an overly Photoshopped job candidate, do I have to put dates on my resume, and more

It’s five answers to five questions. Here we go…

1. Company’s phishing test made my coworker think she was being fired

I have a question about my company’s IT practices. We’re in education and we have a lot of employees who don’t use technology too often, so they’re not the most sophisticated at spotting phishing. I guess because of this, IT likes to send out fake phishing emails to us as a sort of pop quiz on spotting them, and if you fall for it, you’re sent to training. Annoying, but normal, as I understand it (I do have some qualms about the efficacy of this sort of practice, but that’s neither here nor there). But a week ago, IT apparently sent out one of these emails to a coworker. Normal, except the phishing email they dreamed up was a calendar invite for an exit interview.

Obviously, my coworker panicked, thinking she’d lost her job, and called me in hysterics. Luckily, together we figured out it was a phishing email after discussing it a bit, but everyone who heard about this is more than a little shell-shocked. We’re also currently transitioning between remote work and working at the office, so communications aren’t always great — making her fear about getting fired without being told about it more realistic than it would’ve been if we were all in the office. I can’t believe anyone would think this is appropriate at the best of times, much less right now, when the pandemic has people losing their jobs every day!

She’s shy of going to HR or IT to complain, but I’m hoping to get some coworkers together to ensure this doesn’t happen to anyone else again. Can you provide some tips on how we should address this with HR and/or IT in the most productive way possible?

What on earth? Who in their right mind would okay this? Who would even come up with it, other than in a “what’s the worst thing we could do to our employees right now?” kind of way.

I don’t think you need to approach it particularly delicately. Unless you work for deliberate sadists, it’s highly likely that anyone who hears about this is going to understand why it wasn’t okay. Say it this way: “We understand why IT sends out fake phishing emails to assess where training is needed, but sending an email implying someone has lost their job is callous and frankly cruel. There are hundreds of other options IT could have chosen. Can you ensure this doesn’t happen again, and put some oversight in place to prevent whatever allowed it this time?”

2. Do I have to include dates on my resume?

Do I have to include dates in recording my work history on my resume? Is using dates to establish a time line more important than the history itself?

For instance, I have front-line banking experience and administrative experience (not at the EA levels) but I have capacity and am reaching for that. If I apply for an EA position and am listing only my administrative roles, do I need to list dates?

You definitely need to list the years you held each of your jobs. Ideally the months too, but at least the years.

Dates matter. Otherwise the person reading your resume has no idea if you worked at a job for two months or five years, and whether your experience was recent or two decades ago.

Plus, not including dates makes it look like you’re trying to hide something about your work history. It’s a bad idea.

(Although while we’re talking dates, I should note that it’s completely fine to leave your graduation date off your resume. In fact, the majority of resumes don’t include a graduation year anymore, if the person is a decade or so out of college (and generally no one cares exactly what year you graduated, unless you’re freshly out of school). But with work experience, length and recency are highly relevant.)

3. Job candidate’s LinkedIn profile picture is heavily Photoshopped

I’ve been asked to assist with interviewing candidates in a recently opened position on my team. My manager and an HR person are handling the bulk of interviewing. I’ve been asked to step in to be a second pair of eyes for any information in their application relevant to our work and as an informational interviewer to help candidates understand our team’s responsibilities.

Yesterday, my manager passed over the resumes of a few candidates who she intends to interview as they look pretty promising. Out of curiosity, I decided to see if I could find their LinkedIn profiles to see if there was any other relevant info. I was a bit shocked to find that the profile picture of one of the candidates appears to be heavily edited — think an Instagram filter but times 10. Her eyes don’t match the lighting of the photo, her teeth are too white, and her skin has been smoothed so much it looks like plastic — the effect overall is quite jarring.

I don’t know what to make of this. I am sympathetic to the fact that social media has made the desire to look “perfect” even harder to avoid for women, but this is hard to pass off as “natural.” Moreover, it’s on LinkedIn, which I have always figured has slightly different norms than other more “casual” social media platforms. I don’t think my manager has seen this. Should I say anything?

Probably not.

That said, without seeing the photo, it’s hard to know exactly where on the spectrum this falls. If this is just someone who got a little carried away with photo editing and now looks like an airbrushed magazine ad — well, it’s not great and I’d advise her against it, but it’s not something that needs to be a factor in hiring (assuming that she’s not applying for a job where it’s directly relevant, like … photo editor). On the other hand, if it’s altered to the point of being cartoonish and it’s something you’d be afraid for clients to see and this is a job where that matters, let your manager decide if it’s something she wants to weigh. Otherwise, though, I’d leave it alone.

4. How likely is it that this job will come through?

My husband was laid off in April due to COVID, and was informed that his position would not be restored.

He was contacted by a recruiter shortly after being laid off and proceeded to interview for a position at a very large, global company that appears to be thriving during COVID. He was confirmed as THE top candidate in late June and told the company was awaiting Q3 forecasts before making hiring decisions. In mid-July he was informed that the company was “holding” on hiring him until October. They indicated it may be sooner, but likely October. The recruiter indicated the decision was likely informed by headcount.

Given that the company is performing quite well, despite COVID, what is the likelihood that the company will follow through and hire him in October?

There’s no way to know, no matter what they tell you. They could have every intention in the world of following through and hiring him in October, and their forecasts could turn out to be wrong. There’s a reason they have him on hold right now, and it’s because things aren’t going as well as they’d hoped when they started the hiring process … and that could last. Or they’re reorg’ing, or they’re waiting for info they don’t have yet (and can’t count on with certainty), or something else will change between now and then that will push the job back further or cancel it altogether. Or, it’s also possible that they’ll hire him as soon as October rolls around. There’s just no way to know with any certainty.

The best thing he can do is to keep job searching. If this comes through in October, great! But don’t put yourselves in a position where you’re blindsided if it doesn’t.

5. CCing a manager to compliment their employee

A coworker asked me to help make his work with me more visible to his manager. We are in different departments but work together regularly. We talked about me sending him an email thanking him for some recent work he did and CCing his manager, but it feels really awkward. I rarely talk to or email his manager, so there’s no natural opportunity for me to mention how he’s doing a good job. Any suggestions on writing an appreciative email, or other ways I could help show his manager that his work for my department is valued?

If you think he genuinely does good work, it’s a great idea to let his manager know! It doesn’t matter that you rarely talk to her; managers generally are thrilled to get this kind of feedback about their teams, and it won’t seem weird. You could do it as a cc, where you email the coworker an appreciative note and cc the boss, or you could just directly email her to say something like, “I wanted to tell you how much I appreciate Falcon’s work on the X project.” Then give specifics about what he did that was so great — found solutions to tricky problems, persevered around obstacles, produced a better X than you’ve ever seen before, wowed clients, made a difficult project easy, whatever it was. The more specific you can be, the better.

But you want this to be genuine. If you aren’t that impressed with the coworker’s work, it’s not something you should do as a favor (since if, for example, his work is consistently subpar, it will reflect oddly on you to rave about it — unless you can find something that you can truly speak well of).

{ 417 comments… read them below }

  1. Hiya*

    #5 please do this! Of course only if the praise is warranted. I had a similar situation where due to the nature of my job my visibility of what I did was difficult to convey to my boss. I had someone I worked with offer to do this. My boss was so happy to get this feedback. Not awkward at all.

    1. Escapee from Corporate Management*

      I agree. This is a common practice, to the point that most managers will understand immediately why you are doing this.

      1. allathian*

        Yes, this. I must say that my boss is really great about forwarding feedback from our internal clients to us, too. She also keeps a record of any feedback she gets and brings it up in our performance evaluations. I love it. Especially as the feedback is almost without exception positive. On the rare occasion that someone gives constructive feedback, we do our best to ensure whatever happened doesn’t happen again. But as I said, this feedback is overwhelmingly positive.

        1. Hey Karma, Over Here*

          My boss does this, too. It’s really cool because it’s spelled out not just “Karma works well with others” but “Karma received praise for stepping up on the XYZ project in ABC department.”
          This stuff is really important.

    2. Essential Worker*

      I do this all the time, especially with colleagues from other departments or other offices. It’s hard for someone whose responsibilities involve interacting with people outside their own department to show their worth to their boss.

    3. Mel_05*

      Yes! While my boss does check in on the work I’m doing from time to time and can see that it looks good (he used to do this work himself) I really work collaboratively with other people 95% of the time, so it’s their praise that lets my boss know things are going well.

      I previously worked in situations where people didn’t do that much, but at my current job people are super generous with their praise and I’m convinced that it has helped me be seen as someone they don’t want to lose.

    4. Seeking Second Childhood*

      Please make a special point of doing this when you see
      – someone is being overlooked, taken for granted, or undervalued
      – someone is being bullied or slurred
      – someone who has struggled with a task (or person) in the past has finally “gotten it”
      – someone is not the stereotype for their role/task (all the ‘isms’ especially but also things like EAs taking on project management tasks)

      1. Seeking Second Childhood*

        Or a direct email of praise to manager, cc:ing the employee.
        Now that I’m better caffeinated I see from other replies that the question was HOW to praise someone to their manager(s), not WHETHER to do it.

    5. WantonSeedStitch*

      This! As a manager, these kinds of e-mails are the highlight of my day. I absolutely love hearing that my reports have been doing great work to help out colleagues and clients. It’s also helpful for me when review time comes around and I’m trying to list all the great stuff they’ve done throughout the year to meet their goals.

    6. Jean*

      Yes! At a previous job I worked with a salesperson who would always go out of his way to effusively thank me for doing my job well, which was nice and all, but finally one day I said “Maybe let my boss know you think I’m doing a great job, that would be awesome and I would really appreciate it.” His tone immediately changed and all our interactions from then on were weird and awkward, and he never thanked me for anything again. WTF? I just don’t understand some people’s motivations. (Sorry, this topic triggered that yucky memory.) The point is, giving someone’s manager positive feedback on their behalf is always a great thing to do.

    7. Ginger Baker*

      I do this ALL the time and have had a number of folks do this for me (a number of times also they will email my manager directly and either BCC me or forward to me after). Nothing makes me happier than when I am able to write an email to Fiona’s boss saying “Fiona is amazing to work with, she was vital in getting XYZ done. She did A, B, and C, always kept me updated, and really took ownership. I can always trust that projects I work on with her will go smoothly, she is a HUGE asset to the firm.” BEST BEST FEELING, and I know for a fact those things get pulled out come review time.

    8. Saberise*

      The letter came across to me like she really doesn’t want to do it. I know when I really don’t want to do something I come up with all sorts of reasons why it is less than ideal rather than just saying I don’t want to do it. Since it’s the co-worker pushing her to do it may be that while she appreciates the help it is not so above and beyond that it feels natural to send the email which makes it difficult to do.

      1. The New Wanderer*

        It may be that it’s just not something that comes naturally to the OP. I was in this situation a few years ago – one of my colleagues asked me to write to his manager with a review of my experience working with him. I had never actually done that unprompted (sometimes managers here will solicit peer feedback), although I totally understand how useful and meaningful it can be to get/give spontaneous feedback like that.

        It took me a bit to figure out exactly how to phrase things so I felt comfortable with what I was saying. I did really enjoy working with him and thought his work quality and ethic were really high, no issues there. It was more making sure it sounded authentic and not like some random vague endorsement.

    9. CM*

      I’m LW#5. I wrote an email to the person, CCing the boss. To be clear, in my situation I was happy to write the letter and had no reservations. I just overthink how to phrase things and felt weird emailing to say, “Dear Boss, Juan is great,” even though I would have felt comfortable saying so in a hallway conversation. Juan has been at the company much longer than me (but is a peer, not senior to me) and writing a letter of praise felt like something I would do for someone more junior.

      Juan first replied to me, “Thanks, that made my day!” but later told me his boss somewhat misinterpreted what I wrote. I said our tasks have been getting more complicated lately and I greatly appreciate Juan’s help because he has a unique skillset that helps navigate these complications. But the boss had a discussion with him, and later wrote back to me, asking whether there’s a problem and we need to do more to make the tasks less complicated. (I wrote back saying no, there are good reasons they are getting more complicated, and reiterating that Juan is essential to completing them successfully.)

    10. mourning mammoths*

      I once wrote glowing praise about a successful project to some colleagues in another unit, about how their work is raising the bar for how we all should be working with similar projects, etc, and I CCed their reporting line. Soon after, the CEO forwarded my email to the whole company to give his own similar praise and congratulations to this group. We don’t really have a solid feedback culture, so it was a nice surprise that a little bit of praise can go way further than expected.

    11. Lisa H*

      I generally work with customer service reps and send a short simple email to their manager, the regional director and the sales manager. I tell them what a great job this person has done and how great this person is to work with. Short and sweet.
      Most of the time I tell the person what I did or copy them on the email, depending on the situation.
      Recently a person I praised told me that her supervisor brought this up to her in her one on one and was very happy that I had good things to say about her. Managers always like to hear when people are doing a good job. I think this needs to happen more often.

  2. Escapee from Corporate Management*

    OP4, best to follow Alison’s tried-and-true advice: until you have a signed offer letter, you don’t have a job. Keep searching until this one (or another) is confirmed.

    1. ThisColumnMakesMeGratefulForMyBoss*

      This. I had an interview once and they really liked me, but ended up hiring someone else. They contacted me shortly after and said they wanted me for a similar position, they were just waiting on the government contract. And guess what? They didn’t get the contract and I didn’t get the job. Even if the company is genuinely interested in hiring you, things happen and nothing is guaranteed.

      1. Elizabeth West*

        Yep, this exact thing just happened to me. I applied for a direct hire position in the city through a staffing agency, and they hired someone else. But then the recruiter put me in for a four-week temp job in the immediate area. She said that person really liked me (of course they did; I’m way overqualified) but unfortunately, they couldn’t get approval to hire a contract worker. It’s not always about the candidate.

    2. kfhjk*

      Actually,

      I would even go one step beyond this – unless you have reported to your first day of work and your butt is warming a seat, keep searching. During the last recession, I had several friends sign acceptance letters who were later told on or before the first day that due to budgetary reasons, their position has been cancelled. I myself had a job offer pulled the day before I was about to start (which I later found out was because the President pressured HR to give the position to the son of someone who was going to ensure the President’s son got into Yale…). Luckily I was still in the last rounds of a few other positions so I spent only a month unemployed and then moved onto something much better.

      1. That Girl from Quinn's House*

        I would go even a step further than this. Until you have had your first day of work AND you have received your first paycheck, you don’t have a job.

        I had a boss have me fill out a stack of hire paperwork. Come payday, I did not get paid. It was because she did not finish my paperwork and I had spent a month working at a job for which I was not yet hired.

        1. PeanutButter*

          Yep. I entered the workforce in 2007…the trauma from the following years runs deep. I have the mentality that a steady, well paying job can vanish in an instant and my Zoomer coworkers think I’m paranoid.

          1. Tidewater 4-1009*

            You’re not. I had a good job for 8.5 years. My boss loved me. Our professionals loved me. I got Exceeds Expectations on all my reviews. The employer seemed stable and has been around for 100 years.

            My boss was away a lot – I sort of realized he had one foot out the door but since my department was happy with my work I didn’t think that affected my job stability. My boss was talking about putting me in charge of something that would have relieved my boredom and led me to learning and growth.

            My position was eliminated in December by people above my boss. There was nothing he or our managers could do. A few months later, my boss left.
            I’m sure you can imagine the effect on department morale – the year before, they eliminated a different position over my boss’ objections.

            Yes, a steady, well-paying job can vanish in an instant. Or in my case, with a month’s notice.

            In my next job, no matter how well it’s going, I’m going to look at the job boards a few times a year and keep my skills and resume up to date.

  3. Dan*

    #1

    Scammers are getting better and better at getting people to click on stuff they’re not supposed to. Although, my company is prefixing subject lines with an annotation indicating that the email originated outside of the company. If OP’s org isn’t doing that, they should. This way, email subjects that begin with “[EXT] Exit Interview” should be less shocking.

    That said… I was working on a project awhile back where we discovered a significant technical error. I was informed that I had to be the bearer of bad news to Big Boss and that I should send him an email. I announced to the team lead that the subject line of the email was going to be, “Re: I love you” and that way I can claim I informed boss of bad news, and if he didn’t read my email, well what can I say?

    1. it's-a-me*

      *sigh* my company tried the ‘This email is from an external source’ thing, and I’m pretty sure IT fielded about 200 panicked emails in the course of 24 hours because of it, because it lasted precisely 1 day.

      1. Cinnamon*

        My company is doing [EXTERNAL] and then some characters afterwards. It seems to be working in that I don’t click on the majority of emails if I’m not at a desktop computer because I can’t see the subject line and decipher if it’s spam or not. *Sigh*

      2. Keymaster of Gozer*

        We tried it, and got a similar result. Along with a load of complaints about ‘how dare you IT lot interfere with my emails?’. 2000 calls to IT Helpdesk before we convinced the head of IT that we needed to roll this one back. Fun morning.

        1. Jean*

          I feel for IT people right now, with all the phishing and scams happening on one side and the pushback they’re getting from coworkers on the other side. I know it has to be demoralizing. My company has had major problems with malicious emails and I know IT is doing their best to fix it, but sometimes there’s just no easy solution.

      3. Mimmy*

        Just curious why the “external” thing caused so much panic? My employer (state government agency) just instituted this. For us, it consists of a “banner” plus the [EXTERNAL] tag. Although emails from other state departments get the external tag, I don’t see this as a bad thing.

        1. a clockwork lemon*

          My company does this and it was originally a big red banner right at the top of every email from any external sender–and they didn’t tell us we were doing it. So, suddenly, all of us have a scary banner alert on emails from literally everyone, including our payroll and benefits administrators and regular vendors. It was actually pretty alarming to see on legitimate, pretty important emails (since those types of emails are often spoofed by actual phishing attempts).

          They changed the banner and the wording to be less obtrusive, but it was definitely a Big Deal when they rolled it out.

    2. Admiral Thrawn Is Still Blue*

      Something similar happened to me. IT sent a fake email from HR about virus related pay changes. I went into panic mode, as I’m already too low paid, and kept clicking the non existent link. I called the real HR and they calmed me down but honestly, this line is too cruel right now.

      I’m not tech sophisticated but I am really good at not falling for these tests. But this one hit too deep.

      1. Hey Karma, Over Here*

        My IT dept did a similar thing. It resulted in HR having to send pre-emails to staff stating something like “you will be receiving an email from HR regarding benefits changes. It will be titled XXX. You need to read it and click the link.”

      2. Wintermute*

        The problem is we’re seeing a HUGE uptick in activity from advanced threat actors doing just this. The consequences are just too high not to train people for realistic threats. You can’t throw softballs in practice and then expect employees to handle the real world where one of the biggest tactics spearphishers use is business email compromise and targeted emails designed to make you panic and do what they want.

        This is an existential threat for businesses, especially with new GDPR extortion tactics being used which have the potential to bankrupt businesses rather easily.

        1. boo bot*

          Yeah – the panicked reaction is exactly what the scammers are going for: it makes people skip over the natural skepticism they would usually have.

          That said, maybe you can’t just throw softballs, but you also don’t train people to play sports by whipping balls at them without warning. Phishing tests are probably helpful, but they should be preceded and followed by training (or at least general information) about how spearphishing works and the kinds of tactics that are evolving.

          I’m not saying companies need to deliver detailed info about all possible schemes (which isn’t possible or efficient): it’s enough to say things like, “if an email makes you panic or otherwise feel a sudden sense of urgency, take a deep breath and question whether it might be fake.”

