China

China's 'Salt Typhoon' Hackers Continue to Breach Telecoms Despite US Sanctions (techcrunch.com) 42

"Security researchers say the Chinese government-linked hacking group, Salt Typhoon, is continuing to compromise telecommunications providers," reports TechCrunch, "despite the recent sanctions imposed by the U.S. government on the group."

TechRadar reports that the Chinese state-sponsored threat actor is "hitting not just American organizations, but also those from the UK, South Africa, and elsewhere around the world." The latest intrusions were spotted by cybersecurity researchers from Recorded Future, which said the group is targeting internet-exposed web interfaces of Cisco's IOS software that powers different routers and switches. These devices have known vulnerabilities that the threat actors are actively exploiting to gain initial access, root privileges, and more. More than 12,000 Cisco devices were found connected to the wider internet, and exposed to risk, Recorded Future further explained. However, Salt Typhoon is focusing on a "smaller subset" of telecoms and university networks.
"The hackers attempted to exploit vulnerabilities in at least 1,000 Cisco devices," reports NextGov, "allowing them to access higher-level privileges of the hardware and change their configuration settings to allow for persistent access to the networks they're connected on... Over half of the Cisco appliances targeted by Salt Typhoon were located in the U.S., South America and India, with the rest spread across more than 100 countries." Between December and January, the unit, widely known as Salt Typhoon, "possibly targeted" — based on devices that were accessed — offices in the University of California, Los Angeles, California State University, Loyola Marymount University and Utah Tech University, according to a report from cyber threat intelligence firm Recorded Future... The Cisco devices were mainly associated with telecommunications firms, but 13 of them were linked to the universities in the U.S. and some in other nations... "Often involved in cutting-edge research, universities are prime targets for Chinese state-sponsored threat activity groups to acquire valuable research data and intellectual property," said the report, led by the company's Insikt Group, which oversees its threat research.

The cyberspies also compromised Cisco platforms at a U.S.-based affiliate of a prominent United Kingdom telecom operator and a South African provider, both unnamed, the findings added. The hackers also "carried out a reconnaissance of multiple IP addresses" owned by Mytel, a telecom operator based in Myanmar...

"In 2023, Cisco published a security advisory disclosing multiple vulnerabilities in the web UI feature in Cisco IOS XE software," a Cisco spokesperson said in a statement. "We continue to strongly urge customers to follow recommendations outlined in the advisory and upgrade to the available fixed software release."

United States

America's Office-Occupancy Rates Drop by Double Digits - and More in San Francisco (sfgate.com) 99

SFGate shares the latest data on America's office-occupancy rates: According to Placer.ai's January 2025 Office Index, office visits nationwide were 40.2% lower in January 2025 compared with pre-pandemic numbers from January 2019.

But San Francisco is dragging down the average, with a staggering 51.8% decline in office visits since January 2019 — the weakest recovery of any major metro. Kastle's 10-City Daily Analysis paints an equally grim picture. From Jan. 23, 2025, to Jan. 28, 2025, even on its busiest day (Tuesday), San Francisco's office occupancy rate was just 53.7%, significantly lower than Houston's (74.8%) and Chicago's (70.4%). And on Friday, Jan. 24, office attendance in [San Francisco] was at a meager 28.5%, the worst of any major metro tracked...

Meanwhile, other cities are seeing much stronger rebounds. New York City is leading the return-to-office trend, with visits in January down just 19% from 2019 levels, while Miami saw a 23.5% decline, per Placer.ai data.

