll be testing, test, report, retrain, retest, the only steps that are happening are test and retest. I don’t remember any training on this at all in the year-plus I’ve been here, other than basic instructions in the employee manual (although co-workers who have clicked on one of these say they have been taken to a page with a warning about phishing). So it’s not coming across to employees as part of an effective cybersecurity program … it’s coming across as our employer trying to trick us, in this case, with a false email about someone’s death.

      I find the suggestion down thread that maybe I’m “internalizing the idea that phishing emails must be in good taste” kind of insulting. I’m not talking about the content of real phishing emails sent out in the real world. I’m talking about whether my employer is training people in a way that’s both effective and respectful, which in this case seems like “no” to me. Actual people make these fake test emails and actual people read them, and there are plenty of spammy clickbait topics that aren’t the death of a real person with the vague suggestion that maybe it was something like an overdose or suicide (which I didn’t get into in my original letter).

        1. Sabira*

          No, as part of an effective security awareness program, there really should be training that’s separate from the tests. Training would help employees to more clearly understand the organization’s official policies for what to do with potential phishing emails, and also get insights into the reasons why this all matters. And ideally, the training should be held periodically, rather than just being a one and done kind of situation.

          Security awareness is one of my specialties, so it’s always interesting to hear how companies are doing it in ways that could be improved. IMO, having so many tests without actual training typically leads to people feeling tricked, and far less likely to want to buy into the company’s larger security initiatives.

          1. OP #2*

            IMO, your opinion is correct. At my company this definitely seems to do more to make people feel tricked/distrust our employer than train us all to avoid phishing.

            1. Works in IT*

              In that case, they aren’t doing it right. My phishing emails are designed to identify the people who fall for that type of email, so I can then get them into follow up training to teach them how to recognize that type of phishing email. Sending just the emails with no follow up training is not a good idea… because it tends to make people start treating it as a game, and not training for a very real danger.

            2. Super*

              Have you asked people who have been there longer than your just-over-a-year if they had received security awareness training?

              If they haven’t done it in 5 years, that’s a problem. If they did it 2 years ago, it could be delayed due to new privacy laws, for example.

          2. Quill*

            Yeah, training is usually an e-learning that sounds like it was recorded in a garbage can by someone who couldn’t figure out where their microphone was. Can’t miss it.

            1. Kyrielle*

              I love the slideshow presentation ones that make you click between every page, because so many people have started the video and then ignored it that they want to make sure you’re awake and at least paying enough attention to click ‘next’.

              1. Quill*

                My favorite is the ones that won’t let you click next until the person in an alternate dimension that runs at 40% speed reads through everything in a drab mumble, even when the text is on the slide.

                1. Alicia*

                  Yes, I’ve always liked reading better and am a fast reader. Having to listen to a slow speaker takes more than twice as long!

                2. Super*

                  I laughed heartily at this. So glad it’s not just me!

                  Even worse is when you have to develop training, you have to watch that over and over and over again to test to make sure things are right.

                  Stab – self – in – eye!

                3. Nerfmobile*

                  Oh, I had one of those once. It was a mandatory refresher training on a topic I know very well. Also a mandatory minimum time on each slide of over a minute, with all the text on the slide. So I kept a browser window open on my other screen, and clicked back and forth between the two. 45 minutes later I passed the final test with flying colors, and had also read quite a lot on other topics! Not the training context the instructional designers had imagined, I think.

          3. ThatGirl*

            Yes, we have yearly security trainings that cover phishing emails along with a range of other stuff (the ever-popular “don’t pick up USB drives you find on the ground and put them in your computer”) and then the occasional fake phishing emails throughout the year. It’s not so much a heads up that you might get them as a “here’s what to look for if you do”.

            1. Quill*

              you’d think the number of action movies where all someone has to do to hack your computer is plug in a USB and suddenly your evil plan is revealed to the world would have trained people better…

              1. Ival*

                I absolutely loathe movies that use USBs in this way. Or Sherlock. Really Gatiss should have known better. Ugh.

                In the real world, I worked as a subcontractor at a defense firm 15 years ago. USBs were absolutely barred from the facility. If you had one on your person you were summarily dismissed AND all your computers were confiscated and checked by the feds.

                I’d hate to say it, but you can’t underestimate the number of people who don’t know how dangerous links and USBs and other similar things are.

                I think people either don’t understand the risk or don’t think it will happen to them.

                1. Super*

                  I’ve worked at too many places that allow USBs (shudder whyyyy?) and have actually seen people at Starbucks leave their laptops when they go to the bathroom.

                2. Rainy*

                  I work in higher ed and the number of students who just want me to stick a USB drive in my computer on their say-so rather than email me a file or bring me hardcopy is SHOCKING.

                3. EH*

                  My partner and one of my friends are both in web security (at different companies with very different focus, too, so I get a wide representation of best practices), and I’ve wound up becoming pretty knowledgeable in self defense.

                  People are so, so naive sometimes. The horror stories I’ve heard from my partner and my friend are astonishing.

                4. SusanIvanova*

                  At my last tech company, there was a meeting for managers – just general manager-level stuff – and they all came back with a key-shaped USB stick.

                  Our company made virtual machines – software equivalents to the box on your desk that looks just like a real machine to your OS and the code running on it. One of the things you can do is pause it while it’s running and inspect what’s going on in ways you can’t do with real hardware.

                  So that stick went right into one of our testbeds, where we watched it pretend to be a USB keyboard, detect what OS it was on, and feed the machine the appropriate keystrokes to open a browser and go to a website.

                  *This was not a phishing test*. It might actually have been a good use of resources if it was. But it just went to an internal website for the managerial bureaucracy that they’d just covered in the meeting. And also trained all those managers that it was perfectly fine to just stick a USB device in anywhere, and to not throw a fit if it started opening websites.

            2. Jules the 3rd*

              Ditto – annual security training video / webpage, about an hour, that includes examples of what to look for (ie, spoofed email / web addresses, attachments), and is updated every year or two as hackers change tactics.

            3. SS*

              I loved seeing the rule about “don’t pick up strange USBs” and then I go to a conference and our company has a big table set up with hundreds of free USBs that are sitting unattended on the table for the 3 days of the conference for giveaways to anyone walking by. So anyone could come along, toss a handful of infected USBs onto the table mixed in with the freebies. Or slowly take handfuls of the existing USBs, load malware on them, then put them back later and slowly infect all of the USBs being handed out.

              1. Elitist Semicolon*

                Depending on where the USBs were made, a good number of them are probably already pre-virused. Our students who are studying abroad in China often find this out when they buy a new USB in perfect packaging and then put it in their laptop. We do tell them before they go not to do this and that they should bring their own and never put it anywhere except in their own computer, but there’s always at least one student who blanks on it.

              2. notmichelle*

                My state bar used to pitch a fit about lawyers who went all digital and used the cloud. The oldsters thought it wasn’t safe.

                Then, at the state bar events, guess what they did? Handed out USB sticks with info on them.

          4. Super*

            Yeah they should definitely do training! Depends on what your industry is and which regs you have to comply with, but the general requirement is annual security awareness training, an awareness campaign (posters, e-mails, newsletters, events, etc), and specialized Secure Code training.

            Sometimes when a program is just being stood up, they start with benchmarking with a phish test – so they may have other awareness and training in the hopper. Or they may not have funds for a dedicated Awareness & Training cyber position but are still trying to pass audit. Could be several explanations.

            But being “insulted” because of something you know and we don’t is kind of silly. It sounded like you had internalized an incorrect rule – that’s what humans are inclined to do. We’re explaining why that’s not actually the rule, based on having been on the other side of a phishing campaign.

        2. Jojo*

          If IT really did not provide training before running tests that everyone knows will occur occasionally (who knows, OP has only been there a year/year and a half, maybe it happened before companywide) then this would be a really great launching point for such training. At the least, it’s a teachable moment. There are few things more click-baity than fake celebrity news, and clicking on embedded email links is THE way phishing works. (Also, all sorts of PR email have links that could easily be phishing scams.) Publishers/reporters would seem a ripe target for so many reasons and also perhaps as likely or more so than many types of employees to click on such links.

          But the subject matter? I mean, people clicked on it, I’m sure; this is the classic stuff online that draws people in. What’s the point of IT making tests that are obvious tests? IT, the company, and employees need to know where they are vulnerable and where they need to be on guard.

            1. Librarian of SHIELD*

              How on earth would a training that tells people how to spot phishing emails and to be on the lookout for a test email prevent someone from recognizing a real one? If anything, a person expecting a test email is probably MORE likely to spot a real one, because they’ll actually be looking.

              1. Mockingjay*

                There are excellent videos and interactive online trainings out there. Interactive can be really good; the one I take every year has examples of “real” emails and runs you through scenarios to show what you should open and what you shouldn’t click on.

                Phishing is insidious. I take this course every year and I still pick an email I shouldn’t. *eyeroll*

                1. Shadowbelle*

                  Betcha anything those excellent videos and interactive online trainings cost money, though. And what evidence is there that they actually work?

                2. Mockingjay*

                  It works. Employees at my company have caught and reported phishing attempts, which our IT department promptly warned the entire staff about. The mistakes I make during training mean I pay attention in real life, because I don’t want to repeat them.

                  Of course trainings cost. Investing in them can be a reasonable business decision, if the outcome provides a secure network and savvy employees to conduct the company’s work.

                3. Jules the 3rd*

                  It works – I’ve had two attempts this year, neither succeeded, in large part because of the training, and stop gaps we build into our processes. We have to call to confirm payment diversions, for example.

                4. Super*

                  @Shadowbelle – it’s all documented, thoroughly! There are extensive metrics kept from test to test on how well it worked. You can see exactly who clicked, when, where, from what platform, what they did, which reported the phish. You can crunch all that data – which groups are most vulnerable, which roles, any vulnerable platforms. You definitely compare between tests – click rate, compromised credential rate, which groups are getting better vs worse, and the pool of people who keep falling for phishes. You can analyze which phish campaigns were more effective and make better future campaigns – having a lame test doesn’t help protect the company against clever actual criminals or countries that hack.

                5. Elitist Semicolon*

                  PBS has an online game based on an episode of NOVA that is set up as a role-play: you have been newly hired to oversee cybersecurity for a small company and have to make decisions about how to respond to various threats based on the information provided. The game includes basic instruction on various threats, then requires you to apply that knowledge in increasingly complex scenarios. It’s not intended to take the place of focused training, obvi, but it covers the basics (including how to tell a phishing email from an email with a lot of careless typing) and is actually rather fun.

              2. pentamom*

                Because they’ll be particularly looking at that time, and then once it has come and gone, possibly drop their guard.

        3. Lance*

          A simulated phishing e-mail alone is not training. Training requires feedback, context; training requires guidance most of all. If all they’re doing is sending fake phishing e-mails out and saying ‘pass/not pass’ after the fact, then what are people learning? Well, that they didn’t pass a test that they were never told about.

          That’s not helpful.

          1. Washi*

            Right! I can see doing an initial test without warning/training just to get the scope of the problem, but just sending out test after test doesn’t seem effective. The people who are bad at spotting phishing emails and click them over and over are probably the kind of people who will need explicit training on how to avoid them.

            My husband’s grandpa was easily tricked by phone scams. You could have called him every week with a different one and he would have fallen for each of them, without putting together a pattern of what made them suspicious. He had to be specifically told about common scams, questions to ask, information to never give out on the phone, who to call if he’s not sure, etc.

            1. londonedit*

              Definitely. I can imagine that you might not alert people to the first test, but that’s because you then want to get everyone into a mandatory training session and say ‘OK, we sent out this test email last week and 27 people opened it. 11 of those people clicked on the link. Only 5 people reported it to IT. This is a serious problem and one that could leave us open to major security breaches, so this training session is going to identify ways to spot phishing emails, and set out the steps you should take if you think you’ve received one’.

            2. Artemesia*

              My husband used to prosecute securities fraud and the first question asked a victim is ‘do you have any other investments?’ Invariably the guy who just bought the one carat investment grade sapphire for 10 times what any sapphire is worth now carefully stowed in his safe deposit box will also have ‘invested’ in other dubious schemes. People who are scammed tend usually to be people who are easily scammed and the lists of ‘marks’ get circulated.
              Phishing scams can happen to anyone who doesn’t know about them and so getting caught once especially when this was a new phenomenon is understandable — but there is a subset of people who seem to fall for it every time and sometimes them not having access to the internet is the only solution.
              We taught my mother about them and even in her 90s she was great at NOT getting cheated by the countless phone and computer attempts to cheat and steal. Old people are very much the target of crooks often playing on their honesty and desire to make sure they always pay their bills; it would not be exaggerating to say that such attempts were almost daily.

          2. Super*

            We mark up the phish email – highlight the clues to look for next time, and explain how to keep from getting taken. We put that in the page that pops up after you fall for the phish, so you get immediate feedback.

        4. Rainy*

          A fake phishing email is not the same as training.

          My organization has a whole online course module with a quiz at the end and frequently updated info about who and how to report phishing emails. It would be better in-person, but the people who most need the in-person training would skip it, whereas if they’re required to have a score in the system completing the course module, they’ll do it. So it’s definitely better than nothing.

      1. Lady Ariel Ponyweather*

        I agree with you and must say I’m baffled by the response. What you describe isn’t like any phishing training I’ve heard of. It sounds like shocking people to get a reaction and then blaming them for the reaction. People get genuinely upset about celebrity deaths. And implying that the death was an overdose or suicide?! That’s even more gross. Shocking employees just to say ‘PSYCH! You shouldn’t have clicked on that’ isn’t effective training, it’s just emotional manipulation. Your employer is lucky no one forwarded the email to a tabloid site or posted on Twitter. As for what to do, can you get feedback from an actual trainer to give your own feedback more weight? You’re right to push back on this. Good luck and hope everything works out.

        1. Super*

          That’s not the point though. If a team of hackers or say China gets into your network, your whole company, and your pay and all your private data, could be at risk. Cybersecurity isn’t spending tens of thousands of dollars on phish campaigns for titillation or to gloat at employees. They’re just not. Cybersecurity is desperately trying to plug holes in a leaking seawall, to keep the whole country from being washed away.

          You’re taking it personally, as if cybersecurity thinks YOU’RE the enemy; you’re not, you’re the -mark- the enemy is trying to use, in order to take it all down.

          1. OP #2*

            I’m not sure what background information you mean. If you mean that we’re not getting training, just tests, part of my email was asking whether these tests are a real thing. Alison’s response outlined the type of program they’re ideally part of. I didn’t have that information until after I read Alison’s answer, which is why it wasn’t part of my original letter.

            1. Super*

              I think it’s that you got “insulted” by our telling you your gut wasn’t necessarily right… it feels like you just wanted a bunch of agreement rather than – as it sounds when one asks for advice – for education from those of us who have actually run phishing programs.

              1. OP #2*

                That’s not what you did, though. You suggested that maybe I was saying that real-world phishing attempts shouldn’t be in bad taste. That’s absurd, and I never said or implied that, so your comment came across as patronizing. The fact that you then brought it up in at least three more comments as some kind of evidence that I was insulted by something completely different is also frustrating.

        1. Witchy Human*

          As I read it, the letter basically asked:
          1) is this normal?
          a – yes, kind of
          2) is this as tasteless as I think it is?
          b – yes, definitely

          The follow-up information that LW’s company isn’t conducting this “training” in a productive way isn’t really relevant to those two answers.

          1. Ival*

            Yes, OP needs to figure out what she wants to address. Is it the efficacy or the content?

            I think she won’t get far on the content. The best argument is the need for follow-up training.

            1. OP #2*

              My letter was asking for a gut-check about whether this is a real thing, as well as about the content. The efficacy conversation has come up from comments to my letter, not from the letter itself.

              1. Works in IT*

                Considering the number of attacks that have made the news this year… it is a real thing.

                As far as whether it’s in poor taste… everyone, naturally, has triggers that people who write phishing emails can use to get them to do what they want. Some of those triggers are things that are in poor taste. Some people might ignore a phishing email about a messy divorce, and click this email. Some people might ignore this email, and click a messy divorce email. Some people might ignore both because they don’t care about the celebrities in question, at all, but send them an email saying the President’s dead…. or the Queen of England…. and they’ll click on it. The point is identifying the triggers so you can sit down with the person who fell for it and walk them through see, this is how someone played on your emotions, watch out for this in the future, here are some examples of the same methods, can you identify what to watch out for?

              2. Observer*

                So, the answer to your question as stated in the letter is:

                Yes, it’s a real thing and the content is totally appropriate to your industry.

                I’m going to push back on Alison’s advice to bring up how tasteless this is – that’s the POINT because that is WHAT WORKS IN THE REAL WORLD.

                Also, that testing is ideally done in the context of training you’ve already received. That’s just not the case. Yes, testing is ideally done in the context of a wider security program that most definitely SHOULD include training. But testing also should be done NOT in conjunction with the training – both BEFORE training to understand what is going on in your organization and on a rolling basis.

              3. Kramerica Industries*

                My company did this and the simulation was “There was an error in recording your vacation time. Click here to retry.” And I fell for it.

                I was mad because I thought it was tasteless that they would toy around with something like vacation time and compensation. Upon reflection, I was just looking for a reason to justify my real feelings: I was embarrassed that I fell for it.

                1. SS*

                  Same here. I have only failed *1* phishing test in my company even though they send out at least 1 every couple months. We had just gone to a new employee feedback process for our internal performance review. I had sent out a request for feedback to a specific manager the previous day. I received an email claiming that it was from the performance system telling me that my requested feedback was attached. Since I HAD just requested feedback, and I wouldn’t know the sender’s email address from the new system so I didn’t know it was coming from an invalid address, I had no reason to believe that it was fake. That one still makes me mad.

                2. Super*

                  The same people who get mad that they were embarrassed would also get mad if they were the victims of identity theft because of poor company cybersecurity.

                  Darned either way!

      2. BRR*

        Your IT department definitely failed at training because they’re not doing anything before or after sending it out (are they possibly following up with people who click?). But what I’m getting, and I’m sorry if I’m wrong and putting words in your mouth!, is that you’re more upset about the subject matter of the email than the test itself. The email is definitely in poor taste. I would guess their thinking is that they wanted to send a realistic email out that is relevant to work and that people would click, and they should have explored other options. And as Alison said, you can raise this. But I’m also getting a feel from the comments and myself that a lot of people are bothered, but not to the same degree as you. I would suggest figuring out who to raise the issue to instead of spending energy on justifying your position, which you shouldn’t have to because again the email was in bad taste, or trying to get others to the same level as you.

        If you don’t like phishing tests as a whole, that’s an entirely different story since they’re incredibly common and best practice. Having the advantage of being an objective third party observer, I’d pass along to IT that the subject wasn’t appropriate and move on. This is not the hill to die on.

        1. OP #2*

          Yes, as I said in my letter, I think we’ve gotten at least four of these in as many months. The one that prompted me to write to Alison was the fake celebrity death one.

          1. BRR*

            I think it would also be appropriate to ask IT if there’s anything you should do with it if they haven’t said anything yet. In my current job they have a dedicated email you forward spam to and as part of our ongoing training they remind you about it.

      3. Ival*

        Just asked my husband who is a CIO at a Fortune 50.

        They don’t do the training before. They don’t let people know it’s coming. That defeats the purpose.

        What they do is to monitor who clicks the links, then give online training. If you click a link more than once, you get more extensive training FTF. If you are a repeated link clicker, your boss and HR are notified. It may be that your email and internet access is curtailed. It may be that you are put on a PIP wrt internet and email usage.

        They have fired people for repeatedly clicking links after training and discipline b/c they work with very sensitive data.

        Most “hacks” aren’t coming in from outside with brute force. They are things like this where the people inside let someone in.

        So I don’t think training before is a problem. Many people don’t need it. I think the failure to follow-up after is an issue.

        The content is a whole other ball of wax. However “dead celebrity” is a common training tactic because it’s a common phishing tactic. It may be offensive to many, but it’s pretty wide-spread. Why? The research shows there are several types of phishing attackers that work. Young dead celebrity is pretty high on the efficacy list.

        1. Beep Boop*

          This seems like a terrible practice. With no training or information, you’re expected to know this stuff? And then put on a PIP if you fail? Wow.

          1. Shadowbelle*

            Yes, you are expected to know this stuff. It’s a standard survival skill in the digital world. It doesn’t just apply to one’s employment, but to one’s personal life as well.

            PIP if you are an egregious repeat offender? Seems reasonable to me, since you are putting the company at risk.

          2. Elizabeth Proctor*

            Looks like you didn’t read very carefully. The first email is a test to see how big the problem is and who might need the training (which looks to maybe be virtual at first). If you continue to click on them, you get more training in person. If after extensive training you continue to click on them, you get put on a PIP.

            If you were trained in something multiple times and still kept messing it up, don’t you think a PIP would be in order?

            1. Ival*

              That’s exactly it. They don’t put people on a PIP for ignorance. They are put on a PIP for repeatedly risking sensitive, extensive, personal data (think health care records or government benefit records) after repeated training and personal coaching.

              There are some people who, in spite of all the training, still discount the risk and think they know better. Those people end up getting told they need to work in another industry.

            2. Super*

              This is how my program was too.

              1) Security training (annual)

              2) First phish test for benchmark

              3) Feedback on phish test – what to look for, why it’s important

              4) Rolling phish tests

              5) Targeted training and management notified for repeat offenders

              6) Work with HR & IT for serious repeat offenders – counseling, training, and technical solutions (eg some roles have external roles where they need to click even dubious links, so find solutions like sandboxes and daily new images so infected images are deleted)

          3. Ival*

            Did you just miss the point where I said there is both online and extensive face to face training before a PIP?

            What you are Wowing is nowhere mentioned in my post.

          4. Lucette Kensack*

            It sounds like people are being put on PIPs after, at a minimum, two warnings and two rounds of (scaled up) training. That seems reasonable.

            1. Ival*

              Yes, the PIPs come after repeated trainings and repeated violations. If, after six months of training, you are still a serial link clicker, then I’m not sure what else the company can do. It’s either a PIP or firing the person.

          5. Artemesia*

            They pointed out that it was for repeat offenders. Of course the initial overture should be without warning; that is how you determine who is clueless or vulnerable. They noted that training then occurs and more intense training for those who do it again. It is after training and repeated fails that the PIP becomes a thing. Seems pretty appropriate to me.

          6. anon at work*

            I think you are expected to know not to click on links in emails you are not expecting. It is like drivers should know you are not supposed to turn left on a solid green light without looking (you don’t have the right of way). Or knowing not to run with scissors.

            1. Super*

              I know firsthand how clueless most people are about cybersecurity. I don’t know many cybersecurity people who work with everyday employees who have that expectation. The lack of knowledge about the basics is breathtaking. I have people tell me all the time that they have an Excel sheet on their computer with all their passwords, unencrypted of course – I try to tell them that our Cyber team has seen that file and all their passwords, and any hackers can find that in an instant, dear heavens please use a password vault instead, but it’s crying into the wind.

              We DO expect that after you get trained and have failed a test or two, THEN you should start to clue in. And that’s fine – there are so many things to keep up with, and that’s why people like me have a job in the first place, to educate and eventually force compliance with the security that keeps us all employed.

          7. LQ*

            Clearly said you get more training, face to face training and that it’s not just one click and you get a PIP.

            If your personal information got leaked because a company wasn’t bothering to fire the person who repeatedly had fallen for every phishing scheme you’d be (rightfully) pissed. If you had to spend years cleaning up your credit because of a leak that could have been prevented, but instead that person was left to continue to dump your info on the dark web would you just hand wave that away?

            There are real consequences to this. And they aren’t just firing after the first click. Ival clearly explained it was multiple steps with help and support along the way.

        2. RussianInTexas*

          Yes, it was the same thing in my old large company. You see how many people fall for it, then you train. You isolate the repeat offenders and train them extra.
          Boyfriend does cyber security in his Fortune 500 company, and they do this too.
          If you are working with internet in this day and age, you should KNOW not to do stupid things like clicking on a link you don’t know. It’s like you know not to clip your fingernails in the open floorplan, or let people who don’t work on your floor in without asking.

          1. Ival*

            The other thing this does: Let IT know where it has vulnerabilities so it can know what types of content to block/look out for.

            If say, you are in an area where no one watches NASCAR, you don’t need that in your filter. If you are in certain areas of the south, you might.

            Frankly, my personal policy is never to click a link unless I’m expecting one (e.g., password reset) or have had independent verification (e.g., a text from my friends) that the link is legit.

