Don’t train your customers to be phishing victims
Press reports of cyber breaches keep growing, and a shocking number of those breaches start with a phishing attack: a naïve person innocently clicks on what looks to them like an innocuous link. The APWG Phishing Activity Trends Report shows 755,436 unique phishing sites for the first half of 2016.
My customers generally have a wide range of controls to help protect their assets, including staff training to try to teach people not to click links that they haven’t verified. But however much training we put in, people continue to click, and phishing attacks continue to succeed. What’s going wrong? What can we do to help prevent it?
Well, the first thing might be to stop encouraging people to click on links in their email.
Sadly, I regularly see organizational behaviour that actively encourages people to click on such links. This is likely to be much more persuasive than any training that tells them not to. It’s particularly likely to lull people into a false sense of security if they do click on such a link, and it turns out to be exactly what it claimed to be. If they click on such links and nothing terrible happens, how do you suppose people will react next time they see a link in an email? And what if the next time it does turn out to be a phishing attack?
Consider for example this email that I received a few months ago from the organization responsible for London Congestion Charging.
This email has all the attributes of a phishing attack. In fact, it is a perfect example of the kind of email you might use when training people to watch out for phishing attacks:
- It’s addressed to Dear Customer, not to me by name
- It asks me to open an attachment but gives no indication of what is in the attachment
- The attachment has a meaningless file name
- There is no personal information to show that they know who I am
- There is no indication of what transaction this is about
I wrote to the organization that sent this email and they replied assuring me that it was genuine, and that I should open it! When I opened the PDF file I saw that it included my full address, and information about a transaction that I had made. I sent the organization another message explaining that they were training their customers to be vulnerable to phishing, but they didn’t seem to grasp the problem. After all, the email WAS genuine!
Do you ever send messages with links to your staff or customers? Do you include enough information in the email to help the recipient be absolutely sure that the email really is legitimate? If you send emails like the one above then you’re teaching people to be phished, and eventually they will click on a link or open an attachment that comes from an attacker.
So please, review every email communication that you send to your staff or customers and:
- If possible, remove the links and encourage people to navigate to your site and log in instead
- Include identifying information to prove to the customer that you know them. This should AT LEAST include addressing them by name, but you should also include (part of) an account number or other information that proves you hold their records. Part of the number, never all of it: email is not a confidential channel, and a full account number in a message is as useful to an attacker as it is reassuring to the customer
- Include information about why you need them to click on your link or open your attachment, for example “Here is the receipt for your purchase of ITEM on DATE”
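One way to make that review repeatable, as an added example that is not part of the original post: a small Python linter that parses a raw message with the standard library `email` parser and flags the phishing tells listed above (generic salutation, recipient not named, a bare link, an attachment with an opaque file name, no statement of what the message is about, no partial account or reference detail). The two sample messages, the recipient name "Jane Smith" and the regular expressions are constructed for illustration and are assumptions about what your own templates look like; tune them before running this over real outbound mail.

```python
"""Lint outbound customer email templates for the phishing tells a reviewer
would flag.  Added example, not code from the original post; the sample
messages and the heuristics below are constructed assumptions."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

# "Dear Customer", "Dear User", ... at the start of a line of the body.
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(?:customer|user|member|valued customer|account holder|sir or madam)\b",
    re.IGNORECASE | re.MULTILINE,
)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# File names that are only hex/digits/punctuation carry no meaning for the reader.
OPAQUE_NAME = re.compile(r"^[0-9a-f_\-]{6,}\.\w+$", re.IGNORECASE)
# Something that proves the sender holds the recipient's record: a partial
# identifier ("ending 4XY", "****1234") or a labelled reference containing a digit.
ACCOUNT_REF = re.compile(
    r"\b(?:ending(?: in)?\s+[A-Z0-9]{3,4}\b"
    r"|\*{2,}[A-Z0-9]{3,4}"
    r"|(?:ref(?:erence)?|account|invoice|order)\s*(?:no\.?|number|#|:)?\s*(?=[A-Z0-9-]*\d)[A-Z0-9-]{4,})",
    re.IGNORECASE,
)
# "Here is the receipt for ... on DATE": a transaction word followed by context.
TRANSACTION_CONTEXT = re.compile(
    r"\b(?:receipt|invoice|statement|confirmation|payment|order|renewal)\b.{0,80}\b(?:on|dated|for)\b",
    re.IGNORECASE | re.DOTALL,
)


def _plain_body(msg: Message) -> str:
    """Return the first text/plain part that is not itself an attachment."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def _attachment_names(msg: Message) -> list[str]:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def lint_email(raw: str, recipient_name: str) -> list[str]:
    """Return a list of short finding codes; an empty list means no tells found."""
    msg = message_from_string(raw)
    body = _plain_body(msg)
    names = _attachment_names(msg)
    links = URL_RE.findall(body)
    findings: list[str] = []
    if GENERIC_SALUTATION.search(body):
        findings.append("generic-salutation")
    if recipient_name.lower() not in body.lower():
        findings.append("no-recipient-name")
    if links:
        findings.append("contains-link")          # prefer "navigate to our site and log in"
    for name in names:
        if OPAQUE_NAME.match(name):
            findings.append("opaque-attachment-name")
    if (names or links) and not TRANSACTION_CONTEXT.search(body):
        findings.append("no-purpose")             # why should the reader open or click?
    if not ACCOUNT_REF.search(body):
        findings.append("no-account-detail")
    return findings


# Constructed sample: the shape of the message described in the post above.
BAD_EMAIL = """\
From: noreply@example.com
To: customer@example.net
Subject: Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Dear Customer,

Please find attached document, or log in at http://example.com/login to view it.

--sep
Content-Type: application/pdf; name="A7F3E9C1.pdf"
Content-Disposition: attachment; filename="A7F3E9C1.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--sep--
"""

# Constructed sample following the three recommendations above.
GOOD_EMAIL = """\
From: noreply@example.com
To: customer@example.net
Subject: Receipt for your Congestion Charge payment on 3 May
Content-Type: text/plain; charset="utf-8"

Dear Jane Smith,

Here is the receipt for your Congestion Charge payment of 11.50 on 3 May for the vehicle with registration ending 4XY.

We have not included a link. To check your payment history, type our web address into your browser and log in.
"""

if __name__ == "__main__":
    for label, sample in (("bad", BAD_EMAIL), ("good", GOOD_EMAIL)):
        print(label, lint_email(sample, "Jane Smith") or "no findings")
```

The codes are deliberately coarse: the point is to fail a template review, not to score it. A template that trips "contains-link" is not automatically wrong, but it should only pass once the body also carries the transaction context and partial identifier that let the recipient tell it apart from a lookalike.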
Remember, if you’re not part of the solution then you’re part of the problem.
Image Credit: Laurel L. Russwurm