"Placer.ai uses cellphone location data to estimate foot traffic, while Kastle Systems measures badge swipes at office buildings with its security systems..."
Bug

Final Fantasy iOS Game Shuts Down Over Unfixable Bug (theverge.com) 37

The Verge's Jay Peters reports: Square Enix has shut down the iOS version of Final Fantasy Crystal Chronicles and removed it from the App Store following an unfixable bug that blocked people from accessing content they had paid for. [...] The company says that if you made in-app purchases in January 2024 or later, you're eligible to request a refund by contacting Apple Support. Square Enix says that Final Fantasy Crystal Chronicles will continue to be supported on other platforms. The game is also available on Android, PlayStation, and Nintendo Switch. "The issue is due to changes made to the in-app purchases model," Square Enix says in a post. "Further investigation revealed that we are unable to completely fix the bug and implement the new changes, making it unlikely to resume service for the game." Square Enix says it started receiving reports on January 24th about the issue, which "extends to the full paid version of the game."
United States

UK Demand For a Back Door To Apple Data Threatens Americans, Lawmakers Say (msn.com) 94

Members of key congressional oversight committees wrote to the United States' new top intelligence official Thursday to warn that a British order demanding government access to Apple users' encrypted data imperils Americans. From a report: Ron Wyden, a Democrat on the Senate Intelligence Committee, and Andy Biggs, a Republican on the House Judiciary committee, wrote to just-sworn-in National Intelligence Director Tulsi Gabbard and asked her to demand the United Kingdom retract its order.

If the top U.S. ally does not back off, they said, Gabbard should consider limiting the deep intelligence sharing and cooperation on cybersecurity between the countries. The Post first reported the existence of the confidential British order last week. It directs Apple to create a back door into its Advanced Data Protection offering, which allows users to fully encrypt data from iPhones and Mac computers when putting it in Apple's iCloud storage. Apple cannot retrieve such content even when served with a court order, frustrating authorities looking for evidence of terrorism, child abuse and other serious crimes.

The order was issued under the Investigatory Powers Act, which allows the British Home Office to require technical cooperation from companies and forbids those companies from disclosing anything about the demands. It would apply globally, though the U.K. authorities would have to ask Apple for information stored by specific customers.

Australia

After Copilot Trial, Government Staff Rated Microsoft's AI Less Useful Than Expected (theregister.com) 31

An anonymous reader shares a report: Australia's Department of the Treasury has found that Microsoft's Copilot can easily deliver return on investment, but staff exposed to the AI assistant came away from the experience less confident it will help them at work.

The Department conducted a 14-week trial of Microsoft 365 Copilot during 2024 and asked for volunteers to participate. 218 put up their hands and then submitted to surveys about their experiences using Microsoft's AI helpers. Those surveys are the basis of an evaluation report published on Tuesday. The report reveals that after the trial participants rated Copilot less useful than they hoped it would be, as it was applicable to fewer workloads than they hoped would be the case.

Workers' views on Copilot's ability to improve their work also fell. Usage of Copilot was lower than expected, with most participants using it two or three times a week, or less. Treasury thinks it probably set unrealistically high expectations before the trial, and noted that participants often suggested extra training would be valuable.

The Almighty Buck

Woeful Security On Financial Phone Apps Is Getting People Murdered 161

Longtime Slashdot reader theodp writes: Monday brought chilling news reports of the all-count trial convictions of three individuals for a conspiracy to rob and drug people outside of LGBTQ+ nightclubs in Manhattan's Hell's Kitchen neighborhood, which led to the deaths of two of their victims. The defendants were found guilty on all 24 counts, which included murder, robbery, burglary, and conspiracy. "As proven at trial," explained the Manhattan District Attorney's Office in a press release, "the defendants lurked outside of nightclubs to exploit intoxicated individuals. They would give them drugs, laced with fentanyl, to incapacitate their victims so they could take the victims' phones and drain their online financial accounts [including unauthorized charges and transfers using Cash App, Apple Cash, Apple Pay]." District Attorney Alvin L. Bragg, Jr. added, "My Office will continue to take every measure possible to protect New Yorkers from this type of criminal conduct. That includes ensuring accountability for those who commit this harm, while also working with financial companies to enhance security measures on their phone apps."