            I never, ever click unsolicited links. If it’s legit, you can google and usually get there.

            1. RussianInTexas*

              My boss fell for the PayPal testing e-mail three times in a row. It was a source of much merriment.

              1. Ival*

                My husband is a member of several CIO groups. Most of them cover their cameras on their devices, disable Siri/Alexa, and won’t use USBs to save their lives. They also don’t like links in emails when there is any other choice (e.g., instead of a link, a direction to go to the company server in a spot to find something).

                People grossly underestimate the risk and grossly underestimate whether or not “smart” people will fall for scams.

                It sounds like what OPs company needs isn’t just this testing, it’s training and a guide for what to do/not to do.

                How important it is really depends on the type of business. If it has lots of private data on its customers, this is critical. All companies should be testing.

                The spammers and scammers are getting better. I just received a call a few days ago that looked identical to the Apple helpline. Except I was sitting in the Apple store at the time. They told me it was a scam that was going around.

                1. Jules the 3rd*

                  Hah! I am glad to know I’m not the only one who won’t camera / Siri / Alexa / USB. My coworkers think the ‘not camera-ing from my personal devices, just from a conference room’ is weird, but… tough.

                  I do send links, but only to specific internal company sites. The company knowledge base is way too complex for directions, and our search is really bad.

                2. Pennalynn Lott*

                  I mentioned my use of laptop camera covers at a party a few weeks ago and a 20-year-old said, “OMG, that’s such a Boomer thing to do!” I was like, “Yeah, I suppose that not sharing sensitive information with the entire internet is soooo old school.” In fact, at my Fortune 5 company, InfoSec requires everyone in my department to use them. And privacy screen covers. And locking your computer if you so much as walk to the mini-fridge that’s 5 desks over. And we already have tight security on who can enter the building.

                  The entire company also gets phishing emails at least once a month with no pre-training or warning because, seriously, basic security knowledge is assumed when you’re working in front of a computer all day, every day.

                3. Ival*

                  Husband was at a CIO conference once. The heads of the big IT firms (e.g., Microsoft, Apple, Cisco, etc.) all had their cameras covered. Every single one.

                4. corporate engineering layoff woo*

                  Depending on what corporate installs on your computer, you also may want the webcam covered by default so *authorized insiders* can’t access it through IT security/monitoring systems. Yes, the work-issued laptop might come loaded with spyware standard.

              2. JessaB*

                In this day and age I thought even if you were expecting an email, you go to your bank’s site independently. That includes PayPal. It’s like when you get that phone call from the so-called fraud department, if they get upset when you say “Okay I am going to phone the fraud department via the number on the official website/back of my credit card,” you know they’re phony.

                1. RussianInTexas*

                  Yes! You would think so! And yet, people fall for it time and time again.
                  Even when my bank calls me legitimately, I tell them that I will call them back myself. They understand.

        3. Malarkey01*

          I was going to say this exactly. I have training I have to implement if someone on my team clicks one of these, but we do not do regular training on this. The first time you click it’s a standard warning that oops you need to be more aware, the second time it’s a serious training with examples to work through, the third time is your final warning and your internet is curtailed. We have internet and email codes of conduct and we absolutely expect people to be aware of this at our company. If you somehow weren’t you get the one “oops” chance to correct.

      4. Hey Karma, Over here.*

        Oh, that’s weird and kind of pointless then. My company (international, about 1500 people) does exactly what Alison listed. We had an online class. We had an in person class where we were given a check list of things to look for (typos, mouseover hyperlinks, urgent, etc.) and then the phishing emails started. You got busted and your manager came to you and said you got busted, please take the online class again. It’s been two years, and I learned to control the impulse to click.
        Even when the message read, “issue with your medical benefits” which got a lot of grief from coworkers. We thought that was unnecessarily stressful for a test.
        Oh, IT also has a banner appear on all outside email, marking it as external. Which is awesome.

        1. OP #2*

          We have an external flag in the start of the subject line and a banner at the bottom (it used to be at the top). I personally find it annoying because most of my email is external, so it makes my inbox harder to manage. But for people whose work email is mostly or entirely internal, it probably helps.

      5. T2*

        OP2, Listen.

        I have spent several years doing penetration testing. This includes things like breaking into offices, cracking your passwords, getting people like you to click on links, downloading information from your computer, and leaving my business cards on the desks of people just like you.

        In this role, I will look and behave exactly like a bad guy. I am not, of course; the difference between me and the bad guy is that I have ethical standards and would never exploit the type of access I am capable of. But every single person on the Internet is constantly and relentlessly under attack every second of every day by virtue of existing.

        My goal is not to embarrass you, it is to demonstrate a threat and identify and recommend what to do about it. Much of this work is completely invisible to you. You would not know it.

        In this case, you know not to click on links and you know that testing is going on. Which is itself the lesson. The virtue of you being irritated and writing about it means that your company is already better off than most.

      6. Akcipitrokulo*

        Yeah, they do need to do actual training as well – I can still see justification for a shocking attempt like that, but it needs training too. BEFORE the test emails.

        1. Artemesia*

          I disagree. People assume when training occurs that it is ‘not them’; they are not stupid enough to fall for it. All training is more effective if it follows experience rather than preceding it.

          1. Sunflower Sea Star*

            Well, then, let’s get med students treating patients (including performing surgery!) on day one of their training. Because “All training is more effective if it follows experience rather than preceding it.”
            Sounds ridiculous, doesn’t it?
            That’s because your statement is false.

            1. Super*

              That’s kind of ridiculous. The equivalent of surgery would be if these everyday employees suddenly had to RUN a cybersecurity program, without training. That’s not what is happening. They were part of a vulnerability assessment, and revealed that indeed they contribute to the company’s vulnerability.

      7. Observer*

        Well, your company should be training. But it’s simply not the case that testing should only be done in the wake of training. It’s just absolutely not true.

        Testing is necessary, even in the absence of training. And a test that is done separately from a formal training also happens to be a surprisingly effective tactic, although it can also backfire (which makes it tricky).

        You also seem to be missing the fact that good testing is not about “being respectful” but about mirroring the kind of stuff that is likely to get through your filters and that is likely to trigger people to click. It sounds like your test people created something that looks A LOT like a real spam email. That’s what they are SUPPOSED to do.

        If you are going to complain, what you should be highlighting is that the company should be providing training and periodic reminders on a regular basis.

      8. Tiger Snake*

        Well, training has to start somewhere.
        But as for the idea that the test was respectful; when security creates these test emails, they create them from the most common phishing emails that they have seen recently. We’re not creative, we’re replicative. They built a test with a ‘guess who died and why’ email, because those are precisely the emails that attackers are trying to target you with.

        But, the short notes of what that training should encompass:
        1) Always be untrusting of emails you receive. Yes, even internally.
        2) Who you should report suspected phishing/spam emails to
        3) What to do if you did click on a phishing email or download a suspicious document
        4) Always check, triple-check and quadruple check every detail of the sender email address (but be aware this can be spoofed, so that alone won’t be enough)
        5) If you’re not expecting a document, don’t open it until you’ve checked
        6) Just because it got through your company’s firewall, gateway or ‘force field’, doesn’t mean it’s safe. Be aware of your responsibilities
        7) Don’t click on links. Research the topic through appropriate means.
        8) Phishing emails don’t look like fakes. All that stuff about poor engrish is basically falsehood

    5. Jojo*

      Agreed. And, the OP seems to want IT to … get in trouble? IT needs to teach employees how to spot fake/phishing email and maybe to put giant warning signs on incoming email that it is NOT INTERNAL EMAIL or BEWARE OF EXTERNAL LINKS? Mine does. It’s amazing, really, to know even tricks phishing scams use in the email addresses, or how accurate (identical?) logos will look, etc. But it is the links in particular that are at the heart of these scams. My own company has sent out very real-looking bank phishing tests, and tests that appear to come from real publishers. (Is OP mad that this is how people and their corporations actually get scammed and lose private and company information? I’m confused. Did she click on it?)

      1. OP #2*

        OP here. I definitely don’t want IT to get in trouble for doing their jobs. I understand that phishing exists, and that employees need to be trained to avoid it. My issue with this email was the subject matter. Sending a false report of someone’s death seems tasteless. Since we have employees who are currently dealing with recent deaths or dying family members, or have been through loved ones’ deaths by overdose or suicide (which was hinted at in this email) it also seems cruel.

        No, I didn’t click any of the links in the email, but I’m not sure how that’s relevant to my question.

        1. Marny*

          I get that it’s the subject matter that seems… gross. Since it sounds like your company may regularly receive celebrity info in the normal course of work, I don’t think it would be out of line to ask that the phishing emails be a bit less maudlin. Maybe clickbait about a surprise celebrity wedding or someone popular doing a scorched-earth quitting of the industry would be more tasteful topics that still accomplish their goals.

        2. Jojo*

          I just meant that it’s an example of such classic internet clickbait, and would be exactly the kind of phishing link a publishing company would want to test for/see how vulnerable it and its employees are to clicking on. But if the company hasn’t actually done any training, then maybe this should be the leaping off point for it.

        3. Trainer*

          I’m a corporate trainer who has been tasked with running our security awareness program – while it does sound like your employer could use some guidance on creating an effective program (including training!), most programs do come pre-loaded with template content that many companies just push out. In this case, the person scheduling the phishing emails may have selected “current events” as the topic and elected a random email be sent out. They may not be aware of the content of the email that ended up being sent. There’s not always a person sitting down and evilly cackling while creating these phishing emails. It’s also possible that, since you work for a media company, someone wanted to see if anyone would try to report unsubstantiated news. Your company may be testing for baseline data to see how savvy their employees are and how aggressive their training campaign needs to be. As for your opinion of the content, I would encourage you to express to IT that you found the content tasteless. They may or may not take that into consideration for the next phishing campaign – a hallmark of a good phishing email is that it affects you emotionally/mentally and makes you act. However, don’t assume how others may feel about the content. Let them speak for themselves.

        4. Mockingjay*

          Your company might want to research subscription training courses, if they aren’t going to train your employees. My company uses them; we’re small and don’t have a huge budget. The service they use does light customization; inserts company name and information, such as POCs, phone numbers or links, etc. The videos are pretty good and present plausible scenarios and interactive tests, and are updated every few years. (We have EEOC, ethics, IT security, and a couple of other videos.)

          Might be a cost-effective solution that provides real value instead of frustration.

        5. fhqwhgads*

          I think sort of the key here though is the test emails need to mimic what real phishing emails are like. I don’t have any way of knowing if they’re actually doing research on this, but if there’s a common phishing scam that involves celebrity-death, then it is actually reasonable that among their test emails include that type of scenario, along with other test scenarios. Especially if there is maybe a recent new round of that type of phishing recently, it’d make sense they’d be testing how people react to that in particular. I’m not saying it’s in particularly good taste but avoiding it entirely may to an extent defeat the purpose.

          “Testing” your staff without having previously given any training on how to spot and what to avoid half defeats the purpose also. But that’s a separate issue. So you could raise that you found this one particularly disturbing – because you knew it was a fake and a test from them – but it may not gain much traction if their reasoning is “but that’s what the real scammers are doing”.

          1. Artemesia*

            But it doesn’t ‘defeat the purpose’. Falling for the fake phish creates a teachable moment. People ignore training that they feel is for things that don’t really apply to them.

          2. Oh No She Di'int*

            I tend to agree with you fhqwhgads. I don’t actually get the squeamishness seen here around whether the email is in “bad taste” or not. People trying to access sensitive data, personal information, financial records, etc. aren’t going to hew to notions of good taste. In fact, limiting the test to only good taste may even backfire if employees are trained to be wary of wedding and divorce announcements, but when it comes to shocking deaths would think: “Oh my God, this is about a death. No one would have such bad taste, so this must be real.”

            It makes me think of physical self-defense training. At some point, the trainers have to come at the trainees with the full physical force that an actual assailant would use. It does no good to soft-pedal that.

            1. OP #2*

              People choose to go to self-defense training and can logically be expected to know that there will be real, physical defense involved.

              People sitting at their desks just trying to get their work done, who may be grieving the loss of a loved one, or may have lost people previously to overdose or suicide (which were part of the suggestion of this email) haven’t made a similar choice.

              I find all the “I don’t care if it bothers you” language floating around in some of these comments really callous. Yes, cyber security is critical, but employees are people. It’s totally possible to craft an intensely clickable email without ambushing people with such potentially sensitive subject matter at their desks.

              1. Observer*

                *People sitting at their desks just trying to get their work done, who may be grieving the loss of a loved one, or may have lost people previously to overdose or suicide (which were part of the suggestion of this email) haven’t made a similar choice.*

                And they don’t GET to make that choice! I know it stinks, but you simply can’t opt out of basic security because you have something big going on in your life. These people sitting at their desks shouldn’t be required to take regular physicals because it doesn’t really affect their job, but there ARE professions where it is mandatory. And, people sitting at their desks DO need to take the equivalent of a physical that is relevant to their jobs – and that’s the ability to recognize phishing attempts.

                *It’s totally possible to craft an intensely clickable email without ambushing people with such potentially sensitive subject matter at their desks.*

                Nope. Not relevant. The email needs to mirror the real world.

                You need to accept that you don’t know how security works. You really, really don’t, and criticizing the program from a basis of ignorance is not going to help your case.

                The thing you have standing to complain about is the fact that there is apparently no training program. That IS a genuine problem and something you have standing to raise. The other stuff? Any good security person will be polite to your face and then decide that they are never, ever going to pay attention to anything you have to say. Because they know that as bad as this email may be for some people, the results of someone clicking on a REAL phishing email that could look exactly the same are likely to be far, far worse.

                1. Super*

                  Well stated.

                  A cybersecurity program that is too “kind” can potentially destroy lives. I recently dealt with a family overdose death, and it SUCKED. What would have been worse was dealing with all that, AND my private data getting sold to identity thieves, or my company abruptly laying people off to counter the data breach costs, or folding altogether.

              2. Ival*

                As someone who really believes in trigger warnings and gives them often, I don’t think we, the commentariat, are being callous. We are trying to be honest because we want to help you. We want you to deal with this in a way that is beneficial to you. That may mean that it’s uncomfortable for you.

                Truthfully, if you are getting this type of pushback here, from commentators who are predisposed to want to help you and who are, for the most part, kind and considerate, I think you’d get a massive eye roll if you brought this up to your IT department. Didn’t you want a gut check on that? To see if this was normal and if others found it as distasteful as you did?

                Further, I have seen only a few people straight up saying they don’t care if it bothers you. Most people aren’t saying that. You are reading into what they are saying because. Please reconsider their POV again.

                What they are saying is this: Even if this bothers you, which is ok, there’s a strongly compelling reason to do this. Your discomfort weighed in balance with the security of the company and the protection of the data of its employees, vendors, and clients, is not so important as to compel them to stop the practice.

                It’s ok to be upset with the death emails. That’s not a compelling reason to stop them.

                Also, on balance, most of the commenters here are not upset by the subject matter. Death is common. IMHO, we need it to be discussed more, not less.

                While your discomfort is perfectly fine, it does not seem to be widespread among the commentariat. If any group of people are likely to be upset by something insensitive, it’s the commentariat here. (Or that at Captain Awkward’s site) The fact that most people aren’t, tells me that this probably would not be viewed as out of line for the majority of people.

                TLDR: Your discomfort is understandable. It is not, however, a justification reason for these emails to stop as there are overriding factors that mean they need to be done.

                1. Super*

                  Yes – this is pretty much the nicest commentariat on the Internet. If you (in the general sense) think people here are being mean to you, it’s more likely you’re being overly defensive and seeing insult where there is none, or rude.

                2. OP #2*

                  What I actually see in these comments is several people who work in IT talking about how these types of tests need to happen (agreed) ideally in the context of an actual training program (also agreed) and that this specific subject also needs to be used as a test because real phishing attempts might involve something similar, often in multiple comments.

                  Then I see a lot of other people, not in IT (or at least if they are, they haven’t said), many of whom also see a need for these tests, expressing that they find a fake celebrity death email to be in bad taste. Most of them are in individual comments and not in these giant threads.

                  It’s really interesting to me that the IT/cybersecurity folks who are weighing in haven’t really said anything like, “Oh, I never thought about how the content of these test emails might affect the people who read them.” I think that’s an important thing to think about, not just for the employees’ well-being at work, but also for whether the training is actually being effective. It’s incredibly clear in my workplace that it is not. The phishing test emails are mocked. It’s treated as an eye-roll, not a learning moment. We had a huge conversation about how this particular message was in poor taste and upsetting to people, and how it made a lot of people in my office more suspicious of the company. That’s not the outcome anyone is looking for. I work with smart, thoughtful people, most of whom have been in digital media for at least a decade. This message didn’t make them more aware of phishing, it made them less trustful of our employer.

                  Also … I’m not sure why you construed “I find all the ‘I don’t care if it bothers you’ language floating around in some of these comments really callous” to mean that the commentariat as a whole was callous. That’s not what I said or implied. At no point did I suggest that everyone was callous or “mean to me.” But replying to someone’s concern about the well-being of their co-workers with “I don’t care” *is* callous, regardless of what position you are in or how important you think something is.

                3. Observer*

                  *It’s really interesting to me that the IT/cybersecurity folks who are weighing in haven’t really said anything like, “Oh, I never thought about how the content of these test emails might affect the people who read them.” I think that’s an important thing to think about, not just for the employees’ well-being at work, but also for whether the training is actually being effective*

                  Actually, people have REPEATEDLY acknowledged that it’s in bad taste, have spoken about why it is NECESSARY and spoken about why this is actually effective.

                  People may roll their eyes, but the people who fell for these emails have hopefully actually learned a lesson. And hopefully your company is also following up with those people even though you don’t know anything about that.

                  In short, the fact that these emails are in bad taste and that some people roll their eyes does not change that basic reality that these tests are actually appropriate. Sure, better communications around this would be a good idea, but I would not expect too much else to change.

                  You say that most of your coworkers have been in digital media for years. Are they really unaware that this is exactly what a lot of phishing looks like? Are they so unaware of the concepts of security that they are unaware of what “pen testing” is?

                  I don’t expect a lot of people to know this stuff. But for people who are supposed to know about digital media? That honestly smacks of complacency, people who have 1 year of experience 10 times (rather than 10 years of experience), and lack of current competency.

              3. Alicia*

                OP#2, your feelings about this remind me of my feelings about animal-rescue commercials.
                I find them very traumatic, and I was very disappointed in the TV stations for not protecting me from them.
                So I stopped watching those stations and got Netflix and Hulu.

                Since your problem involves security at your workplace, you may not have the option to not see these emails. As other commenters have pointed out, the emotional impact is the point of the phishing – to shock the recipient into clicking the link without stopping to think.

                Maybe you could delete one as soon as you see what it is, but that’s the only solution I see.

                1. Avasarala*

                  Agree with this. Phishing tests are like vaccinations. They need to have some of the virus to be effective so they test your immune system. You can’t have a shot of saline solution to prevent measles. It sucks to have crap delivered to your inbox but this is a basic safety procedure.

                  And honestly, unless the details are quite gruesome, celebrity deaths aren’t that traumatizing in my opinion. It’s the kind of thing you can glean from skimming Google, headlines, Twitter… Robin Williams was very beloved and his death hit many people hard but he’s also a stranger, and most people wouldn’t be traumatized by hearing about his death.

        6. A Non E. Mouse*

          If they are using a service (we are, and I’m in charge of the training/testing at my org), they don’t write the emails themselves – I pick what categories and level of difficulty I want the session of testing to use and be at, and the service does the rest.

          Now I can provide feedback to that service, so I’d recommend you bring it up to your IT department not like you believe one of them penned this email themselves, but that the service they are using should exclude this particular type of “celebrity news” items from future testing because it was upsetting.

          1. T2*

            I would absolutely and categorically refuse such a request. Limiting training to specific subjects defeats the purpose of the training.

            1. A Non E. Mouse*

              Not the category (Celebrity News is one of our top Clicks when I test!) but a particular email type (i.e. Death) within that category.

              It’s a service my company is paying for and using – I can and should provide feedback to them.

              Now they can tell me other clients like the death emails so they will be keeping them OR that death emails are a top clicker and they strongly recommend I keep using it, and I’ll then have to choose if I would continue using that category.

              Incidentally, we get our most hits on Social Media, then free stuff like pizza.

              1. Ival*

                You are aware that the Brad Pitt death hoax was one of the biggest phishing scams? The reason they are testing this is because it is what gets people to click.

                There were even an atrocious number of attacks linked to Bourdain and Kate Spade’s actual deaths.

                It’s fine to be upset by this, but I’m quite sure the company will push back that they do need to do these tests. If for no other reason than that these death scams are common and they work.

                1. A Non E. Mouse*

                  *It’s fine to be upset by this, but I’m quite sure the company will push back that they do need to do these tests. If for no other reason than that these death scams are common and they work.*

                  I’m saying if I got a ton of feedback from my end users that the death email we sent in our last test had the opposite effect (was obviously fake, and super upsetting to my end users) I’d be obligated to provide that feedback to my provider.

                  So, OP#2 can take it to his IT department and provide the feedback from his perspective. IT can then decide if it’s something worth passing on. But the only action #2 can take is providing feedback to IT.

        7. Observer*

          Phishers and spammers ARE cruel. And it’s not just that they are callous to the feelings of the people who they are spamming. It’s that they have no compunction whatsoever in emptying the bank accounts of people living on low, fixed incomes. They have no compunction in destroying the credit of people who have done nothing wrong but had their data in the “wrong” place. They have no compunction about using people’s most sensitive information to hurt them. And they certainly have no compunction about doing things that could cost a company more money than it can afford and could even put them out of business.

          So, they are not going to worry about the fact that their subject lines are going to hurt some people. That’s such small potatoes that they wouldn’t even know what you were talking about if you smacked them in the face with it. And IT needs to mirror what the spammers are doing. Otherwise there is no point.

    6. Hello*

      My company does phishing emails several times a year. Not everyone will get every round and it’s random as far as I can tell.
      Also our infosec team created a fun computer game to play called spot the phish.

    7. New Job So Much Better*

      My company sends these tests often, but it’s usually something like “your package has arrived” or some kind of fake coupon. The death thing is tacky.

    8. Goldfinch*

      That Synchrony/Amazon e-mail blast on Monday sent HAVOC through my company. We get a lot of phishing tests, and I was taken aback at how many people apparently send personal finance notifications to their work e-mail.

      TL;DR: It’s easier to detect these phishing tests if you stop using your work e-mail to sign up for everything. Make dummy accounts.

      1. Quill*

        The number of people who don’t have a personal email always astounds me. What happens to all your accounts / contact info / your ability to job search when you get laid off?

        1. ThatGirl*

          I always wonder this too. It’s 2019, even if you don’t check your email regularly, you need to have your own.

    9. RussianInTexas*

      My old office tried to train people not to fall for it, and yet my boss did, 3 times in a row (the test e-mails).
      Like, dude. Do you not remember the stern talking to last time???

    10. T2*

      I will make it easier for everyone.

      Question: Is this standard practice?

      Yes. Or at least it should be. We do this for the same reason automakers do crash tests. We need to understand the risks.

      Question: Should I be warned about the test?

      No. You will not be warned. Warning defeats the purpose of the test.

      Question: is the subject matter offensive or in bad taste?

      Possibly, but frankly I do not care. The bad guys will not limit their attacks to those in good taste and neither will I.

      Question: Why does IT do this?

      We are trying to identify users with a tendency to fall for this. When we do, we may train you up or document your issue. In worst case examples, you could be fired for repeated violations of policy.

      Question: should you know this?

      Yes. It is basic common sense. If you don’t know how to protect yourself, here are the rules:

      1.) do not click on email links unless you know for certain that it is legit and safe. You might google the information, or call the sender to verify. But if you are not sure, DO NOT CLICK ON THE LINK PERIOD.
      2.) people lie and spread hoaxes on the Internet. If you want to find out if something is true, google it.
      3.) If someone is asking you to perform any task with money, call them to verify the request.

      Simple rules. I am legitimately sorry you were offended, but my job is protection of the company, not your sensibilities.

    11. RabbitRabbit*

      We just had one and a number of people in corporate compliance clicked on it… yikes. At least our IT team was on it fast – they had their accounts locked out and had to be on-site to get unlocked.

    12. many bells down*

      My husband works at a tech company. Once, in the company Slack channel, someone posted “hey I just got this phishing email. Don’t click the link in it!”

      Then they posted the link.

