I cannot concur…

It’s not realistic to ask people to *never* click a link in email. We’ve got 30+ years of experience with that advice not working because MUA developers have never stopped making links active & aggressively looking for anything in email that might be a link, regardless of URL conformance. That’s why SpamAssassin treats so many non-URLs as if they are URLs. Users will click clickable things. Telling them not to do so is unreasonable.
1/2
#InfoSec @AAKL https://infosec.exchange/@AAKL/116398057284422776

AA (@AAKL)

Never, never, never, never, never click on a link in your email. Contact the provider directly and not through the suspect email. "Approval phishing is a technique whereby victims are tricked into providing full access to their cryptocurrency wallets. Often, they are persuaded to click on a fake alert or popup spoofed to appear as if sent from a trusted app or service." Infosecurity-Magazine: Operation Atlantic Seizes $12m in Crypto Losses https://www.infosecurity-magazine.com/news/operation-atlantic-seizes-12m/ #infosec #phishing

Instead, users need to learn to *take* *care* with their clicks. That’s a tough assignment but at least it isn’t hopeless. People can learn to do things like checking where links actually go behind the clickable text and basic sanity checking: is the person who sent that mail likely to be who they claim to be and are they sending it for plausible reasons? If you cannot instantly answer those basic questions, you need to investigate before clicking.
#InfoSec #phishing
2/2
@grumpybozo How many non-techie people are actually going to sleuth their way to the origin of the link or read the headers, if they even know where to find them, to trace the routing?
@AAKL I’m not saying that people need to do that. Many MUAs will show the real target of a link when you hover over it. If the link text is a URL and the real target is some OTHER URL, that’s a bad sign.
Also, the real trick is the non-technical sanity check. The overwhelming majority of *legit* email is made up of messages that are to some degree expected. If a piece of email is a surprise, it is suspect.

@grumpybozo I mean, I get what you're saying. You're right. But it's probably safer by far to avoid clicking the link and to copy it into a secure browser instead. A lot of people aren't going to scrutinize the links or the content as you suggest, and they end up falling for phishing schemes.

I was on the phone with a bank employee once - a bank employee - who casually told me she was an identity theft victim because her Facebook account was hacked. I'm not making the connection to phishing here. I'm just saying there are a lot of people who are not careful enough to do what you suggest.

@AAKL No, they’re not careful enough. Yet. But I don’t think that the best message is to tell people to *never* use the functionality of clickable links in email, because every MUA that makes links clickable is sending a very different message.

I think it’s a much better message to tell users that email is imperfect but comprehensible and that they should be more suspicious of email, at least to the degree of trying to understand whether the story being told to get a click is reasonable.

@grumpybozo @AAKL I am of the opinion we need to take a break from talking to the users and start yelling at companies.

Users can't do a vague "be cautious", and all the best rules are non-starters due to how businesses require users to use their email.

@Epic_Null @grumpybozo That certainly is an option.