Lots of companies have email security testing practices in place to help train employees on what to look for and to identify weaknesses in threat identification. There are lots of third-party tools for this kind of thing. The other day I read a comment from the head of digital security at a large corporation who said that, in his opinion, repeatedly failing these tests should be grounds for termination, because the cost of failure is just so high. But the fact is, the biggest weakness in security is human, because try as we might, individual vigilance is never consistent enough.
And our abilities shift depending on a number of factors, including our emotional state. A good phishing message is one that lowers a person's guard and compels them to respond or act quickly without fully thinking through what they are doing, which is what recently happened in a test I heard about.
A subset of staff at the company received termination letters from the head of People and Culture, with a Dropbox link to the file. This was obviously a phishing email, because there is no way in hell the company uses Dropbox for any internal processes, and no way in two hells for this kind of communication. Yet, because people had an emotional response, their understanding of standard procedure went out the door, as did all the checks and balances that look for warning signs (like the banner warning that the email came from an external sender), and some people apparently clicked on the link.
Test failed?
Well, that depends on how you look at it, because it succeeded in making it clear how some people react under emotional stress. The vast majority of people, however, didn't even open the email; they could see it was a phishing attempt just from the subject line and reported it directly.
And, while some people have complained that this is going too far in some way, that it is too controversial to do through termination letters, I tend to disagree. Real phishing attempts don't care about our sensibilities or whether we feel something is unfair. They are phishing, and will leverage any means necessary to gain access. They don't care if it makes people feel bad.
Pretty much all phishing attempts leverage our emotions in the hope that they can squeeze one past us. For instance, we see a lot of greed-based attempts on Hive and in Discord, making too-good-to-be-true offers, yet there are often people who still accept the offer. Sure, the people doing the phishing are assholes, but what about those falling for it?
Similarly, there are lots of instances on Hive where people post links, and others click on them and then log into random websites using their Hive keys. And it doesn't matter if it is through Keychain: make sure you read which permissions you are granting every time you grant them. If it is asking for the active or owner key, say no, unless you are very sure you know what you are doing. Voting and commenting only need the posting authority; the active key moves funds and the owner key controls the account itself.
When it comes to security, is it better to be tested in ways that don't upset us, but that aren't likely to be strong enough to prepare us when needed? I don't think so. Personally, I think it is better to bleed in the safe space so that there is resilience in the real world - which seems to run contrary to what a lot of people believe for themselves. I also think that this kind of testing gives the opportunity for adequate triage and training before something really serious happens.
The reality, however, is that people are always going to make errors, so the goal is to reduce how often they happen and mitigate the consequences, taking as much potential cost off the table as possible. Likely, a lot of this will increasingly be handled through AI tools in companies, but I strongly believe that we as individuals have to maintain an adequate level of security consciousness, especially those of us in crypto.
Not your keys, not your crypto - right?
So, it doesn't matter whether you see phishing as losing your keys or giving them away, the result is the same - a lost account, wallet and tokens. We can reduce our risk by taking some simple steps, like being careful about how we handle links and, of course, when we get that emotional rise, calming down and paying more attention to what is actually happening rather than trying to respond quickly, because chances are it is engineered to play on our think-fast mechanisms, not our think-slow ones.
Have you ever fallen for a phishing scam? What were the conditions and why do you think you failed? Whose fault was it? What did it cost you?
If you could go back in time, would you have preferred to have been trained on how to deal with those kinds of situations prior to them happening?
The system used by the company I work for is a gamified process that randomizes a lot of the communications and methods employed. It has been used for a couple of years now and, on average, people seem to enjoy it and track the leaderboards. The company itself is already very security conscious due to the nature of the business, but it is always good to have that consistent reminder that when there is gain to be had, someone will try to exploit it.
Taraz
[ Gen1: Hive ]