      Then half a dozen people clicked it.

      These are *programmers*.

    13. Frea*

      My first day of training, the IT guy told me about a specific way to identify the phishing emails the company sent. I’ve been diligent about it ever since. Spotting them is pretty easy, but it’s even easier when the Cyber Security department decides to use a comic book villain’s alter-ego name as the sender. I had a good time filling out the feedback form on that one. “How did you know?” “Well, ________ shouldn’t have had access to email since Batman put him in Arkham last week.”

      1. Oh No She Di'int*

        Am I missing something here? Telling you how to tell the test emails apart literally sounds like the worst training practice I have ever heard on this subject. That prepares no one for ANYTHING in the real world, and may even lead to an increased false sense of security. I feel like if a trainer told me that, I’d ask if I could be reassigned to a different test group or something if there is one–because if I’m in a test situation, I want to actually BE TESTED so I can learn something, not just game the system.

        1. Frea*

          Yes, you’re 100% missing something. A lot of things, actually. The company designs phishing emails to mimic real emails that might be enticing to click on. Ergo, being able to recognize the company emails is a viable real life skill that I might have to use one day. Also, the ability to recognize sketchy emails, whether sent in a test or a real life scenario, keeps me out of trouble with the company. This wasn’t an act of cheating. There’s no testing group. I’m not gaming anything. I don’t really appreciate the implication that I was, but I understand that comments can be misread.

          1. Super*

            I really don’t understand if there’s any other way to take your comment. The IT guy told you the tells for how to spot the company phish tests. Not how to identify phishing in general. How would that be helpful for anything other than gaming the system?

            1. Frea*

              The IT guy’s training was this: “Our parent company sometimes performs phishing exercises. They’re pretty easy to spot, as they won’t fit into specific company norms and will display hallmarks x and y, which are also things you’ll see in real phishing scams. If that happens, or you get an email that’s just suspicious, here are the instructions the cybersecurity department wants you to follow.”

              I boiled that down to “The IT guy told me a specific way of spotting company phishing emails” because I wanted to preface what I thought was a cute story about a pop culture reference. What I object to was the automatic assumption of dark deeds on my part, re: gaming a system. I understand not giving folks the benefit of the doubt because “everybody on the internet is lying,” but to me that was a long leap in logic.

              1. Super*

                Ah. Sounds like you gathered important information on how to tell that story, so people don’t read it different than you meant it.

              2. Oh No She Di'int*

                Funny. Your story is changing. Based on your original version, all one had to do was look at the sender of the email, identify it as Villain X, and voilà, there’s your test email. Nothing there about looking at any other hallmarks of the email. Not saying that those weren’t communicated, just that you didn’t report that here.

                As you first reported the story, an instructor told you to look at who the sender is so that you can tell when you’ve got a test phishing email. The only thing that’s good for is gaming the system. My point in bringing that up was to point out the apparent shortcomings of the training as you originally described it, which seemed to include an instructor encouraging his students to game the system. I don’t know what you did or did not do; I don’t know what you did or did not look at. My comment isn’t about you. It’s about what appears to be problematic training methods and what I would feel compelled to do if I were exposed to them.

      2. Ask a Manager* Post author

        Frea, for what it’s worth, your original comment sounded like the IT guy told you you’d be able to identify the fake phishing emails because they’d come from a comic book villain’s alter-ego name. That’s what people are reacting to — because someone training you shouldn’t tell you how to bypass a test.

        I’m not sure why this got so cranky so quickly, but let’s all leave it here.

    14. ArtK*

      For #2 yes, this is very normal, especially at large corporations. I’ve gotten fake phishing e-mails twice now and I’ve only been here a couple of months! It’s a tad annoying that the 2nd one was identical to the 1st — I wish that they’d give us a better challenge!

    15. Free Meerkats*


      After the training, we get at least one or two tests a month. And they vary, depending on what the current phishing trends are, so I could totally see this type coming in.

      And, of the three people in this office, I and one other have never been nabbed; the other guy? He’s had to do the retraining four times, so far.

    16. Pay No Attention To The Man Behind The Curtain*

      My university does the test phishing emails too. But we’ve also had real phishing emails (that unfortunately have been successful) that are super hard to spot and come from spoofed emails that look like they’re from our president or deans or other high ranking people. With all of the people who check their email on their phones, it can be difficult to notice an extra dot or that it’s from a .com instead of .edu address.

    17. Feline*

      Phishing tests are definitely a thing at other companies. Ours started doing them and had such a dismal failure rate at first they started making threats, like taking away internet access entirely from people who failed repeatedly. That threat just kind of vanished, and I always wondered if there was someone in the C suite who failed repeatedly and they could not carry out the threat.

    18. nonegiven*

      My husband always passes those tests because he refuses to open an email if he doesn’t know who it’s from. He also doesn’t open the ones that are supposed to be giving him a link to the security training.

    19. TardyTardis*

      We got specific training on that and had to pass it at the tax office, and boy, has it come in handy at home, too.

  2. Heidi*

    My company does phishing tests. Apparently, there are a few staff who will take the bait every single time. The repeat offenders get some sort of personalized training. They did tell us that they would be doing this periodically beforehand, and none of them have been about a fake celebrity death. They have been more like, “Your login info needs to be verified.” Or, “You just received an e-card.”

    1. OperaArt*

      One of the better fake phishing emails we get is about how some of last year’s Halloween costumes were inappropriate, and that we should follow the link to see good and bad examples. There’s also one about a package from Amazon, and one supposedly from HR.

      1. The Other Dawn*

        My former company’s information security officer did a great job customizing the phishing tests. Unless you were a fan of Star Trek, other sci-fi, or comics, it was very hard to tell whether it was a phishing test or not.

    2. MistOrMister*

      Same here, we get them fairly often at my office. Some of them are odd enough that I’ll ask IT about them. Which I think sometimes annoys them. Oh wells!

      1. Aquawoman*

        Wait, they don’t want you to tell them about them? Part of the test is to see how many people report them. Because if it’s real phishing, they’re going to want to send out an office-wide email not to click on [the con of the day].

        1. A Non E. Mouse*

          We have protocols in place for reporting – it’s a literal button for them to click in their email.

          “Because if it’s real phishing, they’re going to want to send out an office-wide email not to click on [the con of the day].”

          Tens of thousands of emails enter and exit my servers each day. I do not want to send out an office-wide email (no one will read it anyway, considering they never seem to know that I’ve already answered their question in an email earlier in the week), I want them all to use the training and tools they’ve been given to handle their own email box appropriately.

          That said, they shouldn’t be rude to your face about it if you report in person – I always emphasize they need to use the report button (even re-send instructions if needed), and thank them for being attentive.

          {Addendum: using the reporting structure allows me to then report out about what we are seeing, more easily block things at the server level, etc. – just catching me in the hallway and asking if something is spam does none of that. Help me help you!}

          1. Super*

            In my company, real phishes that get caught are deleted system-wide. Which was disconcerting when I couldn’t find it later to reference to Security. It makes sense though – why leave a door open when 10-80% of users will click it?

      2. Akcipitrokulo*

        It doesn’t annoy them! Seriously. A few seconds to say “nah, it’s fine” vs a major breach… it’s all good.

          1. Observer*

            You are right – there is always a trade off and you need to tune. But, it’s still annoying when it happens.

      3. sofar*

        Same! Whenever it’s time to re-set our passwords for the various tools we use, they come from various email addresses (from various divisions within our company) and include links that go to odd random URLs that ask us to log in with our OLD credentials first. Basically, they’ve all been legit so far, but look iffy.

        So I ask our head of IT (who was designated DURING our security training as the point person for all questions). He definitely gets annoyed. But too bad.

    3. Super*

      Phishing test companies provide sample tests that you can use straight or customize. If you want to benchmark with other companies, you go with the templates. They tend to be pretty generic though.

      Phishers are getting better every day at targeting specific companies (even specific people). It would not shock me at all to see a real phisher using a celebrity death link to get access to the network. So if I were designing that phish campaign, I can see why they might choose that topic, since that is a real cybersecurity vulnerability.

      I could also see why they might have had it axed in review by HR, though, if they’re wise enough to have cross-team involvement. That’s the other side of this equation – cybersecurity isn’t always just about the technical, there is a place for wisdom.

    4. I Wrote This in the Bathroom*

      Good news: I just reported a phishing-test email that I’d planned to ignore; until I saw LW2’s letter and realized “oh, it’s probably a test”. Bad news: mine was an ad for free Krispy Kreme donuts! Complete with a photo of donuts! It’s a good thing I don’t like donuts very much. Had it been an email about free beignets, I’d be in trouble.

    5. CAA*

      We usually get the one that has an attachment that purports to be salary information for our coworkers. It’s a government agency, our salaries are public info anyway, so the temptation to click on it is not high. Also, they usually send it out during prime meeting hours, so someone in the group always says “look, it’s the phishing test again” and explains it to any newbies who might be at risk of clicking on it.

    6. Laney Boggs*

      We don’t have a means of reporting (so who knows if it was an actual scam or IT) but I got one several weeks ago, before any trials started, to watch Trump’s impeachment live.

    7. Sleepytime Tea*

      The phishing test that OP describes is probably designed perfectly for her company, because as they mentioned they are a media company and this could be of interest. If the phishing e-mail doesn’t contain something enticing, people will ignore it not because they realize it’s phishing, but because they are uninterested, and then the test is not successful.

      But I would agree it’s distasteful to use someone’s death for that. I’ve seen a few phishing e-mail tests go awry, and I’d call this one of them.

      The funniest though was at a previous company when they sent one out saying that your PTO was expiring and to log in to your account to check your hours or whatever. Instead of clicking the link people panicked and called HR. Within a half hour we got a follow up e-mail saying it was just a test and, in so many words, “please god stop calling HR.” As you can see, occasionally phishing tests are… not totally thought out.

      1. Super*

        We did that, but we gave HR a big old heads up. People lost their minds, but we had prepared and it was expected. Lots of good training opportunity!

  3. Tiger Snake*

    #2, I’m in IT Security. What you’re describing is 110% normal industry practice.
    Even the celebrity death part; that’s the sort of thing you find in phishing emails, and these tests only work if they match the sort of emails you expect to see. Have you ever browsed the internet, and seen a bunch of ads on the page going “you won’t believe what this person did to fix __”? That’s also phishing, and it’s exactly the same appeal.

    And it is a test. Security will use it to target specific areas for additional training. Most of the time, there’s no personal repercussions. If you have one person that falls for the test every single time, despite attending the training, and that goes on for months and years, then the issue would be discussed with their manager for performance management, but that’s extremely rare.

    And… it’s needed. 80+% of cases where a business’ computer systems were compromised by an external hacker, it’s because someone clicked a phishing email (as per FireEye’s 2019 report, I think?). It’s a widespread, severe problem.

    1. Chocolate Teapot*

      We periodically get phishing test emails at work to see if we are alert enough to notice them. One was an invitation to a training date in the past, and another had odd spelling along the “Aksamangager” line.

      What I have noticed (which I suspect is the intention) is that a quick glance shows the message looks ok, but you need to read it carefully to see all is not as it seems.

      1. Kris*

        My boss got a phishing email that purported to be from his undergrad alma mater! He caught it only because there was something in the text that seemed slightly off, so he forwarded it to IT and they confirmed it was phishing. The concerning things were how targeted the email was to him (he went to a small liberal arts college) and how accurate the college logo and other aspects of the email were.

        1. Super*

          As you go up the chain, it can get a lot more targeted. Cybersecurity has a somewhat irritating habit of making cutesy nicknames, but spear phishing (person specific) and whale phishing (exec phishing) makes me smile.

      2. Super*

        Yeah, when I made phishing tests, we were careful to sprinkle clues. Phish tests are part training, as well as part test.

      3. CL Cox*

        That’s the sort we get. But we not only have a brief training during orientation, our IT department sends out a reminder email at the beginning of every school year (since the majority of our staff have been away), reminding everyone. But they will point out exactly what you can look for to spot fake emails (sender’s email address, fake logo, etc.), so it’s fresh in people’s minds. They also send out reminders if there seems to be a specific email or sender targeting our employees (along the lines of “be on the lookout for emails from sender “you’vegotmail@….”).

      4. RussianInTexas*

        You can hover your mouse over the sender’s address and more times than not it will be weird. And you can do the same with the link, legit links look very different than phishing ones.
        And even then, you probably shouldn’t click on them anyway.

    2. blackcat*

      I once got a $50 gift card for being the first person to identify and report a phishing test email! Of course, I didn’t know it was a test…

      1. Grapey*

        Similar story here, and I even thought the follow up email to announce my prize was a phishing scam too! IT laughed at (with) me for forwarding it to them.

      2. bearing*

        It strikes me that IT should hand out small gifts, e.g. mini chocolate bars, to everyone who forwards them a phishing email without clicking. Pigeon pellets for behavioral modification.

        1. Tiger Snake*

          Cute idea, but no Cyber Security department will ever have the budget for it. I can’t imagine any company’s management ever approving rewards for it either; it’s meant to be standard housekeeping for everyone after all.

    3. You can't fire me; I don't work in this van*

      You mean there aren’t gorgeous shirtless men in my area waiting to meet me?

    4. T2*

      Also an IT security and Operations guy. Yep. Totally standard practice. Even the best laid security plans can be ruined by a single employee clicking on something they shouldn’t.

      The main thing I want to add here is that we are not really trying to interfere with you or offend. We are trying to defend your company and the livelihood that all of us rely on. Like most, I depend on my company being able to do business to feed my family. A phishing email attack could easily be an existential threat to the company, costing hundreds of millions of dollars and lost jobs. It could potentially take months to recover. And in the worst cases I have seen, the company never does.

      It might seem to be in poor taste, but honestly, I do not care. The fact is that if it is shiny, or topical, users will click on it, and I need them to stop and think. So therefore, my tests are also shiny and topical as well.

    5. Eccentric Smurf*

      Exactly this. My company uses a service to manage IT security training, testing, and so on. This service provides phishing templates that mirror real phishing messages that are in circulation. (The links in these test messages go to safe/educational pages rather than the original malicious sites.)

      A good IT security training program should work like Allison outlined. Training, periodic testing, retraining, and so on. My company recently started doing more phishing tests than they did in the past because we had a few really abysmal test results where a high percentage of people clicked bad links despite years of training. The increased testing is to help generate statistics that can be used to make our security training and response programs more effective. It’s important to note that the testing is not designed to point fingers at specific people but to help us assess the effectiveness of our training programs and identify risks that could be minimized by other security systems.

      We try to avoid using the more controversial phishing templates available, but unfortunately those types of malicious emails are out there and people get sucked into clicking the links a lot more than you’d think. It’s important to help people to spot all dangerous messages, even the tasteless ones. Ideally that would be done by offering actual training, not just random pass/fail testing that exploits shocking images or subject matter.

    6. A Non E. Mouse*


      Verizon’s 2019 Data Breach report is pretty readable. Link to follow separately since it will go to moderation for a minute I think.

      I used the data during Cyber Security month to back up the messaging I was sending out to our users.

    7. Perse's Mom*

      I wonder what the threshold for getting in trouble is at my company; there are waves of phishing tests that go out and then a few weeks later we get a company wide memo on how we, collectively, did – I think our rate of success has gone up, but there’s still like 15% of the company (100+ people!) that failed on our last one and this has been going on for years!

      I know one of my immediate coworkers failed the very first one because it was for free food!

  4. Elspeth Mcgillicuddy*

    #1: I’m not wild about the “That’s great that you have that faith” because it could so easily be condescending if the tone was slightly wrong. If you let even a hint of insincerity into your voice it’ll sound like the kind of sarcasm atheists who think religion is stupid would use. Which is obviously not your opinion.

    1. Sylvan*

      It also sounds like granting approval to someone/something that doesn’t really need it.

      If I could say that sincerely (and I’m a terrible actor), still, it’s an odd response.

      1. Washi*

        Yeah, I’m a social worker and that’s something I could imagine saying as positive reinforcement to a client – it’s great that you have a good support system, it’s great that you have your faith, etc.

        But it would be really hard to say to a peer without sounding patronizing.

    2. UKCoffeeLover*

      I agree. I think this phrase could come across badly. Personally, I’d just carry on nodding and smiling.

    3. Flash Bristow*

      Yep. I’d be more tempted to tweak it just a little, into something like “well, I’m glad it helps you” or similar.

      And if you say something that comes out sounding more sarcastic than intended – which I know I sometimes do – own it! I’ll say “er, that sounded wrong! I’m just glad you’ve got something, yunno?” and that is that.

    4. Cheryl*

      It’s different, but I’m a vegetarian who never brings it up. But when it comes up, usually at company lunch times or general co-worker food/meal talk, I’m often told, “That’s great that you don’t eat meat!”

      And I’m always thinking, “If you think it’s so great, why do you eat meat?” Of course I never say it but just as with religions or believing/not believing, the viewpoints are diametrically opposed. So the last thing you want is for someone from (for lack of a better term) “the other side” seemingly giving you support or permission to keep doing what you’re doing or believing what you’re believing. It can only be condescending and contradictory because it is.

      Keep nodding and smiling!

      1. Agnes*

        There aren’t things you think you should do (or do more) but don’t? Surely someone could wish they had the willpower to go vegetarian (or go to the gym regularly, or attend church every week, or pray daily), but know that they don’t, and think it’s worth complimenting others on. It doesn’t have to be diametrically opposed.

        1. LibrariAnne*

          As a near lifelong vegetarian and gym regular, I second this. It’s not saying “that’s great, and objectively the only correct choice, I just choose not to do it!” It’s more like “Oh, that has proven benefits and takes willpower and probably has a big influence on your worldview and lifestyle, which is different than mine, interesting!”

          1. Super*

            I would add – I try to pay attention when people say there are things that hurt them, and not do that. I know certain people (vegetarians/vegans, non-drinkers, atheists, those who cut out toxic family) can get negative responses, so I might be more verbally supportive. It comes from a good intention but filtered through my iffy social skills so might come out awkwardly.

        2. Ice and Indigo*

          I’m a vegetarian, and in that situation I tend to assume that people are afraid I’m judging them for eating meat, and are trying to say something that will appease me.

          As I’m actually not judging them – it’s their business, and honestly judging other people’s eating habits is not my idea of a fun life – I usually reply by saying, ‘Oh, I’m not militant! It’s just a personal thing, I make NO judgements about what anyone else eats.’ That usually resolves the situation.

      2. Artemesia*

        I can believe that a vegetarian diet is a healthy and good thing without having any interest in giving up meat just as I can admire someone who has a great exercise program without getting out of my chaise. I do balk at having to be warm and accepting of religion when expressing my own religious beliefs would be frowned on; it always feels like proselytizing when people push this in the workplace. I did my career in the south where pushy religious talk was common though so I am perhaps oversensitive to it. The first question you get asked in a new town is ‘are you churched yet?’ or ‘you will feel more at home here in Bigsouthcity when you are churched.’ I had to practice the bland response when sarcasm was the first impulse.

        1. Victorian Cowgirl*

          Ugh +1 to your entire comment. “Have you found your home church?” Was something I got really tired of hearing in the SE as a transplant from the more progressive West coast. I was ill-equipped for that kind of… society… in general and really resented it in the workplace.

        2. somanyquestions*

          Exactly. If this was a situation where I could also be free to talk about being pagan, it would be quite different, but people like this think their religion is the one true path and would be horribly offended. And anyone who even suggests there are other holidays at this time of year is fighting a “war” against christians.

        3. Vicky Austin*

          You don’t have to be warm and accepting of religion at work. You merely have to refrain from mocking or attacking them because of their faith.

    5. MassChick*

      Indeed, the tone could be hard to get just right. Maybe “I’m glad your faith gives you strength”?

      1. Mel_05*

        Yes, I think that’s better. It makes it clearer that 1. They’re not trying to be condescending and 2. They don’t share that faith, but they’re not annoyed that those people have it

    6. KayDeeAye*

      Smiling and nodding is fine, but I think something really generic, such as Alison’s suggestions of “Good luck” or “I hope it works out” are even better. I am a religious person so I’d have no problem responding to these particular phrases, but I feel really awkward responding to statements I don’t share with a smile and a nod. It just feels really fake to me, while “I hope it works out” and similar do not.

      1. Victorian Cowgirl*

        Alternatively, as a religious person, you could consider keeping religion out of the workplace so that your coworkers aren’t put in that position.

        1. KayDeeAye (Kathleen_A)*

          As a religious person I actually *do* keep religion out of the workplace so that I don’t put coworkers in the position of having to decide how to react. All I’m saying is that if someone at work says something (whether religious or not) that I don’t actually agree with, I personally feel really awkward smiling and nodding. I would feel much more comfortable saying something like “I hope it works out,” and perhaps the OP would feel the same.

          I am also a little puzzled, Victorian Cowgirl, as to what I could have possibly said in my post that indicated that I go around sharing my personal religious thoughts with coworkers? It seems to me that you assumed that simply and solely because I said I was religious, but you know, all religious people are not alike in their missionary zeal.

      2. MarsJenkar*

        Agreed. I consider criticizing people’s religion (or religion in general) to be bad form, whether intentional or not. A simple “best wishes” is, to me, a good safe option.

    7. Magenta*

      The thing is it is really inappropriate to bring religion up in the work place to begin with, the person who is saying these things is the one who is causing the awkwardness and needs to know that it is not good work practice and will alienate colleagues.
      I’m not suggesting sarcasm is in any way a good response, but I really don’t think it is cool to encourage this kind of thing.

      1. The Cosmic Avenger*

        Yeah, my problem is that I don’t think I could pull off any of the suggested responses. I don’t usually discuss my atheism with people who aren’t good friends or professed agnostics or atheists, but the best I could probably do other than just act as if I didn’t hear it is a surprised look and “Okay…”
        Now I’m realizing that part of it is that I would never discuss faith, or a lack thereof, in the office. So maybe I shouldn’t feel bad that my response (or lack thereof) would not smooth things over. Then again, I’ve lived and worked on the eastern seaboard all my life, in more liberal areas. I have little idea what it’s like living in the Bible Belt, or even a conservative area or an area where most people in the area go to the same church, so it’s hard for me to imagine that.

        1. Artemesia*

          I worked in that environment for my entire career and learned early on how to avoid rather than confront pushy religion. Being asked where you go to church as a prelude to pressure to go to their church if you are not ‘churched’ was common; my husband loved to sing and sang in a church choir as well as other chorus settings like the opera and so I adopted the ‘oh you know Jed sings in the Holy Holy Holy Presbyterian choir.’ Avoiding the ‘but I only cross the threshold if he is soloing or they are doing a special program’ part of the sentence.

      2. same*

        Personally, I’m all for doing what makes you happy… but there are certain modes of expression that can come off really preachy, and sometimes there are people who will deliberately toe that line. Yesterday I got “resurrected in his name” when I made a pretty secular comment about not wanting to get run over crossing the street, for example. In the context of religion being inserted here, there, and everywhere, even religion-based jokes can get old pretty fast.

        1. Artemesia*

          LOL If they are aggressive though it is hard. When asked by a seatmate on a plane ‘do you know where you are spending eternity’, I said ‘yes.’ That didn’t stop them from wheeling into their winning souls for Jesus pitch.

          1. Victorian Cowgirl*

            I always answer “In hell, where I’ll be in good company” and that usually shuts them up, though I’ve never been asked on a plane where I couldn’t walk away! How invasive.

          2. same*

            Oh my gosh, yes that would be its own “hell”! Many wide-eyed head shakes for your stuck-on-a-plane past self!

          3. Sister Michael*

            I’ve found that there is absolutely no answer you can give that will stop somebody who feels that they need to explain their exact interpretation of Christianity to you, a stranger. I borrowed my current user name from Derry Girls, but I am a nun and telling people that has yet to get me out of this conversation. Even when I explain, I think the kind of person who does this feels that I’m either the wrong type of Christian (hippie Episcopalian) or that I’m lying.

            I always read these threads with interest in large part to check myself- if people in the thread are uncomfortable with a behavior and I identify with it, that would be good feedback to not do that anymore. But you know, the more I read these conversations, the better I feel about how I’m balancing vowed life and a secular job. That has its challenges, and it does come up at work sometimes, but… not like this.

            When the fact of my being a Sister does come up, the context is usually that someone asked what I did over the weekend and the answer is “nun stuff”. But then we still aren’t talking about anyone’s beliefs- we talk about the traffic on the way to whatever it was, or the goofy thing one of the youth group kids said, or how my prioress and her wife have an adorable dog and I have puppy pictures.

