42 comments

[ 2.5 ms ] story [ 50.0 ms ] thread
The part about sharing among other employees when an internal phishing test is active is intriguing to me. In my organization, when someone gets a phishing lure - they tell everyone around them to watch out for it. I wonder how this impacts success rates.
Phishing has a few basic conceptual problems which no one seems to want to address:

  - You don't need to really be "fooled" by phishing. Not in the real sense. You just need to be tired one morning and click without looking. Even if you know how to check for phishing, you might need to click on content from 10s to 100s of emails per day. Scale this out to 1 year, and even the most educated among us can fail due to an honest mistake which we otherwise could have prevented.

  - Part of the problem is just that a normal workflow is: receive email --> click on URL --> enter credentials into 3rd party website. ie, this is intentional and valid behavior for most white collar workers on a daily basis. This behavioral pattern is why phishing works, and in reality, email should not be a vector for this path. Until companies and technologies stop assuming this makes sense, phishing will continue to be successful.
The fact that your employer might direct you to a URL that doesn't look like their normal domain (or through some kinda link shortener so you can't see it without clicking) for legitimate reasons basically undoes all security yeah. Why can't security teams focus on correcting those parts?
These both seem like arguments for phishing-resistant auth methods to me (like passkeys).
I’m somewhat surprised that enterprise email solutions still allow links… like, at all, in general.

The servers should scan emails for links and not allow them. If a link somehow slips through, the client should not render it as something you can click on and follow.

On work machines where everything is managed by IT, there shouldn’t be any need to send links around anyway. If anyone thinks they need to send a link around as an ongoing process, then that’s the sign that the process still needs to be designed.

I don't click on any urls from email. This should be the standard.
> - Part of the problem is just that a normal workflow is: receive email --> click on URL --> enter credentials into 3rd party website. ie, this is intentional and valid behavior for most white collar workers on a daily basis.

Here's a crazy history of that happening...

I had a friend who was an employee of a Fortune 100 corporation. Part of employee training was not to click on links in emails. In the 1990s and the rise of the internet, they had an internal security "red team" periodically send a fake phishing emails to employees. If the employee mistakenly clicked on a link in that email, the red team would send a notice to the employee's manager. It worked well because employees would not want to be embarrassed by a manager having to review the security policy with them to get their access back.

When she retired, all that training became useless and she was phished by a fake AT&T email. Why? Because with the rise of smartphones, every _legitimate_ company started sending emails that had useful tappable links. With the touchscreen, you can't hover your finger over the link to see what the underlying url is. People just normalize pressing on links in transactional emails as a convenient thing to do. E.g. Amazon sends an email with a link to the order status. A legit bank will send an email with a link for "Please review your security setting."

Smartphones reversed 15 years of not clicking on email links.

Exchange ought to have the capability of rewriting the links' hrefs to a "link gateway" where a sandboxed renderer presents the outside page, maybe running over rdp and purged after the end of every session.

The local Blink (or WebKit) renderer should be for internal or white listed sites only.

Re: the receive email -> click URL -> enter credentials.

We need SSO to stop being gated behind enterprise tiers. SSO tax is real, and can help solve this problem. I've moaned about this before as the leader of an IT team for a medium-sized company reliant on a lot of SaaS.

Enterprise plans are too much (both in terms of cost and features) for us, but we are smart enough to have security requirements and one of those is SSO & SCIM. Very few SaaS offers that on anything but the most expensive "call for quote" tiers. That's a huge problem.

That whole email invite->click link->enter credentials workflow is gone with proper SCIM provisioning and SSO. It's the bare minimum a SaaS product should offer and should be on the lowest available tier.

The other problem are services like DocuSign, which offer free trials that are abused to send out fake documents. User gets a legitimate email from DocuSign's domain, clicks on it, opens up a real document in the real DocuSign site, but the doc has a link to the phishing site.

All DocuSign needs to do is require a CC for the trial or contacting sales for a trial, problem solved. But they don't, so as far as I'm concerned they are complicit in enabling phishing.

You can tell if an email is from a training program just by looking at the email headers. I have a filter in outlook and those emails don’t even hit my inbox.
I have lost count of how many jobs train me specifically to look at the URL's in emails by hovering over them to confirm that it is legitimate.

And then put fucking mimecast infront of everything so I legit can't do what they are training me to do...

So yeah, the training is worthless and just there to tick a box.

I had an exec at a tech company once send out an email with the subject line "Important." All there was, was an attached .docx file, and a sentence saying to read it immediately. This guy should have been fired for this level of incompetence. No, it wasn't a phishing test.

Then Microsoft sends out e-mail advertisements with fucking QR codes in them to everybody to get people to install software without IT department's knowledge. So you not only can't see the link, you can't even de-obfuscate it by hovering over it.

There's a really easy fix for this. It's so fucking easy it hurts my brain.

Disable HTML e-mails. Disable hyperlinks. Feel free to send URLs, but make people copy and paste the link. This way they have to at least select the link. When they get a 6000 character link and can't copy paste it? That's good! Because they have no idea what the link actually is.

Nobody will do it, and I don't get why not. Do you really need to market to your internal employees so badly with images and links? That's what a portal is for. Post updates on your portal and stop bombarding my goddamn email box.

(comment deleted)
I received an email this week which read at the top in red text "THIS IS NOT A PHISHING EMAIL." I thought...isn't that exactly what a phishing email would say?
The only anti-phishing program I've ever seen that was even a little effective was at one company I worked at, where there was an ongoing phishing test.