          1. Wintermute*

            I’ve never worked any place that didn’t do that training every year PLUS regular (at least quarterly) reminder e-mails and news items on the intranet news page about the “report phishing” button as well as whenever it was timely (a big hack in the news, a new cyberthreat trend, etc).

            But at some point you have to have them step up to the plate, you can’t just sit in the locker room going over tape all day. Pen testing is needed, and phishing simulation is part of that.

            1. boo bot*

              That kind of training sounds awesome. I definitely agree that simulations are necessary, including the more alarming ones along the lines the OP’s coworker received.

              I appreciate your comment, because I think I needed the context you just provided. From the original post and some other comments, it sounded like a lot of companies were throwing the phishing tests at people without any training at all, and then calling it a day; to me that seems likely to make people paranoid without the knowledge to direct their paranoia productively, and to prevent people from sharing information about what they’ve learned, because they’re embarrassed about how they learned it.

              If it’s part of a full security training program, I’m all for it :)

            2. doreen*

              I get training every year on cybersecurity – but what has never been mentioned is anything like “if an email makes you panic or otherwise feel a sudden sense of urgency, take a deep breath and question whether it might be fake.”

              1. boo bot*

                I’m not a cybersecurity expert, but it’s in my personal arsenal! Hope it is helpful to others :)

                A while ago, I got mail from what looked like a state tax agency on official-looking letterhead, threatening to freeze my bank accounts or something if I didn’t respond immediately. The panic instinct kicked in, and I did the deep breath thing, then noticed that the letter was postmarked from California, a state I have never lived in, which was weird enough for me to google around and discover that it was a scam.

                I think the fact that it was snail mail saved me, because there was nothing for me to click on in the moment of panic! But it did make me realize that if an unexpected communication sets off that kind of emotional response in me, it’s probably designed to do exactly that.

              2. Wintermute*

                Really? Well all training varies but that’s something ours CONSTANTLY hammers home. They straight up tell you, if you get alarming news call your boss, call HR, call IT, don’t use the phone number in the email signature, call from the internal directory or a business card.

                They also directly call out that they’ll say things like a high-level VP is trapped in an international airport and needs a corporate credit card number ASAP, or that you’ve been accused of harassment and need to click a link to fill out a response to the complaint.

                They also go over what business is never done by email, and that includes hiring, promotions, firing, HR complaints, etc. You will never hear about these first through an email.

                It’s very good training and more companies should emulate it. But even at my last job they talked about “emotion to override logic” being a common social engineering tactic, and to be wary of someone creating time or emotional pressure.

          2. Smithy*

            My organization has been doing this kind of phishing simulating for about two years? Including the regular mandatory training – and the reality is that every one I’ve received that’s either gotten me or almost gotten me has hit my panic buttons to some degree.

            Yes I was job hunting on my work computer during company time – that must be what this email is about – aggggg!!!!!

            I haven’t gotten tripped up in a while, and honestly – it’s because I’ve gotten used to seeing these. And while I have worked at places that made heavy handed surveillance comments about watching staff using their computers to check private email – my current workplace doesn’t.

            Being mindful that these tests are looking to push people on those points that trigger a panicked response – I think a better move from companies would be to announce how, why and when information is shared over email.

          3. JA Jen*

            I got an email about an audit the other day – seemed strange as I did know the person it was coming from, but the person I was to reply to was a foreign sounding name outside of the company oh and it had a typo on the date (Monday, August 19 – but that is a Wednesday type thing). So I just sent an email to “Jeremy” and asked if it was legit. The panic stopped because I checked with the right person. But a payroll change is WAY different and easier to ask HR about than thinking they set an exit interview and forgot to tell you that you were fired.

          4. Rusty Shackelford*

            That said, maybe you can’t just throw softballs, but you also don’t train people to play sports by whipping balls at them without warning.

            If you can dodge a wrench, you can dodge a ball!

        2. Wintergreen*

          The more panic inducing an email tries to be, the more skeptical I become. The more benign looking the more likely I would be to click on a link.
          A changes to pay email would have me running/phoning my manager.
          An email about “FYI 2020 Holiday Schedule” might get me to click the link.
          Am I in the minority then?

          (Although I do work in a very small company so there are two email addresses that the pay email would need to come from for me to panic.)

          1. Jg291*

            I failed my company’s phishing test when I opened an e-card on Valentine’s Day. Everything more malignant I caught. So I too am susceptible when it’s minor!

      3. all the time*

        Please keep in mind that IT doesn’t always sit around thinking of this stuff – most use services that send the emails to the employees. The one we use lets us choose general types of emails and I haven’t seen anything that would make the employee think they were being let go – but it could happen. All of our employees know these emails exist and come in and have been trained – and still they click and have to get further training. The service we use is also topical to what is going on in the world so emails are targeted. All this to say let your employees know what is going on – but these emails are necessary in my business – we cannot afford ransomware or other crap – especially now.

    3. InfoSec SemiPro*

      Security needs to make clicking links safe, not freak people out over normal behavior on the internet.

      Links are not going away. People have to click links to do their jobs most of the time. This is an industry problem and terrifying the people we’re serving is not a great solution.

      I’m so sorry OP#1. Yank your IT back, that was cruel and not helpful.

      1. Works in IT*

        This…. does not make sense.

        The point of internal phishing emails is to get people used to the idea that phishing emails exist, that yes, they include shocking statements, and to get them used to getting scared by things like this so that the terror isn’t thought destroying if they do get a real phishing email, because they’ve already been trained to not panic. Marking all external emails is one very good way to make it clear that hey, this is a phishing email.

        The notion of “making links safe to click” is… odd. There’s always going to be someone who comes up with a way to get a link around web blocking software. Training users is much more effective.

        Was presenting this as an exit interview extreme? Yes…. but what if she had clicked on a real phishing email and exposed the business’s entire network to ransomware?

        1. Super Anon For This One*

          This. We had a “major customer threatening to pull business” incident from one (1) of our employees clicking a bad link.

          That finally convinced the business that we (IT) could not make it so that “links were safe to click” – you are always always behind the 8 ball on security, there’s no way not to be – and that we needed to train our employees.

          We train annually and phish test quarterly, and those that fail are made to take remedial training. The only problem with the OP’s scenario is that the subject was inappropriate for the business. Not that the testing is occurring.

          1. Works in IT*

            One might also argue that the subject was appropriate for the business, if it resulted in the employee clicking on it. It’s truly unfortunate, but… at the same time, the fact that this phishing email caused the employee to panic and click on the link thinking they were going to be fired…. is revealing information that indicates that hey, in this time of uncertainty, IT should probably take a moment to reassure people that hey, real emails from HR are not flagged as external emails, be aware that hackers can and will send fake exit interview emails, and that in this time of crisis people might panic more easily over something like that so if you get an email like this stop and take a few deep breaths before you do anything else… etc etc educational information.

        2. L.H. Puttgrass*

          Exactly. Phishing attacks are high on the list of reasons that organizations issue uncomfortable press releases about all the data they just lost. While it may be possible to lock things down hard enough to make “clicking links safe,” I guarantee that those measures would be far more annoying to users than training them is.

        3. KayDeeAye*

          I am not in IT, but I know for a fact that people definitely need to be trained to ALWAYS think before clicking on a link, and I know because *I* needed to be trained, and so do virtually all of my coworkers. Nasty people are out there and they are very good at coming up with very compelling and highly realistic messages, which is why even after everybody is trained, you have to keep drilling them because otherwise, they’ll get sloppy.

          I think it was inappropriate to use an “exit interview” as bait, though – that’s just kind of mean. I get what they were after, but it’s possible to teach people the lesson to think before clicking without scaring them to death.

          My company’s IT folks came up with a test that involved the roll-out of Microsoft 365 – which was pretty clever and sneaky because we actually are all gradually converting to Microsoft 365. So that was a good one. It’s possible to be plausible and compelling without making someone think they’ve lost their job.

          1. LunaLena*

            I agree with most of your post, except your point that some topics should be off-limits. Scammers aren’t nice. It’s kinda part of the job description. They don’t care if they make you have a panic attack so bad that you have a heart attack and end up with thousands in hospital bills. They don’t care if they made you cry. They don’t care if you have mental health issues and the email set them off. They don’t care if they made you think your child has been kidnapped by terrorists. All they care about is making you click that link. They’re not going to say “oh, it isn’t fair if I make them think they lost their job, so I shouldn’t use that as the email subject. I’ll do something else.”

            I get it, it’s cruel and mean to make someone think they lost their job. But real scammers actually do this, or worse. I read about one where scammers saw that someone was visiting a foreign country on Facebook, then contacted their grandmother telling her her grandchild was in jail in a foreign country, so she had to send money for bail immediately. And if scammers aren’t going to be considerate of your feelings, then, if IT wants to simulate the real danger of what these people do, they can’t either. It reminds me a little of how, where I live, when bears are caught raiding people’s garages or garbage cans multiple times, the wildlife authorities traumatize the bear by surrounding it with angry barking dogs before releasing it back into the wild. It’s cruel and I absolutely hate to see how scared the bears are, but the bottom line is, it saves bear lives. Very few bears that were released this way come back to cause problems, which means fewer bears being put down for endangering people (I have Opinions about this too but I will keep them to myself).

          2. EventPlannerGal*

            ITA with your first paragraph – I have recently had a bad experience where a family member was nearly taken in by this kind of social engineering and nearly ended up losing a lot of money. These people are ruthless and will do anything to send you into that panic reaction.

            I also feel like all the people here saying that this sort of email would have them make huge financial decisions like cancelling house sales, divesting stocks, cancelling holidays etc are sort of proving why this type of scam is so effective. Making any kind of major financial decision in a panic on the back of a single strange email is *exactly the problem*. IMO this was not a great way for this company to go about it and it should be backed up by a wider programme of cybersecurity training, but it’s sort of worrying to me that so many people are unconcernedly saying that that would be their reaction.

            1. KayDeeAye*

              I agree that that is VERY odd. I mean, I can see panicking briefly, but surely you’d do some investigation before making major life changes? You’d at least talk to your immediate supervisor, right? Right?

              I guess there are workplaces where your first intimation that you’ve lost your job might be an Outlook invitation to an exit interview, but…surely they aren’t common? In fact, surely they are very, very rare? Surely it’s more common that the invitation would be the result of an error (unless it was a spammer or phishing test, of course)?

              While I am convinced of the validity and usefulness of phishing tests – I’ve learned a lot from the ones my company has conducted – I am still a little leery of anything this upsetting. Yes, of course spammers have no such compunctions. I’ve received the “Loved one in legal trouble foreign country” email myself – it wasn’t very convincing, but I’m sure some scammers are more convincing than others – and we had a phishing test that referenced COVID cases here in the building. But I do think it’s possible to teach “Think before you click on a link” without wholly terrifying people. I could be wrong, of course. I would be interested in seeing some data. Do people only learn when they’re pushed to the brink, or is it possible to learn without going to these extremes?

              1. LunaLena*

                I dunno, some people are just really really easy to trick into doing something in a panic. My mom is one of them. I remember once, years ago, my mom got a phone call and then told me to grab my stuff because we had to leave the house RIGHT NOW. She was so freaked out I grabbed my bag and stuffed my cat in her carrier without question, and followed her out. When we were out on the doorstep, while she was frantically locking the door, she told me that the call was the sheriff’s office, warning us that a meteor was about to hit the area, and we were to evacuate to the nearest school/emergency shelter. I stopped then and said “Mom, the nearest school is the one right down the street (it was literally within view of our front door). If a meteor hit us, we wouldn’t be any safer there than we would be here. I think someone pranked you.” She kept saying “but what if” and “who would do that” so I had to point out that there were zero other people evacuating in order to convince her to go back inside and call the sheriff’s office for confirmation before she accepted that it was just a hoax.

                “I guess there are workplaces where your first intimation that you’ve lost your job might be an Outlook invitation to an exit interview, but…surely they aren’t common?” Yeah, my guess is they would be rare, but you’re banking on everyone having the knowledge and experience to know that this isn’t common or normal. Remember, scammers aren’t trying to trick *everyone*. They know not everyone will fall for it (this is actually why scam emails are often full of typos – it’s not that the scammers are stupid, it’s a way of filtering out people who are observant enough to not fall for a scam, so the scammers won’t waste time on them), they’re just throwing everything at the wall to see what will stick. If they can get through to someone who is too inexperienced to know any better, or that one person like my mom who is prone to panicking, or the insecure person who is scared they’re about to be fired already, or the person who works at a place so dysfunctional that the first intimation of being fired might conceivably be an Outlook appointment… then that’s all they need.

                I doubt going to an extreme is the only way to teach, but there are lots of people who really don’t learn until they get a short sharp shock themselves. I mean, look at how many people still refuse to take COVID seriously until they or someone they know gets sick. And as long as the scammers are using these tactics, I don’t think it’s necessarily out of bounds to err on the side of “forewarned is forearmed.”

        4. TechWorker*

          We had security training for which the correct answer to ‘when is a link in an email safe?’ was ‘never’.

          Yes, I get that I shouldn’t click on dodgy stuff, the sender’s mail could be compromised, etc. But I get sent links to documents to review, training to go to, smart sheets to fill in all day every day and your training is ‘never click’? Seriously? People do need to be able to do their jobs.

          1. Works in IT*

            Yeah, that’s bad training. The correct answer is when you were expecting it and it makes sense for you. Definitely not while terrified because of something that was said within the email that contains the link.

      2. Anonymous At a University*

        What happened to OP1’s friend was terrible, but the solution is not, “Therefore allow all links and never warn users about any of them.” My university has marked non-university e-mails “External,” and we’re legally required not to click links that students send us from personal e-mail accounts, or that are sent by people who are claiming to be friends or family of students. (I’m just as glad to have a reason to refuse to click links that students try to send me to 747373 document-sharing services that half the time turned out to be password-protected or read-only anyway, instead of submitting assignments through the plagiarism-checking assignment submission system the way they’re required to). We also get the occasional phishing training e-mail. The problem was this particular e-mail being cruel and OTT, not the whole system.

      3. Observer*

        Security needs to make clicking links safe, not freak people out over normal behavior on the internet.

        This is not possible. Full stop. We spend a lot on our filters, but stuff gets through. Just because something is “normal” doesn’t mean that it’s ok. Clicking on links is normal but it’s a terrible practice because it’s too risky and there is no way to make it safe.

        1. Phony Genius*

          The closest thing to doing this that is possible is to disable all links and attachments from incoming e-mails. But that would include all legitimate ones, too.

          1. all the time*

            We use a service that basically does this – it already scanned the email, but then rewrites the url to again go through their system first – evaluating the link – if it appears to be a good link the user doesn’t notice and goes on. However, sometimes it will stop and ask the user if they think the link is safe? The user can answer yes or no – if yes and it was safe it praises the user and moves them on – if not it does not allow the user to proceed and tells them what the problem was. This is good, but it has not caught 2 bad URLs that we did receive – thus us still doing constant education to our users about link clicking.

          1. Observer*

            I’m not suggesting that people stop sharing things via email. I’m suggesting that we train people to recognize false emails and not accept blindly clicking on every link that comes their way as “normal”.

      4. A.N. O'Nyme*

        Even if they could make clicking links safe, scammers would just resort to other methods like dropping a USB in the parking lot and counting on a helpful employee thinking it belongs to a coworker and quickly plugging it in to see who it belongs to. Whoops, now you’ve got ransomware on that computer (or whatever that USB contains).
        In any security system, humans are the weakest link. Just look at Frank Abagnale or some of the stunts Richard Feynman pulled.

    4. juliebulie*

      We’ve had the “External email” warning for about a year now, and it’s a mixed blessing. Because of the way the company does business, a lot of legit emails for all employees come through with the “External” warning and then there’s an avalanche of questions on our Yammer asking whether this one or that one is legit. Some of those legit emails are really important (from Adobe, Microsoft, benefits administrators, etc.) and people ignore them, assuming that they’re fake. I mean we get too much email as it is, and even a lot of the internal email is frivolous, so

      I’m not saying the External Email warning is a bad idea. I just think there’s a LOT of room for improvement.

    5. Mama Bear*

      I think they need to know how upsetting it was because that was just unnecessary. Many companies have started doing the “EXTERNAL” label, which does help. I think providing feedback is a good idea.

  4. Formerly Ella Vader*

    #3 – What if the candidate posts a digitally-altered photo because she has scars or blemishes? Don’t say anything about it. Looking the candidates up on LinkedIn is beyond the scope of your remit.

    1. allathian*

      In my location, the advice is for job seekers to include a link to their LinkedIn profile. Something I learned yesterday is that here it’s actually illegal for employers to do a search of job applicants on social media, or at the very least, it’s illegal for them to take what they learn into consideration in hiring. It goes without saying that it’s also illegal for employers to request passwords to platforms like Facebook.

      1. Ask a Manager* Post author

        To make sure it’s clear to readers, in the U.S. it’s not illegal to google applicants, look at their social media, or take what’s there into consideration in hiring. (I’m assuming you’re not in the U.S., but it’s not necessarily clear to readers from the comment!)

        1. MK*

          I seriously doubt there is any jurisdiction where looking up publicly available information is illegal.

          1. AvonLady Barksdale*

            Not to mention… it’s LinkedIn. I fully expect potential employers to look me up on LinkedIn and I would be surprised if they didn’t.

            I also expect to be Googled and I expect to be searched for on Facebook. I keep the latter private but I’m not offended or bothered by the search itself.

          2. Jennifer Thneed*

            But it may be illegal to take that info into consideration in hiring. In the same way, there are interview questions that are perfectly legal in the US, but it’s illegal to take those answers into consideration, and that is why good companies don’t ask those questions — just to stay well away from dangerous territory.

        2. allathian*

          Thanks for the heads up, Alison. I’m in Northern Europe, where the laws are much more geared towards protecting people’s privacy, even online, than in the US. But you’re right, I should have clarified.

      2. surprisedcanuk*

        Are you sure that’s true? How could that be enforced? How would someone know if they looked at their social media? Maybe the requesting passwords part. Can you provide a link or citation?

      3. MK*

        Unless you are a lawyer, I think you must be misunderstanding the law, or more likely a court judgment. I see variations of this all the time: a case becomes known where someone did X under specific circumstances, and along with many other factors, they got into trouble, but this is spread as “X is illegal”. I can believe that an employer got into trouble because they investigated candidates and discriminated illegally, even that lawyers advise not to do that to be on the safe side, but it’s unlikely to be illegal in itself.

      4. Slothy Coffee*

        I don’t want to derail, but I’m interested in this because it seems odd to me: are there employers who ask for people’s social media passwords?
        I’d like to think it’s so far over the line that no employer would consider it, but after years of reading this site I’ve learnt that employers are prepared to do all manner of strange things.

        1. Mel_05*

          This was definitely a thing at some company a few years back. Other companies were insisting that private profiles be revealed to them, which also seemed absurd to me.

          I haven’t heard about it happening lately though.

          1. Quill*

            Because everyone got up in arms about the profiles and the potential problems of, for example, companies learning that your maternal aunt is a breast cancer survivor, pregnancy announcements, general “hey remember when we were in college, got smashed on bad tequila, and did swear-karaoke?”

      5. Allonge*

        That sounds weird. We do have a rule that says we cannot take into consideration things that are not in the application, but that is to avoid situations like “I play golf with them and so I am fairly sure this person speaks language X, but must have forgotten to list it in the form”. Checking if the person exists on LinkedIn is not illegal here.