            It’s context for large parts of my life, and being secretive about the fact of it would wind up being weirder, I think, than telling the truth. But there’s never, ever been a reason for me to make the conversation about faith itself or my beliefs.

            1. Super*

              That’s my line in the sand too at work. Oh, had a nice holiday celebration at my temple, vs launching into theology or proselytizing.

      3. Amethystmoon*

        I agree. I actually wound up deleting a relative on Facebook because she kept proselytizing on my page and insisting I speak about religion. This was even when I had posted about doing a science-related speech in Toastmasters and wondered why I hadn’t put anything about religion in it (because Toastmasters takes place at work, and it would have been inappropriate for the subject matter).

        I’ve only come out as a non-believer to my parents and I make it a point never to post about religion or politics on Facebook. I have work friends and professional contacts from Toastmasters on Facebook. My company’s social media policy is such that if anyone gets offended by anything on our page, they can contact HR and tattle on us. Why would I take the risk of posting topics that some people will be offended by? I can’t say anything about religion at work for the same reasons and would never admit there to being a non-believer. Yeah, officially they aren’t supposed to discriminate, but we all know it unofficially happens.

        1. 42 towels*

          I am religious, and I wouldn’t put religion into a science-related speech anywhere! Not the topic!

      4. yala*

        I think this might be a regional thing. I don’t know that anyone here would really think of saying that in casual conversation as “bringing up religion at work.” It’s just a thing people say. Maybe a little more meaning than “God bless you” but not really as much as “I’ll pray for you.” “I just have to give it to God” often just has the same meaning as “it is what it is” or “que será, será” for a lot of folks.

        I don’t think “I hope it works out” or just nodding is “encouraging” it.

        1. Oh No She Di'int*

          I agree. I’m actually a little surprised that anyone feels that any sort of “response” is necessary at all. To me this falls in the same category of someone remarking how they have to stay away from those cupcakes in the break room or they’ll ruin their diet. They’re making a comment about themselves, not about you and not about THE WORLD. It just doesn’t require a response beyond “M-hm.”

          1. Super*

            I’m guessing you’re in the majority religion?

            It doesn’t feel harmless to the third of Americans who aren’t Christian.

            1. Arts Akimbo*


              It’s jarring and awkward to those of us who *don’t* think of it as a harmless linguistic convention, because it’s a convention only of the majority faith.

        2. somanyquestions*

          I would definitely consider it religious, and quite inappropriate in a work context. And wouldn’t know what to say to it, because it would make me feel uncomfortable and weirdly judged by co-workers who think this is OK.

          1. yala*

            Literally no one saying it about themselves is actually expecting you to say something to it.

            I’m not saying that it’s not religious, but when someone says “bringing religion to work” to me that implies, like…talking to coworkers about religion or trying to expect or enforce religious principles in a workplace or something like that. Not just…casually mentioning that they’re praying about a difficult situation for them.

            Now, if the coworker is telling someone ELSE to “give it to God” then…yeah. That’s inappropriate and annoying.

      5. GooseTracks*

        I don’t think it’s “bringing religion into the workplace” to make the comment LW mentioned in the context of a personal conversation.

      6. Richard Hershberger*

        I infer from the example that we are talking about Evangelical Protestants. Stuff like “I just pray on it and leave it all up to God, you know?” is just how they say “I think about it for a while and then decide, you know?” Treat it as a verbal tic and get on with your day. This is not a hill worth dying on.

        1. lilsheba*

          But it’s a verbal tic that gets thrown around way too often, like it’s just acceptable no matter if you’re an atheist or some other religion. I’m an atheist witch and if I made comments all the time in regards to that people would get irritated. This is just as irritating to me.

    8. NoviceManagerGuy*

      I agree, especially given that the OP is somebody who’s uncomfortable with religious people making pretty innocuous religious references, I don’t think the OP could pull that off.

      Smiling and nodding or giving generic well wishes is perfectly fine and if the other party gets upset that you don’t reciprocate their talk about religion, at that point that’s on them.

      1. Magenta*

        Maybe it is a different cultural experience, but to my (UK) ears those comments don’t sound innocuous, they sound pretty full on and not really work appropriate.

        1. WellRed*

          +1. I suppose it may seem less overt if you live in an area where people praise the lord frequently.

        2. tellow*

          Really? It’s not like the coworker is evangelizing. It sounds like the coworker just mentioned that they pray. Is it also inappropriate for someone to mention that they are fasting for Ramadan or mention that they observe Yom Kippur?

          1. The Cosmic Avenger*

            Don’t be obtuse, those are usually relevant to work, as in you need to take a day off or at least do very little physical activity on fast days. Saying you’ll pray on something is like the slave OP saying “I’ll have to ask my master when I get home!” It is true and accurate, but there’s no reason to open that black box and make people uncomfortable, they don’t need to know exactly how you make your choices if it involves something that is not work-related (religion or master/slave relationship).

            1. tellow*

              I’m not being obtuse and I’m not talking about taking time off for Yom Kippur or Ramadan. I’m asking if it would be inappropriate to make any mention of any religion in any conversation with a coworker.

              1. Magenta*

                I addressed this down the thread to the commenter who was proselytising.

                It is cool to say “we had fireworks for Diwali”, “can I start and leave early this week because it is Ramadan?” or “I spent my weekend preparing for the church Easter celebration next week”, but comments like those experienced by the OP cross the line of professional behaviour.

                1. tellow*

                  I just don’t see the difference between “we had fireworks for Diwali” and “I’ll pray on it.” Both are just mentioning that the person participates in religious activities.

                2. somanyquestions*

                  I consider it really inappropriate. It’s not OK, at all, to constantly say you’ll “pray on it”.

              2. Colette*

                Things that are fine to say:
                “The family came over for lunch after church”
                “I really enjoyed my prayer group last night”
                “I can’t come to lunch, I’m fasting”
                “I went to a talk about prayer last night”

                Things that are not appropriate:
                “I’m praying that you …”
                Anything that passes judgement about anyone else’s beliefs

                1. Colette*

                  I actually think the OP’s coworker’s remark is somewhere between the two – she’s talking about using a religious practice to influence her work, which is iffy at best.

                2. yala*

                  @Colette I’m not sure that she is. I agree that if someone is saying “I’ll pray on it” or “Give it to God” to a coworker regarding an aspect of work, then that would be a little over the line.

                  But if they’re just saying it while having a regular conversation, which coworkers do, then that’s…pretty common? Lots of Christians will say that after talking about a problem or a frustration with no immediate solution to just mean “I’ve done what I can do and I’m hoping it works out.”

                3. Richard Hershberger*

                  @yala: This. If the conversation is about a major business decision and the decision maker says that his decision-making process is “I just pray on it and leave it all up to God, you know?” then that is a different matter. But if the conversation is about whether to order pizza or Chinese, then “I just pray on it and leave it all up to God, you know?” is merely Evangelicalese for “I think about it for a while and then decide.”

                4. Vicky Austin*

                  Yeah, anyone who would have a problem with a coworker saying, “So I went to church this weekend,” has issues IMHO.

              3. cazfiend*

                It’s not inappropriate to mention you have activities that involve religion. It’s just a really private, individual thing in the UK so people wouldn’t mention what they are praying about at all. It would feel weird. I wouldn’t scold someone for it but it would be super odd to hear at work. I mean my boyfriend’s family are quite religious but they have never mentioned it only to say they need to go mass. It’s not taboo or anything, just not how it is done in the UK.

                1. KayDeeAye*

                  It’s honestly not particularly odd in the U.S., at least not any place I’ve ever worked. Mind you, even though I’m a religious person, I’m not going to say anything like that unless I’m talking about something personal…but that’s me. It is definitely not at all odd in many places in the U.S.

                2. somanyquestions*

                  I have always worked for government, and this makes me glad of that, because it would be so incredibly inappropriate for people to do this at my workplace. I think it’s bizarre that anyone thinks it’s OK to make your religion part of your work or announce it’s part of your decision making, and I feel like it would make so many people of other religions uncomfortable.

                3. Batgirl*

                  I’m in the UK and while saying you’re praying on something is not a turn of phrase you’d hear I’ve heard loads of people mention their religious activity and casually reference their praying at work. Granted, I live in a region influenced by Irish immigration but it happens.
                  I wouldn’t reference my own beliefs (pagan) but if your faith matches local expressions (and you’re not talking about anyone beside yourself) I can see how it happens.

              4. fhqwhgads*

                Mentioning time off for Yom Kippur or Ramadan are mentioning things one is doing for oneself that involve one’s religion. Saying “I’ll pray on it” at work about a work thing is bringing the religion into work. That’s the difference. It’s not any mention of religion. It’s whether it’s about the person themselves vs about the work.

                1. KayDeeAye*

                  But the OP actually doesn’t say that the person is saying this about “a work thing” – it could be, of course – I have definitely known people who do this – but it could also be that the person is talking about something more personal. From what is said in the letter, it’s impossible to say what the person is praying about, and if it’s a personal thing that happened to come up at work (e.g., an illness or even some sort of major financial decision, such as buying a house), that’s not quite the same as bringing up religion in reference to work.

                2. somanyquestions*

                  I think that if they knew the person well enough to be discussing religion this wouldn’t be an issue. These are co-workers, not friends. This wasn’t OK.

                3. yala*

                  I mean, coworkers have casual personal conversations all the time, tho?

                  “Saying “I’ll pray on it” at work about a work thing is bringing the religion into work.”

                  Oh, yeah, no, if this was about a work thing, then it’s not ok. But if it was just in a personal conversation, then it seems like it fits the other category: “mentioning things one is doing for oneself that involve one’s religion.”

            2. Anononon*

              Wow. Maybe this is cultural (I’m in the US – not sure where you are), but comparing these religious statements to a sexual relationship is pretty offensive.

              I’m an atheist, and overall I’m not a big fan of religion, but I’m like the OP in that I feel more awkward than offended when people offhandedly mention their faith in some way to me.

                1. General von Klinkerhoffen*

                  I would agree with this regarding UK culture.

                  You could say you’re a member of a particular faith community or that you attend a particular place of worship (in the context of a relevant conversation) but you wouldn’t go into the details of what you do there. The sex parallel would be that you’d say you were married but not how or how often you have sex.

                  Saying you had prayed about a decision sounds like an enormously intimate conversation to uptight, repressed British Klink.

                2. Lora*

                  And now I can’t get the potential reply, “yeah, I prefer a hot bath, a glass of wine and a Robert Downey Jr movie, but you do you” out of my head.

                  For me the level of awkwardness associated with a “I just give it up to god” comment is relative to the specific conversation. Like, a hurricane destroyed your house, your family member died in a tragic accident, you just got a terminal diagnosis? OK, totally understandable. The weirdness happens when someone makes a religious comment like that in response to a thing which is totally fixable on your own without invoking supernatural assistance: got a bad review, missed a deadline, forgot to order a Thanksgiving turkey and your whole family is coming for dinner tomorrow, report owed to the big boss by Friday and you haven’t even started, sort of thing. Like, yes it sucks to happen, but you personally can actually do something about this, whereas “I’m gonna pray on it” in those situations sounds a lot like “I’m not going to sit on my behind and complain to someone who won’t talk back, oh well I triiiiiiieeedd.” And if you’re the colleague trying to have a Talk with someone about a work thing that is 100% within their power to fix and their reply is “I’ll pray about it” it’s very much a WTF moment because obviously prayer will not be nearly as effective as putting the meeting on the calendar or whatever you’re trying to do – it sounds very much like they are saying “no, sorry, I am useless and unreliable” even if that isn’t what they meant.

                3. Richard Hershberger*

                  In my US context it is totally normal to know the religion of the people you work closely with. It isn’t a big deal, or it shouldn’t be, but it is part of knowing one another. We also know about each other’s kids, their vacations, and so forth. There was one semi-observant Catholic I used to work with to whom I carefully pointed out each Holy Day of Obligation, lest she “inadvertently” forget it. She would glare at me and make plans to attend mass. Good times.

                  That being said, there are those guys who try to proselytize. That is both inappropriate and tiresome. They tend not to be popular. If there are several of them, they gather together in a clique and complain about how everyone is mean to them. But nothing the LW says suggests that any of this is going on.

          2. Teyra*

            The way I see it (as a British atheist), is that the comment in OP’s statement feels like there’s the expectation that I am religious too, and will either relate to it or agree. Which is great and all when you are a Christian yourself, but when you’re not it can be awkward. It puts you in this sort of situation where you have to either say nothing and allow a misconception to stand (potentially validating it by your silence) or say something and risk being offensive. There’s a difference between ‘I’m going to Yom Kippur’ and ‘What are you doing for Yom Kippur?’, after all, I’d argue that this is more like the latter than the former.

            It’s a bit like when a straight person automatically assumes you’re straight too, except with a much higher chance of offending someone. I can say ‘actually, she’, when someone incorrectly guesses my partner’s gender, and while it can be awkward that’s probably not going to offend them unless they’re homophobic. But religion can be a very sensitive topic, so it puts the atheist in potentially an uncomfortable situation. I admit that the comment is very subtle, but that doesn’t make the expectation nonexistent, it just makes it harder to correct. Saying nothing allows the misconception to strengthen, speaking risks being interpreted rudely.

            It would be really, really odd here in England, where, unlike America, Christianity isn’t considered the default. I’d probably just awkwardly say ‘I’m not religious, but that’s great if it works for you’, or something, and find it very uncomfortable.

              1. yala*

                eeeeeeh, yeah but as a Christian…that’s a pretty Christian statement.

                Christians and atheists who grew up in predominantly Christian cultures, often assume that some practices or statements are universal when they’re really not.

                There are some phrases that I guess technically other religions could say, but they’re not very likely to, whereas “give it to God” is a very common Southern Christian thing.

                1. Richard Hershberger*

                  “but as a Christian…that’s a pretty Christian statement.”

                  I would say specifically Evangelical Protestant, or perhaps the more fundy side of Catholicism. Dropping the “let God decide” bomb casually is a very Evangelical thing to do. Other versions have different linguistic tics. I was once in an elevator holding a book on a religious subject. Also in the elevator was a middle aged woman. She saw the book and started enthusiastically talking about it, but not in quite the same way an Evangelical would. As we exited the elevator, I asked her “Are you a Methodist pastor?” She looked amazed, and asked how I knew. The answer is that while I am not one, I know enough Methodists to recognize the vocabulary, and the pastor part was frankly pretty obvious.

                2. yala*

                  Now that you mention it, I do hear both of these (often) from my Pentecostal mother far more often than I hear either from the-entire-rest-of-my-family (Catholic)

              2. epi*

                This whole line of responses comes across as nitpicking and deliberately obtuse. In the US, this is very much something said casually by Christians and few others, regardless of theology. If you weren’t aware of that, then you are uninformed about the cultural context in which many commenters work, compared to those you are arguing with.

                Many people have said this type of comment crosses a line for them at work and even if it’s not offensive, it makes them uncomfortable. If the comment is totally minor, no big deal, could apply to any religion and has no real content to which anyone could object– why is it so important to you to argue that people should get to say it? No matter how it affects the listener?

                FTR I am a Chicagoan and I would also find this type of talk inappropriate at work unless I was already friendly with the person saying it. Even if you assume there is no intent to proselytize or to assume you agree, it’s a really personal comment. The person is basically telling you how they spiritually and emotionally process even minor parts of their life. It would be like telling people how skills you learned in therapy are going to help you with this situation. It’s just TMI.

                1. Cheryl*

                  If there is one collective takeaway from this entire thread, it might be that while these comments may seem to be common and innocuous to those who say them or hear them regularly, the rest of us would prefer to never hear them or have to deal with them in our workplaces. It’s wrong.

              3. Artemesia*

                None of my Jewish friends would say this; in the US this is a Christian dominance kind of thing. And in the US, there is a subtext that anyone who is not a Christian or at the very least religious (but not Muslim of course) is a bad person. I have heard US Christians express the view that a person cannot be a moral person if they don’t believe in God more times than I can count — it is woven into the culture.

                1. Super*

                  Yes. It’s said with thoughtlessly benign supremacy, but lands on non-Christians as something closer to … not threat exactly, but … you’re Other and not safe.

              4. Teyra*

                Not necessarily Christian, sure. But I think it’s likely – America is a Christian-majority country, and this is something that only religious-majority people would do, because it’s based on the assumption that everyone else is Like Them. My point still stands, either way. I’m curious what you think of the rest of my post, as what religion it’s talking about isn’t really relevant.

              5. Princess Consuela Banana Hammock*

                I have never met a religious person who is not Christian say they’ll pray on it or give it to God. I’ve heard variations of those phrases in other languages (e.g., Yiddish or Arabic), but I’ve yet to hear a non-Christian employ that kind of language.

                Those particular phrases are so strongly associated with Christianity (and even more often, American Evangelicals) in the U.S. that it’s safe to assume OP is referring to the dominant religion.

                1. Kelly L.*

                  Yep, “Christianese” is the term to google, if people are interested. There’s a whole world of jargon that’s pretty much only used within US Protestantism of the more evangelical variety.

              6. Super*

                I GUARANTEE that was a Christian.

                It’s the whole assumption that they’re the default.

                Christians don’t understand the genuine fear we minority religious have. Half of American Jews are afraid to even wear any religious sign. (Afraid of bigotry, physical harm or death) It’s even worse for Muslims, who are the victims of skyrocketing hate crimes. Sikhs get attacked for their religious attire (which is confused for Muslim by the stupid and vicious).

                Religious minorities either nod and smile, while feeling uncomfortable, or have to decide to out ourselves to potential bigotry and violence. It all kind of sucks.

                1. Arts Akimbo*

                  This. Growing up in the Southeastern USA, I was taught not to speak freely about religion in front of Christians for fear of violence. I have tried hard not to pass this on to my child, and yet he has absorbed it from the culture around him. Being different from the majority is really hard, especially in something so emotionally fraught as religion.

                  A coworker bringing up religion or saying “I’ll pray on it” or “I’ll pray for you” or the dreaded “Praise Jesus” was an anxiety trigger. The time my boss asked me what I thought of Billy Graham was the cue for a veritable Broadway show of handwaving evasion.

                  There’s a streak of commenters who are saying “Nah bro, it’s all ok, it’s just how they talk!” But discount our experiences all you like, this is how it feels to be on the other side of that “harmless” linguistic prayer talk.

            1. ellex42*

              I can only speak to my own experience, but I’ve found that in the US, Christians of any flavor tend to assume that everyone else is some flavor of Christianity by default.

              Hilariously, the ad showing up just below this comment is for the new season of Father Brown.

            2. Manya*

              Hmm. Isn’t C of E the national religion of England? I find that my UK colleagues are far less inclusive than my US colleagues–they regularly wish me a Happy Christmas, and ask me what I’m doing for Easter, while my US colleagues use Happy Holidays and Easter doesn’t really come up as a topic of conversation. I prefer the latter approach, as I’m Jewish.

              1. londonedit*

                See, this is really interesting. Nominally, C of E is the ‘national religion’, if you like, but 40% of the UK population identifies as non-religious and while 53% identify as Christian, I reckon a fair few of those people see it in a ‘well, my family was broadly C of E’ sort of way. That’s extremely common – there’s a sort of background cultural C of E tradition, but many (I’d even go as far as to say most?) people don’t regularly go to church, and as others have said, religion is one of those Not To Be Discussed In Polite Conversation topics. However, because we have a long background cultural tradition of C of E/Christianity, things like Christmas and Easter are very tightly woven into British life even if we aren’t hugely religious as a nation. People celebrate Christmas from a cultural, traditional point of view – they might even go to a church service or a carol concert, without being religious. Plenty of second- and third-generation immigrant families, who may have Muslim or Sikh or Jewish backgrounds, also celebrate Christmas from a cultural perspective, just as I and my family do as atheists/agnostics/’nominally C of E’. We still call it ‘the Easter weekend’ even though for most people it’s just a long weekend off work and a reason to catch up with family for a nice Sunday lunch. Also, the Church of England is not an evangelical church, it’s far more tea and biscuits (cf. Eddie Izzard) so we aren’t used to people trying to push their religion onto others and we find it deeply uncomfortable when they do.

                1. londonedit*

                  Which is to say, people in the UK aren’t being intentionally non-inclusive by saying ‘Happy Christmas’, it’s just that it’s a normal thing to say here.

                2. UKDancer*

                  I’d add that when UK people ask what you’re doing for Easter, they are asking because it’s a bank holiday on Friday and Monday so for a lot of people (especially in white collar jobs) it’s a 4 day weekend. If someone asks what you’re doing for Easter they mostly don’t mean in a religious sense they’re asking what you’re going to do with the time off from work.

                  As Londonedit says we’re very secular in a lot of ways and nobody talks about religion because it’s personal.

                3. Manya*

                  I understand your point of view, but it’s a place of privilege to be like “that’s just what we do here, it doesn’t really mean anything”. And if you’re a global company, you need to be more mindful of that fact. Every year, my company issued a corporate Christmas card for us to use for clients. I pushed back on that, since many of my clients are not Christian and I would never send them an explicitly Christmassy card. They agreed to change the message each year, but it took three years of my complaining before they changed the message to Happy Holidays. It made me feel crappy that inclusiveness wasn’t a priority, despite the lip service, and frankly I thought less of them. Is it really that difficult?

                4. londonedit*

                  Whoa, I’ve just found a statistic that says only 11% of people in Britain go to church on a regular basis. So there we are.

                  Yes, I agree that if you’re a multinational company and you’re getting pushback on your ‘Happy Christmas’ card, you should have a think about it. But this topic seems to come up every year here, and every time the UK people (and people from Germany and other broadly secular countries) find it very hard to explain the fact that Christmas really isn’t seen as a particularly religious thing here. Of course we’re aware of its religious history and religious aspects, but plenty of people (the majority, maybe, given how many people don’t identify with any religion and how many people don’t go to church even if they do identify with a religion) celebrate – and yes, even sing carols and go to Midnight Mass or Christingle – from a tradition-based perspective rather than a religious one. And that doesn’t offend the vast majority of people who *do* celebrate from a religious perspective, or who don’t celebrate at all.

                5. Annie*

                  I’m British and Jewish and we’ve always celebrated Christmas as a secular British holiday. Not all British Jews do of course but it’s not uncommon. I’ve never come across an American Jew who celebrates Christmas.

              2. Magenta*

                Yeah but in the UK those are also public holidays, so asking what you are doing for Easter is more likely to be asking what you plan to do with the upcoming 4 day weekend than about your religious plans.

                We may have a state religion but actual religious practice is a minority activity. I kind of wonder if the fact that prayer is mandatory in schools is a factor in this, we are used to it being a perfunctory thing and then become suspicious of people who seem enthusiastic.

                1. UKDancer*

                  Yes I think so. I didn’t realise for ages that there was a purpose behind prayer at school. I just assumed it was something you did as a formality before lunch.

                  Likewise when I had to go to church with grandma I didn’t get for ages that people believed in what the Sunday school teacher taught us. I just thought it was another story.

              3. Random Brit*

                Membership of the Church of England was until recently largely nominal, with most supposed members rarely if ever attending church: even a significant proportion of clergy were more or less agnostic, a circumstance satirised in an episode of the 1980s comedy Yes, Prime Minister, where the favoured candidate for an empty bishopric is described as a modernist, a euphemism for atheist.

                Things have changed a bit since, as the non-religious become more comfortable identifying as such, rather than just blindly writing down “C of E” on any official form asking their religion: coupled with the global rise in evangelical Christianity, this means that remaining C of E members, while notably fewer in number, are more likely to be devout than in recent decades: though I’d guess they’re still significantly outnumbered by the “christenings, funerals and weddings” crowd.

                But Easter is still a secular event for most, marked by a four-day weekend, two weeks of school closure, and children making themselves sick on chocolate eggs. I suspect a good many English people would struggle to explain its religious significance at all.

              4. Lyra Silvertongue*

                So I think part of that is because the US has a larger and more diverse religious demographic than the UK and it always has done. I most definitely agree it’s better to try and be secular in your greetings with people. But I think another part comes down to how those holidays are culturally structured in the two countries; there is no large secular winter holiday like Thanksgiving in the UK and so Christmas is very much the dominant holiday in this time period. Easter is also normally time that people have off in the UK due to school term holidays and workers having more holiday time in general. I might ask someone what they’re doing for Easter but I’d generally be asking them if they were going to travel or go on holiday or something over the Easter break. I am an atheist and come from a non-religious family, we don’t and have never celebrated Easter in a religious sense but it is still significant mostly because it is a holiday weekend and was our longest holiday from school bar the summer.

