I'm working in a small organization which I do not consider an easy target. Not so much because we work with IT and security, but more because I normally have a pretty good idea what I should expect to receive from my fellow workers. And again, as they normally write to me in Danish, that narrows it down as well (for the same reason most spam is easy to spot as it is in English). But those of you working in large and/or multi-national and/or high-profile organizations should read the "DoD Battles Spear Phishing" post by Robert Hersing. Robert asks this question -
So how would YOUR organization fare against a spear phishing attack
like the ones hitting the DoD?? Are your employees aware of the threats
posed by seemingly legitimate emails with seemingly 'innocent' / 'safe'