      6. Anna Banana*

        Where is the “here” you speak of? It’s hard to put your info in context without knowing the country you’re in.

        1. allathian*

          I’m in Finland. It was a surprise to me, too, and I literally read about it yesterday. It was on our public broadcaster’s website and the person who said it was a recruiter/HR consultant. You are allowed and expected to open links provided by the applicant, but not to google their name. If you do, and find something iffy, you aren’t supposed to use it against the employee. It’s similar to how you’re not allowed to ask about a candidate’s plans for starting a family. Or rather, you can ask, but you can’t use the answer as a reason not to hire, and it’s very, very difficult to prove that you didn’t do it if an unsuccessful candidate claims that as the reason. So most prudent employers don’t ask.

          But we’re anal about privacy here, it’s technically illegal for a parent to open a letter that is addressed to their child who is living in the same household without the child’s permission, provided the kid is mature enough to withhold that permission (they must at the very least be able to read). This is somewhat in conflict with a parent’s primary duty to nurture and protect their child, so I expect it’s pretty much a dead letter of the law. I don’t think any parent’s ever been prosecuted, never mind convicted, of reading their minor child’s mail.

          1. MK*

            It’s possible that Finland has some unusually strict law about this, but it’s much more likely the recruiter is wrong about this. Most HR professionals tend to have a “practical” understanding of labor laws.

            1. That Girl from Quinn's House*

              I expect the source where this information is coming from is incorrect. I was a proficient reader when I was five, I still needed my mom handling my mail and affairs even if I could read them.

              1. TechWorker*

                Allathian didn’t say ‘5 year olds must respond to letters’ (I imagine most 5 year olds receive next to zero mail), they said ‘it’s technically illegal to open a child’s mail without their permission’. I couldn’t find a source quickly for that on google but it… really doesn’t seem implausible? There are certainly plenty of kids who from the age of say 12/13 would want the right to open mail addressed to them, and it becomes illegal in all countries at some point.

                (I don’t know much about the law in Finland but can 100% believe it’s very different to the law in the US, so maybe don’t jump to assume your norm applies :p)

                1. tamarack and fireweed*

                  I can’t speak for Finland, but Germany takes the postal secret (privacy of mail) extremely seriously, and the principle is that no one is allowed to open and read mail addressed to someone else without permission, not even within a family. The question of minor children is frequently discussed on children’s rights, parenting and legal advice columns. There are exceptions in case the parent/guardian has reason to be concerned the child may be harmed through the mail (ie, for legal guardians the duty of care overrides the privacy if necessary).

                  By the way, this is also to a lesser degree in the UN Convention on the Rights of the Child, which the US has signed but not ratified. Many many countries, however, are bound by it. So it’s the US that’s an outlier on privacy of communication here.

            2. doreen*

              Also, there’s a big difference between saying you shouldn’t google someone’s name and specifically saying you shouldn’t look them up on LinkedIn. There’s probably a lot of information you might find out by googling a name that wouldn’t be on LinkedIn.

      7. Seeking Second Childhood*

        I suspect someone got mixed up with what would be illegal: looking up candidates online to find out race/gender/age/etc and then weeding them in an illegal way.

    2. cody*

      “Looking the candidates up on LinkedIn is beyond the scope of your remit.”

      Are you saying that hiring managers shouldn’t look up candidates on LinkedIn? Is that not the purpose of LinkedIn?

      1. Brooks Brothers Stan*

        I think they might be trying to say that as a second set of eyes during the interview process that looking people up on LinkedIn is beyond their remit.

      2. Formerly Ella Vader*

        The hiring manager and the HR probably have some experience in the hiring process, and some familiarity with what’s appropriate and what can get them into awkward territory in terms of bias in hiring.

        The “second set of eyes” is doing something they weren’t asked to do, and doesn’t seem to have experience in the customs of hiring.

        1. sunny-dee*

          Looking at LinkedIn is a perfectly normal custom of hiring. They’re not stalking them on facebook with a fake account. They looked at a public, professional site for additional information.

    3. HR Parks Here*

      This makes me cringe. I am not photogenic, constantly worried about age discrimination (gen xer female (seems more prevalent for age discrimination to start earlier with females than males)) I wonder how many interviews I have been passed up for due to my linkedin photo. It is only slightly edited. Can we just not make photos part of the process unless it’s relevant to the job. I will go back to agonizing over whether or not my photo on LinkedIn is the reason for my now going on almost 8 months failing job search while I remain dying here at present toxic employer.

      1. Khatul Madame*

        No photo on LinkedIn is better than an overly doctored picture or one with too much skin, for any gender. This goes to judgment and will influence my opinion of the candidate, especially if the position is mid- to senior.
        No photo is also better than a bad picture taken by phone and just slapped on the profile (honestly, what are people thinking? Can’t they see that their face looks green or light purple on the pic?), but that one will not influence my decision, as I am not in visual arts.
        I have lately seen created images used as the LinkedIn profile picture, like a cartoon face or a company logo for a business owner. This is not a bad idea for someone who does not want to put their photo out there.

        1. HR Parks Here*

          Too much skin…just no. you would never find me on linked in looking like that. I am surprised often at job titles of people who do have Instagram photos on LinkedIn.

      2. juliebulie*

        Remove your photo from your LinkedIn profile. Then photos will not be part of the process.

      3. Anna*

        If you worry about this, perhaps you can use a picture taken from further away in which you are doing something professional? Giving a presentation for example, or looking at something related to your field? Picture of you, professional picture even, but not showing your face close enough to judge your age or looks from.

      4. Lizzo*

        IMHO after 10+ years of experience creating headshots for folks, the goal of a headshot is to:

        1) accurately represent the best version of you;
        2) portray you as likeable and trustworthy. Maybe a couple of other positive attributes, too, but those are the big two.

        To point #1, the person who is in the photo should match the person who shows up in my office for an interview. If there is a big disconnect between the photo and the real person, I would wonder what they are trying to hide.

        To point #2, a good photographer will draw these two things out of you during your session. Also, please throw away this idea that you are not photogenic. :-) Every single client who has said that to me over the years was not telling the truth–they just hadn’t worked with a good photographer yet.

        1. Anony-Mouse*

          Oh gosh, can you please take all the headshots or teach other photographers how to? I think the super awkward, unphotogenic headshots are way way worse than no photos at all. I wonder what companies are thinking when they insist on posting unflattering headshots of their entire team. And usually the team members turn out to look nothing like their awkward photos anyways!

          1. Lizzo*

            Happy to! :-D

            (Seriously though…I’m back to work doing socially distant headshots…happy to work with anyone in need.)

            More on topic: I used to be surprised by how many photographers who work with people have ZERO people skills. Those skills are just as important as knowing how to use the camera. I’ve heard plenty of horror stories to no longer be surprised by this fact.

      5. Arvolin*

        Male boomer here, and the best career move I’ve made this century is dyeing my hair. The effect on my interview/offer ratio was amazing.

    4. Annony*

      Looking up candidates on LinkedIn is normal. That is part of why people have LinkedIn. It is essentially a job marketing tool. It is very different than looking someone up on facebook.

    5. Lucette Kensack*

      Looking up candidates on LinkedIn is 100% normal.

      But I agree — unless the photo is literally cartoonish (like, she made her eyes unnaturally large a la Disney characters, or made her skin hot pink or something), don’t mention it. What is it that you would want to convey? This candidate isn’t good at using Photoshop? She doesn’t realize how obvious the editing of her photo is? Is that actually something important that the hiring manager needs to know?

      I know you can come up with reasons it could be relevant — it doesn’t show good professional judgment, etc. — but I suspect that if you take a moment to reflect on it you’ll realize that it isn’t important.

    6. Clara B.*

      Hey everyone, LW#4 here. Thanks for all your thoughts, these are all good points to consider. At the end of the day, I personally don’t feel that the picture alone is worth hesitating on the candidate but I agree with Alison that it’s ultimately up to my manager. I don’t plan to mention the photo at this time.

    7. Lizzo*

      But there’s a difference between altering a photo to minimize a scar or blemish that the viewer might fixate on, and altering it so that it is a false representation of who you actually are. It sounds like this candidate’s photo is the latter.

  5. Elenna*

    LW #1: WTF?? Who thought that was a good idea???? Sending lots of sympathy for your poor coworker.

    1. A.N. O'Nyme*

      Considering the point of these tests is to see if you’ll click things you shouldn’t I kind of get the idea, but they could have gone with a normal calendar invite. That fake exit interview was designed to make coworker panic, but at this point in time it just feels needlessly cruel.
      On the other hand, it could have been a real phishing attempt, because scammers are hardly known for their good taste.

      1. Threeve*

        The slight potential boost to email security is never going to outweigh the guaranteed hit to morale for doing something like this.

        1. A.N. O'Nyme*

          I wonder about IT’s morale in all this. They fail to properly train people, they get blamed for cyber attacks succeeding. They try to see what people are weak to, they get called assholes.
          Also, keep in mind that once someone gets in, who knows what data they can make off with. If Peter from Payroll falls for this kind of stuff, that might mean the financial information of every employee is now up for grabs.

        2. ...*

          I mean, yeah it can be. Email security is pretty important especially if you work with sensitive information or high value products. It’s actually important to protect your company from things like ransomware attacks. If it got out that a company compromised their client info, who would want to continue shopping there? They could go out of business. It actually is important!

          1. RSD*

            As someone who works in healthcare, yeah, email security is extremely important. I understand why the person who was the target in this case was upset, but I also genuinely don’t know how IT is supposed to train people not to fall for this stuff if they can’t use the same tactics that real phishers use– and real phishers absolutely will play on people’s emotions, in this way and even worse ones, in order to get access to secure information.

            1. tamarack and fireweed*

              The answer surely cannot be to just behave like an asshole. At the very minimum a company should:

              * Give it intense, senior management level thought before agreeing to take an action that is genuinely distressing to employees.
              * Announce it, repeatedly, and explain the rationale in training, to set the expectation that such emails may happen.
              * Select the topic carefully, for example, don’t go with a dismissal announcement in times of a pandemic. Make it at least somewhat remote (e.g. a large traffic accident? a severe weather warning?) or if it needs to be personal it’s better to trigger someone’s joy followed by disappointment than bring on a panic attack followed by “just kidding!”.
              * Foster an excellent communication practice so that employees can expect that bad news is never ever announced casually.

              1. RSD*

                Oh, yeah, I absolutely agree that there should be training regarding that these are exactly the types of topics that phishers use so that it’s not a total blind-siding moment, but I also don’t know that we can say there WASN’T, in this case. At my company, IT does send out weekly “scam alert” emails talking about the types of phishing scams that are big and highlighting that these are exactly the kinds of things to be on the lookout for, aaaand everyone deletes those emails without ever reading them.

                I also don’t think using joy instead of panic is a good alternative– “you won the lottery!!!” is too easy to spot as a scam, and “you’re up for a promotion!!!” has just as much potential to cause upset feelings as this version.

    2. Phishers Suck*

      The problem is that calendar invites are a major threat vector right now. And something like “exit interview” is exactly the type of thing phishers would do.

      I mean, I get why folks are upset and that it’s cruel. But I also understand why the testing companies do horrible stuff like this.

      #emailsecurityishardyo

      1. Allonge*

        Serious question: what is the correct response here? Not opening the invite at all, opening but not accepting (deleting), or what? I know I am not supposed to open attachments, click on links etc but all that comes after I actually see the email.

        Presumably it’s not like Exit interview (but if you click on this link and give us your password, we reconsider firing you).

          1. snowglobe*

            Our company has a dedicated internal email address to which we can forward suspected phishing emails. If it turns out to be legitimate, they will let us know.

            I’ve sent a couple of legitimate emails in. There are a few people in our organization that send out very vague emails that sound like phish: “the July 30 past due report can be found at the link below.” People, if you are sending a legitimate internal email, don’t make it sound sketchy.

            1. KarenK*

              We’ve got the same thing. The first time I got the newly designed “It’s time to change your password email,” I forwarded it because it looked like spam!

              1. Clisby*

                About 10 years ago I got an email from one kid’s school with the subject line: “YOU WON’T BELIEVE THIS!”

                Sent it straight to the trash bin, and found out a week or so later I had actually missed a reasonably important email. I sent a message to the office telling them what happened and asking them please not to send out messages with spammy-type subject lines.

                1. Arvolin*

                  Several years ago, I received a work email about a social event in my company. Reasonably generic content, check. Link going to somewhere I don’t know, check. I marked it as phishing. I hope someone learned a lesson.

          2. KayDeeAye*

            We have a dedicated email account that we’re supposed to send suspicious emails to. They are very quick to respond, so it really isn’t a major inconvenience to just send something to the phishing folks and ask “Is this legit?” If it’s a phishing test, they’ll respond almost immediately, but even if it’s not, they’ve always gotten back to me in less than 30 minutes.

            1. KayDeeAye*

              Ooh, and I didn’t know that calendar invites were trending high in phishing circles. That’s very interesting.

              1. Quill*

                Got one the other week but NO ONE sends me calendar invites other than the six people I actually work with so I was like…. hmmm, must be a phishing test.

              2. So they all rolled over and one fell out*

                The problem with / reason for the spammy and phishy calendar invites is that a lot of email/calendar platforms automatically put them on your calendar before you even accept them. This is intended as a convenience, in case you miss the invite email in your deluge of email. But now scammers are exploiting that behavior.

          3. PTACR*

            This.

            When I get stuff I’m not sure of, I forward to IT or ask the sender in a separate communication (not by replying to the message).

        1. Lynn Whitehat*

          Open but not accept. (Probably you would have to open it to know if it’s real.) Contact “sender” some other way and ask if it is real. Send to IT.

          A decent phishing test will have “tells” that something is wrong. Otherwise you’re not testing people, you’re just screwing with them.

        2. Mockingjay*

          Don’t touch it. Don’t open it; don’t forward it (that could still spread malware). Call IT; they will take it from there.

        3. Phishers Suck*

          It kinda depends on your setup and I’m really not familiar with this area. About the extent of my knowledge is knowing there are multiple industry groups trying to address the calendar problem. For a while spammers were sending meeting invites that got auto added to calendars and then would pop up spam at the time of the ‘meeting’.

          Most of the major security breaches have been the result of phishing, including over a decade ago when RSA got their master keys stolen. Email security is better, so the attack vector is evolving and calendar invites are part of that evolution.

        4. Sneaky Ninja for this one*

          We have a button in Outlook that says Report Phish. And then a popup that says something like “do you really want to report this as a phish” and then it goes to IT.

          1. Quinalla*

            Yes, if you have this, use it. If not, call/email IT about it and ask them if you should delete, forward to IT, or what. Before we had this button, we were to forward suspicious stuff to IT.

        5. Natalie*

          This is really the kind of question you should ask your organization’s IT department, presuming it wasn’t already part of a suspicious emails training.

        6. fhgwhgads*

          It depends on your employer. Mine has a service for the fake phishing emails. It’s not our actual IT staff deciding on and sending out the fake emails. It’s whatever the service serves up. There’s an (IT-sanctioned and installed by them) plugin to our email for identifying this type of email. So you highlight the email, and then click the button for the plugin. If it were a test email, you get a pop-up saying good job that was fake. If it’s not a fake one sent as a test, it’s quarantined and IT checks on it. If it’s not a fake and you do click on any links in it, you get a pop-up saying something to the effect of “this was a test; you’re now enrolled in additional training on how to avoid phishing scams”.

          But I’d hope if an employer had that sort of thing, the staff should know it’s in place and what the process is. If not, it might be something more manual like opening a ticket with IT and literally asking “hey is this real?”

        7. tamarack and fireweed*

          I forward ours to the IT department with a note saying “Phishing email, or one of your attempts to trip us up I guess.”

      2. Malarkey01*

        Just a funny note- our company also does phishing tests and did them with a calendar update. It was for “cake reception in the lobby at 3”…almost 100% of us (out of 10,000) fell for it. I want to say we were not as upset as exit interview LW when found to be false but it was up there.

      3. Not A Girl Boss*

        Yes. I got a REAL phishing email with the subject “Not A Girl Boss’s PIP” that was meant to look like my boss accidentally emailed me when he meant to email someone else about my performance.

        …real scammers are mean jerks.

        But that doesn’t really mean that companies should be testing people in similarly mean ways. Since your ability to spot the tells is the same regardless of how compelling the subject line happens to be.

        1. Oh No She Di'int*

          your ability to spot the tells is the same regardless of how compelling the subject line happens to be

          Is it though? I’m not arguing a side because I’m not a professional in this arena and don’t have the depth of knowledge. But it seems to me that people do have a harder time spotting the tells in an emotionally charged scenario. OP’s letter even seems to support that notion. Is it possible that the test was precisely designed to get people used to being critical about emails even when the situation seems upsetting? In which case, it has to actually be upsetting, not just a simulation of upsetting. Honestly asking because I just don’t know enough.

          1. tamarack and fireweed*

            I still think “Cake reception at 3” followed by disappointment is A LOT BETTER than “you’re being fired” followed by reassurance.

      4. SomebodyElse*

        This was my thought too. It came up in my company because we had “Positive Covid at location” or something like that phishing test in April.

        I got an earful from an upset employee (which I understood), but at the same time it’s exactly what a phishing email would say to panic an employee into opening and clicking on links.

      5. I'm A Little Teapot*

        Real question: I get the risk of clicking on a link that sends you to bad place. But what can happen if you accept a bad calendar invite?

  6. RAB*

    One thing that my workplace gets right is that our internal directory site has an option to leave people comments of thanks/praise, which not only go on their profile but their manager is CC’d on the generated email notification. So you get to address the person you’re thanking without feeling weird about talking to their manager you might not know, but you know their manager will get a copy as well for sure.

  7. Observer*

    #1
    Alison, If the OP takes the line you suggest, it’s quite probable that IT will blow them off – and win. Because this is exactly the kind of phishing email scammers use. They try to make employees think they’ve been fired without anyone having told them. They try to make immigrants (legal or not) think that ICE is about to break come arrest them. They make people think that their loved ones are in mortal danger (ie kidnapped and being held for ransom by people who don’t have a lot of patience.) etc.

    OP, you say ” do have some qualms about the efficacy of this sort of practice, but that’s neither here nor there”. The thing is that actually your only really strong argument is the lack of efficacy. Because if this kind of thing DOES work – this actually is the way to do it. The idea is to teach people not to click on things just because they’ve been shocked silly.

    It’s like the issue of active shooter drills. The PRIMARY argument against simulations where people have not been warned is that they actually don’t work. Of course there are some other strong arguments against this, but it’s theoretically possible to plan things to avoid the other potential problems. But you simply cannot get away from the fact that they don’t work.

    Your strongest line of defense here is simply “It’s cruel and stupid to put people through this when there is no real chance that it’s going to teach them anything.”

    1. Dr Rat*

      Yeah, the one my company IT came up with that got the most people to click on it was one about their time sheet not being submitted so they weren’t going to be paid the next day. It made people panic and click without thinking – just like an actual phishing email. It freaked people out – but ultimately they DID learn something about thinking twice before clicking. While it was absolutely cruel, it was also extremely effective.
      If this person complains, or even several people complain, I doubt that it will do any good whatsoever. The IT department will probably say that if people clicked on it, they are doing their jobs.
      If you think HR is not there to be your friend, then you have to recognize that IT is really, really not there to be your friend. IT is there to keep the systems running and to keep employees from falling for phishing scams, clicking on clickbait, downloading viruses, infecting the system with ransomware, etc. Also, in every company I have ever worked for, IT has at least 10 times the clout of HR except in egregious situations. Honestly, I don’t think this is a battle you can win.