                I agree that we could all do with being less Christianity-centric in our dealings in the UK, but I have a gut feeling that there is less religious importance to these two holidays than in the US.

                1. Super*

                  Is that true?
                  Christians are 59% of UK and 65% of the US.

                  Muslims are 5% UK, less than 1% US (in fact, all non-Christian religious together are only 6%).

                  They seem comparable, with the UK slightly being more religiously diverse.

              5. Teyra*

                It’s a bit complicated, especially as we still have some archaic laws with Christian/religious bias. But the vast, vast majority of people here view Christmas as a predominately secular celebration that some people attach religious significance to. I read about a study on the difference between Western European religion and American, which I think partially explains that. So if I talk about Christmas it’s about presents and turkey and Santa, if I talk about Easter it’s about bunnies and chocolate eggs. A Christmas celebration here is not a religious event.

                Which of course doesn’t mean it’s not valid to be made uncomfortable by it, or that people (especially at work!) shouldn’t take that into account. I totally get how uncomfortable that can be for a Jewish (or other non-Christian) person, the only reason why I don’t find it uncomfortable myself is that I genuinely don’t feel any sort of religious connotations to either celebration, even though there obviously are some, for some people. I’d ask my friends ‘what are you doing over Christmas’ simply to mean what they’re doing over the Christmas holiday, the same with the Easter weekend, without even thinking about religion. My friends from other religions will say the same thing to me and each other without issue.

                Obviously there’s still a level of…thoughtless Christian privilege? Christians get their holidays off, other religions don’t. Ignoring a celebration’s religious context doesn’t mean the context disappears for other people, and it’s important to keep religion out of the workplace. Don’t even get me started on Operation Christmas Child. So I completely agree with where you’re coming from there, and I think any international organisation needs to realise their cultural norms are different to other countries, and act accordingly. I’m not trying to excuse your colleagues necessarily, just help explain the context they’re operating under.

              6. Batgirl*

                I could be misreading but I get the impression here that people are…threatened (?) by American Christians. Like there is some kind of a hefty power there to persecute and that those Christians have to be sensitive about that power imbalance as a result.
                I’d love to talk about my own religion more as Christians do, but if someone is talking about their CofE fete, or British Catholic church then they’re talking about a place with a few volunteers, chronic non attendance, no regular clergyman and with zero power to affect anyone. I’m just glad they’re not bored.

                1. Batgirl*

                  I’m unfortunately very familiar with British hate groups through my work and I don’t know of any with a Christian identity, more like a fascist non religion hatred of any ‘other-y’ set of ideals. They are equally likely to go for Polish Catholics. The ones I’ve met have been jabbering territorial morons without any belief in anything.
                  Could be wrong, but my understanding was that the Christian Identity types operated solely in the states while their British counterparts went on their hate path in a strictly xenophobic and racist angle. It sounds very odd to UK ears to hear people actually talk about being ‘churched’ in their new town because actively practiced religion just isn’t that prevalent here. Sadly, hate still can be.

        3. Enter_the_Dragonfly*

          Hi Magenta. I’ve lived in both the American Midwest and in the UK’s South East and you’ve got it, it is a cultural difference. In the Midwest talking about the everyday aspects of you+religion is normal and completely innocuous as long as you’re not proselytizing. It’s very, very different in Berkshire/London/ everywhere else I’ve been in the UK, especially England!

        4. Princess Consuela Banana Hammock*

          I’m going to join the “some of this is regional” and “some of this is cultural” chorus, with the caveat and understanding that of course that doesn’t justify unnecessarily dropping religion in the workplace. Some sectors and regions of the U.S. treat religion in the workplace with the same norms you have in the UK. But there are large swathes of the country where Christian dominance is considered culturally normal and preferred in ways that would be considered incredibly inappropriate in other regions. And there are huge parts of the country that treat anyone non-Christian—and especially those who identify as non-believers or atheists—as morally bereft and socially disfavored.

          Which is all to say that it sounds like OP is in an area where people view their very public religious comments as not particularly personal or religious because they assume everyone around them is a Christian. If that’s OP’s regional culture, it will unfortunately go off very poorly to try to implement “no religious tmi” norms.

      2. Annie Porter*

        I personally think talking about religion is weird, just like I’m sure religious people would find it strange if I peppered sentences with things like, “Well, since I don’t believe in any gods, I’ll be extra careful crossing this road since I know this world is it for me!”

        1. Artemesia*

          LOL. Well put. In the US it is offensive to Christians to say what you just said and viewed as a sarcastic put down of the one true religion. But it is quite fine to voice Christian belief in the same casual way. They can talk about their belief in God but woe to anyone who shares their non-belief in God. It is a strongly held double standard.

          1. yala*

            “They can talk about their belief in God but woe to anyone who shares their non-belief in God. It is a strongly held double standard.”

            I mean, I’d think a Christian praying out loud every time they crossed the street was kind of weird and off-putting too.

            I’m not saying that there aren’t Christians who treat atheists badly, because hoo boy, there really are. But in a case like this it feels a bit more like someone loudly making the point that they don’t watch TV when someone else talks about their favorite TV show.

            Like, someone telling you “Oh man, you have to watch Game of Thrones!” is…kind of annoying. No, you don’t have to, no, please don’t tell me more about the show unless I ask, no, I’m not interested in it at all. But someone just saying, “I can’t wait to watch the new Game of Thrones this weekend” is just…saying their plans?

            1. Annie Porter*

              I see what you’re saying, but I more meant religious folks tend to pepper their god/faith into general conversations (and I don’t just mean exclaiming “Thank god!” for a snow day, or something). I meant more of everyday conversations when we’ll be talking about a topic (and this is just a random recent example) of someone I know who got over pneumonia fairly quickly and they said “Well I can’t attribute it to anything but the lord”. I awkwardly said uh, okay! That kind of thing.

          2. SMH RN*

            As a Christian I find that sarcasm hilarious. Everyone is entitled to their view (religious or non religious). It’s when you start making blanket generalizations about all Muslims, all atheists, all Christians that dialogue stops and walls are put up. Some people are like that. Not everyone is.
            Also it would never occur to me to slip I’ll pray on that into a work setting. It’s not appropriate in my culture. But cultures vary.

        2. yala*

          I mean, that only seems like a good analogue if the other person is praying out loud every time they cross the road.

    9. SheLooksFamiliar*

      I’m not a person of faith, and I’m not anti-faith. I don’t think comments like the OP refers to are appropriate in the workplace, but I’m not horribly offended by them. Still, I think the best reply in this case is to say nothing. Maybe nod in an ‘I heard what you said’ manner, but offer no verbal response.

      See, I learned the hard way that no matter what I said, I often invited a response. I’ve had colleagues witness to me, or spend a moment giving glory to their deity, or ask me to pray with them – just because I said something like, ‘I’m glad you have faith to support you.’ I don’t want to insult anyone’s faith, but neither do I want to bear witness to it at work.

      1. KayDeeAye*

        And you shouldn’t have to! I am a religious person, but I have of course still had to hear people make similar statements that I don’t agree with (either religious – not all religious people agree, of course – or non-religious), and I would feel really, really awkward just smiling and nodding. I prefer Alison’s suggestion of “Good luck!” or “I wish you the best!” or something similar.

      2. Aquawoman*

        This is what bothers me about that statement — it seems likely to be mini-proselytizing or trying to open up some proselytizing. If other forms of coping would sound odd in the context — I just write it in my journal, I just cry, I just have a glass of wine and forget all about it — then the prayer one is, too. It depends on the context; if I mentioned my meditation practice every time a problem was discussed, people would think that was odd, and it’s no less odd just because someone attached the third rail of religion to it.

          1. SheLooksFamiliar*

            Heh, some of my father’s family were snake handlers. Maybe they still are, if they haven’t died from snakebite. That group was INTENSE and very fundamentalist. 5-year-old me was called a whore and a sinner, at top volume, because that’s what all women are.

      3. Filosofickle*

        Yes, I don’t want to bear witness to it even if it’s not offensive.

        A guy I work with recently started saying small things like “thank God” or “God bless” a lot. (I live in the godless left coast, so it’s particularly weird around these parts.) He recently said about me “God bless Filosofickle” when I did something to save the day. He knows I’m an atheist so it’s extra jarring. Just say thank you!

        1. Filosofickle*

          A better example would be when he’s said “thank god for filosofickle”. Dude, do not thank God for me and what I do. The credit goes to me.

      4. chickaletta*

        As a person of faith, I agree that saying something like “I’m glad you have faith” could potentially open the door to a discussion. It can, and probably will, be interpreted by the other person as “I’m glad you have faith – tell me how I can too.”

    10. I Wrote This in the Bathroom*

      Yea, I just nod and smile. Unless the person tries to convert me (happened once during a chat with a coworker), then I bring out the “That’s great that you have that faith”, with the addition of “but I don’t want to”.

    11. Quill*

      Possibly modify it to “I’m glad that helps you,” which is what I use all the time on people going on about how Meditation Will Cure What Ails Your Brain. (Meditation: not just sitting down and clearing your mind, also an invitation for more anxiety if you attempt to use it during, you know, anxiety attacks.)

      1. Crooked Bird*

        Oof. Trying to meditate during an anxiety attack sounds like trying *really hard* to go to sleep.

        Also counterproductive: praying to fall asleep.

        1. Aquawoman*

          I’m sure it wouldn’t work for everyone, but I used mindfulness during panic attacks (like, felt like I could not breathe). Far from being counterproductive, it eventually cured me of having panic attacks. I had been meditating for many years, though.

          1. Quill*

            Yeah, you gotta put the work in *BEFORE* the panic attacks, the issue is usually people telling me “why don’t you meditate *now* even though you’ve never actually gotten good enough at meditating for it to make a difference?”

    12. Thit'se Man, Becky Lynch*

      It gives me that kneejerk reaction as well.

      But I also loathe hearing “good for you!” as well. It rarely doesn’t feel condescending.

      I lean towards “I hope things get better soon” and “I’m sure you’ll power through this, let me know if I can be of any help.” Just dodge the faith talk and wrap up the lingering conversation with kindness.

    13. Shadowbelle*

      I’m not wild about “that’s great that you have that faith” because I don’t think it’s great at all. I do not care about people’s faith, I care about their actions. In my years of doing animal rescue, I saw no evidence that people of faith were any better than people without faith. In fact, some of the worst offenders were people of faith, whereas none of the best people were. (My personal experience only; not intended as a comprehensive statement on the world in general.)

      Personally, I’d probably just say, “Okie doke.” Because “I’ll leave it to God” is a non sequitur to which there is no useful response.

      1. Victorian Cowgirl*

        Also in animal rescue for many years. Same observation. If we all left it to God, millions of animals would still be in terrible situations.

        1. yala*

          fwiw, “give it to God” generally doesn’t mean “let’s not do anything.” It’s something folks say when they’ve done what they can and there’s not much to do, but they’re still worrying/upset about it. Like, say, when someone is ill with an uncertain prognosis (I’ve heard it a lot in that case, or especially when it was terminal. The idea being more that you’re hoping for the best outcome, but preparing yourself for something less good).

          Though when it’s said TO someone, then it’s just frustrating and rude at best.

      2. Jennifer*

        That’s a pretty offensive comment. I realize it’s just your personal opinion, but can you imagine making a similar generalization about people of the same race or gender? People of faith come in all varieties, just like non-religious people.

        1. idk my name*

          I couldn’t believe that when I read it, lol. I don’t care if people disagree with those of religion, but geez, to just say “yeah most religious people are terrible animal abusers. the atheists are the only good ones,” is horrible.

        2. chickaletta*

          Totally. As a borderline believer/agnostic who spends most of her time around non-believers, I have come to think that non-believers are just as judgemental (sometimes more) than believers are. They’re just as “religious” about their beliefs as people who believe in a god. It’s been very interesting to observe.

    14. I Wrote This in the Bathroom*

      To me, “it’s great that you have that faith” sounds like expressing interest in the faith and wanting to know more about it. Which can create a super awkward situation if you aren’t really interested and don’t want to know more.

      1. Arts Akimbo*

        Yes, I feel like it opens the window for more religion talk.

        Plus I cannot help but hear “It’s great that you have that faith” in the same cadence and tone as “It’s *good* that you did that!” as in Anthony sending people to the corn field. (LOLcry)

    15. yala*

      I’ll be honest, I don’t even understand WHY coworker’s comments need a response. At all.

      If they said: “I’ve done everything I can” or “I hope it works out” or something like that, there wouldn’t really be a response needed aside from, like, I dunno…a sympathetic “Mmm” or just agreeing that you hope it works out as well.

    16. Meepmeep*

      Yeah. There’s no need for condescension. Yeah, the coworker is very religious, which means that it will permeate every aspect of their life, but they’re not being religious AT you. Just smile and nod and say “I hope (whatever situation) works out well” and be done with it.

      Now if they were trying to convert you, that would be a different thing altogether. But they’re not.

  5. Rich*

    OP2, I’ve worked in computer security for 20+ years. Phishing is an amazingly large problem, and it’s fairly common to have situations where a successful phishing attack has led to losses in the 10s or 100s of thousands of dollars. 6-digit losses are a big deal.

    There are a number of technical approaches to preventing phishing, but ultimately, employee behavior is the weak link because the people mounting the attacks are clever and flexible — it’s difficult for IT’s countermeasures to keep up.

    Training, testing, and more training based on the testing are aggressive but often warranted ways to both help change employee behavior around email security and help the security leadership understand how big a risk they’re dealing with. They often have to report up to executives and boards of directors on the degree of exposure, potential losses, and how effective their remediation plans are. The info flowing up to company leadership is no joke, it can affect SEC filings, and security readiness can affect a company’s position with customers, with investors, and affect their cost of doing business in a number of ways.

    As someone in the trade, I think a phishing test involving a supposed celebrity death is in poor taste — but I also think it’s really clever. It’s really easy for security awareness activity to start to become as mundane as a 4th grade fire drill. Yet particularly for something like phishing testing — where employee activity is among the best defenses — using the sharp, often tasteless tactics of real attackers is arguably compelling.

    I’m not suggesting that the ends _do_ justify the means, but depending on what else is going on in security at your company, and the history of phishing incidents, maybe they do.

    You’re very reasonable to raise the issue and suggest they’ve gone too far — and maybe they have. But please be open to the possibility that something serious has happened that caused them to dial-up the intensity, and that it’s actually a defensible decision.

    1. A.N. O'Nyme*

      Agreed. My first reaction was the same as OP’s, I do think it’s in poor taste, but you can’t exactly expect good taste from real phishing emails either. I agree with Alison that you can flag this, but be prepared for an answer like this.
      I also want to address the concern that being a media company this might’ve been reported as fact: if that happened, someone essentially failed the test twice (failing to see through the phishing attempt and failing to fact-check). Of course I don’t know if the media companies do fact-checking tests, but it’s something to keep in mind as a (possibly unintentional) secondary effect of that email.

      1. Al who is that Al*

        My wife’s company’s IT Department offer a prize every quarter for the person who picks up the most phishing emails – she won a USB power bank. Being a very large automotive company they have millions of such emails per month, security is vital.

    2. OP #2*

      OP #2 here. I definitely know what a huge problem phishing is, but this testing isn’t being done at my company in the context of a training program. At least in my office, there’s been no training, just the tests.

      1. LH Holdings*

        This could be a sort of “pre-test.” IT could be trying to make their training more focused or relevant by using actual data from your company such as how many clicked on the link, what departments, etc.

      2. Joielle*

        I agree that’s not ideal, but doing something is better than nothing. If you get burned on a couple of fake phishing emails, it makes you cautious about weird emails in general, which is exactly the point. Is it the most efficient way to train people? No. Does it get the job done? Probably. And I’m sure sending fake emails is WAY cheaper than shelling out for a training program.

        The content of this particular email was not great, but I don’t think the fake-emails-without-separate-training scheme is that problematic.

      3. T2*

        Something to think about. I might run a test just like this to build up the case for management that we need opsec training. Or I might do it to identify who needs a “come to Jesus” meeting about their email use.

        Either way, it is part of the job, and you want me to be doing it. I am protecting you, even if you don’t realize it.

        1. OP #2*

          It wouldn’t seem weird to me at all to do this once as a pre-test, now that I know from Alison’s response that this is a real thing. (I’m not new to the workforce. I’ve just never been at a company that does this.) But we’ve gotten these repeatedly for months with no training, direction or follow-up. That doesn’t seem like a pre-test situation.

          1. T2*

            Training and follow up may not be visible to you. The testing might be informal. It might be to get a statistical sense of the Operational Security of your company. It may be to catch an idiot. It may be an attack by an unethical IT person. The very simple fact that you know your company does testing means that you have a heightened sense of awareness than most.

            I am sorry you were offended, but I do not take into account anyone’s sensibilities and preferences in my testing or work, even my own. That is the hard truth. Why? Because the Bad guys won’t hesitate to do it.

          2. Observer*

            How do you know there is no follow up? You say that you have not clicked on any of these – but what happens to people who DO click on them?

    3. Observer*

      and it’s fairly common to have situations where a successful phishing attack has led to losses in the 10s or 100s of thousands of dollars

      I imagine you’ve been following the news – it’s becoming more and more common that the losses are 7 figure and / or large enough to put an organization out of business.

      1. Turtle Candle*

        It was made extremely clear at my company, which is a medium-small-sized company that is doing quite well for itself, that it would be out of business if a major data breach ever happened. The millions in damages would sink us. Our jobs are literally on the line. (And I can’t imagine that it’s not worse for IT; who wants “worked 5 years in IT for [company that had a big public data breach that put it out of business]” on their resume?)

        This is, of course, a reason why LW’s business should do proper training in addition to testing, though.

    4. hamburke*

      So I actually know what company this was – they were talking about it on my local radio station. The problem here was that they gave too much info in the title and body that A LOT of radio stations reported it as news without clicking the link – they didn’t need to. Celebrity dies of overdose in home; found by person; family distraught; click for more info. Phishing campaign tests can be really helpful to a company and great training but I don’t think this was well designed. It was a clever hook but no click bait…

      1. Observer*

        Any radio station that reported this as fact based on a SINGLE email without any sort of fact checking DESERVES to go out of business.

        Good pen testing doesn’t only look at computers. It clearly exposed a MAJOR, TRUCK SIZED gap.

        Assuming you are correct in your guess.

  6. Naomi*

    #5: This could really depend on the industry and the nature of the job–some places will need to ensure coverage over the holidays, but other places (like my current job) close down entirely for that week anyway. Given the timeframe, you can probably ask what they generally do for Christmas week, and judge your request accordingly.

    1. WellRed*

      We’re closed from Tuesday noon on that week. I would ask what they do or consider starting after that week. There’s no hard and fast rule that everything is Two Weeks’ Notice (though I understand it’s the norm).

    2. The Starsong Princess*

      At my company, most of us take the week between Christmas and New Years off so we’d be just as happy not to worry about keeping a new hire occupied during that time. However, the time off would be unpaid as no PTO would have been accrued. As well, our bonus system and some other perks require that you work the whole period so if you start Jan. 2, you are not eligible. We’ve had people come in one or two days in late December just to make them eligible. So just ask, as Alison advises and be prepared to be flexible based on what you hear.

    3. theletter*

      I don’t think I ever worked at a company that had any actual work going on between Christmas and New Years. If I were a hiring manager I might also want to make sure I’m not conflicting with any set holiday plans, or that I’m setting myself up for a rough holiday because I’m fielding calls from my new hire.

      Keep in mind that ‘on board ASAP’ can mean different things to different people. In a large corporation with a lot of bureaucracy it might just mean “Ready to go Jan. 2nd.”

      1. Working Mom*

        I would lead with what Alison suggested, but start thinking about which days you really want to have off and which days you’d be willing to work. I bet if you suggested that you could work Mon & Tues, and ask to have the rest of the week off unpaid (which really only amounts to 2 days, assuming you get Christmas Day off), that might be a good compromise. You give two days, they give two days.

  7. nnn*

    What does IG stand for in #3? (I only know it as Instagram, which I’m pretty sure is not what’s meant here)

  8. Sylvan*

    OP1: What is your cultural/religious situation here? Are you in a workplace where you might face problems for being seen as a nonbeliever, or a place where you have a little more freedom?

  9. MistOrMister*

    OP5, when I got a job offer a while back, I wanted a week off between leaving the old one and starting the new one but they said I couldn’t do that because they needed coverage immediately. I ended up negotiating for a week off at some point TBD but within my 90 day probation period, of leave without pay that I wouldn’t be penalized for. (Usually if we have more than a certain number of LWOP days we’re terminated.) It actually ended up working out better than if I’d taken the time off between jobs. Maybe that would be an option if you can’t get the holiday time off. Although, it’s certainly a different situation what with family plans and all that. Hopefully it all works out!

  10. Lena Clare*

    No.5 I don’t know if the conventions are different in the US or maybe for different levels of jobs, but here in the UK at my level of job it’s ok to wait till you’re offered the job then when discussing the start date to say: “I’ve actually booked the week commencing 23rd December off.”
    It would be normal for them to give you the time off, or for them to push the start date back.

    People book leave in advance! And especially around the holiday time, it seems unreasonable to me to expect people to be available – unless it’s an emergency service job, where people rota on for the holidays.

    1. Amey*

      I agree – I don’t think all UK employers would be happy with this but my impression from this site is that they’re generally more likely to agree to it than US employers. So if OP is in the UK, it’s definitely worth asking!

      I do quite a bit of hiring and we’ll usually accommodate leave that the person has already booked before they were offered the job, including leave within the first few weeks. We had one new employee who had booked quite a bit of inconvenient leave (some of which coincided with our very busy period) in the first few months but they were a really excellent candidate and were being offered a permanent position so we were taking a long term view with them and decided to approve it. We hired for a 1 year maternity cover at the same time and would have been less likely to approve some of this leave for that post as we were really hiring them to cover a particular period. But where there wasn’t an obvious business need, we wouldn’t usually turn it down.

    2. Liza*

      Agreed. Here in the UK, it seems to be a pretty standard part of the hiring process, along with references and other background checks. I had a week booked when I started my last job, so they pushed the start date back and I started work after. It might not be paid if you’re still in your probation period, but they don’t seem to object to working around it, even at entry level. It’s just normal. If in doubt, you can always ask.

      1. Lena Clare*

        Ah, I did mean paid leave – is it usual for annual leave not to be available for a certain amount of time after starting (say the first 3 months or so)?
        I wouldn’t take leave off in a new job for at least the first 3 months, possibly longer, but I’d expect my new employers to honour my paid leave that was anyway booked.

        1. londonedit*

          Same here. There are employers who wouldn’t be happy about it, but we don’t tend to have the system of needing to accrue leave before you can take it – you’re given your bucket of annual leave when you start a new job, and it’s yours to organise as you see fit (with your manager’s approval, of course).

          I can see there being an issue with starting a job so close to the end of the calendar year, because holiday allowance when you start a new job is pro-rated. So if you start in December, you’ll probably only be given two days’ leave to use before the end of the year, or whatever it works out at. But for a pre-planned trip, I think many employers would make an exception, or at least allow you to borrow from the next year’s holiday allowance to cover the days off.

            1. Mary*

              usually pro-rated (although in practice, I’ve never had a leave year that goes from December to December– I’ve had April-April or September-September.)

              1. londonedit*

                We have a leave calendar that goes 1 January to 31 December. We can roll over up to five days from the previous year, but those have to be used before 31 March.

              2. Colette*

                That’s the norm here – which means that if the leave year matches the calendar year, the OP won’t get enough days to cover a week off in December, even if the company would allow her to take it.

                1. londonedit*

                  Yes, which is why I said that in that sort of case – in every UK company I’ve worked for – they’d either just make an exception or they’d allow the employee to borrow a couple of days from next year’s holiday allowance. To be honest, I can’t imagine a UK employer would agree a start date of 20 December with a new employee anyway, as most offices either close between Christmas and New Year or operate a skeleton staff, so there wouldn’t be much point in someone starting so close to Christmas.

          1. CL Cox*

            There are still a lot of companies where you have to accrue vacation time, while sick and personal days are available immediately and at the start of each calendar or fiscal year.

        2. Red Reader the Adulting Fairy*

          Maybe I’m misunderstanding you, but — it wouldn’t even cross my mind that Teapots R Us would somehow be obligated to pay me for my time off, if I hadn’t accrued any PTO from them, just because Dancing Camelids had told me before I left that THEY would pay me for the time off.

