You're assuming, incorrectly, that phishing attacks can't come from the inside.



If a hacker hacked the CEO's email address, and then used that address to email their secretary asking for information, and the secretary responded... that is not a security failure on the secretary's part. That's the CEO's security issue, and the company's security issue. Therefore, it's a useless pen test, unless the purpose is to tell employees no emails from anyone can be trusted.

A phishing email can come from the inside. But seeing whether employees will respond to a valid internal email is not a test of employee security. And in this case, it was as heartless as it was useless.


Turns out the email wasn’t sent from the internal domain, but from gocladdy.com. There was some poor kerning in the screenshots.
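As an added example (not part of the thread or any poster's code): a defender-side check that flags sender domains which merely look like a trusted domain, the way gocladdy.com reads as godaddy.com in a poorly kerned screenshot. The trusted-domain list and sample addresses are constructed for the demo.

```python
# Added example: flag lookalike sender domains before a human has to
# squint at them. Trusted domains and sample addresses are constructed.

TRUSTED_DOMAINS = ("godaddy.com", "example-corp.com")  # constructed

# Character sequences that render nearly identically in many fonts.
# Collapsing them makes "gocladdy" and "godaddy" compare as equal.
# Single-character swaps run first so "c1addy" becomes "claddy" then "daddy".
CONFUSABLES = [("0", "o"), ("1", "l"), ("cl", "d"), ("rn", "m"), ("vv", "w")]


def normalize(domain: str) -> str:
    """Lowercase and collapse visually confusable sequences."""
    domain = domain.lower()
    for seq, canonical in CONFUSABLES:
        domain = domain.replace(seq, canonical)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one-character typos like godady.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike of <domain>', or 'external'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 1:
            return f"lookalike of {trusted}"
    return "external"


if __name__ == "__main__":
    for addr in ("ceo@godaddy.com", "ceo@gocladdy.com", "ceo@godady.com", "x@gmail.com"):
        print(f"{addr:22} -> {classify_sender(addr)}")
```

Only senders classified as "lookalike" need a warning banner; genuinely external mail and genuinely internal mail fall through unchanged.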