In 2024, D.A. Bragg called on financial companies to better protect consumers from fraud, including: adding a second and separate password for accessing the app on a smartphone as a default security option; imposing lower default limits on the monetary amount of total daily transfers; requiring wait times of up to a day and secondary verification for large monetary transactions; better monitoring of accounts for unusual transfer activities; and asking for confirmation when suspicious transactions occur. "No longer is the smartphone itself the most lucrative target for scammers and robbers -- it's the financial apps contained within," said Bragg as he released letters (PDF) sent to the companies that own Venmo, Zelle, and Cash App. "Thousands or even tens of thousands can be drained from financial accounts in a matter of seconds with just a few taps. Without additional protections, customers' financial and physical safety is being put at risk. I hope these companies accept our request to discuss commonsense solutions to deter scammers and protect New Yorkers' hard-earned money."

"Our cellphones aren't safe," warned the EFF's Cooper Quintin in a 2018 New York Times op-ed. "So why aren't we fixing them?" Any thoughts on what can and should be done with software, hardware, and procedures to stop "bank jackings"?
Google

Google Fixes Flaw That Could Unmask YouTube Users' Email Addresses 5

An anonymous reader shares a report: Google has fixed two vulnerabilities that, when chained together, could expose the email addresses of YouTube accounts, causing a massive privacy breach for those using the site anonymously.

The flaws were discovered by security researchers Brutecat (brutecat.com) and Nathan (schizo.org), who found that YouTube and Pixel Recorder APIs could be used to obtain users' Google Gaia IDs and convert them into their email addresses. The ability to convert a YouTube channel into an owner's email address is a significant privacy risk to content creators, whistleblowers, and activists relying on being anonymous online.
Security

New Hack Uses Prompt Injection To Corrupt Gemini's Long-Term Memory 23

An anonymous reader quotes a report from Ars Technica: On Monday, researcher Johann Rehberger demonstrated a new way to override prompt injection defenses Google developers have built into Gemini -- specifically, defenses that restrict the invocation of Google Workspace or other sensitive tools when processing untrusted data, such as incoming emails or shared documents. The result of Rehberger's attack is the permanent planting of long-term memories that will be present in all future sessions, opening the potential for the chatbot to act on false information or instructions in perpetuity. [...] The hack Rehberger presented on Monday combines some of these same elements to plant false memories in Gemini Advanced, a premium version of the Google chatbot available through a paid subscription. The researcher described the flow of the new attack as:

1. A user uploads and asks Gemini to summarize a document (this document could come from anywhere and has to be considered untrusted).
2. The document contains hidden instructions that manipulate the summarization process.
3. The summary that Gemini creates includes a covert request to save specific user data if the user responds with certain trigger words (e.g., "yes," "sure," or "no").
4. If the user replies with the trigger word, Gemini is tricked, and it saves the attacker's chosen information to long-term memory.

As the following video shows, Gemini took the bait and now permanently "remembers" the user being a 102-year-old flat earther who believes they inhabit the dystopic simulated world portrayed in The Matrix. Based on lessons learned previously, developers had already trained Gemini to resist indirect prompts instructing it to make changes to an account's long-term memories without explicit directions from the user. By introducing a condition to the instruction that it be performed only after the user says or does some variable X, which they were likely to take anyway, Rehberger easily cleared that safety barrier.
Google responded in a statement to Ars: "In this instance, the probability was low because it relied on phishing or otherwise tricking the user into summarizing a malicious document and then invoking the material injected by the attacker. The impact was low because the Gemini memory functionality has limited impact on a user session. As this was not a scalable, specific vector of abuse, we ended up at Low/Low. As always, we appreciate the researcher reaching out to us and reporting this issue."

Rehberger noted that Gemini notifies users of new long-term memory entries, allowing them to detect and remove unauthorized additions. Though, he still questioned Google's assessment, writing: "Memory corruption in computers is pretty bad, and I think the same applies here to LLMs apps. Like the AI might not show a user certain info or not talk about certain things or feed the user misinformation, etc. The good thing is that the memory updates don't happen entirely silently -- the user at least sees a message about it (although many might ignore)."
Security

AUKUS Blasts Holes In LockBit's Bulletproof Hosting Provider (theregister.com) 11

The US, UK, and Australia (AUKUS) have sanctioned Russian bulletproof hosting provider Zservers, accusing it of supporting LockBit ransomware operations by providing secure infrastructure for cybercriminals. The sanctions target Zservers, its UK front company XHOST Internet Solutions, and six individuals linked to its operations. The Register reports: Headquartered in Barnaul, Russia, Zservers provided BPH services to a number of LockBit affiliates, the three nations said today. On numerous occasions, affiliates purchased servers from the company to support ransomware attacks. The trio said the link between Zservers and LockBit was established as early as 2022, when Canadian law enforcement searched a known LockBit affiliate and found evidence they had purchased infrastructure tooling almost certainly used to host chatrooms with ransomware victims.

"Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on US and international critical infrastructure," said Bradley T Smith, acting under secretary of the Treasury for terrorism and financial intelligence. "Today's trilateral action with Australia and the United Kingdom underscores our collective resolve to disrupt all aspects of this criminal ecosystem, wherever located, to protect our national security." The UK's Foreign, Commonwealth & Development Office (FCDO) said additionally that the UK front company for Zservers, XHOST Internet Solutions, was also included in its sanctions list. According to Companies House, the UK arm was incorporated on January 31, 2022, although the original service was established in 2011 and operated in both Russia and the Netherlands. Anyone found to have business dealings with either entity can face criminal and civil charges under the Sanctions and Anti-Money Laundering Act 2018.

The UK led the way with sanctions, placing six individuals and the two entities on its list, while the US only placed two of the individuals -- both alleged Zservers admins -- on its equivalent. Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, both 30 years old, were named by the US as the operation's heads. Mishin was said to have marketed Zservers to LockBit and other ransomware groups, managing the associated cryptocurrency transactions. Both he and Bolshakov responded to a complaint from a Lebanese company in 2023 and shut down an IP address used in a LockBit attack. The US said, however, it was possible that the pair set up a replacement IP address that LockBit could carry on using, while telling the Lebanese company that they complied with its request. The UK further sanctioned Ilya Vladimirovich Sidorov, Dmitry Konstantinovich Bolshakov (no mention of whether he is any relation to Aleksandr), Igor Vladimirovich Odintsov, and Vladimir Vladimirovich Ananev. Other than that they were Zservers employees and thus were directly or indirectly involved in attempting to inflict economic loss to the country, not much was said about any of their roles.

Chrome

Google Chrome May Soon Use 'AI' To Replace Compromised Passwords (arstechnica.com) 46

Google's Chrome browser might soon get a useful security upgrade: detecting passwords used in data breaches and then generating and storing a better replacement. From a report: Google's preliminary copy suggests it's an "AI innovation," though exactly how is unclear.

Noted software digger Leopeva64 on X found a new offering in the AI settings of a very early build of Chrome. The option, "Automated password Change" (so, early stages -- as to not yet get a copyedit), is described as, "When Chrome finds one of your passwords in a data breach, it can offer to change your password for you when you sign in."

Chrome already has a feature that warns users if the passwords they enter have been identified in a breach and will prompt them to change it. As noted by Windows Report, the change is that now Google will offer to change it for you on the spot rather than simply prompting you to handle that elsewhere. The password is automatically saved in Google's Password Manager and "is encrypted and never seen by anyone," the settings page claims.

AI

Hackers Call Current AI Security Testing 'Bullshit' 69

Leading cybersecurity researchers at DEF CON, the world's largest hacker conference, have warned that current methods for securing AI systems are fundamentally flawed and require a complete rethink, according to the conference's inaugural "Hackers' Almanack" report [PDF].

The report, produced with the University of Chicago's Cyber Policy Initiative, challenges the effectiveness of "red teaming" -- where security experts probe AI systems for vulnerabilities -- saying this approach alone cannot adequately protect against emerging threats. "Public red teaming an AI model is not possible because documentation for what these models are supposed to even do is fragmented and the evaluations we include in the documentation are inadequate," said Sven Cattell, who leads DEF CON's AI Village.