          1. londonedit*

            Well…that’s how it works here, unless your new employer is particularly mean.

            Let’s say I’m offered a new job with a start date at the end of May. Once I’ve accepted the offer, I say to my new boss ‘By the way, I have a holiday booked already, it’s the 1st-12th July’. No problem, says the boss, I’ll make a note of it but just make sure you book the time off as soon as you start work here. When I arrive to start work at the end of May, I log in to the online employee portal, and there’s my holiday allowance for the rest of the year – 15 days, pro-rata, because I’ve started five months into the calendar/holiday year. So I book my 9 days’ leave to cover my July holiday, my manager approves it as discussed, and off I go on holiday.

            That’s not to say that companies won’t have rules about people not booking *new* holidays in their first few weeks/months on the job, because some absolutely do (and it’s generally accepted that you don’t start work and immediately book a brand new trip away for the following month). But the vast majority of employers absolutely will honour previously booked trips, and you don’t have to ‘earn’ your holiday allowance before you’re allowed to take it.

            1. tellow*

              It’s also very common in the US for employers to honor previously booked vacations. The only difference is that we accrue vacation days instead of receiving them all upfront, but it’s common for employers to allow your vacation balance to go into the negative in that situation.

              1. Ana Gram*

                My workplace fronts 40 hours of leave. Once you hit the mark that you would have accrued that, you begin accruing at the regular rate. It’s totally dependent on the employer. For us, it would probably be fine to take that week paid (actually just 3 days since Christmas Eve and Christmas Day are already paid holidays).

            2. The Cosmic Avenger*

              In the US, most places “pay” you your leave in pro-rated installments, and their willingness to “advance” you leave varies, but even with those that do it would be unusual for a company to advance a week or more. So if you get 12 days a year, and are paid twice a month, you’d earn 4 hours of leave every pay period, and that’s what you can “spend”.

            3. Media Monkey*

              yep, i started a new job on 2nd july on a 6 month probationary period. i told them that i had booked the last week in july off and it was paid.

            4. MisDirected*

              This is exactly what I just did (in the UK). I booked leave for the end of October with old job. I agreed this with new job and started that in early October, worked three weeks and then had a (paid) week off. No one batted an eyelid, and they preferred that to the other option of me starting in November after the holiday.

            5. fhqwhgads*

              But that example is middle of the year, and the OP’s question is about starting in December and taking the last week of December off, in a context where it’s probable the leave is either accrued (and thus wouldn’t have accrued much yet) or is Jan-Dec. So if the company normally gives the 25th (or let’s be generous and say 24+25th), in order for the person to take the whole week paid, they’d need to have 36 days leave for the whole year to end up with enough prorated for December. In the US, virtually no one gets that much vacation, unless you work somewhere with “unlimited” PTO. Some places do let you “go into negative” accrued PTO, so she might be able to use some of her 2020 PTO now and have less then, but it’s a crapshoot whether they’ll do that. It’s not impossible they might be able to negotiate getting that week paid since it was planned in advance, but Alison’s setting totally reasonable expectations with OP not to assume the employer would definitely give it paid. It’s much more likely it’d either be unpaid or they’d push the start date back.

              1. Akcipitrokulo*

                36 days total isn’t that outrageous btw… yeah, not when you first start usually, but my new job was 33 days/year. Legal minimum is 28 days/year. That includes bank holidays if the company does them (company choice).

                So if you have the minimum, you either have 28 days for anytime, which means if you start early dec you’ll probably have 2 days in this year… but it’s not a big deal to borrow 3 days from next year in most places.

                If they do bank holidays, you’ll get 25 & 26 automatically, and have 1.5 for the rest of the week, so borrow 1.5 from next year – again not a big deal.

                1. fhqwhgads*

                  I was talking about in the US though. In the US there is no “legal minimum”. And the number I was talking about would not include holidays (here I’m distinguishing between “holidays” like Christmas, New Year’s, etc and “vacation”). That’s why I postulated maybe they’d get the 24th and the 25th as paid. It is not common for anyone to have the 26th as a paid holiday here. It’s also not common for people in the US to have more than 30 days vacation. So what I was saying was this person might get 2 paid holidays that week, and might have 1 paid vacation day available to them out of their normal total for the year. My math was 36/12 = 3, so in order to have 3 additional paid days available to them in December, their total vacation allotment would need to be 36 annually, and in the US that is very very uncommon. Meaning options for taking the whole week are: take 2-3 days unpaid, negotiate to borrow some days from next year (not all companies allow this), negotiate to be paid anyway as part of signing (might or might not work), or only take part of the week off.

          2. Bagpuss*

            I think here in the UK it is highly unlikely that someone would not be allowed the time. They might find that the employer suggested pushing the start date back instead of having them come in for a week then be off for a week, but if the planned time off was a bit further into the future you’d normally just approve the holiday.
            As others have said, normally you have your whole holiday entitlement from the start of the holiday year. (Then when you leave, if you have taken more time than you have built up, the extra is deducted from your final pay; if you have taken less than you have built up, either the employer can require you to take the remaining days during your notice period, or you get paid out for those days.)
            During the first year of employment an employer is allowed to require that the employee only takes time once they have built it up, but after that you can’t legally do that, so statutory leave. If the employer gives more than the statutory entitlement then they can make their own rules about the extra, but I don’t think it is common to treat it differently, as it would be an admin headache.

            OP – I think you do need to consider whether you would be OK with deferring your start date if that is what they propose, and if not, whether you are willing to give up those days (or part of them)

          3. Akcipitrokulo*

            It’s how it works because you don’t accrue leave as such. You get your leave for the year (minimum 28 days, usually more if not entry level).

            If you started a month before the end of holiday year (some run jan-dec, some apr-mar) then most places will let you borrow from next year.

      2. Akcipitrokulo*

        Yeah, paid leave that soon wouldn’t be way out of the ordinary; the question would be if they could do without you or not for that time, but taking it unpaid wouldn’t be the first thing that occurred. The assumption would be part of paid holiday allowance.

      3. Jemima Bond*

        Another thing to consider is that in the US they have way less paid leave so an employer naturally expects periods of paid leave to happen less often. Whereas here, starting a job in December and saying you had planned to be off for Xmas week wouldn’t cause the slightest eyebrow raise. I’d be more surprised if someone was all “I’ve cancelled attending my child’s school nativity play because I have to be in the office until 6pm Xmas Eve because I’m new”. Also; taking Christmas week off here only means three days of leave not four because Boxing Day isn’t a thing in the US.
        What I’m driving at is, there’s a big difference between “can I take 40% of my paid leave for the year soon” and “can I take 12% – 3 days when half the office will also be out”.

      4. tellow*

        I actually don’t think it’s that unlikely, at least if she is salaried. I’ve had preplanned vacation when I started my last 2 jobs and both times I offered to take the time unpaid and both times the employer preferred to pay me during that time and have my PTO balance go negative. I know quite a few other people who have done this as well and I guess I assumed this was normal.

        It can be really difficult for a salaried employee to take unpaid leave because the amount the company pays for their benefits depends on the employee being paid the same amount every pay period, so a negative PTO balance is easier to deal with.

      5. Wakeens Teapots LTD*

        A week off that soon would be disruptive to training and put a hardship on the direct manager. We’d offer to delay job start by two weeks instead. (This just happened last month.)

        1. WellRed*

          In this case, though, how much training is getting done that week, which I think makes a big difference in this case. I actually think a delayed start makes the most sense.

      6. DANGER: Gumption Ahead*

        Although it can happen. I accepted a job in September but had a weeklong camping trip booked for October that had been planned long before I had even heard of the new job. I asked my manager about taking leave without pay for that time, but he told me just to go into leave debt. I was surprised, but appreciated being able to be paid.

      7. banzo_bean*

        Curious how this answer would change if the employer offers unlimited PTO as part of their compensation package. I’ve worked in offices where I can take unlimited leave so long as it’s approved, but I have never taken a substantial amount of leave (more than half a day or a couple of hours for appointments) within the first few months of employment so I don’t know how it would work here.

        1. Marketing Queen*

          I started a new job on Jan 2 last year, and had a 3-week vacation in mid-February that had been planned a year in advance (and there was no changing it). On Jan 1, they had implemented unlimited PTO. I let them know when they made the offer, and they both approved it and paid me during that time (which I was not expecting). I am salaried; hourly employees in our company don’t have unlimited PTO, so it would be a more difficult situation because of accruals, training, etc.

        2. EnnaB*

          I was in that situation. My company has unlimited vacation and I had a week long trip booked one week after the day they wanted me to start. I figured they would want to delay my start date so they wouldn’t be paying me to be on vacation during my second week of work. However, they told me they preferred me to start at the date they wanted anyway. So I had one week of work, one week of vacation and then came back having been paid for both weeks!

    3. AcademiaNut*

      I actually think it’s pretty common in the US for an employer to accommodate pre-planned vacations, particularly as you get more senior. However, it’s generally going to mean unpaid time off, as it’s a lot less common for jobs to start off with a full vacation allotment that you can start using immediately (the OP is hoping for paid time off). And it’s a lot less likely to be approved if you need time off at a particularly critical period for the business – if you’re a new retail employee, you’re not going to get Black Friday off, if you’re a teacher, taking vacation in the first week of term is unlikely. So if the OP’s future employer is hiring with the idea of having coverage over Christmas, they’ve got a strong incentive to say no, even if it means the OP turns down the job.

      1. Lena Clare*

        I would kind of expect that though – if you’re coming from a retail job into another retail job, it’s likely you wouldn’t have been able to book Black Friday off in your previous role anyway, right? And teachers aren’t permitted to take leave that isn’t sick leave in term time except for in exceptional circumstances (and I’d say almost probably not for something like a holiday).

    4. Ruth (UK)*

      Yes, agree with the UK commenters. It’s very normal here for new employers to automatically grant leave for new staff if the previous job had granted those dates for them before knowing they were leaving, even if it’s a date they might not have otherwise granted.

      When I left my previous job (only a couple weeks ago) a colleague there insisted to me that “it’s illegal!” for them not to let me have leave I already had granted in the job I’m leaving so “they have to!” – when I expressed minor worry about requesting all my leave dates as I book a lot in advance. Of course he was wrong and it’s not illegal and they don’t have to (I told him this in a nice way) but the fact that he thinks that is the case does demonstrate how normalised it is here for it to be the expectation that you’ll be granted that leave.

      1. Ruth (UK)*

        Ps. However with as much short notice as OP’s situation for it coming up after starting, it may be solved by pushing back start date or taking some or all unpaid

        1. Magenta*

          When I have recruited people I’ve done it both ways. There have been people who have gone on holiday a month or so in and people who we pushed the start day back for to accommodate pre-booked trips.
          Treating new employees well is just good business practice and a great way to generate good will.

          1. Akcipitrokulo*

            Very much this. If I started a new job, and the first real interaction was “well, you need to take that day unpaid…” then it would have an effect on the relationship.

            It’s a standard question I’ve been asked every time I’ve had a job offer “do you have any holidays booked?”, and from other side know HR asked it. It’s purely to plan first few weeks.

            But if job specifically wants you to start that close to the end of the year and not push start date to Jan… they want the coverage.

    5. Flash Bristow*

      Well one thing that I wonder might be a factor: in my experience, the normal period of notice in the UK tends to be 4 weeks. I was rather surprised when I first saw it’s often 2 in the USA. So I guess in the States the expectation is that you move on quite quickly, and so these things might pop up? Whereas here, once you accept a job offer the new employer isn’t expecting you to be available for a good month – so the issue of immediately planned leave won’t come up so urgently.

      Not that this helps solve the issue! But it might clue into why people in the UK and USA have slightly different perspectives on the situation.

    6. writerson*

      Yes, it could be part of the bigger conversation about start date. A few years ago, I was offered a job in early December. I asked to start on the first business day of January so I could attend an out-of-town family belated-Christmas shindig the week between holidays. The hiring manager REALLY wanted me in the week before Christmas to attend some all-staff training (who schedules training the week before Christmas???). I said fine, but I was taking that week between holidays off. I ended up starting on Dec 14ish, then taking off Christmas Eve-New Year’s Day unpaid. My flexibility to start the job earlier actually earned me some good karma with the team – and it meant I was eligible for health insurance sooner and didn’t have that annoying gap between insurance plans.

  11. Medico*

    OP. #3 Alison’s advice is very wise. It’s nice that you still care about your previous workplace but it’s not your circus and not your monkeys anymore. By all means support and encourage the people still in that circus to do something about it, but it’s best that it comes from them, not you.

    1. Annie*

      “Report to the authorities” is waaaaaay excessive for what ultimately boils down to “someone not pulling their weight and skipping meetings.” That’s a complaint, not a whistleblower issue. Honestly it would be super odd for something like that to come from an anonymous party who does not work there.

      The LW’s focus seems to be on the affair and the age difference, but all those details are extraneous and really totally irrelevant. The reason the man is skipping meetings doesn’t matter. I get the sense the LW feels that having a consensual affair is whistleblower territory and (unless their old workplace specifically bans it) it’s really not. Sending in anonymous complaints to “the authorities” saying “I don’t work there but two of your employees are banging” is just going to look strange.

      1. Super*

        If it were a subordinate that director was dating, that would be abuse of power, but the datee is from another group. So indeed, it’s way less loaded.

    2. OP#3*

      Thanks! I agree with Alison’s advice as well. I feel for the people in my old office who are dealing with the ramifications of this affair, but in reality I can (and will be) a supportive/listening ear for them without acting on their behalf.

  12. NYCBanker*

    At a former employer they sent out a phishing email to all the senior men (potentially senior women too but tbh there’s only one or two of those) saying they had been accused of inappropriate workplace conduct and to click on the link for more details of the claim. A lot of people thought that went too far but IT security is really important.

      1. Observer*

        Why? Do you have any idea how common that particular scam is?

        It happened to my boss. He forwarded me the email with “What do I do now? I’ve never been to any such site.”

        I told him not to worry – no one was going to “report” him or send anything to his family / boss / press. Just a scam.

        1. Observer*

          To clarify, the fact that it happened to my boss is not why I know it’s common. That was just an illustration – and it was an easy one for me because I knew all about it already.

          I’d even seen sample text that looked amazingly (not) like the text in my boss’ email.

    1. Linguist*

      That is… mean. I have no words. Actually, I do. Once upon a time, people were accused of being witches. It was terrifying. And IT security? Don’t make me laugh. One way to make absolutely sure anyone’s going to click on that link really fast is to scare the shit out of them like that.

      1. Derjungerludendorff*

        I think it’s a bit much, but scaring the shit out of people with vague threats is how a lot of phishing emails work. If people are scared and frantic, they don’t pay attention until it’s too late. So in that sense it was a very accurate test.

        Also, witches? Most places I know would just get confused or laugh at that. I kind of want to know how that went.

        1. Oh No She Di'int*

          Indeed. A common scam that hits immigrant communities is being told vaguely that a relative back home in China/Vietnam/Mexico is in legal trouble or that something is wrong with your immigration status so you’ve got to send money quick. My understanding is that this is primarily a phone scam, but I would not be at all surprised to find out this has migrated online.

      2. Observer*

        That’s actually the point. A LOT of scams work EXACTLY like this – some actually specifically target the inappropriate conduct or porn the target has supposedly engaged in. Others use the IRS / relevant tax authority, Jury duty, and assorted other legal problems to scare people silly. The porn one seems to be the most common because it feels easy.

        Links on some information to follow.

        1. Observer*

          Jury Duty:

          Tax related:

          Social Security

          Multiple Legal scams

        2. Turtle Candle*

          Yep. Real phishing scams that our IT department catch before they reach individuals (which is true of the vast majority of them–it’s just that some always slip through because scammers and cyberattackers are always updating their tactics to work around the blocks) include “there is a warrant for your arrest,” “you have been found to have child pornography on your computer,” “you will be deported,” and “you are about to lose your house.” Or “your relative died.” I don’t mean a few. I mean thousands. With credible spoofing that makes them look like a real authority.

          That fear is part of what makes them work, and any training/testing has to be cognizant of that, because you have to learn and practice how to stop and think even when you are afraid that your entire life is on the brink of ruin.

    2. Thit'se Man, Becky Lynch*

      It’s exactly what phishers do. They use that scare tactic of “I’ve got your personal pics and browsing history to show what you’ve been up to!!! Click here. And btw send me bitcoin and I’ll delete them!”

      1. Janet, Sower of Chaos*

        Yeah it’s the email equivalent of those scammers who call you and say “Illegal activity has been reported on your social security number account and the police are on their way to arrest you right now.”

    3. sofar*

      My old company hired a security firm that did the same thing. They also had one of their agents socially engineer his way into our (locked) office, where he stole a security card off someone’s desk while they were away. He then set up his laptop at an empty cubicle and spent the day chatting employees up in the break room. Nobody flagged him to our office manager.

      And then we had our Big Security Training Meeting. When the guy went up to the front to conduct the training, imagine our surprise.

    4. Batgirl*

      I can see how that’s a valid test but it really needs to follow a training-warning of “this is the type of email they use and so will we”.

  13. Uldi*

    #2: You can absolutely raise it as an issue and they’ll look at you, then they’ll say, “Noted.” Then for the next 6 months or so you’ll get tests using a similar theme. Why? Because you just admitted that you might be prone to falling for this one, or know people who are.

    I’ll also point out that if your worry that someone will release a report due to a single email is as strong as I’m reading it, there might be some completely different problems going on. You might want to find out how robust the fact-checking at your company is.

    1. Nicki Name*

      That second paragraph is what I was coming here to say– a fake celebrity death email actually sounds like a perfect test for a media company!

    2. amativus*

      100% agree with this. I’m totally perplexed by a bunch of the comments in here referring to “good taste”…do y’all not understand how phishing works? Do you not understand the IT department’s responsibility here? This is exactly what they should be doing, and it is your responsibility to learn from the experience.

      And the idea that a media company would just report on a celebrity suicide they heard about from a single, unsolicited email, without even so much as Googling it to verify? In the year of our lord 2019? I hope such a person *would* be in big trouble, for their irresponsible journalism.

      In fact, both situations stem from the same problem. This is what it means to be a digital citizen in the 21st century: you need to be vigilant about where your information comes from, and be savvy at judging whether a source is trustworthy. This is true whether you’re a journalist or simply a person with an email account. The skills your IT department is forcing you to develop are extremely applicable to the rest of the world!

      I agree with other commenters that OP’s IT department should give more formal training in how to spot phishing emails (“hover over the hyperlink – is it taking you to a website you trust?” “does the sender’s domain actually match the sender’s name?” “is there a misspelling somewhere in the email?” “does it make sense for you to receive such a message at your corporate email?”). Some employees are less digitally savvy than others, and IT shouldn’t take knowledge of these principles for granted. OP should speak with IT about instituting formal training, but once that training is complete, it’s completely appropriate for the IT department to send these tests out – the sneakier, the better.

  14. Akcipitrokulo*

    That phishing email might seem in bad taste… and I would be upset at hearing of the death of a couple of well known people… but on balance, I think it’s worth it.

    Someone got “got” by this at a previous job. They then used their email to send out (unknown to them) an email from their email address to all of address book with a link saying “here’s doc to review – please give feedback by close of play Friday.”

    Because it was from their legitimate email address, and was being sent to people who wouldn’t think it out of ordinary for them to send something for review, a lot of people clicked it. Including me :(

    (Link had a “login” screen to enter your system username and password – I realised at that point and alerted IT.)

    Main points are that yeah, training like that is needed – and if you ever click on something you shouldn’t TELL SOMEONE IMMEDIATELY. Damage containment is hugely increased by quick action.

      1. Persephone Mulberry*

        “If you ever click on something you shouldn’t [have], [you should] tell someone immediately.”

    1. Jennifer*

      Yeah, I got how it’s upsetting, but I agree that it’s a good thing. It’s the kind of thing people click on without thinking because they HAVE TO KNOW.

    2. Rebecca*

      This has been happening a lot at my company, too. We all got the “see attached document” from what appeared to be a legit email address and a real person in our company (there are hundreds of people, for reference). Apparently she fell for something about re-entering your Outlook credentials. The worst part was when the CEO sent an email to everyone stating that either “Jane Smith” (yes, he called her out by name, IT just said “a user in the X office”) was tricked into giving up her credentials, or it was so easy to guess that the hacker just picked her, and the tone of the email was “none of you better not do this again, ever!!” To make things worse, a short time before, we were all issued instructions from IT about passwords and user names, instead of different ones for email, to get into our computers in the first place, and then even more creds accessing several other things from there, they made it one user name/password for all of it. She probably thought she put it in incorrectly for email and was just in a hurry.

      So now, we have the opposite problem – people not clicking when they really should, deleting and marking as spam or junk actual legit things, and IT needing information, no one responds, then they send a second request and literally say “oh hey, that email from earlier? It was really from us, we really need the info, so please call us on a known phone# if you have questions”. And yes, they do the phishing tests, but apparently we’re doing a bit too well on that, since we now shy away from even legit things.

      1. Akcipitrokulo*

        That’s counter productive. We did a lot of “this is easy to fall for, so be aware, and tell us if you mess up – don’t worry, just tell us.”

  15. Cheryl*

    “I take comfort in nature” – I’d love to see or hear someone’s reaction to that line. Especially in response to religious talk.

    1. DawnShadow*

      My reading of what Alison said is that a response that would fit for “I take comfort in nature” would also work for “I let Jesus take the wheel” or whatever other religious saying. Pretend they said the nature comment. Not to say “I take comfort in nature” in response. I thought this was sensible – just take religion out of it in your mind, and answer in whatever supportive way you usually would. This kind of thing wouldn’t come up if they weren’t hurting in some way anyway, why compound it.

    2. Super*

      I get pretty uncomfortable with religious talk, so I’m giggling to myself at the idea of how baffled a person like this would be by a statement about ‘finding comfort in nature’.

      Clearly they think it’s normal to talk about God at work (!), with people of unknown faith (!), so I’m pegging them as ‘Christian is default’ kind of person. I’m a religious minority, so I’ve found that ‘Christian is default’ people can be very open to other faiths (ooh, tell me more about what you believe or practice), anywhere along the line that ends in hostile and assuming your different faith is inherently evil and aimed at them (sigh).

      1. Quill*

        To quote my very Catholic grandmother on Easter Sunday in Hawaii: “You know what? God made this natural beauty, therefore this is a church.”

        (We were NOT finding a 2 hour Easter mass to go to instead of the road to Hana and there was discussion of it until we got her there.)

        1. Derjungerludendorff*

          From a certain perspective, God’s home is the entire planet. So if anyone needs a good excuse to skip a boring religious mass…

          1. Quill*

            Technically there was already a schism about this, but my gran’s side of the family is known for producing a nun who went into an order that basically ignores everything any pope says that isn’t about good works & public service.

  16. Red Reader the Adulting Fairy*

    We got a division-wide email yesterday about a surprise bonus for everyone – legit, not phishing! – on our first December paychecks, which is unusual for my org. The rest of the day was spent in deleting the reply-all responses, fully half of which were along the “God is good” or “what a blessing from Jesus” line or similarly Christian references.

    1. Linguist*

      I’m quite impressed with how smoothly you commented on both #1 and #2. Hats off to you and your talent for synthesis! :)

    2. Super*

      I’m not sure I could work in an organization like that. Is it a faith based org, or one of those regions where Christianity is assumed to be default, or just people with boundary issues?

      1. Red Reader the Adulting Fairy*

        It’s mostly 2 and 3. Some of our hospitals started as religious institutions, but the overarching organization isn’t religious. But we are in the Midwest and a large proportion of my division is middle-aged women, and a large proportion of the middle-aged midwestern women that I work with are both Christian and not great with boundaries, with a side helping of also not being very tech savvy.

    3. Perpal*

      Whenever it comes to god and money, I can’t help but think “Render to Caesar the things that are Caesar’s; and to God the things that are God’s.” … then again, if we’re being extremely literal with that parable, US money has both god AND presidents on it…

    4. Victorian Cowgirl*

      I think I’d have a hard time not sending one out thanking all the dark gods or the All-Father or Goddess or Hestia.

      1. Red Reader the Adulting Fairy*

        Resisting that urge was aided by the admonishment from Outlook reminding me that doing so would involve sending an email to 700 people. :) (WHY is that not a pop-up box that requires you to actively click “Yes, I want to send this email to 700 people,” instead of just a quiet subtle FYI.)

