Don’t train your customers to be phishing victims

Phishing imageThere’s an ever increasing growth in press reports of cyber breaches.  A shocking number of these start with a phishing attack, and a naïve person who innocently clicks on what looks to them like an innocuous link. The APWG Phishing Activity Trends Report shows 755,436 unique phishing sites for the first half of 2016.

My customers generally have a wide range of controls to help protect their assets, including staff training to try and teach people not to click links that they haven’t verified. But however much training we put in, people continue to click, and phishing attacks continue to succeed. What’s going wrong? What can we do to help prevent it?

Well, the first thing might be to stop encouraging people to click on links in their email.

Sadly, I regularly see organizational behaviour that actively encourages people to click on such links.  This is likely to be much more persuasive than any training that tells them not to. It’s particularly likely to lull people into a false sense of security if they do click on such a link, and it turns out to be exactly what it claimed to be. If they click on such links and nothing terrible happens, how do you suppose people will react next time they see a link in an email?  And what if the next time it does turn out to be a phishing attack?  

Consider for example this email that I received a few months ago from the organization responsible for London Congestion Charging.


 

Phishing email


This email has all the attributes of a phishing attack.  In fact, it is a perfect example of the kind of email you might use when training people to watch out for phishing attacks:

  • It’s addressed to Dear Customer, not to me by name
  • It asks me to open an attachment but gives no indication of what is in the attachment
  • The attachment has a meaningless file name
  • There is no personal information to show that they know who I am
  • There is no indication of what transaction this is about

I wrote to the organization that sent this email and they replied assuring me that it was genuine, and that I should open it! When I opened the PDF file I saw that it included my full address, and information about a transaction that I had made.  I sent the organization another message explaining that they were training their customers to be vulnerable to phishing, but they didn’t seem to grasp the problem.  After all, the email WAS genuine!

Do you ever send messages with links to your staff or customers? Do you include enough information in the email to help the recipient be absolutely sure that the email really is legitimate? If you send emails like the one above then you’re teaching people to be phished, and eventually they will click on a link or open an attachment that comes from an attacker.

So please, review every email communication that you send to your staff or customers and:

  • If possible, remove the links and encourage people to navigate to your site and log in instead
  • Include identifying information to prove to the customer that you know them. This should AT LEAST include addressing them by name, but you should also include (part of) an account number or other information that proves you hold their records
  • Include information about why you need them to click on your link or open your attachment, for example “Here is the receipt for your purchase of ITEM on DATE”

Remember, if you’re not part of the solution then you’re part of the problem.

 

Image Credit: Laurel L. Russwurm

This work is licensed under CC BY-SA 4.0 

comments powered by Disqus

Optimal Service Management Ltd.

7 Ingatestone Road, Woodford Green,
Essex, IG8 9AN, UK

Registered No: 8791379 England

Phone: + 44 791 3344 143

Recent Posts

  • 2022 02 15 Risk appetite
    Defining your risk appetite

    How to create simple definitions of risk appetite levels, and then assign these to each of your organization’s projects, services, business units or any other clearly identifiable part of your work.

  • 2021 11 25 Mentoring inage
    Mentoring 101

    Mentoring is a great way to develop both professionally and personally, and the mentor can gain as much from the relationship as the mentee. This blog gives an overview of how you can get started as a mentor, or as a mentee.

  • 2019 09 11 A great customer journey has to be planned from end to end
    A great customer journey has to be planned from end-to-end

    Have you tried mapping out your customers’ journeys? If not, then it’s an exercise well worth doing.

Latest Tweets