Nearly 500 participants tested AI models at the conference, with even newcomers successfully finding vulnerabilities. The researchers called for adopting frameworks similar to the Common Vulnerabilities and Exposures (CVE) system used in traditional cybersecurity since 1999. This would create standardized ways to document and address AI vulnerabilities, rather than relying on occasional security audits.
IT

Reclassification Is Making US Tech Job Losses Look Worse Than They Are (theregister.com) 68

According to consultancy firm Janco, the U.S. Bureau of Labor Statistics reclassified several job titles, "leading to a downward adjustment of over 111,000 positions for November and December 2024," The Register reports. This revision contributed to an overall decline of 123,000 IT jobs for the year. However, in reality, IT sector hiring is on the rise, with 11,000 new positions added in January. From the report: "Many CEOs have given CFOs and CIOs the green light to hire IT Pros," Janco CEO Victor Janulaitis said of the first month of 2025. "IT Pros who were unemployed last month found jobs more quickly than was anticipated as CIOs rushed to fill open positions." There's still a 5.7 percent unemployment rate in the IT sector in January, Janco noted, which is greater than the national average of 4 percent - and which could rise further as Elon Musk's Department of Government Efficiency (DOGE) pushes ahead with federal workforce reductions aimed at streamlining operations.

"Over the past several quarters much of the overall job growth was in the government sectors of the economy," Janulaitis said. "With the new administration that will in all probability not be the case in the future." "The impact of the DOGE initiatives has not been felt as of yet," Janulaitis added. "Economic uncertainty continues to hurt overall IT hiring." Despite this, Janco reported an addition of 11,000 new IT roles in January. Unfortunately, there's also been a surge in IT unemployment over the same period, with the number of jobless IT pros rising to 152,000 in January - an increase of 54,000 in a single month. [...]

Closing out the report, Janco offered a mixed outlook: While IT jobs are expected to grow over the next few years, many white-collar roles could be eliminated. "Over the next five years, the number of individuals employed as IT professionals will increase while many white-collar jobs in the function will be eliminated with the application of AI and LLM to IT," Janco predicted.

Iphone

Apple Fixes Zero-Day Exploited In 'Extremely Sophisticated' Attacks (bleepingcomputer.com) 8

Apple has released emergency security updates for iOS 18.3.1 and iPadOS 18.3.1 to patch a zero-day vulnerability (CVE-2025-24200) that was exploited in "extremely sophisticated," targeted attacks. The flaw, which allowed a physical attack to disable USB Restricted Mode on locked devices, was discovered by Citizen Lab and may have been used in spyware campaigns; users are strongly advised to install the update immediately. BleepingComputer reports: USB Restricted Mode is a security feature (introduced almost seven years ago in iOS 11.4.1) that blocks USB accessories from creating a data connection if the device has been locked for over an hour. This feature is designed to block forensic software like Graykey and Cellebrite (commonly used by law enforcement) from extracting data from locked iOS devices.

In November, Apple introduced another security feature (dubbed "inactivity reboot") that automatically restarts iPhones after long idle times to re-encrypt data and make it harder to extract by forensic software. The zero-day vulnerability (tracked as CVE-2025-24200 and reported by Citizen Lab's Bill Marczak) patched today by Apple is an authorization issue addressed in iOS 18.3.1 and iPadOS 18.3.1 with improved state management.

The list of devices this zero-day impacts includes:
- iPhone XS and later,
- iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

IT

Job-Search Sites Try Shaming Companies That 'Ghost' Job-Seekers (fortune.com) 29

An anonymous reader shared this report from Fortune: More than 14 million job seekers' applications went completely ignored in a single quarter last year, according to one hiring platform. Now, sites like Greenhouse and LinkedIn are experimenting with new ways to hold companies accountable for making the hiring process so miserable for applicants. Three of the biggest job search sites — LinkedIn, Indeed and Greenhouse — have put tools in place to highlight which companies frequently respond to applicants in a timely manner... According to Greenhouse, half of applicants say they've been ghosted after an interview.