      1. MassMatt*

        “ The IT department will probably say that if people clicked on it, they are doing their jobs.”

        Then it’s a terrible IT department. Their job should be protecting data and making sure systems are working, not getting coworkers to click on sketchy email links.

        Sending out emails suggesting someone is being fired or laid off is idiotic and cruel, in this environment especially. If it were my company I would fire the person or persons responsible immediately.

        1. AJH*

          As can be seen from all the techbros applauding the strategy in these comments, a fair number of IT people in a range of companies seem to regard “idiotic and cruel” as an important part of the job description. I’m honestly shocked.

          1. Colette*

            The biggest threat to IT security, by far, is people. People click on links that allow malicious software to run; people give out information to be helpful; people leave phones and laptops at restaurants.

            I understand why the recipient of the email was alarmed. But she’d also be alarmed if her identity was stolen or she lost her job because the company went under due to ransomware – which are both possible outcomes of trusting the wrong email.

            1. AJH*

              I’m not talking about alarmed; I’m talking about shocked silly. A state of mind in which, for example, if she’d driven home immediately after it was received she’d probably have been as unsafe behind the wheel as if she’d downed a quarter of a bottle of neat whisky. I think choosing to make a point, however important, in that particular way was both unnecessarily cruel and was likely to have a lot of unforeseen effects on both the people immediately affected and more remotely.

              1. Anonymous at a University*

                I mean, I agree that the e-mail was horrible, but you can make an argument against it without saying, “They would be responsible for nearly MURDERING her if she tried to drive home,” which makes the co-worker sound so fragile that her balance could be overset by anything, not just an e-mail like this.

                1. Anonymous at a University*

                  I mean, to follow up on this, could the company not ever tell this person she was fired without endangering her? Could someone not give her bad news about a family member, or a doctor bad news about her health, because that would be “giving her a quarter of a bottle of neat whisky?” The argument against this e-mail needs to be that it could affect more than one person negatively and it was ineffective, not that “It’s so horrible for this one person.”

                2. AJH*

                  Normal organisations prepare people for bad news. And, when they’ve delivered it, they do actually take care to make sure that the person is looked after. The point of this email was that it was delivered out of the blue, with no preparation whatsoever, in order to shock the recipient(s) into panicked reaction. That’s what a lot of people seem to be underplaying.

                3. Anonymous at a University*

                  Replying here since the nesting has run out: The thing is, we don’t know for sure that the IT department hadn’t set up a training program for phishing e-mails. And how many letters have we seen here where someone said, “They/I had no clue their/my job was in danger”? Again, should they never fire this person because she might not have seen it coming?

                  I realize this is getting a bit semantic, but when you start saying it isn’t just a bad idea but would make someone an accessory to a fatal car accident, then yeah, you start to sound ineffective.

                4. AJH*

                  We don’t know for sure that the IT department hadn’t set up training for phishing, but the OP didn’t say that they had, and the rule is that we go on what the OP says and don’t add extra facts. And the whole question about whether scheduling an exit interview in someone’s diary would be irresponsible if she were being fired is completely irrelevant because this employee in fact wasn’t. The question here is, how far is it legitimate to lie to an employee about an upsetting matter in an intentionally upsetting way?

                5. Anonymous at a University*

                  Okay, but my whole point is that if you go in saying, “You can’t tell her like this because YOU COULD HAVE KILLED HER,” you are in fact not going to get the results you want. You’re going to be dismissed as OTT at best, hysterical over nothing at worst.

                  You need to make the point that it’s ineffective and would affect other people, not that this one person’s reaction (which, if it actually affected her as much as drunk driving would, is frankly disproportionate) is enough reason to ever, ever, ever send an e-mail like that again. And I think you can definitely make the argument that it’s inefficient and would affect morale without getting into weird analogies. My point in bringing up firing is that if you say any unexpected, alarming news would affect her like drunk driving would, then they’re going to be focused on the employee’s reaction as a weakness, not on the need to change what they’re doing.

                6. EventPlannerGal*

                  @ AJH

                  “The question here is, how far is it legitimate to lie to an employee about an upsetting matter in an intentionally upsetting way?”

                  Yes, and that’s a very fair question, but you are the one obscuring that question by bringing in completely fictional and OTT scenarios (or as you might put it, adding extra facts) about how what if this employee reacts to shock so badly that she can’t drive safely. It’s really disingenuous to start off by implying that the IT department might be responsible for making this woman get into a car crash or something, and then turn around and say that oh I’m just asking how far it’s okay to go.

                7. Observer*

                  @AJH, you say that “The point of this email was that it was delivered out of the blue, with no preparation whatsoever, in order to shock the recipient(s) into panicked reaction.” Except that we have no idea if that’s the case. Nothing the OP says leads that way. Of course we also don’t know that they did do any preparation, so I’m not going to argue that. But you can’t have it both ways.

                  Also, the purpose of the email was almost certainly not to “shock the recipient into panicked reaction”. Based on what the OP describes the purpose is to figure out who needs remedial training.

              2. Rattled*

                I agree. My heart rate goes up just thinking about it happening to me.

                I can imagine a lot of very serious things I might have done in a panic, immediately after getting an email like that. Call my real estate agent and tell them to withdraw the offer I made on the house. Cancel the plane tickets I bought for the family to go home for the holidays. You don’t know who is hanging on by a thread, mentally or financially, and will immediately make choices that have serious repercussions for them.

                1. AJH*

                  In short, this IT team want to have a licence to shout “FIRE!” in a crowded workplace, and use “But security!” as their defence when people criticise them for it.

                2. EventPlannerGal*

                  I don’t think that this is an argument that anyone should be making to their employer. “Please change your IT security procedures because I am liable to make massive life-altering impulse decisions in a blind panic over an email invite” would be quite a worrying thing to hear, IMO. I understand that this sort of test could be really upsetting but I really don’t think this is a good thing to bring up to push back on it – if anything, I think that sort of response would make companies even MORE concerned about possible security breaches coming from you.

                3. Colette*

                  @EventPlannerGal I agree – and I’m not sure everyone would react the same way as this one person did. If everyone panics when they get it, they should think about whether another subject line would get the job done without the panic – but as I’ve said elsewhere, I would have assumed it was some sort of mistake.

                  And that assumes this was a test from IT and not a real phishing attempt in the first place, which is also not clear.

                4. le beef*

                  I mean, fire drills are very much a thing. Someone might panic, thinking it is truly a fire, but they still need to be done. It’s not going to be as effective to warn everyone that the alarm is fake ahead of time.

                5. ...*

                  Really? You wouldn’t just ask your boss what was going on before changing your entire housing situation? By this logic you shouldn’t so much as ask someone a question about a project because they might be “hanging on by a thread”. The comments regarding this topic are so bizarrely over the top and histrionic. I work with super high value products so this type of thing is normal to me. This is like the guy whose HR has been supposedly recording him for weeks and hasn’t so much as asked his manager. How effective of a worker can you be if an email causes you to spiral so out of control that you can’t drive or die? (referencing comments above here not just yours)

              3. ...*

                If reading an upsetting email shocks you to the point you are completely incapacitated it is your responsibility to seek out strategies to be able to handle stressors such as upsetting emails.

            2. MassMatt*

              Everything you say is true but the fact that phishing attacks are real and destructive doesn’t excuse the IT department’s idiotic and cruel methodology.
              Stop defending the indefensible.

              We had a letter not so long ago where a company made announcements over the loudspeakers that there was an active shooter in the building as a “drill”. This is not excused by an explanation that “there are real workplace shooters, if you were upset by that announcement well, you’d be upset by an actual shooter, too”. Equally true, equally beside the point that it was an awful thing to do.

              1. Colette*

                The recipient of the email was shocked, yes, but I’m not sure everyone would have reacted that way. I probably would have thought “how weird, they sent this to the wrong person”. I don’t see this as the same as announcing an active shooter is in the building.

                (I’ve been laid off several times, and I’ve seen it done poorly and well; no one has been as clueless as to invite people to an exit interview. It’s the invitations with meetings above your manager with no stated purpose that mean layoffs.)

              2. CmdrShepard4ever*

                Honestly I do think that planned emergency drills are good, but they should be accompanied by unplanned/unannounced emergency drills (fire/active shooter) now I am not saying they should be done all the time. But I can’t tell you how many times I have seen people not pay attention or care to the planned emergency drills. Companies can let people know we will have an unannounced/unplanned once a year.

                If IT was only sending an email and just telling people not to fall for it I agree it would be cruel, but they are using it to see who needs follow up training. When it comes to IT security it is always better to be safe than sorry. I have received a few legitimate emails that seemed like phishing, I followed up with the person that sent it via phone to confirm it was them.

                1. GothicBee*

                  Hard disagree on the idea of having unplanned active shooter drills. Just no. Planned active shooter drills are intense enough without making it seem like there is a real active shooter in the building. Not to mention what happens when someone ends up actually injured because of the panic to get out of the building.

                2. Observer*

                  Unannounced active shooter drills have to be a hard no. Fire drills are one thing. Active shooter drills are actually dangerous. There are other issues as well, but this means that you just can’t do it. Period.

                  If people blow off the planned drills, you treat it like any other performance issue.

              3. Observer*

                The argument against surprise active shooter drills is not that they are upsetting. The arguments against them are lack of effectiveness (there is some good evidence that these simulations don’t do what they are intended to do) and the actual dangers that can happen in such a case.

                In the case of a fake phishing email, the argument that there is actual danger is nonsense. Honestly, as others noted in another branch, if someone is going to take over the top action based on an email with no follow up or verification, that person is going to run into trouble regardless.

                The only argument is that this doesn’t work, which is arguable. “Pranking” someone with something like this is inexcusable. So, if you have reason to believe it doesn’t work and you do it anyway, you are no different than the boss someone wrote in about who thought it was hysterical that people turned green when told that they were going to have required overtime with no warning. But if you DO expect it to work, it’s “that was a REALLY rough 10 minutes, and I am sorry you had a hard time, but I hope this helps keep you safe from the very much worse and longer term things that could happen.”

        2. all the time*

          The employees of any company are the weakest link – and you need to know the weakest of the weakest so you can continue to train them.

        3. Observer*

          Well, I’m glad you don’t work in security at my company.

          You seem to think that not hurting someone’s feelings is more important than actually keeping those same people safe, as well as keeping customers and the business safe.

    2. AJH*

      The really strong argument against it is that if your intention is to send a message which will get someone to panic, by definition you can’t control *how* they panic. I know the IT team assume in this case that the person getting a surprise!You’ve Been Fired! appointment in their diary is that they will click on it, at which point the IT department will go “Ha, ha, phished you, report for remedial training asap.” But, speaking as someone who was one of a group of several senior employees who were all made redundant on the same day following a merger by means of an innocuous invitation put unexpectedly in our inboxes for a one-on-one, meet the new CEO session, the most likely reaction *I* would have to such an invite bobbing up, would be panic attack followed by immediate lawyering up.

      1. Lora*

        Yes, exactly this.

        I have been laid off in a few different horrible ways. An email like this would read as an invitation to demand immediate vesting of any and all stock options as part of my severance package, release from tuition repayment obligations from recent company-financed MBA, continued payment of health care benefits through howevermany months…

        People suddenly being locked out of their computers with no notice, getting random outside-the-company (usually from consultants) emails to come meet new management in a conference room with 20 of their colleagues, department meetings and site all-hands meetings to tell people they’re all being laid off are not unusual at all. If a test email went out like this at a unionized work site, I cannot even imagine the disaster IT would be facing. If the threat really is, “l33t h4XX0rs are imitating piss poor management” then I think y’all need to accept your certain doom, frankly, because there is no way to train people that “your management *might not* be chock full of buttheads with bad ideas and the emotional intelligence of a razor clam”. We’ve all survived too many workplaces where that was indeed the case.

        May I suggest the one thing that REALLY works for data security: if you need it to be secure THAT badly, sandbox it. That’s what we do for the automation controlling physical systems that can explode, ever since StuxNet, and it works GREAT. No internet connection at all, just snip the connection on the computer motherboards, and email checks have to be done on a separate network that handles only emails, telephony etc.

        1. AJH*

          I’m stealing “chock full of buttheads with bad ideas and the emotional intelligence of a razor clam”. Regrettably, I don’t expect I’ll have to keep it on ice for long.

        2. EchoGirl*

          I haven’t dealt with being laid off like this, but because of some bad experiences in my personal life in the past, I’ve struggled a lot with intrusive thoughts that people are only pretending to like/approve of me and/or that being liked/approved of is contingent on me completely 100% pleasing them (and I fully know it’s not rational, but intrusive thoughts don’t really care about reason). I’ve made progress in working through some of that, but I’m still vulnerable to backsliding — a single incident of something like that happening for real (say, suddenly losing my job with no warning) can set me back on that process. And while I can’t be sure of this, I strongly suspect that the setback wouldn’t magically reverse just because I learned the email was fake, because it’s not about the email, the email is just a catalyst.

    3. Keymaster of Gozer*

      I used to compose some of those phishing test emails, and I figured to myself that we were not testing people’s panic responses, we were testing their ‘oh that looks interesting’ responses. Reasoning being that it’s incredibly hard to train people out of instinctive panic responses, which is why emergency services spend so much time on it and don’t rely on a 1 hour online training course from the IT department.

      What you want to do is insert a ‘wait…that looks dodgy’ line into people’s normal operating mode and then check to see if that’s running. So, a ‘you need to click on this embedded link to re-enter your bank details so you get paid’ test is ok, whereas a ‘someone has reported you doing illegal stuff, the police are notified, HR are waiting for you’ is not.

      1. cruel summer*

        Yeah, like… IT is not the trainer for how to respond in a panic situation to a threat to your life or livelihood. It’s needlessly cruel and, as someone for whom this stuff isn’t easy, it would ruin my productivity for the rest of the day, if not the week, as I have difficulty working while uncontrollably sobbing. Why would you trigger your staff on purpose as “training”? I haven’t opted into exposure training at work.

      2. Quill*

        Also of note that testing people’s panic response is definitely disproportionately affecting workers with mental health issues.

        You don’t give people exposure therapy prior to having to walk through the zoo’s snake house by throwing them into the snake pit, you train them to be like “okay, judging by the photos, this snake is venomous, this one is not, this is NOT a safe snake but it’s behind glass, though not in the right spot, so i will alert the snake wrangler instead of running away…”

      3. Observer*

        I think that this is a far more cogent response – the issue of effectiveness is really the only solid argument against this stuff.

    4. LKW*

      Came here to say this. While I don’t agree with the topic IT chose, the panic reaction is exactly what they were looking for – and it was successful in reinforcing that panic and email don’t go well together. It is not kind, but the purpose of these tests is to remind people that all emails should be viewed with a suspicious eye – even if they are initially alarming. If the test is too easy then it doesn’t “train” people to view alarming emails with suspicion.

      And I work in an IT heavy company and we get these too – and people fail them regularly.

      1. Metadata minion*

        In your experience, does this sort of training actually work? As people have said further up the thread, panic reactions are *very* hard to rewire compared to “oh, wait, this interesting thing is maybe suspicious”.

        1. Super Anon For This One*

          You didn’t ask me – but yes, the training works.

          The baseline “phish prone” percentage for my company was way out of line for our industry (but: about what I expected from our user population due to lack of training, length of service, etc.).

          We almost immediately saw a drop in phish-prone percentage (we test quarterly) after initial training, and have kept it within industry standard with continued annual and remedial training.

          BUT I do a lot to make sure that my messaging is current (I sent out special “this is what a COVID phish email will look like” messaging, I sent out holiday messaging, I use posters, etc.), and this testing/training is just a part of our security strategy. It would not stand on its own.

        2. L.H. Puttgrass*

          Not only does this work, but it’s really the only thing that works. Phishing is not a technical attack; it relies on people’s natural tendency for trust (or panic). So the only way you can really stop that kind of attack and still have functioning IT systems is to train users out of those reflexes.

        3. SomebodyElse*

          I think the training is not to stop panic. That’s going to happen and as you say very hard to stop. The point is to train to pause between panic and acting. That you can train out of people.

        4. LunaLena*

          Completely anecdotal, but can confirm it works because I trained myself to do it. I started doing it after a phishing scammer called me and left multiple urgent messages from the “IRS” about a fine I owed and had to pay immediately or I would be arrested. My first reaction was to panic and call them back, but fortunately I was driving at the time and could not. By the time I got home doubt had spread in my mind and I listened to the messages again, and since I wasn’t blindsided this time, was calm enough to catch little clues that this was not legit. After that I started forcing myself to wait a few minutes and think first (I started by consciously telling myself “it’s an email/voicemail… if I had chosen to go to the bathroom before checking it, it would have had to wait a few minutes, so it’s okay for it to wait a few minutes now”), and now overruling that first panicked impulse comes a lot more naturally.

    5. Roscoe*

      I was kind of thinking this. Like, I’m not saying it isn’t a mean thing. But… it works. And that is often how phishing emails work by playing on emotion, so people need to be prepared. As someone who has gotten my share of phishing emails (not IT tests), it is very important to be diligent. And this is a way to keep people on their toes.

      1. Jennifer*

        I tend to agree with this. People aren’t falling for the old school scams anymore that have been circulating for years.

        This happened here recently. My coworker received an email from someone claiming to be the CFO requesting a meeting. We aren’t nearly important enough to have one-on-one meetings with the CFO. You have to take a deep breath and think for a second before you react when something like that pops up.

    6. Wintermute*

      same here, I work in IT, this is brilliant and a great idea and MORE companies should have realistic phishing attacks. One we use is an employee ONBOARDING survey request.

      The threat to companies is existential. Ransomware, GDPR extortion, IP theft, theft of credentials and personal information, all of these can kill a company stone dead. You can’t expect people to handle the real world where criminals will say whatever it takes if your training is limited in scope. The closer to a real criminal you can get with your pen testing the better.

    7. So they all rolled over and one fell out*

      The IT department may or may not have much control over the contents of the phishing emails. My employer uses a phishing test third party provider.

    8. London Calling*

      Agree 100% – this is what a scammer email does, shock and panic you enough to click on the link. We had a similar exercise at work, except this one was about salary increases, and the head of IT was very robust in defending it – his point being that a real scammer would send something that hits people in the gut and makes them click before thinking. And as someone who fell for a work scam – I agree with him.

      1. Observer*

        I think that what a lot of people are also missing is that the issue is not just protecting the recipient from their panic reaction, but protecting everyone ELSE from the recipient’s panicked reaction.

  8. Kimmybear*

    #1 – We sent out a phishing test at the beginning of the pandemic and had serious conversations with senior leadership about which templates we were and were not going to use. Phishing has been taking advantage of people’s fear and using COVID subjects (e.g. COVID exposure) to get information and passwords. We decided not to use any of those templates because we didn’t want to dilute the real messaging or cause panic. We stuck with the generic “Your password will expire” and “John sent you a document”. People still fell for it, it justified our training budget, and kept cyber security on people’s radars.