Users were randomly selected to get the test, and each phish was hand-crafted to trick people specifically at our company (but using only publicly available information). Anonymized results were posted quarterly, divided by department.

I only got fooled once, but man, it felt so bad to see Engineering show up on the dashboard with one hit that quarter.

(Sales was usually at the top of the list, which makes sense, since they interface with a lot of folks outside the org)

I always suspected technical tools were more effective (time, effort, money) than the training programs. However, only company-wide training programs provide visibility to the CISO, so they tend to be popular even if ineffective.

Because you cannot fix humans, technology is the most effective approach.

> After sending 10 different types of phishing emails over the course of eight months, the researchers found that embedded phishing training only reduced the likelihood of clicking on a phishing link by 2%.

Company: Stop clicking on links to third party sites.

Also Company: All of IT, HR, benefits, cloud storage, customer management, and employee portal is moving to its own third party platform!

Seems like they counted it as a failure if the user just clicked the link in the email. But what are the supposed to do? Never click links in emails? Only click links to some white-list of domains they hold in their head? I would think clicking a link is fine, but entering credentials is not.

It's no surprise people didn't engage with training material on the pretend phishing site!! At that stage, they're told it was a trap and they shouldn't even be there so of course they're going to get out asap.

Most companies would have a much easier time with phishing if they quit sending official correspondence that mimics phishing. Sure, phishing is always evolving to look legitimate, but C͟l͟i͟c͟k͟ h͟e͟r͟e͟!͟ in literally every official email when whatever it is you need to do _should_ be reachable via known links. All the "click here" 's and "please see attached" tricks would quit working if it wasn't normal.
Ive argued for a while: the value of these programs is to solve the management problem.

When you propose a security solution, someone is going to say "oh my users are too smart to be phished, don't worry about this". Ive had this argument for rolling out mfa at nearly every company ive worked with.

Phishing tests give you the "well actually" data.

It's not about preventing the phishing, it's about preventing the liability from the phishing. If someone can show you didn't follow cybersecurity training best practices, you may be liable for any failure of cybersecurity. Best way to prevent that is to follow the best practices, even if they don't work. A lot of things in the corporate world work this way.
> Overall, 75% of users engaged with the embedded training materials for a minute or less. One-third immediately closed the embedded training page without engaging with the material at all.

To call this "training" is highly misleading.

It's no surprise that the mere existence of training materials does not help if nobody reads and studies the training materials.

They should preface the training materials with "$100,000 USD will be transferred to your bank account if you read this and successfully answer the questions at the end."

The reason might be that the training programs are just ridiculously bad. I clicked on a pretend phishing link out of interest to see what happens. I was treated to a lecture of how clicking on links in emails is always bad and to never do it.

That advise would be fine (albeit maybe extreme) if it wasn't the case that for the last year I have been spammed by emails from said training company telling me to click on the included link to complete the next cybersecurity course. Even worse they use some nondescriptive weirdly named domain not their own to host the training courses. So if anything the courses are training people to click on phishing emails.

"Cybersecurity Training Programs Don’t Prevent Employees from Falling for Phishing Scams - Click Here to Find Out How to Really Protect Your Employees"
A very straightforward technical solution is to convert all html emails to plain text (ASCII). Mutt users rarely get phished. :-)
I think the conclusion of this article is slightly flawed. The issue isn't with engagement with the training (although, the typical corporate training material is pretty bad), rather how we go about teaching cybersecurity.

I take a page from Jayson E. Street's DefCon talk from a few years ago with my students: promote "Security Awareness", not Security Training. Get people to think about what is being asked of them and the consequences of said actions. People tend to take "Security Training" as "I need to remember A, B, C, etc." Humans are bad at this sort of thing, typically.

I admit that "Security Awareness" isn't all that easy, but clearly our current approaches leave much to be desired.

It's a culture problem. The real solution is to teach people to trust their security department.

If there's trust and respect, they'll reach out without fear of reprisal and inform right away when there's a problem.

If there's a culture of punishment, they'll fear the IT gestapo and try to cover up mistakes that could cost them their job.

It really is that simple.

I looked at the paper. How it's being reported is highly misleading. There were 4 different active training groups. One of the groups benefitted from the training and one of the groups actually got worse. So as a whole phishing training only has a 2% boost. However the message is not that phishing training is useless, only that if applied incorrectly it is useless.
The point of trainings is only secondarily to stop these things from happening. The goal is for the institution to avoid liability by transfer responsibility for their having happened to others.
I love also safe link protections. You actually try to check the link, but instead it is mangled beyond recognition. Then you try to squint and figure out how it is encoded... And just give up...
There’s something else I notice in my daily work with all kinds of different people, which I like to call “tech avoidance.”

For example, this week I helped someone set up an account on an online library platform we use. I had to tell them multiple times not to tap the buttons in the email, website, or app right away, but to read them first. They were clearly nervous, and you could tell they just wanted to finish as quickly as possible and get out of “that very techie situation” to simply use the apps.

I mean, yeah, I get it. Technology isn’t for everyone. But the (sad) fact is that we live in a world largely dominated by it. And although it has created many problems we now need to solve with even more technology, it also helps us solve many of the problems we had before.

My hope is that AI will evolve to the point where it can become a kind of companion for those people, guiding them through situations involving technology that they find difficult or intimidating.