Meanwhile, new artificial intelligence tools have made it easier for candidates to play a numbers game, generating tailored resumes for hundreds of roles. But that's led to an increasingly overwhelming flood of applications for companies, making it nearly impossible to process the deluge and respond to every hopeful in a timely manner — let alone find their perfect match... [LinkedIn is] refining its "job match" feature that uses AI to see how well qualified a candidate is for a given listing. The feature is designed to help cut down on the flood of applications companies are receiving by nudging users to focus their efforts on jobs where they actually have a good shot at hearing back. That, in theory, should make the hiring process more efficient for both parties...

Indeed chose to focus on encouraging employer responsiveness after the issue showed up as the biggest pain point for job seekers in a recent survey. While the platform has issued "responsive employer" badges since 2018 to recognize companies that consistently reply to more than half of all messages, it started releasing even more detail in 2023, including labels that share the employer's median response time with candidates... Greenhouse, meanwhile, is testing a set of four badges that would verify an employer meets the platform's respectful, communicative, prepared and fair hiring process standards for a given job posting... For "communicative," they're expected to clear out active candidates on closed jobs and send out rejection emails.

LinkedIn is also adding "responsiveness insights," according to the article, which "show applicants which listings are being actively reviewed by employers.

"It's testing the insights on a small number of job postings before rolling them out sitewide in the coming months."
AMD

How To Make Any AMD Zen CPU Always Generate 4 As a Random Number (theregister.com) 62

Slashdot reader headlessbrick writes: Google security researchers have discovered a way to bypass AMD's security, enabling them to load unofficial microcode into its processors and modify the silicon's behaviour at will. To demonstrate this, they created a microcode patch that forces the chips to always return 4 when asked for a random number.

Beyond simply allowing Google and others to customize AMD chips for both beneficial and potentially malicious purposes, this capability also undermines AMD's secure encrypted virtualization and root-of-trust security mechanisms.

Obligatory XKCD.
AI

America's IT Unemployment Rises To 5.7%. Is AI Hitting Tech Jobs? (msn.com) 113

The unemployment rate in America's information technology sector "rose from 3.9% in December to 5.7% in January," reports the Wall Street Journal. Meanwhile last month's overall jobless rate was just 4%, they point out, calling it "the latest sign of how automation and the increasing use of artificial intelligence are having a negative impact on the tech labor market."

Companies began implementing their annual spending cuts in January, and there were layoffs at large tech companies like Meta. But whatever the reason, "The number of unemployed IT workers rose from 98,000 in December to 152,000 last month, according to a report from consulting firm Janco Associates based on data from the U.S. Department of Labor," while the Labor Department said the overall economy added 143,000 jobs.

One management consulting firm offers this explanation: Job losses in tech can be attributed in part to the influence of AI, according to Victor Janulaitis, chief executive of Janco Associates. The emergence of generative AI has produced massive amounts of spending by tech giants on AI infrastructure, but not necessarily new jobs in IT. "Jobs are being eliminated within the IT function which are routine and mundane, such as reporting, clerical administration," Janulaitis said. "As they start looking at AI, they're also looking at reducing the number of programmers, systems designers, hoping that AI is going to be able to provide them some value and have a good rate of return."

Increased corporate investment in AI has shown early signs of leading to future cuts in hiring, a concept some tech leaders are starting to call "cost avoidance." Rather than hiring new workers for tasks that can be more easily automated, some businesses are letting AI take on that work — and reaping potential savings. The latest IT jobs numbers come as unemployment among white-collar workers remains at its highest levels since 2020, according to Cory Stahle, an economist at hiring website Indeed. "What we've really seen, especially in the last year or so, is a bifurcation in opportunities, where white-collar knowledge worker type jobs have had far less employer demand than jobs that are more in-person, skilled labor jobs," Stahle said.

Stahle notes that job postings at Indeed.com for software developers declined 8.5% in January from a year earlier...
IT

Are Return-to-Office Mandates Just Attempts to Make People Quit? (washingtonpost.com) 162

Friday on a Washington Post podcast, their columnists discussed the hybrid/remote work trend, asking why it "seems to be reversing."

Molly Roberts: Why have some companies decided finally that having offices full of employees is better for them?