    1. SatsumaWolf*

      This kind of assessment (the impact on employees) is what is called for and what I would expect from IT. My large multinational company sends phishing emails regularly and I understand the need for them. I once received one that I felt was inappropriate as I don’t think it had been considered that women would read it differently than men, that is, a woman recipient would more likely imagine a specific scenario that would cause undue fear of a nature that I didn’t think an employee should have to face in the course of the working day if it can be avoided. I sent feedback to the appropriate IT channel along the lines of “I appreciate the need for phishing tests but perhaps this specific template could be reassessed as I think it likely to cause undue distress disproportionately to female employees”. I received a very thoughtful, detailed, grateful email back promising they would assess based on my feedback. I thought it might be helpful for people to hear that this feedback can be welcomed and taken seriously so it’s worth doing.

      1. Suzy*

        I must admit that now I am kinda curious what it was… But I think everyone in this situation handled it gracefully. Kudos!

        1. AJH*

          Warning about enhanced security around the building because of suspicious activity in the carpark, with a “click here” for link to police/security recommendations would be my bet.

    2. Batgirl*

      Yeah my partner is usually really savvy about this stuff, but when one of the directors whatsapped him and asked him to do some personal favours to be expensed later “while he’s at home and our normal systems are down”, he didn’t query it. When everyone’s job is on the line, you don’t. May these scammers burn in hell.

      1. CmdrShepard4ever*

        I assume that it was not actually his director that messaged him? That is a good word of warning. While working from home I talk with my boss on slack all the time, if they asked me to do something on slack I would probably be less likely to question it.

    3. LQ*

      This is really important. The idea that causing panic is the point of it assumes that IT is the only department that matters and that it’s totally fine to lose hours of that person and the people they call in a panic about it and the virality of that panic potentially for a long time. It doesn’t matter that this person struggled, or that the OP spent time soothing the coworker.

      But those things do matter. The goal of IT can’t be to dance around singing a gotcha song. It needs to be actually effective and efficient.

      It also assumes that when people are panicked and full of adrenaline they are primed to do actual learning, which…is not where adult learning happens.

      1. Natalie*

        The purpose of these test emails is testing, not teaching. Typically if you fail to spot the suspicious email you get referred to additional training.

      2. Shirley Keeldar*

        This is a really good and important point. The people who are saying, “But it’s effective and important teaching!” are ignoring the part about the COST of that teaching. Something may work yet still be too costly or just too cruel.

        1. AJH*

          I think it’s obvious that they actively do not care about the distress or damage caused to individuals or to the organisation. The term OP is using about herself, her coworker and the others who have heard about this incident is “shell-shocked.” Now, some of the people who are commenting on this thread are going, “Great, mission accomplished; they know not to click on suspicious emails now just because they’re panicking about their jobs.” And that may well be so. But the other lesson the employees have learnt, as well as the one about suspicious emails, is that the company on a fundamental level does not have their wellbeing at heart. They’re happy for IT to treat them as lab rats. They’re happy to say, ‘Up the voltage’ when the earlier shocks don’t have the requisite effects.

          My betting is that a whole lot of employees are now too terrified for their jobs (hence the effect of the experiment) to say anything. But I also bet any loyalty they owed to the company has gone by the board, too.

          1. Quill*

            Also, it’s a very nasty trick to pull on those of us who already have, you know, shell shock / PTSD.

          2. Observer*

            It’s only obvious to those people who have decided that without reading anything anyone has to say about the matter.

            I don’t know that this particular test was a good idea – it probably was not, but I can’t say that for sure. Here is the thing – even with people being shell shocked, it’s better than some of the results that happen when people click on actual dangerous links. You can be sure that the person whose pay for the last two weeks gets stolen is going to be far more than shell shocked – even if the employer does the right thing and writes them another check immediately (It happened in my org). So will the people who are victimized by identity theft, people who can’t get critical services or the people who lose their jobs because the company went out of business because someone clicked on a wrong link.

            This is not about what IT wants or about their convenience. In fact, this is often not even the doing of IT. This is about the basic safety of the company and possibly legal requirements they have, to keep data safe.

      3. Nicki Name*

        It is still much cheaper to have an employee panicking for a few hours than to have to pay for exposing customer data, or to have ransomware removed from your critical systems.

        It isn’t about IT scoring points on other departments, it is, as ever, about the company’s bottom line.

    4. EvilQueenRegina*

      My employer sent a Covid themed phish test around May, but it was something from a fake doctor at “wh0.com” about cures. I thought it was a real phishing email and deleted it, thought no more of it until getting an email a few weeks later saying I passed the test.

  9. Beth*

    #1: I’d have been very tempted to, after figuring out it was a phishing email, have the coworker who got it send a very alarmed email to HR anyways asking if she’d missed some bad news. I’m sure they’d have some strong opinions on this practice!!

    In all seriousness, your coworker not wanting to play ‘tattletale’ is relatable, especially since you were able to determine it wasn’t real. But HR likely would want to know about this–at the very least, so they have a heads up in case anyone else got this email and wasn’t so savvy in recognizing it. This touches on their area of work, so they should be informed of it…not just as a way to escalate the problem, but also because it could have real practical implications for them.

    1. ...*

      asking HR if it’s legit would be like…..literally the best practice possible in the situation. I cannot wrap my head around the idea that HR would be strongly opposed to cybersecurity for the company.

    2. Observer*

      If you are suggesting looping HR in as a way to get them to stop the practice, it’s highly unlikely to work.

      For one thing I would be surprised if HR wasn’t warned about it. For another, …. noted, checking with HR or IT is exactly what I would want staff to do anyway. So that kind of email would just put them on the list of people who didn’t click on the dangerous links.

  10. Analyst Editor*

    A company I worked for sent me lots of these phishing emails; very high-quality, and it took me a while to stop getting caught by them. They work on precisely generating that kind of panicky feeling to make you quickly do something. IT was doing their job here, I think.

    1. Stormfeather*

      I mean, by that token managers would be “doing their job” by having their employees work four hours of unpaid overtime per day, and cutting lunch hours to 15 minutes. I mean, it’s got them getting the company’s work done faster and more completely, amirite?

      There’s more to doing your job than just being effective in one aspect of it. You also have to keep employees and their morale and, y’know, their mental health in mind.

      1. 10Isee*

        But data security is a HUGE deal in education, as it is in Healthcare and finance (my field and my spouse’s, respectively). Both our companies regularly send all sorts of phishing emails and almost anything is fair game, because it’s imperative that we and our coworkers keep our data secure. In my partner’s company, if you fail one phishing test, you lose your annual bonus; if you fail two tests in one year, you lose your job. In some situations, it’s just that important.

        1. WhatAMaroon*

          I do want to echo the importance of phishing tests. Phishing is a very effective method of infiltrating an organization and getting access to data quickly. From a data security perspective it is really important to keep people trained and vigilant on what the new angles and approaches are. However, with that said I do strongly agree the “fake layoff” experience was probably not necessary. They almost certainly could have conveyed that this might be a threat vector with training paired with another phishing test message.

        2. LQ*

          Data security is a big deal. But if you want to actually help people get better then you need to do it in an effective way. Keeping everyone in your company in terror of losing their livelihood every time they open their email is actually a good way to make someone vulnerable to being an inside agent.

          If the goal is to make people panic you’re doing it wrong. The goal needs to be to make the company less vulnerable. You don’t do that with scared employees who are stressed they are going to lose their jobs and that is taking up a portion of their brain every time they look at an email. You do that with employees who are well trained, who are frankly well rested, who don’t have so much work to do that they can’t get it all done in a day and so just rush through everything in a blind panic.

          Data security is about far more than just scaring people. That’s not the most effective way to make your company more secure.

          1. AJH*

            That’s an excellent point. Terrified people cover up rather than admit fault. Next time someone does something that’s a slip up they aren’t going to forward the email to IT with “Oops, I opened this before I’d thought.”

          2. Important Moi*

            The IT department can “see” who opened the email.

            Not coming forward is more likely to be to your detriment.

            1. LQ*

              Right, but the next slip up may be a real phish that could be addressed if the person who clicked came forward. Not coming forward is to the company’s detriment. So you want people to not be afraid of coming forward. You want them to be encouraged to come forward and say, “I’m sorry I was tired and wasn’t thinking, I clicked on something and I’m not sure.” rather than shoving it away because they are scared they’ll be fired.

              1. Observer*

                There is nothing here that keeps people from coming forward if they click. Being sent for additional training is hardly punitive.

                This email was surely stressful and possibly ineffective. But claiming that it makes people scared of losing their jobs every time they look at their email is hyperbolic at best.

                1. Anonyish*

                  There is absolutely something here that keeps people from coming forward if they click in this scenario: the knowledge that they are working for a company that is fine with causing them significant distress *before* they have even made a mistake. When you know that as an employee, you can feel pretty sure that if you do make a mistake their response is going to be much harsher.

          3. 10Isee*

            For what it's worth, his company has an <5% annual fail rate on phishing tests, and extremely low turnover. They have paid, comprehensive training for every employee every year and pretty solid benefits. But when one mistake could make or break their clients, it's just not reasonable to keep on staff members who jeopardize data.

      2. Observer*

        You also have to keep employees and their morale and, y’know, their mental health in mind.

        Yes, and part of that is making sure that their information is safe. The simple fact that people think of phishing and these scams as a minor thing that only affects IT creates a huge danger to the company and everyone who works for them. Because they clearly don’t take the threat seriously. But the threat is real and hugely consequential.

    2. Keymaster of Gozer*

      Coming from one who used to design these tests I’d disagree.

      IT should plan tests for the results they want to achieve. If your goal is to incite serious panic in your coworkers then what are you going to gain out of that? Training people out of extreme fear reactions is out of scope for most IT depts.

      What they should be doing is trying to alter the day to day processing of people’s minds. Insert a ‘hang on…’ pause that becomes automatic when reading emails with links, attachments etc. My favourite test was designed to look like a company announcement that the HR system had crashed and everyone needed to re enter all their details…the link took people to a different website that looked like the system but if you looked at the url you’d see it wasn’t even on our corporate intranet.

      Of course, the ‘you missed an important call from your friend’ or ‘click here to release your printing job’ ones are fun too.

      1. Rockin Takin*

        I just had one at work where it was a lady saying she had a candidate for a job I posted. But when I looked this lady up in the company’s system she didn’t exist. Her email looked like a real company email until you clicked info and found it had some numbers at the end of it.

      2. Grey Coder*

        Yep, ours are usually “Q3 Bonus info” or “New voicemail received”. I am in a field where we work with highly sensitive data. Phishing is such a common (and often successful) attack vector that it is critical to establish that level of caution.

      3. Allonge*

        That sounds better to me. By all means show people examples of the nasty stuff! But for testing, consider that there are other considerations.

    3. Threeve*

      If you think it’s okay to make coworkers cry in the name of internet security, you should not be making any decisions about things like this unsupervised. If this happened to me, and I got confirmation that management was okay with it, I would be looking for a new job.

      1. Observer*

        Why do you think that “internet security” is a minor issue?

        Would you be ok with making some people cry as an unintended side effect, in the interest of keeping your pay from being stolen from you? In the interests of keeping your highly sensitive personal data (such as medical diagnosis) away from people who will commit identity theft? In the interests of keeping your customers from having their ID or money stolen? In the interests of keeping critical (as in life saving) services operating?

  11. Beth*

    OP3: Is image (or photoshopping skill) in any way relevant to the job? If not, I’d be inclined to disregard this. It might be the result of insecurity, it might be bad editing skills, it might just be an old picture she hasn’t gotten around to replacing. Unless there’s a reason that this is relevant to the job at hand, I don’t think a social media photo is worth this much scrutiny.

    1. Seeking Second Childhood*

      Didn’t we have a letter here where the EMPLOYER had headshots taken–and they were all badly photoshopped?

    2. Clara B.*

      Hey Beth, LW#4 here. Thanks, that’s a good point–neither image nor photo-editing skills are important to this position, so I agree with you that it probably isn’t worth mentioning. As Alison says, the decision is ultimately up to my manager so I don’t plan to say anything at this time.

    3. Reasons*

      I recently changed my headshot to a highly edited version- it’s become a trend in my circle of art/design contacts. I’ve also deliberately chosen not to include client names on my personal page. I both know how to Photoshop correctly, and would be willing to have a professional headshot done for an employer’s website if the job required it. …Totally fine if it’s not your thing, but I’ve never had clients comment on my profile one way or another, and I’ve worked for some pretty conservative folks.

    4. A lawyer*

      I am sympathetic to the candidate. For YEARS my official photo on my firm’s website was ridiculously Photoshopped because one of the higher ups thought he was really good at it (he’s not, I looked like a cartoon character, my husband AND my mother burst out laughing when I showed them the picture). But maybe, unlike me, she liked her picture and thought it was nice (apparently some of the other higher ups thought my picture was really nice and didn’t understand why I lobbied so hard for a new photo).

  12. Marika*

    LW#4:

    My husband’s company is doing fine in the current environment – their Q3 numbers weren’t brilliant, but they were incredibly solid – and their stock is doing just fine, if what the paper says is true. They’ve straight up frozen all hiring that doesn’t involve replacing absolutely essential positions until December at the earliest.

    That’s the environment right now. It sucks – my husband’s team was about to make offers to SIX people (it’s a 20 person group) and believe me, they could use them … I can hear him on the keyboard now, and it’s 10:30 at night, and he’s still swamped. But, no dice.

    They’ll be making those offers as soon as they can – although my hubs says he’s willing to bet four of the six MINIMUM will have been snapped up before January.

    This environment is just strange for everyone I think.

  13. Job Carousel*

    #3 had me wondering how common or uncommon it is for LinkedIn users to edit their profile photos. I know I definitely used LinkedIn’s prebuilt filters to subtly tweak mine, whereas I imagine it’s also common to use photoshop to make cosmetic changes (blurring skin blemishes, etc.). I also imagine that many folks are using their corporate headshots which are often photoshopped anyway (with likely differing levels of skill/subtlety). So while seeing an image of a job candidate that seems noticeably photoshopped may be jarring to some, is it just one of those things that practically everyone does these days?

    1. Viette*

      I think it really depends on the industry, and even the specialties within those industries. It’s probably quite common for some and for others it would be very weird. In mine, it’s more in the realm of a professional headshot with all the lighting tricks and staging that’s bound to make a person look as good as the photographer can manage.

      I know when I had professional photos taken for a recent job, the photographer clearly said she didn’t ever retouch anything except flyaway hairs without at least discussing it with the person in the photo, and the pictures still looked extremely good with any skin touch-ups or anything.

    2. Clara B.*

      Hey there, LW#4 here. This is a good point, I think the only reason this candidate’s photo jumped out at me was because it was on the more “cartoonish” side and immediately noticeable. But as I mentioned in a separate comment, I don’t ultimately find this to be that relevant to the position…just jarring, but it’s no reason to hesitate with a candidate, so I don’t plan to say anything to my manager at this time.

  14. Christy*

    #5
    Weird this came up today… I work closely with IT, and our assigned guy is slightly on the rocks right now with a notable difficult boss. He is great for me to work with, though, and I would be sad to see him go. Anyways, I responded to the IT ticket of something he spent a great deal of time on, and thanked him a bit effusively, and then cc’d my boss. For two reasons, in that the IT ticket included all the details of the work and showed the considerable effort, and my boss should be made aware of that as she likely could pass on to her peer / his boss the compliment. Well, she did not like that, questioned why I would do that in a ticket, why didn’t I just email her about it, and “that was really transparent, you know.” Um, yeah of course it was. And oh yeah, but I worked hard on that problem too, you’re welcome? Seriously, is she just mad that I took initiative when I should have stayed in my lane? This was a case of no good deed…

    1. KateM*

      So, why didn’t you email her about it? She could have been right that including that in the ticket (and ccing ticket?) was not the right way to go.

      1. Christy*

        It’s a common thing to do, Ccing the ticket. She wants to know what’s done. Also thanking someone at the end of the string of emails on one ticket is not unusual. It was just an efficient heads up that he had completed the work and did a great job. I suppose I am confused why something this innocuous warranted a hand slap.

        1. Jennifer Thneed*

          Oh, we’re all under a lot of stress right now. Is she a new manager? Anyway, next time email her and link the ticket… and maybe cc your IT guy’s boss also? (Honestly, you can email that boss directly too.)

    2. ThisColumnMakesMeGratefulForMyBoss*

      It sounds like it was the method she didn’t like, not the praise of the colleague. Not sure if by responding to the ticket, the praise was actually part of the ticket – if yes, then no that wasn’t the way to go. And I’m not sure why you sent the praise to YOUR boss, hoping they’d share the info with IT guy’s boss. I understand that you were trying to do a good thing, but the way you did it was a little odd.

      1. Christy*

        I didn’t create a new ticket, it was a back and forth of the original one where we discussed the problem and work. It is a natural sign off of well now we are done thanks so much. For me to send it to his boss would have been strange and seen as wasting her time. I copied it to my boss for her to see the work done, and this is not unusual. She also has complained about him before and she has influence over opinion on his work.

  15. Ellie*

    LW5, I do this a few times a year and I’ve only ever gotten positive reactions.

    My personal preference is to directly contact the supervisor with the praise about my co-worker, rather than Cc. I like to frame my feedback differently for managers than for the person themselves, though I do usually share my positive feelings directly with the coworker as well.

    Typically I receive a positive reply, and sometimes they ask if it’s ok to share the positive feedback with the person it’s about.

    Just be genuine and specific — it does everyone a favor to call attention to good work!

    1. Christy*

      I can’t even imagine the trouble I would be in if I wrote to the other supervisor about IT. I was sincere and genuine about the thanks… that wasn’t the transparent part. She called me out on trying to give positive feedback on someone who is so clearly falling out of favour.

      1. soon to be former fed really*

        Serious question: Why would you get in trouble for writing to the IT supervisor to give kudos to one of their employees? Sounds like an awful workplace to me.

      2. Ellie*

        It sounds like there’s some really problematic behavior going on at your office if saying “Sally did great and I wanted to let you know” gets someone in trouble.

        It also seems like the concern was over the public nature of the callout, so an email to only that person’s supervisor (rather than a CC on a public ticket to your own) would probably have had a different reaction.

  16. Ferret*

    LW3: If the candidate is just overusing filters/ blur tools and not adding a whole extra limb I wouldn’t worry about it

    Hopefully this doesn’t count as a derail but I am desperate for an update on the photoshopping boss linked to in #3.

    1. Brooks Brothers Stan*

      Honestly with LinkedIn basically becoming Facebook but With Resumes a picture like that wouldn’t even faze me at this point.

  17. Smeralda*

    Unfortunately I think that may have been a real phishing email. Are you positive it came from IT? The “you’ve been fired” ploy has been making the rounds on Zoom, I believe.

  18. Batgirl*

    The Instagram look is becoming so ubiquitous that I’d just put it in the same category as confusing a fashion look with a professional look. I’ve known lots of people who initially showed up for work in cut out shirts, midriff tops, short casual dresses, dangly chandelier earrings, stretchy lycra skirts of skimpage proportions from the stores which rip off tweens, and who developed into professionalism just fine after they learned the ropes. This is a similar professional misjudgement. I think most women of all teenage decades can probably remember being flogged the fashionable version of “This is what a woman looks like; play up the femininity” and then being told “Hah that is so unprofessional! Women with jobs look like this; play down the femininity”.
    Yes, it’s legit disturbing that women aren’t allowed textured skin or less than Manga sized eyes or non Barbie noses but there’s nothing new under the sun. These looks come straight from old Hollywood. It’s no more disturbing than young women thinking professional women show scads of skin and wear heels no matter how physical the job, or that the professional women on television shows really are representative.
    So the decision comes down to: is a bit of misjudgement acceptable for this role, at this level? How many misjudgements are we talking about? All of them or just this one? It does seem like inhuman filters are a new and a shocking misunderstanding of how to perform femininity, but the real wonder is that any of us know how to do it at all.