    5. Batgirl*

      See I think that’s quite different to someone off-handedly saying something in conversation about themselves.
      It’s using reply-all as a preaching platform to say ‘my faith did this for you’ which is ick.

    1. ThatGirl*

      There’s a misconception that Catholics only pray to saints and/or Mary instead of God directly. Which – I admit that using intermediaries is a strange concept to many Protestants and Anabaptists, but it’s not that you /can’t/ pray to God directly.

  17. London Lass*

    #5, I am in the UK but recently started a new job where I wasn’t able to start fully for a few months after the interview (which would be a normal notice period for many jobs here). They were keen for me to get a good handover from my predecessor before he left, so we landed on a plan where I started the role, worked two weeks alongside my predecessor, then took 6 weeks of unpaid leave before taking on the full role. Perhaps if your new employer balks at a week of paid leave so early, but really want you getting started asap for some reason, they would let you take it unpaid.

  18. WineNot*

    #1 – I also do not believe in God, and have had so many people, whether it is a customer I deal with at work or someone I just met for the first time, say things like this and I am always so confused as to how to react. I am usually good at letting them just roll off my shoulders, but one line that I will never forget came from someone who my past organization worked very closely with. We were chatting about the event that was happening the next day and with the most intense eye contact ever and 1000% seriously, he said, “God bless you and your beautiful soul” as a goodbye. I awkwardly mumbled something like “you too!” and left. I’ll never forget that one.

    1. Sara without an H*

      “God bless you and your beautiful soul” — yeah, that one’s a little over the top. It’s hardly an insult, though, and I think your response was just fine.

      I know that conventional phrases get a bad rap nowadays, and that we’re all supposed to be “authentic” — whatever that means. But I still find conventional responses helpful. “That’s nice” “I hope it all works out for you” “I wish you well” provide some mild affirmation for the other person without inappropriate judgement of their personal situation.

      1. Quill*

        I’m not the only one who read “god bless you and your beautiful soul” in Jesse McCartney’s voice, I hope?

        1. WineNot*

          You certainly are not the only one! Love me some Jesse McCartney, even when “God bless you and your” comes before it.

    2. Super*

      That sounds like deliberately wrapping an inappropriately intimate comment in religion to get away with it. No wonder you were weirded out.

      1. Vicky Austin*

        That’s what I thought, too. I’m a devout Christian (raised Catholic, currently attending a nondenominational church) and I’d be just as weirded out if someone, especially a man, said that to me the first time he met me in any situation other than church.

  19. Mel_05*

    LW1, just nodding is fine, it’s probably not going to be taken as anything other than your personal support for the individual.

    One of my old coworkers was agnostic and we both worked at a place that had some pretty religious undertones going on and most people were part of one of 3 religions.

    I don’t think anyone was under the impression that she was anything other than agnostic, even though she never said so and was always completely polite, even supportive, about other people’s religion.

  20. Kat A.*

    For #5, I’ve been in a similar situation but it was for Thanksgiving. I’m here to tell you please, please put family first. Those first few weeks will be very busy with the new job, and it can be awkward for your relatives being in your home with you gone most of the day. But also, that Thanksgiving ended up being a family member’s last, and the great company I worked for got a new manager months later who made daily life hell.

    Every Thanksgiving I think back and regret putting my job before loved ones. Be there for family. Because when you need someone, they’ll be there for you, not your company.

    1. yala*

      +1 Something similar happened to me for Easter. It wasn’t early in, but I couldn’t get out of working the Saturday before–which is our family’s big celebration (like, 30-50 people). Barely a month later, my step-grandfather, who was the sweetest person, and the only grandfather my siblings and I had (my only living one passed when I was three, well before they were born), died unexpectedly. I really regret not having had that last holiday with him.

      Tragedy aside, if family is a Big Thing for you (it isn’t for everyone, and that’s understandable), then it really should come first, especially for holidays. In your case, if they’re making the trip in, I’d at least try to see what you can do to get the time reduced so they’re not awkwardly hanging around.

  21. Seeking Second Childhood*

    OP3, two things.
    First, a great majority of the readers here are US, UK, & EU, where extramarital affairs are not illegal. If you’re writing from a country that has legal consequences to extramarital affairs, there’s a whole level of life-ruining possibilities that we’re not able to address.
    Second…you say the couple is in two offices. Are they in different reporting chains? If she doesn’t report to him in any way, it is the consensual relationship others are assuming. Most companies have a policy against dating your direct reports. But because you don’t work there anymore, if you choose to call the anonymous line you mention, what YOU can say is that there is industry gossip about a manager dating somebody who reports up the chain to him. (And I’d hesitate because it’s too common for companies to address this badly, with retaliation against the junior female employee.)

    1. Ana Gram*

      So, about the legality aspect. Having sex with a person who’s not your spouse is illegal in Virginia (and likely quite a lot of other states). I’ve never heard of it being prosecuted but it is, in fact, illegal. That said, I still wouldn’t call a former employer about such a thing.

      1. Super*

        They mentioned an IG, Inspector General, which in the US government is who investigates ethics violations. For civilian government, the only way the IG would care is if a manager was dating a subordinate. In the military, adultery is both rife and actionable for discipline. I have no idea if the reporting mechanism is called the IG in military though.

        1. RecoveringSWO*

          It’s the IG in the military as well. Adultery is only really prosecuted in the military as an additional charge when revealed in an investigation (whether it’s fraternization, fraud, or whatever). I got a few calls from scorned spouses who were very upset to hear that we wouldn’t charge their spouse with adultery if they did nothing else wrong…

          1. Janet, Sower of Chaos*

            I remember an episode of NCIS where some officer has very clearly murdered someone, but Gibbs doesn’t have all the evidence yet so he arrests him for adultery.

      2. Vicky Austin*

        It seems to me that a law against adultery would be difficult to enforce, because the act usually happens in private.

    2. OP#3*

      Thank you all. Good point on the blame landing on the junior female employee. It’s not really a question of the legality of the affair, more with the workplace morale and job execution of the two people involved in the affair that is frustrating/concerning. But I agree with Alison that I should stay out of it.

  22. UKCoffeeLover*

    I agree. I think this phrase could come across badly. Personally, I’d just carry on nodding and smiling.

  23. TrixieHP*

    Regarding #1: I’ve in the last year moved (back home!) south, to Georgia. While I love it here there are definitely some issues that don’t fit me or my general life philosophy. One thing that it seems every other person says is, ‘have a blessed day’. It drives me NUTS. Don’t recall it being a phrase when I lived here previously and while it’s not offensive, it is VERY awkward for me, an agnostic-sort of gal. Typically I’d say, ‘you too!’ or something equally bland but the ‘blessed’ part of it is not at all me, nor genuine coming from my mouth. It’s just an annoyance I have to get over, but baaaahhhhh… rubs me the wrong way.

    I will say I love me some y’all tho, it’s so very lovely and inclusive of everyone. :)

    1. mcr-red*

      It’s funny that you said that – I had a friend from Georgia who was wiccan who said that. I always associated it with her because I’d never heard anyone say that before. And I’m not wiccan, but hey she’s wishing me a nice day, thank you friend! So one day I was out with another friend and a cashier said it to me, and I was like, “You too!” And my friend said, “Ugh, I don’t want to be told have a blessed day, I’m not Christian,” and I was like “Oh, I thought it was wiccan!”

      So apparently it must be a regional greeting.

      1. Super*

        That’s funny! It’s always been said by Christians in my experience, the kinds of Christians who assume Christianity is the default. Your Wiccan friend shows a lot of flexibility in being able to filter that out and choose that she can bless people her way with that phrase.

        1. Crooked Bird*

          “Blessed be” is a big Wiccan phrase, though, so I think it’s partly a case of shared vocabulary. Though it does seem like the “blessed day” thing might be deliberate adaptation.

          1. mcr-red*

            I think it may have been, I also heard the “blessed be” phrase.

            I had honestly never heard it before her, and have rarely heard it since, but either way it just came across as an alternate way of saying “have a nice day.”

      2. ellex42*

        It’s not regional. I live in western Pennsylvania, and I hear it on a semi-regular basis. In this area it’s pretty much a dead giveaway that someone will proselytize at you given half a chance.

      3. Victorian Cowgirl*

        Wiccans usually pronounce it as BLESS-ed whereas Christians say the more common Blessed. Different meanings.

    2. I Wrote This in the Bathroom*

      Y’all needs to be mainstream.

      My one ex (born and raised in the Deep South) described his past marriage as “blessed”, and he was as atheist as they come. Maybe it really is a regional expression?

      1. Super*

        He called his divorces blessed, to his current spouse? Like bless their hearts? Cuz that means something else, though you likely know that. How would he phrase it?

        1. I Wrote This in the Bathroom*

          I was one of the many girlfriends he had after the marriage ended. No, he was serious about the marriage having been really good (even though it did end). “We had a blessed marriage,” he’d say, and then explain why it was so good.

    3. Daffy Duck*

      We get robocalls on our landline (we always screen those calls) that end “Have a blessed day” – like 4-8 of them a day. That phrase is a HUGE turn off for me!

    4. Pennalynn Lott*

      I’m in Texas. I’ve finally trained myself to automatically respond to “Have a blessed day!” with “Yes! Hail Satan, go forth in His darkness!” but with a totally genuine, loving, happy smile on my face. They respond to the facial expression and delivery loooong before they catch onto the actual words.

  24. 8DaysAWeek*

    OP5: Another thing to think about if you are extended an offer is related to the benefits package. If the company offers a pension or something similar, find out if there are repercussions to starting in the new year vs starting in 2019. At my company if you start before the new year, you are already vested 1 year in the pension even though you may have only worked a couple days in 2019. If you start in 2020, you will have to wait the whole year to get that first year of vesting under your belt.

  25. Environmental Compliance*

    A celebrity death is in poor taste IMO…. there’s other topics that could have been easily chosen.

    Job before this one had regular phishing/hacking/etc. trainings. We all had to watch the video & take the miniquiz. It wasn’t half bad either because they included those phone scams that were getting a lot of people, and steps to help family members avoid them.

    Then IT sent out a phishing email (IIRC it was something similar to some IRS scam thing), and got upset because no one clicked on it. I was pretty entertained.

    1. ArtK*

      Scammers who use phishing are not constrained by taste. These tests have to be as real as possible so that people learn. A celebrity death is exactly the kind of thing that a scammer would use to get people to mindlessly click on a link.

    2. Shamy*

      I agree with you. I am surprised a number of other commenters don’t see an issue with it. I could be projecting a little since I have been tangentially connected to people in extremely high profile families (think famous hotels) and my father worked in a tiny business alongside the brother of a celebrity. You really never know who is connected to whom in this small world of ours.

      My job does phishing tests as well. It is kind of ironic in your case that IT was disappointed no one clicked on the link.

      1. Observer*

        Well, if you look at what people are saying, they explain WHY they don’t see an issue with it. No one thinks it’s great, they think it is NECESSARY. Because for these tests to be effective and useful, they need to mirror the real world. And it needs to mirror the whole variety of stuff that goes on.

      2. Uldi*

        In my opinion, I’m shocked and concerned so many seem to think phishers have some line they won’t cross. These are people that would empty the accounts of elderly people and not lose a second of sleep over it. If a test doesn’t reflect reality, it’s a worthless test.

        1. Observer*

          Let’s be clear – these are the kinds of people who don’t care if people lose their lives because of their actions. Otherwise they wouldn’t target hospitals and nursing homes. Yet, they do.

          1. Observer*


            Here is a perfect example of what it means when a nursing home (chain) loses access to their systems.

            Does anyone think that scum like that would hesitate for a single second to write something that literally causes someone to land in the ER? Certainly causing some hours of anguish are not going to register on their radar.

            All of that is reflected in how they operate. Tests need to reflect that. It’s bad, it really is. But it’s better than getting hooked.

  26. tinybutfierce*

    LW3: If multiple people you know have mentioned this to you, and they’re all afraid of being That Person who goes to HR, maybe you could encourage them to go in a group? That way no one is getting singled out, and it definitely sends a hell of a message to management that this isn’t a small problem.

    1. Narise*

      I think this is a great option. If multiple complaints are filed, even anonymously, it would be difficult for one person to be singled out for blame.

  27. OP 5*

    OP 5 here! Thanks to Alison and all the commenters for the advice. I have a second interview scheduled next week, so if I get an offer, I think I will be able to negotiate a start date for after Christmas. Initially I was really worried because the hiring manager had mentioned that once they got someone on board, he’d want to focus on training and bringing that person up to speed for “December and January.” I thought that might mean they want someone to start in December. However, this job has been vacant since June so I really doubt they will mind if I ask to push the start date by a week or two.

    I also realized that I have some vacation time banked at my current job that will get paid out if I leave, so I would be able to afford to take the time unpaid. That being said, I’d be really hesitant to offer to take time unpaid–that’s not something people do in my current job and I would be uneasy that that would establish a precedent.

    1. c56*

      I’d bet by the time they make an offer they’ll be talking about a January start date anyway. However, it’s not setting a precedent to take time off very early on unpaid. In my experience most places will have a fairly black and white vacation time policy; they are either set to pay you for that time or not (of course, that is often negotiable as well).

      1. OP 5*

        See, I would have bet on a January start date too except that they have been moving crazy fast (at least compared to my past experience). After my phone interview, they contacted me within a day to set up an in-person interview. Same thing with my in-person interview, they contacted me the next day to set up a second in-person interview for the next week. The hiring manager indicated that they are trying to make an offer before their annual meeting which is the week of Dec 9.

        All that being said, if I get an offer, I am definitely going to request a January start date. I’m not missing out on spending Christmas week with my sister!

        1. Akcipitrokulo*

          Ah… if they don’t need cover specifically for the holidays you should be fine for a Jan start.

    2. Sara without an H*

      Best of luck, OP5! Given that they’re getting so close to the holiday season, I’d be surprised if you couldn’t negotiate a post-Christmas start date.

    3. blink14*

      Just responded below! See if you can find out what the company holidays are, and if Christmas Day and potentially Christmas Eve are paid holidays, you’re only looking at 3 vacation days if you took the whole week, or 1-2 if you took off the Monday, or the Thursday and Friday.

      1. OP 5*

        Yes that was part of my thought process–I know they are closed Christmas Day, not sure about Christmas Eve. So I know I wouldn’t be asking for 5 vacation days!

    4. vlookup*

      Don’t take the time unpaid if you don’t want to, but I actually wouldn’t be too worried about setting a precedent. If you’re salaried, I think it’s generally pretty unusual to take days off unpaid (except for e.g. FMLA), and dicey for your employer to do in increments of less than a full week.

    5. banzo_bean*

      I can understand not wanting to take the time off unpaid to set a precedent. I’d advocate for the later start date as well. That would be a pretty tight timeline for giving notice/starting a new job/welcoming family in town as well.

  28. c56*

    am I crazy in thinking any reasonable/non-retail workplace would have no problem giving a new employee the week of Christmas off if they bring it up when they make the offer? I agree it’s likely to be unpaid but I can’t imagine they would balk at a qualified applicant asking for this.

    1. Jennifer*

      It seems they wouldn’t want them to start that week anyway since so many people are likely to be off.

    2. Quill*

      They might be hiring specifically because they need someone to hold the fort down while everyone else is gone. But expecting them to be fully trained for that on this timeline seems bizarre.

  29. Aspiring Chicken Lady*

    OP5: I wonder if it wouldn’t be just fine to take some unpaid days around the holidays in large part because if other folks are out, the people who would be training you might not be around either.

    I’d trim any time off that didn’t require pre-arranged travel tickets, and do what you can to start in 2019 instead of 2020 for the benefit year reasons — and because, you know, you should probably start working.

    1. banzo_bean*

      I disagree, if OP doesn’t need to start working straight after her notice period is up at her last job I don’t think it’s bad to say “I am booked x week, let’s look at the week after for a start date.” It’s really not uncommon for folks to have travel plans booked the week of Christmas or to negotiate on a start date that works for their timeline.

  30. K8 M*

    I am in a similar situation as LW1. I am an affirmed atheist working with a devout catholic who has Jesus portraits pinned up at his desk and encourages everyone to pray on problems, and spouts the serenity prayer every time someone mentions being annoyed about some policy or decision. It’s incredibly frustrating for me. My coworker does not know I’m an atheist, and I feel very uncomfortable with both mentioning that fact and continuing to smile and nod and let him think I agree with his babble. I’ve not found anything that works though. I’ve recently just resorted to grunts and ignoring.

    1. Sara without an H*

      K8 M, I understand your discomfort, but I don’t think smiling and nodding really signify agreement. It’s just a routine social gesture indicating “I acknowledge you, fellow human.” It might help if you could recast this behavior in your mind as a weird hobby, something like Dr. Who fandom, or an inordinate devotion to the Chicago Cubs.

      The serenity prayer isn’t really Catholic, and I’m a little surprised your colleague is so attached to it.

        1. Come On Eileen*

          I’m a Christian and I’m also in recovery — I never really heard the serenity prayer in church, but it’s deeply embedded in recovery and AA philosophy. So that might be where your co-worker experiences it.

      1. Teyra*

        It really does signify agreement, though. And I honestly don’t think it’s helpful recasting the behaviour as a hobby, because that’s not what it is. And even if it was, I’d have no qualms about telling someone to back off if they kept telling me to watch Dr Who or treating me as if I was a huge fan of it.

        If anything, I think it would be helpful to just tell the guy that you’re not religious and don’t pray when he encourages you to pray next. Right now the guy’s going by his own prejudices that everyone is Christian, and everyone is humouring him. So he’s never going to learn that he’s wrong. By speaking up and showing him that a) atheists exist and b) we’re just like everyone else, he might re-evaluate his own prejudices and develop a more open mind.

        Obviously there’s risks involved with that – you might be his next ‘project’, or he might make your life miserable, or he might just ignore what you’ve said or double-down – but it’s probably the only way aside from involving HR to get him to tone it down around you. (I don’t think you can/should involve HR about his own praying, or the Jesus picture, but encouraging everyone else to pray? Ew. No.)

        1. Derjungerludendorff*

          It certainly signifies that you don’t object to it.
          You could always go with the feigned confusion route if you choose to address this.

          Or go really passive-aggressive and start praying to the Aztec goddess of chocolate and proclaim a daily worship ritual where everyone drinks hot chocolate.
          Well, probably don’t actually do that.

    2. Super*

      I’d internally plan my work Satanist altar and my Cthulhu prayer quips… and in reality let it go.

      If it got really egregious – like that (in my experience) Baptist habit of telling people sweetly that they’re going to hell – then you should go to HR. But it sounds like he’s on the ‘inappropriate and annoying but not harmful’ end.

    3. WellRed*

      I think you could push back on being told to pray on problems. Ideally, kindly telling him in the moment you don’t pray. If he insists, it’s worth bringing up to HR. The rest is also concerning, but may be easier to ignore?

    4. T2*

      I am very religious. I spend my free time teaching Bible study classes. And public preaching is a huge part of that. I am also someone who does not celebrate most holidays. These two facts pretty much identify my faith. A lot of people are benefited by it, a lot of people have different beliefs. I am not authorized to force others to affirm or support my faith.

      However, at work, I am about business. During my lunch break I can be found studying my Bible pretty extensively on my own free time. However, I don’t talk about it at work unless someone specifically asks me a question. I just feel that work is a place for business. If someone asks a question, I will answer quickly if possible, or suggest talking about it after work. If people want to find out about my faith, there is more than enough information around and many means of getting that info, so I don’t need to preach at work. Even in my private life, if you don’t want to hear it, then that is fine, you are not who we are looking for, and I move on.

      At work many people will decorate their space with Christmas decorations or play holiday music, which personally, I would never ever do. However, I do not comment, or participate in such things even though, privately, I find these practices tiresome. But you get used to it.

      It seems to me that atheists are in the same boat and would benefit from reacting in a similar manner that I do. Occasionally, someone will attempt to try to force me to participate in some activity. I respectfully decline to participate. No judgement, no forcing my opinions on anyone else and no need to validate their beliefs.

    5. Observer*

      I hear you. But, do separate out the serenity prayer – it’s not really religious although it undoubtedly started there. Basically it’s just a way of dealing with the reality that we need to be able to accept stupidity of all sorts while not getting to the point of not trying to fix things that ARE fixable.

    6. soon 2be former fed*

      I had a coworker who was an atheist, and I’m not. We had intelligent discussions about it and actually quite enjoyed working with each other. It may have helped that I’m not a bible thumper and he wasn’t militantly atheistic either. Don’t be afraid to reveal who you are, not everyone is a religious bigot, and some of us respect the rights of others to believe, or not, as they choose.

    7. Batgirl*

      YMMV but if your colleague has already broken the unwritten rule on making their beliefs an office centrepiece, that kind of opens the door for you to say whatever you want about your own in a way you might not feel comfortable doing otherwise.
      If you don’t want to name your beliefs why not go with the ‘personal beliefs’ angle? Something like “Well my beliefs are very personal and private so I won’t be discussing them in here! (You can add ‘glad it works for you though’ as a softener) or “Oh I never discuss religion or politics at work” or even *blank stare* “Well, anyway….”
      Sometimes nodding and smiling is the best way to keep people in their box though.

    8. yala*

      “encourages everyone to pray on problems, and spouts the serenity prayer every time someone mentions being annoyed about some policy or decision.”

      Ok, THAT is just not appropriate. Might not be a bad idea to have a word with HR. Not to cause trouble, but just so maybe they can take them aside and be like, “Hey, look, religion is fine, proselytizing at work is not.”

      I’m Catholic, and I find folks who respond to my talking about problems or frustrations with telling me to pray on them (…my mom, mostly. Pentecostal) to be just…rude, at best. It’s really dismissive of someone’s feelings or issues.

  31. blink14*

    OP #5 – It’s dependent on the job of course, but chances are that at least Christmas Day is a company holiday, and potentially Christmas Eve as well. Given that both are during the week this year, potentially you are looking at only having to take 3-4 actual business days off.

    I would suggest scouring their website for PTO and holiday information. Also come up with some contingency plans – would you be ok with taking off 12/23 – 12/25 and returning to work Thu/Friday? Or vice versa, going in to work that Monday, and then having the rest of the week off?

  32. Jan Levinson*

    #2 – Definitely weird/inappropriate content on their part. However, as Alison mentions, phishing email tests are fairly normal. My company sends them out about once a month (and, you’d be astounded at the number of people that fall for them!) Ours usually say something like, “your password to (x) has been compromised – please click here to reset it ASAP.” Recently, we had an email like that where something like 85% of people clicked on the link, and another 47% actually entered their login info! Crazy.

  33. Beth*

    According to the anti-phishing service we used earlier this year, when you’re running phishing tests, you are specifically NOT supposed to tell the staff. Admittedly, this particular service turned out to be laughably terrible and I pulled the plug on them as soon as I’d had a good look at their product.

    1. Quill*

      You don’t tell the staff what or when it’s coming, you tell them they need to sit through the phishing seminar and that they may periodically receive tests.

  34. Jennifer*

    #3 It’s great that you are still friends with people from your former but you seem WAY too invested in the day to day goings on there. This is just gossip. If it’s true, plenty of people there know and are capable of reporting. If someone was being abused, harassed, bullied, discriminated against, etc., then I’d understand but this really isn’t a big deal.

  35. Jennifer*

    LW1 Sigh. Someone merely mentioning that they pray occasionally is not proselytizing. As Alison said, it’s not very different from saying they take comfort in nature or prefer to talk over a problem with a spouse. I take comfort in all three. Take me away!

    1. Crooked Bird*

      Hey, fellow religious person here–you are projecting from other, worse situations to this one. People do sometimes get unreasonable about this, but LW1 did not–nobody called it proselytizing at all unless I missed a comment somewhere. She said she’s not offended, she only wishes she could talk about her view of the world as casually as they do (but it’s harder to have an occasion to mention that you *don’t* pray, which is simply natural and no-one’s fault.)

      I get frustrated too sometimes, especially when things others have done & I never have are taken out on me by category, but let’s be clear about who’s actually doing or not doing that. And let’s be forgiving even when they are.

      1. Jennifer*

        There are a few comments here comparing it to proselytizing, but either way, I take your point. Thanks for the reminder.

    2. epi*

      It doesn’t have to be proselytizing to make people uncomfortable, and many people have said that it does. People do not need to satisfy you personally with their reasons, in order to have an expectation that others won’t knowingly make them uncomfortable at work.

      1. Czhorat*

        If someone saying “I’m praying on it” makes you uncomfortable, then the problem is more with you than with them.