Heather Long: It's a loaded question, but I would say, unfortunately, 2025 is the year of operational efficiency, and that's corporate speak for save money at all costs. How do you save money? The easiest way is to get people to quit. What are these return to office mandates, particularly the five day a week in office mandates? We have a lot of data on this now, and it shows people will quit and you don't even have to pay them severance to do it.

Molly Roberts: It's not about productivity for the people who are in the office, then, you think. It's more about just cutting down on the size of the workforce generally.

Heather Long: I do think so. There has been a decent amount of research so far on fully remote, hybrid and fully in office. It's a mixed bag for fully remote. That's why I think if you look at the Fortune 500, only about 16 companies are fully remote, but a lot of them are hybrid. The reason that so many companies are hybrid is because that's the sweet spot. There is no productivity difference between the hybrid schedule and fully in the office five days a week. But what you do see a big difference is employee satisfaction and happiness and employee retention....

I think if what we're talking about is places that have been able to do work from home successfully for the past several years, why are they suddenly in 2025, saying the whole world has changed and we need to come back to the office five days a week? You should definitely be skeptical.

"Who are the first people to leave in these scenarios? It's star employees who know they can get a job elsewhere," Long says (adding later that "There's also quantifiable data that show that, particularly parents, the childcare issues are real.") Long also points out that most of Nvidia's workforce is fully remote — and that housing prices have spiked in some areas where employers are now demanding people return to the office.

But employers also know hiring rates are now low, argues Long, so they're pushing their advantage — possibly out of some misplaced nostalgia. "[T]here's a huge, huge perception difference between what managers, particularly senior leaders in an organization, how effective they think [people were] in offices versus what the rank and file people think. Rank and file people tend to prefer hybrid because they don't want their time wasted."

Their discussion also notes a recent Harvard Business School survey that found that 40% of people would trade 5% or more of their salaries to work from home....
Microsoft

Microsoft 365 Price Rises Are Coming - Pay Up or Opt Out (theregister.com) 38

An anonymous reader shares a report: Users are now receiving notifications regarding their Microsoft 365 subscriptions and must take action if they wish to avoid Copilot and its extra charges.

The email from Microsoft warns that the cost of a 365 Personal Subscription will jump. However, there is no need to worry -- Microsoft knows what's best and will increase your payment in return for all those AI-powered Copilot services it knows you want.

We noted the upcoming increases last month and how users could turn off the generative AI assistant. At the time, Microsoft said users would be able to switch to plans without Copilot. However, unless a user takes action, the price they pay for their "Current Subscription" will increase, and AI-powered delights will be added to their plan.

The Internet

India To Launch New Domain Name For Banks To Fight Digital Fraud (techcrunch.com) 8

An anonymous reader shares a report: India's central bank is introducing an exclusive ".bank.in" domain for banks from April 2025 as part of efforts to combat rising digital payment frauds and bolster trust in online banking services.

[...] The central bank plans to roll out a separate 'fin.in' domain for non-bank financial institutions. "Increased instances of fraud in digital payments are a significant concern," said RBI Governor Sanjay Malhotra, adding that the new domain system aims to reduce cyber security threats and malicious activities like phishing.

Security

Phishing Tests, the Bane of Work Life, Are Getting Meaner (msn.com) 99

U.S. employers are deploying increasingly aggressive phishing tests to combat cyber threats, sparking backlash from workers who say the simulated scams create unnecessary panic and distrust in the workplace. At the University of California, Santa Cruz, a test email about a fake Ebola outbreak sent staff scrambling before learning it was a security drill. At Lehigh Valley Health Network, employees who fall for phishing tests lose external email access, with termination possible after three failures.

Despite widespread use, recent studies question these tests' effectiveness. Research from ETH Zurich found that phishing tests combined with voluntary training actually made employees more vulnerable, while a University of California, San Diego study showed only a 2% reduction [PDF] in phishing success rates. "These are just an ineffective and inefficient way to educate users," said Grant Ho, who co-authored the UCSD study.