    1. Researcherrrrr*

      I’m with you on the assessment of how much misjudgment is acceptable for the role.
      The interviewer should take into account whether this is a more entry-level position, or one that requires a substantive amount of experience. This sometimes comes with the territory for entry-level positions, and learning professional norms requires professional experience.

      Admittedly, this would carry more weight for me if I were hiring for a more senior position.

    2. Clara B.*

      Hey Batgirl, LW#4 here. This is a great point and something I want to be conscious of. The candidate with the edited photo otherwise looks good on paper, and her picture is only a single data point so I’m inclined to agree with Alison and most of the commenters here that this isn’t a big deal. Plus, as I mentioned elsewhere, neither image nor photo-editing is relevant for the position, so I don’t plan to say anything to my manager at this time.

      1. Batgirl*

        I mean…most of the glam squad I’ve come across turn into serious on-tone professionals but there was that rare one who thought the job on a newspaper would be a great stepping stone to starring in a soap and marrying a footballer. It was not. So it definitely could mean something! I just think it’s way too soon to say.

    3. Lizzo*

      @Batgirl I agree with you that society is full of mixed messages about femininity, and that the line between professional and fashionable/sexy/not professional is razor thin and is constantly moving.

      That said, I am still stunned by poor judgment about what’s appropriate for a professional networking site, and the fact that not one person in that candidate’s circle might have spoken up and said, “Hey, that LinkedIn photo isn’t doing you any favors when it comes to conveying your professionalism.”

      1. Batgirl*

        She might not have a circle! I didn’t. I never had any professional guidance due to a working class background.

  19. Elizabeth*

    I have a follow up question to #5. Is praising someone to their boss only something you do for someone your level or below?

    I did that once (wrote thanking someone more senior to me in another department for their excellent support on one of my events, copying their boss), and when I mentioned to another colleague that I had done this, they were aghast. They said that it was patronizing/cheeky to do this if someone outranked you. Is that the case? Or does it depend on your office culture?

    1. a username*

      Hmm. I work in a profession where there are “professionals” who have the advanced degree and “technicians” who have sometimes had a career as technicians longer than some of the newest professionals that have been of voting age. Even though professionals technically outrank technicians, their praise certainly carries weight, especially if someone is new and learning the ropes. So at least where I’m at, it wouldn’t be cheeky.

    2. Tthankful for AAM*

      I think it would depend upon how you did it. It might come off as cheeky if you said, higher than me person did a great job at x, like you were evaluating them. But I think it would be lovely if you wrote, I so appreciate the way higher than me person handled x because it had y impact on me – made my job go more smoothly, improved outcomes for clients, or had other positive impact.

    3. Mandy*

      My company heavily emphasizes mentoring, both formal and informal. So it would not be too out of place, but when I’ve given feedback like this in the past I’ve made sure to include the word “mentoring” in my feedback so it was clear.

    4. ThisColumnMakesMeGratefulForMyBoss*

      I think it depends on office culture and the hierarchy at the company. It could come across as butt kissing to praise someone at a level above you. We all know some managers have no business being managers, but generally they reach that level and beyond because they’re good at their job and go above and beyond when needed. Not that they don’t need to be appreciated, but it would probably come across as insincere coming from an employee who reports to them.

    5. Enter_the_Dragonfly*

      This is a little tangential but your comment reminded me of a time I got caught in a speed trap while in my work headspace. Upon receiving the ticket I actually thanked the officer ‘for making the experience as pleasant as possible’ and how I was really impressed with that. I’m not sure but I may have even told him that he did a good job *wince*. I don’t know exactly how many minutes it took for me to realize that was a very odd thing to do, but it did explain the look on his face as I drove off!

    6. Allonge*

      Office culture and the difference in the seniority. It’s disingenuous to praise someone – unprompted – to their boss if they are like two levels above your own. If I am Teapot Analyst and we just finished a big project with Coffee Machine Senior Analyst, it’s not too weird to say thank you.

      But yes, it should not be coming across as evaluation.

  20. Viette*

    #2 – the question “Is using dates to establish a time line more important than the history itself?” seems to misunderstand a big purpose of having the dates on there. They’re not to establish a timeline exactly — it’s not like your employer wants dates on your resume because they need to be able to track your every movement going back 15 years.

    As Alison says, they’re to establish when you worked at the jobs you want to talk about, which is kind of a timeline, but also how long you worked there. “Having dates on your resume” is not the same as “list everything you did in chronological order no matter how irrelevant it is”. Alison has plenty of posts about how you don’t have to include every job on your resume. But if you want to add it, of course you have to include when you did it.

    1. ThisColumnMakesMeGratefulForMyBoss*

      Yeah I’m baffled by that question. Sounds like they got some really bad job seeking advice. Dates are important for several reasons. Are you a serial job hopper? Have you been a llama groomer in the past, and want to become one again, but it’s been 10 years since you’ve done the job and you’re out of practice? Are you applying for a job in which you only have 6 months of experience? Have you been out of work for 10 years? Have there been giant gaps in between jobs?

  21. Mannheim Steamroller*

    Re: #5… [“If you think he genuinely does good work, it’s a great idea to let his manager know! It doesn’t matter that you rarely talk to her; managers generally are thrilled to get this kind of feedback about their teams, and it won’t seem weird.”]

    Good managers want such feedback. (Praise for Rory and Clara means that they’re key to the success of Missy’s team and she was right to hire them.)

    Bad managers don’t want such feedback. (Praise for Martha means that Mr. Saxon can’t take credit for her idea. Now he wants to fire her.)

  22. Roscoe*

    #3 this didn’t sit right with me. It’s basically judging someone based on appearance, which seems to have nothing to do with the actual job. Don’t get me wrong, if I’m on a dating app, and I see a cartoonishly photoshopped person, I may swipe left (say no) to them. But, if you are hiring for them to do a job, and they fit the requirements of the job, does that really matter? I mean, I’d even be ok with, once you hire them, mentioning that their picture isn’t the most professional. But I don’t think it should affect the actual hiring decision.

    1. Clara B.*

      Hey Roscoe, LW#4 here. Thanks for your comment, I appreciate it. Ultimately, I think the photo was more surprising for me than anything else but otherwise on paper, the candidate seems pretty solid so I’m inclined to treat this as a single data point that ultimately is not relevant for the position. In any case, the hiring decision ultimately lies with my manager and HR, and I will follow their lead here.

    2. Rusty Shackelford*

      I think there *are* circumstances where it can make you wonder how well they understand professional norms. I wouldn’t use that small bit of data to make a hiring decision, just like I wouldn’t make a hiring decision based on a resume typo, but it would raise a question that I would then attempt to answer in an interview.

  23. irene adler*

    #2:
    Does this advice hold true for older workers?

    I ask because including the actual dates of employment “outs” one’s age. And that often is enough to disqualify one from being asked to interview (yeah, I know it shouldn’t, but hey, few people can visualize “granny” having the skills to do the job).

    Yes, I recognize that one might want to omit the earlier jobs, thus shortening one’s work history and not giving away that one has worked for over 30 years instead of just 10 years.

    I discovered that when I put “3+ years” or “15+ years” for each job listed- instead of “1988-1992” and “1992-present”- I received more responses to my resume. Putting the time worked also gives an indication of how long I have worked at each job-just like the dates do.

    1. MassMatt*

      One way around this is dropping older jobs that are no longer relevant. In most cases, going back 15 or so years is plenty.

      Unless the employer requests or demands a full job history, stick to the most recent and relevant. Unless you’re resuming a career after a detour, jobs you had in the 80’s are not likely to be what lands you the job today.

      1. irene adler*

        How do you “drop” a job that you’ve worked at since 1992? That’s why I use “15+ years” instead of “1992-present”.

        1. CmdrShepard4ever*

          When you do the 15+ for your current job do you indicate that you are still at that job? If you just had 15+ years I would assume that you are no longer working there and I would wonder how long you have been out of a job, why you are not working, did you quit, get fired, laid off etc… The suggestions “somebody else” and “colette” made below are good ones.

    2. No Longer Working*

      I’ve read your work history shouldn’t go back more than ten or fifteen years. Some fields might be exceptions of course. If you can stick to that time period it doesn’t reveal your age.

      1. irene adler*

        It will reveal one’s age if one has worked at the same job for almost 30 years.
        That’s my situation. And every person that learns this compliments me on having a steady work history. And then I’m told how I am completely unemployable because I did NOT move to new jobs. Even recruiters tell me to start at entry level. But when I do, I’m told that “I’d like to hire you but I fear you’ll get bored with the job and move on in short order.”
        And I’m ignored at middle level jobs.
        Can’t win.

        1. SomebodyElse*

          That’s really weird advice from the recruiters. Of course companies are going to question an entry level position that you don’t really want. Personally (and I know I’m an outlier in this area) I’m not going to get hung up on a long tenure at a company. I will probably focus on how you would deal with the transition and will ask more than the average number of questions on your adaptability.

          How is your resume formatted? I’m assuming after 30 years you’ve held a number of positions and roles. It would be a little weird to have this:

          Acme Co 1990-Present
          Manager, Paper Clip Sorting
          -accomplishment 1
          -accomplishment 2
          -accomplishment …

          I would expect something like:

          Acme Co 1990-Present
          Manager, Paper Clip Sorting 2015-Present
          -accomplishment 1
          -accomplishment 2
          -accomplishment …
          Supervisor, Paper Clip Sorting 2005-2015
          -accomplishment 1
          -accomplishment 2
          -accomplishment …
          Other Positions Held:
          Lead, Paper Clip Sorting 2000-2005
          Paper Clip Sorter 1990-2000

          1. Colette*

            Or
            Acme Co. 2015 – present
            Manager, Paper Clip Sorting
            – accomplishments
            Acme Co. 2005-2015
            Supervisor, Paper Clip Sorting
            – accomplishments

            I.e. you could drop the earlier jobs within that company.

            1. SomebodyElse*

              Agreed… I think I got carried away with the copy paste :) Personally I would probably cap at 2-3 positions.

        2. SomebodyElse*

          Sorry… one other thought. Can you highlight in your accomplishments some examples that demonstrate you are adaptable?

          Examples might be
          -projects that brought innovation (changing systems, developed new something, etc)
          -changing jobs or departments

          Your cover letter will also be a good place to highlight these skills and abilities. Basically you need to demonstrate somehow that you would be a good fit in a new environment and with a new employer and that you won’t be the “At my old job we did …” guy.

        3. doreen*

          I’m not sure if the “same job for almost 30 years” isn’t as much as or more of a problem than your age in itself. I work for a government agency and lots of us are here for 20, 30 or even 40 years. Even so, when it comes time for a promotion, the person who has been in the same office for 20 years has a disadvantage compared to someone who has worked in four or five different offices over those 20 years.

        4. Lizzo*

          Can you:
          Focus on what you’ve accomplished and contributed during your tenure at the job
          Talk to your network about those accomplishments and contributions so that they can keep their ears open for companies who are in need of your skills

          That’s how I got my last job: leader recognized that they needed my skills at the organization, and brought me on board to leverage those skills for the org’s benefit.

    3. ThisColumnMakesMeGratefulForMyBoss*

      Leaving dates off of your resume makes it look like you’re hiding something. Yes I realize that some people will look at your resume and think “she’s too old to do this work”, but would you really want to work for them anyway with that attitude?

        1. ThisColumnMakesMeGratefulForMyBoss*

          Hit submit too soon. Either you risk being overlooked due to your age by putting dates on your resume, or you risk looking shady by leaving them off.

      1. That Girl from Quinn's House*

        This is honestly the fallacy of this site.

        “You don’t want to work for someone who uses (crappy hiring practice.)”

        OK that’s great, but a lot of companies use crappy practices and a lot of people aren’t superstar enough workers to have their pick of jobs from elite companies. Now what?

        1. SomebodyElse*

          Agreed. Sometimes it’s enough to get a paycheck from anyone and then you get the breathing room to be choosy.

          Hopefully irene adler gets some advice that works for the first part then can focus on bigger and better if that’s what they want to do.

        2. ThisColumnMakesMeGratefulForMyBoss*

          Ok fine, but that doesn’t change my first sentence. Leaving things off of your resume makes it seem like you’re hiding something.

        3. Ask a Manager* Post author

          When I give that advice (“you don’t want to work for someone who X”), I try to caveat it with “if you have options” and acknowledge that you may not. I agree that commenters too often leave that out.

          But leaving the dates off your resume is going to screen out WAY more employers than leaving them on, because it looks so odd and like you’re hiding something.

  24. Sneaky Ninja for this one*

    We get the occasional phish test mail. I had one last week. Mine was a meeting invite, though. The fake person sent it after my working hours for the same day – can you join we urgently need you. I caught that it was fake, though, and hit the phish button.

    It’s a PITA and annoying to think that IT is doing that, but at least mine was a harmless subject line. Exit interview would have totally thrown me.

  25. Workerbee*

    #3 This is why a headshot on resumes is discouraged, lest people discount someone based on appearance and all of their own conscious or subconscious edicts. I’d let it go. What’s important is what’s behind the eyeballs: Heart and brains.

    As others have said, the pressure to appear as whatever the conventional norms are is immense and pervasive.

    Point is, sure, we can judge on appearance to ourselves all we want, but it’s worth it to actively try not to let that judgment masquerade as assessing someone’s actual character.

    1. Important Moi*

      I believe LW3 has discounted this applicant based on the “poor judgement” of having a heavily edited picture and is seeking a way to see if boss shares her bias without asking boss directly. It is the type of thing that can’t be taken back once said out loud. What if the boss does not think that the picture should be used in evaluating an applicant but only work experience? Boss may wonder what other criteria LW has for evaluating applicants that boss does not agree with.

    2. anon just to be safe*

      I know a lot of brilliant medical researchers whose idea of what is their “best” headshot is not in line with what most people would see as a nice professional headshot. I worked with one person for a while who kept trying to offer up a terrible, extremely closely cropped shot (it was so close on his face that you couldn’t even see his ears) — thankfully as it was somehow a .bmp file I could just tell him it wasn’t compatible with our printer and get the more standard photo his research institution used (which he hated even though it was perfectly nice).

      People can be weird about photos but in my experience it usually has very little bearing on their professional acumen.

    3. JJ*

      You are totally right, and #3 made my skin crawl. It sounds like the filter is one of those glam-up ones, so I’m hearing what OP is saying as: femininity/her focus on her own beauty is some sort of professional red flag. Also OP says she shouldn’t have to look “perfect” but she should look “natural”, meaning OP still requires her to look the way THEY want. You’re skirting into dangerous territory.

      Leave this alone, OP, and if she is hired and shows up with a bunch of makeup on, you’re not allowed to treat her like she doesn’t know what she’s doing. Sephora VIBs are just as capable as anyone else.

    4. Clara B.*

      Hey folks, LW#4 here. Thanks for your comments, I think you’re right that I need to check some of my own hang-ups here about appearance. I’ve been in workplaces in the past that were super strict about dress-code and other rules for women employees and I’m starting to realize this may have gotten into my head more than I realized. In any case, I’m inclined to agree with Alison that this isn’t important, so I don’t plan to mention anything to my manager at this time.

      1. Batgirl*

        I think you’re being hard on yourself. Those pics can be unnerving. It’s way easier to be academic when you haven’t seen it. If I had seen it, I would have cocked an eyebrow, kidded myself that I looked past it and then unconsciously tutted over it. You’ve genuinely explored it. I do so wish someone would tell the young’uns they’re allowed to have human faces. I try to remind myself it’s just fun experimentation and expression but then I see that cosmetic surgery is up and apparently you can’t have “peach fuzz” on your face anymore. It is disturbing. Somehow more so at work when, yeah, you shouldn’t have to worry about appearance. It does make you wonder about the value of LinkedIn pictures to be honest.

    5. Batgirl*

      I’d love to be able to submit resumes under like a pen name or identity number. I could be Currer Bell or George Eliot. There’s a reason that writing was one of the first successful careers for women.

  26. I'm Not Phyllis*

    I make it a point not to google or look at LinkedIn profiles of candidates at least until after a first interview for exactly this reason, OP3. I think photos are a particularly bad practice of many sites because – purposefully or not – folks develop an opinion of others based on race, gender, hair style or overly photoshopped picture before they even walk in the door, perpetuating all kinds of biases. It is too late, obviously, to take that into consideration with these candidates, but I would urge folks to meet people first instead of forming opinions based on social media profiles. After you have met them and/or talk to them, I do see further value in this kind of search, but I’d speak with them first.

    Obviously I do know that not everyone sees it this way and that looking at LinkedIn is a very common thing to do for people who are recruiting – it’s just a thorn in my side :)

  27. Wintermute*

    Working in IT, I disagree entirely on the Phishing test: that’s brilliant, it’s a great idea and more companies should do it. First of all, ransomware is a huge deal, so companies need to be ensuring that people are looking out for these. AS YOU TRAIN, SO YOU FIGHT. Phishers, Spearphishers, and business email compromise attackers will use emotion to try to get around your guards. They’ll pretend to be the CEO, they’ll pretend to be HR, they’ll use compromised HR accounts, and they’ll say whatever they have to in order to get you to panic, shut down your critical thinking, and click their malicious link. They’ll say you’ve been accused of harassment, they’ll say your insurance has been cancelled, they’ll say your tax withholding was wrong and you may owe thousands of dollars, anything to make you panic and not take a second to think before you click.

    And if you fall for it? You may have literally just caused your company to go bankrupt, caused customer information to wind up for sale on dark web cybercriminal forums, leaked sensitive IP and patent information to foreign governments, given a foreign government blackmail material, or just caused your company so many fines they cannot survive.
    There’s a new GDPR extortion tactic we’re seeing from some advanced persistent threat groups – the attackers do things in such a way to maximize the potential fines, basically weaponizing the government as their axemen by betting you can’t afford to pay the fines and legal costs. Even if it’s not that sophisticated, we’re talking days of lost productivity, lost vital data, loss of customer trust, customer data and internal company data for sale or just put up on pastebin for anyone to use, your company’s IP for sale, and customer and employee accounts and passwords being used to try to break into their bank accounts and other services.

    You can’t train people on softballs and expect them to detect and appropriately handle the real thing. Attack simulations need to be as realistic as possible if they have any value, the absolute ideal is to do actual red team attacks, where you have a group that has permission to do anything a criminal would do, to dive through dumpsters to break into email, to lie, cheat, steal, pretend to be vendors, pretend to be elevator repairmen, call up and say they’re from the CEO’s office, call up and say they’re from the FBI, whatever it takes because that’s what criminals would do.

    The costs of NOT doing so are just. too. high.

    Also for what it’s worth, you’re lucky that getting sent for training is all they do if you fail. Bank I worked at first time your network access was disabled for 72 hours and you were taking an unpaid vacation like it or not (without manager override), second time your network access was disabled until your manager signed off AND you completed a training course to be scheduled with IT, until which time you were on unpaid suspension. And third time you were fired, because IT could no longer trust you with credentials.