        1. Victorian Cowgirl*

          Why’s that? Many people are uncomfortable talking about religion at work, it isn’t someone’s “problem”, it’s a common desire to keep religion out of the workplace.

          1. Jennifer*

            It’s not really a discussion. They are just mentioning in passing that they pray occasionally. The same as someone else may say they go out in nature or talk to their spouse to de-stress, as Alison mentioned.

          2. Erykah Badu*

            It’s already been discussed in other comments, but IMO it’s because that particular statement isn’t directed at a person; it’s an expression of their own beliefs. Obviously religion is a sensitive topic, but how is this different than any other personal detail shared by a coworker?

            I appreciate folks wanting to keep religion out of the workplace but people are human. If they’re just expressing who they are/what they believe, why can’t it just be ignored/acknowledged and move on? Admittedly, I come from workplaces where this thing wouldn’t be weird and folks just generally feel comfortable expressing various parts of their personal lives.

            1. Phoenix*

              One test is if someone whose beliefs and practices are at odds with the majority would feel just as comfortable casually mentioning their beliefs and practices in an equivalent manner. Would a wiccan or a religious Jew feel just as comfortable in your environment? In many (as in OP’s case), the answer is no.

              Another thing to consider is whether one group’s cultural dominance has been used historically to harm minority groups. Christianity is not a value-neutral topic to a lot of minority groups who have been significantly pressured to convert, conform, or be silent. Re-enacting that same pressure in the workplace is unkind.

                1. Phoenix*

                  This has been discussed elsewhere in the thread – the context makes it clear that the coworker is Christian.

                  If you must read the letter and my comment as devoid of context, treat my specific mention of various religions that occupy different power roles in general US culture as merely examples.

                2. Czhorat*

                  “I’ll pray on it and let god decide” is a very much Christian way of approaching it. I don’t know of another religion in which one would talk or even think that way.

              1. Czhorat*

                That is the best counterargument, and a very much fair one.

                Personally, I’d feel the same were the co-worker to say they would read the tea-leaves, consult the stars, meditate, whatever.

                I do get how it could be a microaggression in some contexts; I still prefer that people be allowed to express their beliefs, but this is a solid reason to the contrary.

                1. Phoenix*

                  I’m in no way advocating that people not be allowed to express their beliefs; I’m suggesting that, as part of being a good person, people should be aware of how they experience cultural privilege as it relates to their religion, and be aware of the impact their expressions might have on religious minorities. There’s a stricter sense of duty in the workplace, since religion is a protected category and workplaces have a legal duty to avoid discrimination against protected classes, which means that I consider such awareness and sensitivity to be part of correct professional behavior, as well as part of being a good person in any context.

  36. RussianInTexas*

    Hahahahahaha my old boss fell for 3 test e-mails in a row, got a stern talking to afterwards. The dead celebrity is the weird part, normally they are “eBay” or “Paypal”.
    My boyfriend works for the cyber-security department in his company and he designs these e-mails.

  37. Annie Porter*

    OP#1, thanks for asking this tricky question. As a (pretty staunch) nonbeliever I never know what to say when people start spewing religious stuff at me. As usual, Alison’s response is courteous and thoughtful without having to acquiesce that you agree with the person.

  38. RussianInTexas*

    I am an atheist. As long as religious stuff is not directed AT me, I don’t care. Someone tells me Merry Christmas? Thanks. “I will pray to have a solution!” Ok, whatever works for you. “I will pray for you” – thanks, but that’s unnecessary.
    I don’t ever have to talk about my non-belief at work, it’s an absence of a thing so there’s no reason to talk about a thing I don’t have.

  39. ellex42*

    -Coworkers telling me about their sex life? Check.

    -Coworkers telling me about their medical issues? Check.

    -Coworkers telling me about their religion/attempting to proselytize at me? Check.

    -Coworkers telling me far too many unasked for details about their gender transition (and its attendant medical information), about their romantic travails, about problems with their children/spouse/other relatives, about their money problems/car problems/house problems, et cetera, ad nauseam? Check.

    Being that person who somehow becomes everyone’s confidant, despite my making concerted efforts to shut that down, is a misery.

  40. Lucy Preston*

    OP#1. As someone who tries to live by their faith, I can say from a personal standpoint that if I say something that is faith related, it’s based on my relationship with God and not an attempt to convert you. In short, Alison’s suggestion of “I hope it works out for you.” is the best answer.

    Unfortunately there are those who try to convert everyone. Even as a Christian I have found street corner preacher type tactics more hurtful than helpful.

    And for those who think faith doesn’t belong in the workplace, I believe that unwanted preaching doesn’t necessarily belong there. However, we can’t just turn off who we are because we enter an office building. Most places wouldn’t think of asking a woman to remove her hijab or an orthodox Jew to remove his yarmulke. So whether your beliefs are rooted in culture or faith, although there are certain workplace norms to follow, we don’t necessarily put on our superhero tights and cape and become a completely different person from 9-5.

    1. Seacalliope*

      Unwanted preaching NEVER belongs in the workplace. There is no reason to put “necessarily” in to hedge.

    2. Czhorat*

      I’m a non-believer, but even I find the atheist movement exhausting. There’s no reason, IMHO, to reply in any particular way to a mention of faith, of having prayed on something, of offering thanks to one’s god. Treat it the way you’d treat any other cultural characteristic that you don’t share.

      It’s only a big deal or a source of conflict if someone makes it one; “I’ll pray on it” isn’t an attempt to proselytize, it’s not denying anyone rights based on religious practice, it’s not creating a hostile work environment of any kind. It’s just how they express their faith and how they use it in their life.

      Live and let live.

        1. pancakes*

          In some parts of the country it isn’t. I’m in NYC, originally from Connecticut, and I could count the number of times I’ve heard someone bring up their religion at work on one hand.

    3. Erykah Badu*

      +1. I’m actually surprised by some of these comments here that seem to indicate that any religious talk in the workplace is inappropriate.

      I’m a Christian and have worked mainly on the East Coast (no experience in the South / Bible Belt). Perhaps I’m used to working in smaller companies where talking about our personal lives is more normal but it was nothing for a coworker to talk about how they were observing Yom Kippur or going to a church event that weekend. I know there are plenty of people who use those moments to try to convert their coworkers but some folks just want to be who they are at work.

      I think this is about knowing your coworkers at a certain level and also finding a nice way to divert the conversation.

      1. Czhorat*

        Yeah, I’m a firm believer in your coworkers’ existence as people.

        They have families.
        They have hobbies.
        They have political leanings.
        They have religious faith.

        Many people in my industry (not just in my company) could tell you something about me in all of the above categories. Why? Because I’m an actual human being, as are they. We work better together when we acknowledge and understand that.

      2. Amethystmoon*

        The problem with this though is that there is still a lot of unofficial discrimination in the US against Atheists, Agnostics, Pagans, and such. In many places in the US, non-believers may be denied promotions or even not be hired if they are known to be such. Yes, technically employers aren’t supposed to do that, and would give a different reason for denying said promotion or job if asked officially, but just because something is illegal doesn’t mean it never happens. So while my Christian co-workers may feel perfectly comfortable talking about their religious activities, I have to remain silent. Life isn’t always fair.

    4. Victorian Cowgirl*

      There are many, many groups of people who DO have to turn off who they are in the workplace in a direct response to the threat caused by major religious beliefs against Homosexuality, worshipping under other non-Abrahamic religions and many other beliefs and practices.

      So yes, it’s ok for Christians to be asked to pare down the religious talk in the workplace and help to keep the interactions neutral and safe.

      Millions do it to stay safe from Christians every day.

      1. soon 2be former fed*

        In all fairness, there are Christians in non-US nations who are persecuted because of their faith, and it is dangerous to reveal that they are Christians. I’m talking real, life-threatening persecution, not the phony “you disagreed with me and won’t let me freely hate” persecution that US fundagelicals like to claim.

    5. Blue Horizon*

      I think there are a range of appropriate reactions between “Oh, religion, I’ll stay out of it” and “that’s not appropriate in the workplace.” For example, people in areas where Christianity is a large factor will often use it as framing for normal work conversations. In that context, an appropriate response to the OP might be: “good for you, but remember that God’s not going to come down and write that report for you.”

  41. nofunfortrish*

    My company mandated an anti-phishing security training. The e-mail they sent out about it (unintentionally) looked like a phishing attempt, and employees immediately flagged it. Then we all got an annoyed sounding e-mail from corporate saying the e-mail that looked like a phish was legitimate. The company they contracted for the training sounds totally fake, it’s called something like “Totally Real Security Training Company,” no joke.

  42. TooTiredToThink*

    Well this is a first for me – I’ve never seen the acronym IG before. I tried googling it, but am having issues (At first I thought it meant Instagram, but that didn’t seem to fit the narrative). The only thing I can find that makes sense is Inspector General but I’ve never heard of a business having that. Help?

  43. Meredith*

    I wonder if the celebrity in #2 was Joaquin Phoenix. A friend of mine heard on the radio that he had died last week. If that’s the case and LW2 is based in NY/Long Island, perhaps someone fell for the email…

  44. Not Me*

    “Especially since we are a media company, so a fake story like this could end up being reported as actual news?”

    While I would generally agree it’s in poor taste, it sounds like the goal was to be provocative to get people’s attention since it’s something that would clearly get your attention.

  45. T2*

    Training and follow up may not be visible to you. The testing might be informal. It might be to get a statistical sense of the Operational Security of your company. It may be to catch an idiot. It may be an attack by an unethical IT person. The very simple fact that you know your company does testing means that you have a heightened sense of awareness than most.

    I am sorry you were offended, but I do not take into account anyone’s sensibilities and preferences in my testing or work, even my own. That is the hard truth. Why? Because the Bad guys won’t hesitate to do it.

  46. Observer*

    #2 – Your company should definitely conduct training. But companies regularly test with these kinds of emails, and they do NOT tell people in advance. The idea being that they want to see what your response looks like on a random workday, not just in the week or two after training.

    As a media company, I can see IT actually specifically targeting emails that could lead to “a fake story like this could end up being reported as actual news” Because this happens! And it’s a very real risk to any media organization that depends on its reputation. When doing “pen testing” (penetration testing) good security folks don’t just look at the risk of getting hit with malware, although that’s HUGE. It’s also looking to see what other vulnerabilities are out there.

    So, while the email was in poor taste, the essential idea here makes a lot of sense and is actually in accordance with security best practices (assuming they had measures in place to make sure that the story didn’t actually get published.)

  47. Lyra Silvertongue*

    OP #2, speaking as someone who does a lot of fact-checking work, if you do genuinely worry your media company would run a fake story on the strength of a single phishing email, your fact-checking process is inadequate and you seriously need to address that. Not even the clickbait content mill type news sites that I worked for would let us report on a story without at least two corroborating sources. Nobody working in media should be falling for that kind of thing!

    Personally I don’t see it as a big deal to use an example of a celebrity dying. That’s exactly the kind of stuff that people click on and exactly the kind of thing that real phishing emails use as a hook. As a media company it’s also exactly the kind of thing you’re being sent regularly and therefore need to be able to distinguish from genuine emails.

    1. OP #2*

      I can only speak for my own division, which has a lot of fact-checking and corroboration, but the company is really huge and I have no idea what other divisions’ processes are like. If I were making the decision, though, I wouldn’t think it was worth the risk of, say, someone with a verified Twitter account seeing the push notification on the email and tweeting it.

      1. Lyra Silvertongue*

        Honestly I think it’s more than worth the risk, you’re not going to find cyber security testers who are going to willingly give you obvious softballs. Again, if there’s a risk that someone would immediately fall for this, that’s not something that is on your cybersecurity people, that’s on the media employees. If people are just Tweeting out anything that comes from anyone, without so much as Googling it first, that’s a problem, phishing aside. What if they get a real phishing email with the same kind of schtick?

  48. Tammy*

    OP #2, while I agree that the “[celebrity] has died” email is in bad taste, it’s definitely a good thing that your company is doing this kind of test. It’s amazing how un-aware people are about IT security. At CurrentCompany we do regular security audits and “penetration tests” (hiring a ‘good hacker’ to try to compromise your systems) because part of our business is credit card-adjacent. One year, the pen tester managed to gain admin-level access to the network by leaving random thumb drives full of malware laying around the parking lot. People would pick them up and plug them in to try to find out who they belonged to (“Someone must have dropped this – let me see if I can figure out who so I can return it”), and that was all it took.

    We’ve spent a LOT of effort training our teams, and the last penetration test I was involved with ended early because the tester couldn’t break in. But it takes constant education, vigilance, and building of habits to stay ahead of the hackers anymore. We had a whole big training thing about spotting spam/phishing emails, and we were told the testing was coming. IT Security has even given Starbucks gift cards and the like to people who responded correctly in security tests. (When my daughter was younger and lived with me, our IT Security guy used to like it when she’d visit the office – he’d send her wandering around campus without a visitor badge and see if she could talk people into letting her in anyway instead of taking her to reception to get a badge.)

    It sounds like that communication and education piece is what your company is missing.

  49. nnn*

    For #1: A subtle communication strategy in cases where you don’t want to actively agree but also don’t want the friction that might come with outright expressing disagreement is to simply say “Mmm.”

    Delivery: Suppose you’re nodding agreement and say “Mmm Hmmm”, also to express agreement. Now take away the nodding, and take away the first syllable of the “Mmm Hmmm”.

    You’re left with a sound of acknowledgement that serves as “Acknowledged, continue” without being brusque or hinting at disapproval.

    1. T2*

      People say Merry Christmas to me all the time. I do not celebrate. I simply respond “Thank you” and move on. Perhaps that approach is good enough for atheists?

  50. Gaia*

    I have been so well trained to be skeptical that I’ve reported more than one completely legitimate email as possibly being a phishing email. I trust nothing.

  51. Perpal*

    LW2 – it’s not just a phishing check, it’s a check of your verification processes prior to publication! :P

  52. Wintermute*

    #2– “as you train, so you fight”, I work in IT and this was actually a really well-executed phishing check. Yes, it was sensational, that’s the point. “Spear Phishing” is a thing, where an attacker uses some publicly-available information– or even information stolen by compromising a co-worker’s email!– to make their attack more likely to succeed and increase the value of the information they may get access to. Just like you can’t train people about harassment without mentioning some uncomfortable topics, if your simulations are toothless then you’re not really testing anyone, you’re seeing if they can catch low-hanging fruit.

  53. soon 2be former fed*

    Re #2: I lean too far in the other direction. I’m so suspicious that I have sometimes deleted or at least questioned valid emails because they looked funny to me. I just delete them, and definitely no clicking on links, that’s an old trick!

    1. The Man, Becky Lynch*

      Yeah, I got someone who was salty that I rejected an invoice because it was via link. No, I don’t know you, I have had vendors and clients hacked before and sent out malicious stuff on their accounts. Take your link idea and stuff it!

    2. Another worker bee*

      My old company did this and a coworker who was a lot smarter than me said “Phishing is crazy so I don’t take any chances, any email that goes to my {work email} gets deleted right away!”

  54. TXAdmin*

    OP#2- my company sent out a phishing email in October that claimed to be from HEB (a local grocery chain) saying my large, well-known company was partnering with them to give every employee a free pumpkin. My company offers lots of employee benefits and has been known to partner up to offer employees things so when I hovered over a link and it looked suspicious I was pissed. Don’t drag my grocery store that I respect and taunt me with a free pumpkin. I get the purpose of phishing emails but it really annoyed me.

    1. OP #2*

      Other people at my company who got a phishing test on the same day got one that said employees could get a special deal on three years of Disney+. People were annoyed about that too because they really liked the idea of getting a deal on Disney+, but not nearly as upset as about the fake death email.

    2. Turtle Candle*

      So, the problem is that phishing emails work by making people feel a strong emotion–desire, fear, or shock, usually. You get something free, or a bonus, or a massive discount, or exclusive tickets to that thing you love–click here and don’t miss out! Or, you’re about to be arrested, or deported, or lose your house, or get in trouble with the IRS–unless you click here right now and do what we say! Or, here is a piece of genuinely shocking political, or entertainment, or international, or business news–click here for the details! They do it that way because they want to engender a strong enough reaction that people react without thinking.

      The problem is that that means that it is basically impossible to construct a phishing test that is accurate enough to the real world to be useful without potentially raising strong emotions. You just can’t. I don’t think I would have done ‘celebrity death,’ but anything that is representative of a real phishing attack is likely to upset someone, and there’s just… no getting around that. If none of your phishing test emails cause feelings of fear, shock, or raised expectations followed by disappointment, there’s not much point doing it. (And not doing it is… bad.)

  55. Anon Here*

    #2 – It would be fine to point out that fake death emails are a problem because someone could be a friend or relative of the person in question. We like to think of celebrities as existing in bubbles, but they’re just people with family and acquaintances like the rest of us. I’m sure they could come up with a different kind of click bait.

    1. Uldi*

      Not using a specific topic defeats the purpose of these tests. The phishers don’t have a line they won’t cross, so the tests need to reflect that. Saying, “No, these kinds of emails are going too far,” creates a hole in your defenses just waiting for someone to exploit.

  56. above_us_only_sky*

    Regarding religion in the office, this is a real hot button for me. I’m an atheist and I’m surrounded by coworkers who won’t shut up about god this and jesus that. It’s extremely annoying. And before you believers get your panties in wads, how would you like it if every third sentence out of my mouth was how grateful I was to be a nonbeliever? “Ya know, Jane, you should be thanking your son’s doctor, not some imaginary dude in the sky.” How welcome would that be to you?

    Not long ago one of our executives’ mothers died. One of my colleagues got a condolence card for all of us to sign. She handed it to me inside a folder that I set on a table to open. I was greeted with a faceful of god and jesus and faith and “it was her time” about ten times on two panels, signed over and over, ridiculously, with the catchphrase used most commonly to communicate social tone-deafness: “Thoughts and prayers!” “Thoughts and prayers!” I was truly taken aback and I know my face showed it. I stammered “Um…wow! That’s a LOT of religion!” and spent a few seconds wondering what to say. I eventually handed it back to her and said “I’m sorry. I’m going to pass,” and she stared at me with her mouth open.

    Religion at work?!? Really?!? Believers, please leave it at the door when you get to the office.

    1. Arts Akimbo*

      As a fellow atheist, I do think we owe our fellow humans phrases of comfort in hard times. It can cause a real brain freeze, though, especially when trying to find words appropriate for an officewide sympathy card. This is why I love that anyone can fall back on long-established conventional phrases and no one will think anything about it. My go-to nonreligious card-writing phrases in these situations are “My deepest condolences to you and your family,” “My deepest sympathy to you and your loved ones,” “My heart goes out to you and your family in this difficult time,” or some variation thereof.

    2. Jennifer Juniper*

      I share your sentiments on religion in the workplace. However, not signing the card could be seen as rude and uncaring and disrespectful.

  57. Emma*

    I work for a FAANG company and here phishing tests are considered boring. The IT security team knows that folks will fall for them, even super smart folks who know better. No amount of education seems to change that. So instead they focus on limiting the impact when folks do fall for them. So they are standard practice in industry, and not a particularly good use of anyone’s time.

    But my employer also doesn’t require us to change our passwords every few months, doesn’t require special characters in our passwords, doesn’t block anything on the internet while on the work network, etc. They’ve done the math and realized that while there’s some benefit to those practices they also cause people to do things, like writing down their passwords, that reduce security overall. Instead they focus on other things that don’t require employee compliance to work.

    Yay pragmatism.

  58. Diana*

    I am perplexed by the idea that phishing tests should be in good taste. One of the most widespread phishing scams of the past ten years was a claim that Brad Pitt committed suicide after announcing his divorce from Angelina. It was successful because people click that stuff. It would be irresponsible for an IT team NOT to send realistic phishing tests.

  59. Us, too*

    My “Day Job” involves security and integrity initiatives and I have coordinated tests like this. When I’m doing so, I create a rewards system that provides an incentive to create an email that gets the most conversion, subject to SOME limitations. e.g. I wouldn’t allow child pornography because that’s illegal. But everything else is pretty much acceptable. The trick is that the email has to get through our company defenses AND convert. And, truly, celebrity news (especially deaths and weight loss) are hugely converting – they get BIG clicks. (Along with sexually suggestive things). This is, truly, completely normal. And it’s expected for any company that uses email and cares about its security.

  60. Dinopigeon*

    My employer designs terrible phishing tests… They always look exactly like our corporate branding (in ways that would be difficult to duplicate unless you’re a current or recent employee, who is familiar with our internal mailings), and the link they want to tempt us into clicking leads to an internal company site. So nothing about it looks suspicious. And then they lecture us for “falling for it”…

    It’s a great way to get people to ignore all corporate messages, but not excellent for its intended purpose.

    1. Jennifer Juniper*

      It’s also an excellent way to create anxiety, panic, and paranoia about e-mail. “Should I click this or not? If I do, I might get in trouble for failing the phishing test. If I don’t, I might miss important information and get in trouble for that, too.”

  61. Not My Real Name*

    Re: religion in the workplace

    I am not from around here. “Here” being Mike Pence’s district when he was in Congress. When I moved to Indiana I was not prepared for the religiosity, and I suppose it’s not like the deep South, but it does creep into the workplace…. and doctor’s waiting rooms! (Bibles & religious magazines)

    I only say something if the other person goes on and on waiting for me to join in. Offers to pray for me or my family are well-intentioned, so I say “thank you.” If they keep it up (God’s will, when the door closes another one opens, etc.) I will say “I’m not a believer but I appreciate the sentiment.” Inevitably they will say, well that’s okay. We’ll pray for you doubly then. *sigh*

    The other thing I’ve dealt with is Godspam from someone who forwards it to everyone in her contacts list. She kept doing it after I asked her to stop, so one time I hit “reply all” and sent a quotation from a famous non-believer author. I hated to do it, but it did work.

    1. Filosofickle*

      I went away to college in Indiana. Coming from the Southwest, I was wholly unprepared for the religiosity (and sooo many other things). There’s a Bible Belt there that most people don’t know about.

      1. Arts Akimbo*

        For real! There’s a whole swath of Indiana, Ohio, and Pennsylvania which is religious enough to freak out this kid from the Deep South Bible Belt!

  62. Deb Morgan*

    OP 1: Story time! At my last job, one of my coworkers said that she was praying for something (can’t remember what), and I said, “Oh okay.” Then she asked if I believed in God, to which I replied, “Nope” because I can’t make things easy on myself. And she said, “God is real, you know!” To which I replied, “Okay” because I really wasn’t trying to argue with her, I’m just a non-believer. Then she walked away and we never discussed it again. I have no idea if that conversation changed her perception of me, but it didn’t affect our working relationship from what I could tell.
    My advice would be to smile and nod. If they make it weird, just let it be weird.

  63. Meepmeep*

    As much as I was ready to sympathize with OP1 about the religion in the office issue, I find I can’t. The coworker is not being religious AT them. They’re just being religious. They’re not trying to convert anyone, they’re not being hostile to anyone, they’re just expressing their own religious beliefs.

    My parents (who are Jewish) live in the South and run a small business; a lot of their clients are like this. The clients are not hostile or antisemitic, and they’ve never tried proselytizing at my parents. They’re just religious. Their whole worldview is permeated with religion. They can’t turn it off.

    My parents just smile and nod at all the religious comments, and then laugh at them in private. This is not a battle worth fighting.

  64. Jennifer Juniper*

    #2: I can also see some companies sending phishing e-mails as a way to catch slacking employees. A diligent employee would delete any e-mail that isn’t work-related. Anyone who clicks on the e-mail has just outed themselves as a slacker and may be subject to discipline. Of course, I’m assuming most companies install keystroke monitors and devices that allow the managers to monitor their employees’ online viewing at all times.

  65. Jennifer Juniper*

    #5: I would cancel plans with family or visit them outside of work hours only. You’re in a new job and have zero political capital to burn at this point. You’re there to impress the company and your bosses with your loyalty and hard work. Any plans for vacation at this point could come off as extremely selfish, perhaps even disloyal.

  66. Topazzcat*

    Our company labels all emails from outside the company in red and highlighted in yellow at the top of each email. Corporate sends emails out at least once a month telling us to watch for phishing emails. You basically get 4 chances starting with a talk from your manager and retraining. It could lead to termination if it happens a 4th time. I receive a lot of emails from outside the company and if I don’t know what is in an attachment, I reply and say company policy doesn’t allow me to open attachments. 100% of the people who see this call me or tell me the information without the attachment. This has really made me think hard before opening any email.
