
What gets me is companies sending out legit emails that look like phishing attacks. I got one from one of the big banks, asking me to click on a link to get some benefit. I assumed it was a phish, but after a close look at the headers, it really was from the bank's usual server.

I sent a note to the security incident report address for the bank, telling them they're training their users to click on phishing emails. They sent back some noncommittal answer.
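The header check the commenter describes, as an added example that is not from this thread: it parses a constructed message, checks that the SPF and DKIM results in Authentication-Results pass and align with the From domain (the DMARC notion of alignment), and flags links whose domain differs from the sender's. The sample message, the domains and the crude organizational-domain reduction are assumptions made for the demo.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample, not a real message: it authenticates cleanly, but one
# link points at a third-party tracking host, which is exactly what makes a
# legitimate mailing look like a phish to a careful reader.
SAMPLE = """From: Example Bank <notices@examplebank.test>
Return-Path: <bounce@examplebank.test>
To: customer@example.net
Subject: Claim your benefit
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplebank.test; dkim=pass header.d=examplebank.test
Content-Type: text/plain

Click https://benefits.examplebank.test/claim or https://trk.mailvendor.test/r/abc
"""


def org_domain(host):
    """Crude organizational-domain reduction (last two labels); assumption for the demo."""
    return ".".join(host.lower().split(".")[-2:])


def assess(raw):
    """Return alignment results and off-domain links for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = org_domain(msg["From"].addresses[0].domain)
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", auth)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", auth)
    # DMARC-style alignment: the authenticated domain must belong to the same
    # organization as the visible From domain, not merely pass on its own.
    spf_aligned = bool(spf and spf.group(1) == "pass" and org_domain(spf.group(2)) == from_dom)
    dkim_aligned = bool(dkim and dkim.group(1) == "pass" and org_domain(dkim.group(2)) == from_dom)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = re.findall(r"https?://[^\s<>\"']+", body)
    # Links whose host is outside the sender's organization are the "looks like
    # phishing" signal, even when the message itself is authenticated.
    offdomain = [u for u in links if org_domain(urlparse(u).hostname or "") != from_dom]
    return {
        "from_domain": from_dom,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "offdomain_links": offdomain,
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```

The verdict for the sample is "authenticated, but links leave the sender's domain", which is the legitimate-yet-suspicious case the comment complains about.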




It happens all the time at my workplace. I work at a big company and I get emails from random people in the company to go submit info to random places on the Internet, usually related to employee benefits or surveys. I always report them as suspicious and move on with my work.

Once in a while you'll see a follow-up email from the sender saying that they are aware of many people reporting the email as a phishing attempt, that reporting the email was wrong, that the link to that particular website is a company-approved tool, and that employees are required to complete the survey at the link for some department or center's benefit.

This wouldn't be a problem if we had internal websites with standard tools like a survey builder and such, but getting our IT contractor in my org to do the basic functions of their jobs takes a herculean effort; getting them to support a basic internal tool would be a multi-year campaign. I can appreciate how much easier (and cheaper) it can be to use external tools and train users to disobey IT and security recommendations about phishing.

The problem with bureaucracies and hackers is that both will take the path of least resistance, and the hard problem of IT security in large orgs is how to separate the two into distinct categories.


> Once in a while you'll see a follow-up email from the sender saying that they are aware of many people reporting the email as a phishing attempt, that reporting the email was wrong, that the link to that particular website is a company-approved tool, and that employees are required to complete the survey at the link for some department or center's benefit.

That's exactly what a spearphisher would say. Still not clicking a link. Of course, I would rarely read the company email anyway.


Marketing teams at companies are always a risk vector for security IMO and their practices should be looked at by infosec people. Not just concerned citizens (but thank you for spending your time trying to help).

I've seen some wonky stuff being put out by them and they are oblivious, as their work often crosses the line into actual web-dev stuff that has security implications, i.e., landing pages and emails. And not 2FAing the countless marketing tools they use, nor letting the more experienced devs know what they are up to.


Banks, and health providers too. I love when my health insurer, say Mega Health Care for a fictitious example, decides to have a marketing page at megahealthcare.com, a patient portal at mymhc.com and a special page for covid stuff at mhccovidresponse.com. All of these have independent certs, so it's entirely possible it's a phishing site. But it's legit, and these companies are just encouraging bad behavior. This crap is why phishing happens.


The only way to get them to make a reasonable response to these things is to make a redacted screenshot and shame them publicly on social media. Otherwise, your email is just an annoyance for someone who (perhaps proudly?) thinks "these customers think they are experts when we have a whole team dealing with security".


My previous employer's internal PR team sent out emails that were just short clickbait text in images with a single link that went through the same tracking URLs as external emails. You had to click through to get useful information, much to the annoyance of the security team.