    Of course, we were a bank, and people have high expectations of banks and their IT security, the consequences could be ruinous and actually injure the economy, and country itself and because of that you’re absolutely a target for state actors who would love to see the Dow Jones drop a few thousand points. But even if you’re not the threats are existential, companies that don’t take phishing seriously risk being unceremoniously shut down, either because of the high costs of failure, or by the government.

    1. LQ*

      If your IT structure is so poor that one entry-level person can bankrupt the company they are doing IT all wrong. If humans, deeply deeply flawed, tired, overworked, underpaid, scared humans are your only line of defense and you think that the way to get them to be perfect is by scaring them all the time then you shouldn’t be in IT or security.

      I don’t get the idea that people think everyone should just get fired, and be terrified of getting fired at a single error. An expensive error surely, but the real error is that that person had access to systems that were sufficiently interlinked, sufficiently open without any need for secondary checks. I hope every IT shop that advocates this that has any gaps in security gets the entire IT shop fired and an actual competent shop brought in. And that the IT shops regularly run pen tests against themselves in multiple ways including long term honey pot situations. That’s a big vulnerability too.

      1. What the What*

        This poster was clear that it took three incidents to get fired and that the first two came with a reprimand and training. They also didn’t say that only entry level employees were subject to these tests.

        A three strikes rule seems very reasonable for any company, but especially one dealing with sensitive data.

        And yes, I imagine any IT department worth their salt subjects themselves to tests too, acknowledging that any security compromise to their credentials could be ruinous. I imagine most hold themselves to a higher standard than rank and file employees in matters of security. The loss of reputation for an IT security professional who fell for phishing could potentially end a career.

        1. Wintermute*

          Spot on, I was in IT and got the tests too! Also, we had a senior VP fail one, it was his first fail so the CFO had to call and give manager permission for an emergency unlock– we couldn’t afford for a senior executive in the accounting department to take time off unplanned.

          Also, spot on about context – when you’re a bank trust is your lifeblood. In this day and age people NEED to be able to trust that their bank, who has all the keys to their financial kingdom, and all your personal data, is protecting those keys.

      2. Wintermute*

        It’s not that it automatically WOULD, it’s that it could. There’s an entire phase of an attack that involves traversing the internal network from your point of entry to get to something valuable. State-sponsored or other very advanced attackers may be using zero-day attacks that there are no defenses against as part of that network traversal.

        Obviously any company will have an internal NIPS that will be looking for suspicious traffic, and antimalware systems that look for the telltale signs of someone attempting to pivot from an initial entry into a full-scale attack. But again, if they’re using a novel attack there may not be much to see. The reason ransomware is so dangerous is that it doesn’t involve command and control which can be detected at the network level, once it gets to file servers.

        This is not academic– big, company-destroying attacks have initiated from entry-level employees, they’ve even started with vendors who were not EVEN employees with full access.

        Also I never advocated for firing someone for one mistake, the place I worked you got three strikes and plenty of training, but if you just could not learn then you were too big a risk to keep employed, and even then there was some leeway. I think that’s fairly reasonable. In event of a real attack it’s not that you’d be fired for letting it in the front door– it’s that your company may not survive the event or that they may lose so much money that layoffs are required. That’s why it’s an existential threat.

      3. London Calling*

        Frankly, if a company is operating with ‘tired, overworked, underpaid, scared humans’ then tests like this are even more crucial, because those are the ones who let the scammers in.

      4. Observer*


        If your IT structure is so poor that one entry-level person can bankrupt the company they are doing IT all wrong.

        Unfortunately, that’s just not true. Yes, having the right (expensive) infrastructure does help. But ultimately, people are still the weak link. Especially with people working remotely. It adds a layer of danger that’s just not funny.

      5. Observer*


        If your IT structure is so poor that one entry-level person can bankrupt the company they are doing IT all wrong.

        Unfortunately, that’s just not true. Yes, having the right (expensive) infrastructure does help. But ultimately, people are still the weak link. Especially with people working remotely. It adds a layer of danger that’s just not funny.

        Of course if your business model relies on your staff all being “tired, overworked, underpaid”, then phishing is probably not your biggest concern anyway. Deliberate insider malfeasance is a bigger threat. But there is no reason to think that the OP works for such a place.

    2. Dan*

      Yeah, and the reality is that if you only train on softballs because you don’t want to create a panicked response, what are the phishers going to do? They’re going to send panic inducing emails because they know people will click them. It’s the equivalent of placing an armed guard at the front door while leaving the backdoor wide open without a security camera.

      I posted upthread that at my org, they prefix email with an indicator noting when emails are sent from outside the company. There was push back on *that* on this thread. Huh?

      1. Anonymous at a University*

        Yeah, if people are going to push back on anything that an IT department does, not just the OTT e-mail the OP described, then it’s no wonder some IT departments are ignoring any complaint. Sorry that you can’t just click any link you like and will sometimes see “External” in front of an e-mail, I guess?

        1. Colette*

          I think the perception of these malicious actors is that it’s some teenager sitting in the basement trying to see what they can get in to. But the reality is that this is big business – there are people who do this as a job, and they have far more dedicated resources and money to do it than the typical security department at your company.

          1. Anonymous at a University*

            I didn’t think of that, but that’s a pretty good point. I got a weird-as-hell e-mail from a compromised university account last year, and after I reported it to IT, I went over to tell the person whose account it was face-to-face since she didn’t answer her phone when I tried to call. She said, “Oh, it doesn’t really matter.” I mean…yes, it does? She actually wound up not being able to work for a couple of days because she was supposed to handle some sensitive things by e-mail and they had to figure out what to do. But if she was thinking of this like some teenage prank, then it makes sense.

          2. Jill*

            This is exactly the point. People that are already scamming you for money don’t care that job situations are stressful right now, money is tight, or someone you know might have died from COVID, they’re banking on it. Just like everyone else trying to capitalize on COVID their whole business model just got a bunch of new data points they can target you on.

            1. Grapey*

              I see both sides. IT and leadership should really hammer this home in trainings BEFORE sending out panicky emails and at least try to empathise with employees first. Like “Scammers use emotional subjects. Please check email senders and attempt to talk to another human if something seems extreme.”

              But I also do agree that stress tests should be just that.

          3. Annie Moose*

            Exactly this. It seems every couple weeks there’s another major company who’s fallen victim to a ransomware attack or other serious intrusion–and nine times out of ten, it was because someone thought, “what’s the big deal with [plugging this USB drive into my work computer/clicking on this strange link/accepting this meeting invite I didn’t expect]?”

            Phishers are smart, they are organized, and they pick their targets carefully. If you’re working with sensitive data and you aren’t getting solid security training and testing, your company needs to step it up.

            (recent example–Garmin got hit in July by ransomware and had to pay millions in ransom. It’s not known how they were specifically infiltrated but common vectors include tricking people into clicking on an infected website or downloading malicious attachments. Both of those can be minimized when people are on guard about email links and attachments–even very scary emails)

            1. A.N. O'Nyme*

              We even had a city hall fall victim to ransomware within the last year or so. Luckily they still had typewriters lying around (even the mayor was surprised) so they could still do most of their jobs while it was being removed. If I recall correctly that was confirmed as being caused by someone clicking something they shouldn’t have.

            2. GS*

              We were down for two weeks because the contractor that handled our software & data clicked on a phishing link. They eventually paid the ransom. It was a serious problem for us, let alone them.

          4. Wintermute*

            Very good point! It’s not some teenage script kiddie anymore, cybercrime is a multibillion-dollar business, the unlock fee for a big malware attack can be in the millions of dollars. Also, state-sponsored actors are starting to realize the potential for disruption, and for self-funding– North Korea’s threat team is surprisingly competent and is a major source of funding the regime uses to buy overseas goods for dear leader, and so they get a lot of resources thrown their way. Terrorist groups, too, are embracing the potential for societal disruption and fundraising.

            Plus there’s organized criminal gangs that sell and rent ransomware services to anyone who can send them enough money.

    3. Batgirl*

      One of the fundamentals of being a teacher; if you want people to pick up skills, then you have to teach before you test. All testing and no teaching? It’s setting people up to fail.
      I get that people have to do harsh testing; active shooter drills aren’t fun either but they’re necessary.
      But for the love of Thor, you need to warn them that they are going to be tested in dramatic and upsetting ways. Be specific too! It’s ok to give away the secret to this test; check and double check upsetting news. Get them on the lookout for that! It’s true that people learn from failures, but they’re also very, very willing to avoid failing dramatically after getting the shock of their life.

  28. M2*

    #3 your husband should be applying for other jobs. My spouse was told verbally in person and in an email by the CEO and EVP that they were giving him the SVP job. HR came back and said they would send a formal offer they just needed to come up with a final number. They did reference checks, background, etc all which went great. After two weeks and no written formal offer he reached out and was told they were still working on it. He never got the written offer and was basically ghosted. This is a global company and if I said the name here most everyone would know the name.

    Luckily he got a different, better job and found out later through contacts that they hired one of his former coworkers for the job (?!). They fired that person a short while later.

    So yeah keep looking even until it’s a written formal offer and even then in this state of the economy I would still keep looking until I started working.

  29. Natalie*

    Every phishing test email I’ve received had a virtually instant reply telling me it was a test and whether or not I handled the suspicious email correctly. I would probably suggest that be added to the testing protocol rather than suggesting they make the suspicious emails less compelling.

    1. Sneaky Ninja for this one*

      Ours, too. As soon as it’s reported, there’s a popup box. However, that doesn’t stop the panic of the Exit Interview subject line.

    2. CTT*

      Yeah, that’s how ours works as well (there’s a “report phishing email” button built into our Outlook) and I think it’s really helpful; if it is a test one sent by our IT, I know right away, and if it’s an actual phishing email, it’s been safely reported and IT will usually send a firm-wide email alerting people to it.

      1. SomebodyElse*

        I hate that phishing button in outlook… I can never find the stupid thing. So more times than not I just do a full delete because I don’t have 20 min to find the button.

  30. juliebulie*

    And I thought my employer’s IT department was bad. They send fake phishing emails all the time, but I don’t think they would ever send something like what OP1 described.

    I guess it’s a common practice now for IT departments to send fake emails to employees. It is a very poor way to build trust. But sending an invite for an exit interview… that’s just super low.

  31. Yet another Alison*

    #3

    We talk SO MUCH about why you should never send a resume with a photo or judge a candidate by appearances*, I do still struggle with the concept of LinkedIn photos. It DOES make a difference and I don’t know how I feel about it, especially when some industries use LinkedIn to hire, rather than a resume screened by HR. Perhaps this candidate is worried that their appearance, for whatever reason, will prevent them from opportunities and they use a (badly) photoshopped version. Who knows. Either way, I’m a bit uncomfortable.

    1. irene adler*

      Some say that you are not a serious job candidate unless you post a LI photo.
      While others say that photos are used to gauge age. Hence, the photoshopping.

      1. Yet another Alison*

        Exactly.

        One thing I’ve been noticing about my peer group (women in their 40s to 50s), is that poorly-done, heavily photoshopped pictures appear at a higher rate than other age/gender groups. It’s typical on Facebook and it’s emerging on LinkedIn too.

        Sure, lots of my women peers do NOT do this, but I can’t help but feel many of them are feeling the pressure of looking “old”, “tired”, or whatever – rather than being judged on their workplace skills and qualifications. I have no idea if #3’s candidate is in this category, but it really speaks to the lengths that some people feel they need to go to in order to be taken seriously, which obviously can backfire if low quality or excessive.

  32. Jill*

    #1, I’m not sure about all phishing-test programs, but the one my old job used didn’t have an option to select what kind of emails got sent it was always just random, but unfortunately that’s kind of the point of this exact test. There’s no reason a scammer wouldn’t send something like an exit interview or even a straight up firing notice, specifically because it stresses you out too much to think about it clearly and you’re more likely to click. She passed the test by calling right away, but the purpose of training is also that the hiring/firing practices should be clear enough that she would’ve known immediately that it’s fake, not just IT email clues.

    1. Allonge*

      This, exactly. If it can seem real to you, then that is at least half the issue with IT security, right there. It’s not suspicious if it could be the real thing.

  33. Phony Genius*

    On #4, if he continues job hunting and finds a job that’s not as good as the one that may come through in October and takes it, then gets an offer in October for the job on hold, how should he handle it? Would quitting the first job so soon hurt him in the long run?

  34. Amanda*

    As someone who works in an IT department that sends out faux phishing emails, please know that usually the IT department is not specifically choosing these emails. It’s pretty much driven by AI and the software tries to send you something that will catch you specifically. Your IT department may not realize the specifics of this particular campaign and you can certainly let them know. Unfortunately security concerns are huge and ransomware can cost a company millions and cripple them until it’s paid or resolved.

  35. Erin*

    I have emailed a helpful/awesome co-worker’s manager a few times in the past. My comments have been very well received on each occasion.

    I have also received positive random feedback about my direct report employees. I have been thrilled to forward the email up above my level, as well as to the employee. I love that someone would take the time and energy to drop a positive note about working with someone on my team. It is always welcome and awesome.

    Also, I definitely advocate for more good news inside (and outside!) of the workplace….especially these days.

    Send the email!! :)

  36. LQ*

    #5 I’m a really big fan of doing the send to boss cc the person. It’s like complimenting someone to someone else in front of them. It’s a nice way to do it, especially in detail. Even if I don’t know someone’s boss I do this. I’ve never had a boss be anything other than glad to hear from me as a random person about the work they are doing.

    1. CM*

      I’m LW#5. This is what I should have done! I already sent the email, and sent it directly to the person CCing the boss.

  37. AllieKatt*

    Regarding #1, this is not a bad practice. Phishing campaigns have been shown to be effective in reducing security breaches related to phishing, which is a top 5 cause of security incidents. It is the JOB of the security team to test for vulnerabilities, and it is very likely that an attacker could use this exact tactic, exploiting the emotional reaction of the recipient. It is the whole POINT of these campaigns to evoke a response in the recipient that might induce them to do something they shouldn’t, thus exposing the systems to attack.

    If any *attacker* can do it, infosec needs to be able to test it to see if it works. I’m sorry it is distressing, but protecting the security of the computer systems is of a higher priority (to IT) than a very temporary negative response from a staff person. I’m actually impressed with this tactic, and may well adopt it myself.

    Verizon does a study of phishing attacks each year, and education has the highest failure rate of phishing emails (5% of recipients fall for the attack). Infosec’s job is to reduce this. I honestly don’t see this approach as a bad attempt. If this would work if done by an attacker (which it very well might), then IT needs to know so they can put in place controls. On this one? I think Alison’s wrong.

    1. Quill*

      If IT is going to continue with that attitude, it had better be the first in line to stand up to bosses and metrics and say “no, it’s totally reasonable that someone lost their whole afternoon to a panic response, we send phishing emails that are supposed to panic people.”

      1. AllieKatt*

        If a person is losing a whole afternoon to a panic response because they got a bogus email, then one has to question that person’s maturity and ability to function in a role. This isn’t rocket science. Pick up the phone. Call HR or your boss, or the helpdesk. Problem solved in 5 minutes.

        1. Quill*

          Maturity? You’re really going to come for anxiety disorders and say that people who have them are immature? The problem is not with resolving the “is it phishing” the problem is with the fact that you just got a week’s worth of adrenaline dumped into your system and even after it’s solved your brain focus is just gone.

          Yes, the response is disproportionate – that’s why it’s a disorder. The human brain learns to fear and does not easily let go of it.

          God I would love to live in your world where people apparently don’t have damn good reasons to run from paper tigers.

        2. JelloStapler*

          Allie, please be aware that it is not rocket science to someone with a disorder. Logic does not always get through the fog of panic. There are plenty of mature, responsible workers out there whose biochemistry would misfire here.

          No fake phishing email should do that.

          1. AllieKatt*

            Jello, I understand the perspective. But firstly, the OP did not mention anything about an “anxiety disorder”. And even if she did? If a person would react to a phishing (or other attack) in a way that would endanger the computer systems (which in fact can endanger others…phishing is the #1 way that ransomware is introduced into corporate environments, and ransomware has, in the past, critically endangered lives by making medical records unavailable, and disabling medical equipment at hospitals), then IT needs to know *that* too.

            If this worked in a phishing exercise, why would you think that it wouldn’t work if an attacker tried it? Do you think an attacker would refrain because it might affect somebody vulnerable? That is the POINT of their attacks.

            I genuinely don’t see anything wrong with the approach taken by IT, and in fact laud them. This is *precisely* what they are paid to do. Identify vulnerabilities, whether they are in people, processes or technologies.

            1. Quill*

              The point being that if we’re going to take this response, IT had better realize that vulnerable members of the company (who are NOT more likely than anyone else to endanger the computer system, but ARE more likely to experience significant disruptions to their work routine and/or suffer medical consequences such as panic attacks) could be penalized due to their reaction to this tactic, even if they do the correct thing and get the email ID’d and handled.

              Essentially, if IT intentionally breaks someone’s adrenaline balance, they’d better show up in support of the people who are having a very bad work day.

              1. EchoGirl*

                Quill, you hit on something I’ve been seeing a lot in this thread — it seems like a ton of people are just assuming that panicking is going to automatically mean doing the dangerous thing. It’s entirely possible for an employee to have a panic reaction that doesn’t involve endangering the company (whether in the sense of intentional handling of the situation or in the sense of, say, being too upset and freaked out to interact with the email any further) and still have major mental health repercussions.

            2. Batgirl*

              I struggled with whether or not to give you this advice… but it’s truly not necessary to put quotes around the names of medical conditions. I hesitated because I’m honestly not policing punctuation! I just thought you should know that it comes across pretty awful; like ‘is this even a real thing?’

              1. AllieKatt*

                Hi Batgirl. The reason it was in quotations was because the *responder* stated it (the OP didn’t say a word about it), and I was responding to a specific thing that was said. Just like any other citation would be, it was put in quotes to make it clear that I was responding to that specific phrase. It had nothing to do with whether I thought it was or was not a real disorder. Nothing whatsoever.

        3. I Wrote This in the Bathroom*

          I do not have a second income or a partner with medical insurance to back me up, and one of my sons is still on my insurance and has had a bunch of medical issues recently… I would absolutely be out of commission for the rest of the day if I received an email invite to my own firing. HR/boss might not be available, helpdesk would not know.

        4. Batgirl*

          I think there are probably better ways to prepare your staff to be calm and ready, than just shrugging and taking the privileged position that nobody would get panicked about losing their jobs. I’m not even talking about disorders. A lot of people are a few paychecks away from homelessness.

    2. GothicBee*

      I feel like people are missing the point that there’s a huge gap between suggesting that an employee is losing their job and sending a super obvious phishing email that almost no one would fall for. I think Alison is correct that IT shouldn’t be suggesting an employee is being fired. IT can still send other phishing emails. It’s not like there’s a dearth of options for phishing emails that will make people panic and respond.

      1. Roscoe*

        Exactly. I understand the sympathy. But the reality is phishing attacks would absolutely use something like that to get access to data. So if she falls for it, she needs to figure out how to handle this.

        1. AllieKatt*

          Precisely. The whole POINT of these exercises is to determine where the weaknesses are. If she is particularly susceptible to this attack, then she (and her manager and IT) needs to know so that she won’t be exploited in a real attack; perhaps with extra training or additional controls.

          Because if she was attacked this way (especially after having been trained on phishing) and she fell for it, and there was a breach or a ransomware attack that disabled the company? She might well be having an exit interview *for real*.

      2. I Wrote This in the Bathroom*

        This x100. We receive phishing-test emails at my work too, some are pretty crafty and realistic to the point where it takes a while to recognize that it is a phishing test. My workplace somehow manages to conduct these tests without terrifying and traumatizing people, though!

    3. The Man, Becky Lynch*

      Literally all they need to do is not use an EXIT interview as bait. They can do this same thing with a disciplinary action meeting.

      It’s less “Your grandma just died!” and more “your grandma is in the hospital.” Both shake a person and bring on that panic feeling you’re trying to create to get them to take the bait.

      I do understand your POV as well, I think it has to be some kind of emotional response involved but temper it down a tiny notch.

  38. Jennifer*

    Re: photoshop

    Give the lady a break. Women get so many mixed messages about appearance when it relates to job searching we sometimes don’t know which way is up. I just said the heck with it and took my picture down altogether. Magazines with huge budgets botch airbrushing jobs sometimes so it stands to reason a layperson would do it. If she looks like a cartoon character, then yes, it may say something about her judgment. If it just looks like a fake overly airbrushed magazine ad, I’d leave it alone.

    1. Lucette Kensack*

      Yep, women can’t win. Look our age? We’re too young or too old. Use filters to hide our age? We’re too edited. Wear make up? Trashy. No makeup? Old, tired, “given up.” We’re all forced to try to thread the world’s tiniest needle — we should effortlessly look like 28-year-old Boden models.

      1. I Wrote This in the Bathroom*

        I loved it how in my field of work, I seemingly went straight from “too young to be good at anything” to “dinosaur”. At least guys get a decade or two in between. We don’t.

  39. JelloStapler*

    My job does the fake phishing too. They once sent out one about food trucks on campus and I am pretty sure about 90% of the very excited Faculty and Staff clicked on it. LOL!

    That said, how irresponsible of them to do anything that makes someone worry about their job even for a moment.

  40. MissDisplaced*

    1. Phishing test
    Oh! this is a terrible test! What on Earth were they thinking?
    I’m not sure I even agree with your company’s idea about sending fake phishing tests to employees, as this seems more like a shaming over training response. How about just TRAINING all them period? I have to complete this type of training 2x per year, and it takes only about 15-20 minutes to watch the videos. But to make employees feel they were fired? Right now? just OMG!

    3. Job candidate filter happy photo
    Hm… I wouldn’t immediately put a candidate out of the running over over-use of filters. It’s a lewk! And some people also do it as kind of a joke, even on LinkedIn. But if you’re hiring for a social media or designer type role, I might question them as to why, as well as looking at their other work.

    4. How likely it is that this job will come through?
    Always expect that it won’t. Seriously. When it comes to job searching, it’s best to take a mindset things won’t work out, and the job offer won’t happen. Don’t stop searching and wait. Sometimes you’re pleasantly surprised when it does happen, but you never wait around on companies.

    5. CCing a manager to compliment their employee
    Please, please pass on the good feedback (if it is warranted). So many people in companies don’t do nearly enough of this, and often their manager doesn’t even know how an employee is helping people in other areas. I know maybe it seems weird if the coworker asked you to, but how else are we employees supposed to toot our own horn? Sometimes you need to prompt it a little.

    1. londonedit*

      I agree that a phishing test email that makes people think they’re being fired is awful, but I think the problem with just doing training is that people are convinced that they’d never fall victim to a scam or a phishing attempt. So they do the training, but they’re thinking ‘OK, well, this is all fair enough but obviously I’m not stupid enough to fall for these things’. So they don’t internalise the message as well as they should, and then when a real phishing email does the rounds, they fall for it. With things like this, it’s much better to show people how easy it is to fall for a fake email – *then* they realise it can indeed happen to anyone, and they realise that they do need to be vigilant.

      1. Environmental Compliance*

        Why not combine the two?

        Do the training. Specifically mention that there are now widespread phishing scams that make you think you’re getting fired, or under a PIP, etc. Remind staff of the actual HR policies, and remind them that the company will not deviate from those policies. Specifically mention that phishing scams intend to scare you into clicking on things. Show examples.

        Then send out the Scary Email.

        You should not just send out the email intended to cause panic without giving a toolkit of how to handle it. Causing panic is not a training tool.

        1. AnonInTheCity*

          +1
          At my last company we had mandatory, very comprehensive training about different types of phishing attacks, and then we were explicitly told that we would be getting phishing emails from IT and given instructions on how to report them. If someone is not tech-savvy and doesn’t know that fake emails are even a thing, they can’t possibly be on alert for them.

      2. Wintermute*

        Also, many industries require testing to ensure compliance. Doing phishing checks may not be their choice; it may be mandatory. It certainly is best practice according to many frameworks and the payment card industry.

  41. Shramps*

    3. Most of the great professionals I know don’t have a LinkedIn. Most of the people my age- mid millennials- made one when they graduated 8-10 years ago and haven’t changed the photo from whatever wedding-guest-attire kinda-nice pic they uploaded then. I’m locked out of the account I made when I was 21.

    I wouldn’t think twice about it. If you do an in person or video call you’ll get your answers.

  42. mdv*

    Letter #1 reminds me of a time (last year? year before?) when our university IT department was doing a similar thing, sending out fake phishing attacks to see who fell for them, then sending all who did fall for it to remedial training… Eventually, they started emailing people’s managers when they fell for it.

    THEN ONE DAY … the phone starts ringing OFF THE HOOK in my office with hundreds of people CALLING us … because someone thought maybe it was a good idea to make the fake phishing email look like it had come from my department, and it was a fake notice of a parking ticket that was overdue. As soon as we figured out what had happened (as we got our own parking notices that were totally fake), our director got to someone very high up in IT and we had immediate permission to TELL all the callers it was a fake phishing attempt, AND the IT people had to send out a university-wide retraction/apology for that idea.

    They definitely did NOT think this one through.

  43. RussianInTexas*

    LW#1
    My partner works with cyber security. (I am not IT or any tech anywhere). The protocol for their company is:
    1. A lot of training, including fake e-mails.
    2. You are limited to three clicks on bad links. The first two get you training, the 3rd will have a high chance of getting you fired. Regardless if it was a real or fake phishing.
    They are really strict about this. They don’t allow you to leave your work laptop in your car (even in the trunk) without you being in the car. You are not allowed to leave your work laptop without physically locking it to something in your own house if you are not there. You are not allowed to leave your laptop unlocked (screen) inside your own house when you are not there.
    If your work laptop is stolen due to your negligence it’s potentially a fireable offence. They work with a lot of very valuable data.

    1. Mannheim Steamroller*

      The issue in Letter #1 wasn’t cyber security, or even phishing tests in general. (All of us agree that cyber security and phishing tests are GOOD things.)

      The problem was that this specific phishing test (a fake calendar invite for an exit interview) actually scared somebody into thinking that she had already been fired. Someone with heart issues could actually suffer cardiac arrest and DIE from the shock of being (falsely) told they were fired. It’s NOT amusing and NOT appropriate as a phishing test.

      1. Colette*

        She wasn’t told she was fired; she was invited to a (fake) exit meeting. It could have been an error, or she could have been asked to hold the meeting with someone who was leaving. She jumped to the conclusion that she was being fired.

        But if someone is so medically fragile that they will die from reading an email, a lot of emails could give them cardiac arrest. Problem with your bank account, unexpected charge to your credit card, etc. are all typical phishing subjects.

        1. Mannheim Steamroller*

          From Letter 1: “Obviously, my coworker panicked, thinking she’d lost her job….”

          Would anyone really be invited on the fly to attend somebody else’s exit interview? I think not.

          It was fully reasonable for the coworker to interpret “a calendar invite for an exit interview” as meaning that she herself had been fired, because that is what “exit interview” clearly implies.

            1. Colette*

              And I’ve definitely received invitations to meetings before the person who wanted me to go walked over and said “I need you to go to this meeting for me.”

          1. Jill*

            No one is saying it was unreasonable for her to panic, it’s a stretch to immediately go to “I’m obviously fired” and to not think of any other possibility. Whoever was sending the email could’ve also made a human error, like autofilling an address or a spelling mistake. She also responded appropriately, immediately calling her manager to figure it out, it doesn’t even seem like she clicked on the invite which is great and ALWAYS the better option if you’re suspicious, but without seeing the email there could’ve been other clues in it to know it was fake. I’m honestly more upset with her manager that communication has gotten so poor at the organization that this could potentially be the way she’d hear about her own firing.

      2. RussianInTexas*

        Yes, but phishing tests need to be scary and feel real. If it’s something like “your eBay account will close in 24 hours”, no one will click on it.

      3. EventPlannerGal*

        Look, I understand and agree with the viewpoint that this was an insensitive and poorly-timed choice, especially as it doesn’t seem to be accompanied by a larger program of cybersecurity training. But I think it is really excessive to start arguing on the basis of “you can’t send anyone worrying emails because WHAT IF THEY LITERALLY JUST DIE”. That is not a good faith position.

        1. Anonymous at a University*

          Yeah, between that and the “you could have made her essentially drive drunk” argument upthread, I don’t feel like the people who are arguing back against the phishing e-mail are actually making a good case for themselves.

      4. Wintermute*

        That’s utterly ridiculous and hyperbolic.

        People are placed under stress as part of business, that’s just how the world works. You need to be able to handle a certain degree of stress, and if you can’t that’s not really on the company. That’s exactly what real attackers do so you need to train people to recognize it. Yes it’s uncomfortable. Losing your job because you clicked a link and now the place is going out of business because they can’t afford the government fines and business losses is stressful too and that’s the potential risk of not testing.

        1. Batgirl*

          “you need to train people to recognize it.”
          Yes! But you can’t train someone in self defence by jumping out of a bush.

  44. Monty*

    LW #3: Is there some aspect of this that you might not be considering? I don’t think your letter mentions if this candidate is a person of colour, disabled, fat, or otherwise someone whose appearance might be used against them. I know using extreme amounts of photoshop seems like it’d only backfire, but for some people, especially in bro-y/male-dominated/overwhelmingly white industries, it might be necessary to get their foot in the door.

    Anecdotally, I have a fat relative who works in finance and anytime she has been on the job market, she’s had headshots taken in professional hair and make-up with heavy editing after the fact. She has also used professional hair and makeup services before job interviews because she knows that, as a fat woman, people will assume she’s unkempt, lazy, slovenly, etc. if she’s less than a total glamazon. It’s bizarre because these photos look nothing like her (she looks lovely all on her own) but if she can bamboozle a hiring manager into inviting her to an interview on the assumption that she’s thinner than she really is, then she can prove herself as an asset no matter her actual size.

  45. The Man, Becky Lynch*

    Don’t look at pictures of candidates before you’ve started interviewing. This is why we don’t put pictures on our resumes in the US as well, it’s bad practice and leads to us being biased without meaning to. It doesn’t matter what she looks like or what she did to her photos to make her feel better about posting publicly unless you’re hiring for some kind of modeling gig.

    1. I Wrote This in the Bathroom*

      Oooh this is a good point. You don’t want to be subconsciously biased before you’ve even started interviewing. In light of that, would you recommend that people remove photos from their LinkedIn profiles? It took me some time and dozens of tries this year to come up with one where I don’t look exactly my (probably super-unemployable in my field) age, to replace an old profile pic that was ten years old. Would frankly be a relief if I didn’t have to do any of that stuff, but everyone I know has their photos on theirs and I worry about standing out if I don’t.

      1. The Man, Becky Lynch*

        I wouldn’t recommend anyone remove their LinkedIn photos, I recommend the hiring manager stop digging early. You shouldn’t be doing a social media search until after you’ve had the first interview, then you can dig around and see what you find if you’re looking for extra information. That way you have seen the person and gotten their scope first is the main deal.

        It’s not on the candidate to watch out for the biases of the interviewer, it’s on the hiring manager not to allow subconscious bias in. It’s an HR thing, that puts the company at risk.

        Some people are “harder” at judging those who are of a protected class. You see it directed mainly at women and BIPOC. Since society puts different pressures on them to be “mainstream”. Do we see a lot of CIS white guys using filters, smoothing their perceived blemishes and whitening their teeth and sometimes skin!? I’m sure they exist, there’s always someone but it’s very rare.

        I wouldn’t recommend it to a job searcher because honestly, you’re in a lesser power position. This is a way to try to sell yourself and you should use it to the best of its advantage. But again, it’s something to keep in mind that you’re damned if you do and damned if you don’t :(

        1. Agent Diane*

          +1.

          The thing about unconscious bias is it’s unconscious: who knows what other biases you’ve unknowingly introduced to your second eye review by doing a LI search that wasn’t asked for? I’m not saying you did, just you have no way of knowing what else you’ve unconsciously attached to people as a result. Do an LI check as part of the second sift, never the first.

  46. Berkeleyfarm*

    For #1 … I am one of the people who composes those phish test campaigns and my jaw is on the floor with horror. OMG NO. Do something else.

    Phish test campaigns, properly run, are indeed effective at training a lot of people how to recognize a fake (or at least recognize there are fakes).

  47. Death Before Dishonor*

    I hate that LinkedIn gives the option to post pictures at all, and they encourage it every time you log in. It can be used to discriminate against people of color, people who are over thirty, people who are fat, or people who don’t photograph well.

    That said, as long as someone isn’t using an obvious Glamour Shot, I don’t blame them for using Photoshop.

    1. The Man, Becky Lynch*

      It’s what kept me off that site for as long as I could fight it. But when I moved to a more populated area that depends more highly on it, I had to give in. Bleh! I was hoping it’d die out like other attempts *more stink face*

  48. Clara B.*

    Hi everyone, LW#4 here. I appreciate all of your comments and thoughts–I won’t be able to respond to all of them, but have read as many as I can. Several commenters have pointed out that judging a candidate on their appearance is unfair, and I agree with you. As I mentioned in a different response, I’ve been in some workplaces that were extremely strict about appearance, especially for women employees and I felt a lot of pressure to conform. I think I need to do some more examining of whether these attitudes are sticking closer with me than I had thought, I absolutely don’t want to perpetuate the same pressures I experienced to other women, including candidates we are interviewing. Thank you all.

    1. Lizzo*

      But in this case, are you judging someone on appearance? Or judging them for poor choices about how to represent themselves in a professional setting? There’s a difference that’s worth noting.

      1. Clara B.*

        I think for me it was more about the latter, since this was her profile picture on LinkedIn. It did make me wonder about the judgment to use that specific photo for what is essentially a profile about your professional history. I do agree that judging on appearance and judging the choice to use the photo are not exactly the same, but I don’t think the two are completely unrelated.

        1. Lizzo*

          No, not completely unrelated, but I do think it’s reasonable to have some concerns about professional judgment based solely on the photo choice. That said, another commenter did point out that she may not have anyone in her life who can advise on professional norms, so…it’s one data point without a lot of context. I think you’re right to not say anything, but do tuck the data point away in case it becomes relevant later.

  49. Elizabeth West*

    I’m confused about the answer to #2. If I leave my graduation date off, I feel like it makes me seem older. The work dates start in 2004 or 2005 (depending on which jobs are relevant) and I graduated in 2005. If I leave it on, it looks like I started working while I was in school, which a younger person would do. Leaving it off feels like, oh, did this person graduate in 1960 and is trying to hide it?

    I’m having a hard enough time with unemployment discrimination; I don’t need to add ageism on top of that. :(

    1. Colette*

      In your case, it might make sense to keep it on. I graduated in 1995; my job history on my resume starts much later than that because I’ve removed some of the older jobs. So for me it makes sense to keep the graduation year off.

    2. I Wrote This in the Bathroom*

      I graduated in 1989 (yikes). That date stays off. I have been leaving my older jobs off, too. My work history on my resume begins in 2000, for a job I left in 2006. Frankly, any job I had before that is no longer relevant to the skillset I have now.

  50. Jaded Like A Fox*

    For #1…I work for a company that quite literally just laid people off this way. Sending emails like this isn’t effective–many people, including myself, would weigh the potential risks and choose to find out whether they had just been fired over any security concerns.

    Not to mention, emails from HR are always marked “external sender” because they work for our parent company, and often come from HR employees whose names I’ve never heard. It’s not a great system.

  51. The Spinning Arrow*

    I have a follow up question on OP5, relating to the “you want this to be genuine” advice – there was a week that celebrated work our org is involved in a while back, and our leaders decided all of our employees should choose 3 people outside our org we work with and send them thank you emails with their CEOs CC’d. I thought this was a terrible idea, would overwhelm folks trying to get work done, and would be seen as not genuine since we all had to send them (I did not voice any of these concerns, just picked people I thought I could compliment genuinely and wrote earnest thank yous to them). Everyone else at my company loved it, raved about it for a week afterward, and our CEO told us he received feedback from the other CEOs that their staff loved it as well. I recognize that giving thanks is a great thing, but I just felt off having it be planned/required like that.

    Any thoughts on whether I was being a grumpy curmudgeon with my first impression of this plan, or am in an org that’s a bit off the norm?

  52. Letthemknow*

    Please send the manager a good review if the person is doing well! I usually just shoot IMs to people’s managers when they’re doing a good job. It’s so easy to complain, if they deserve the praise, take a few minutes to let their manager know.

  53. Ladycrim*

    People really aren’t thinking through their email subjects. I got one the other day that said something like “Confirming your interview tomorrow at 11:00”, but it was a political survey/fundraising plea. I actually wrote them and told them off for writing such a subject line when so many people are out of work and desperately trying to get interviews.

  54. RagingADHD*

    I’m appalled (can’t say I’m completely surprised, but appalled) that anyone would automatically assume a random calendar invite for an “exit interview” was a real notification they were being fired.

    Unless you’re expecting to be fired/laid off, wouldn’t your first response be “What on earth? This makes no sense.”

    Does nobody check or follow up on anything out of the ordinary? Or does everyone assume their coworkers are infallible?

    Maybe I’m overly cynical, but I always assume a nonsensical message is an error, because errors are just so much more common than bizarre behavior (which an invite like that would be).

    I got a routine notification from payroll yesterday about my direct deposit, and the amount was about 1/10th what it should be.

    I didn’t think the company was stiffing me, or that they’d retroactively reduced my pay – because that’s nonsensical. I certainly didn’t call my spouse and tell them we were broke.

    I contacted payroll and asked them why. And there was a perfectly logical reason. Two minutes, solved.

    I suppose if nobody spiraled over random emails, the “Nigerian prince” or “Iraqi bullion” scammers would go out of business.

    As would Snopes.

    1. Bowserkitty*

      I’m appalled (can’t say I’m completely surprised, but appalled) that anyone would automatically assume a random calendar invite for an “exit interview” was a real notification they were being fired.

      There are a lot of toxic companies out there. My own lay-off years ago was 100% out of the blue (as were the 79 other people included in it). But yeah, that was a lay-off and not a firing.

    2. The Man, Becky Lynch*

      I have made payroll errors [precious few, thankfully!] over many years and everyone always acts like I’ve just stiffed them or did it on purpose, so you’re actually very much the outlier! Despite the fact these people know me personally too, I’m not some faceless payroll processing person in another world that nobody sees on a daily basis. And yeah, they are all riled up and ready for a fight!

      The thing is everyone has a different emotional response and logic about them when something bad and possibly world shaking happens to them.

  55. Chaordic One*

    We’ve often read (sometimes on this site) that exit interviews are usually a waste of time and there have been members of the commentariat here who have ghosted them. It’s not incomprehensible that someone getting a phishing email like the one described might simply box up their personal possessions and walk out the door leaving her co-workers and supervisor to wonder, “What happened?”
