Don’t train your customers to be phishing victims

There’s an ever-increasing number of press reports of cyber breaches. A shocking number of these start with a phishing attack, and a naïve person who innocently clicks on what looks to them like an innocuous link. The APWG Phishing Activity Trends Report shows 755,436 unique phishing sites for the first half of 2016.

My customers generally have a wide range of controls to help protect their assets, including staff training to try to teach people not to click links that they haven’t verified. But however much training we put in, people continue to click, and phishing attacks continue to succeed. What’s going wrong? What can we do to help prevent it?

Well, the first thing might be to stop encouraging people to click on links in their email.

Sadly, I regularly see organizational behaviour that actively encourages people to click on such links. This is likely to be much more persuasive than any training that tells them not to. It’s particularly likely to lull people into a false sense of security if they do click on such a link and it turns out to be exactly what it claimed to be. If they click on such links and nothing terrible happens, how do you suppose people will react next time they see a link in an email? And what if the next time it does turn out to be a phishing attack?

Consider for example this email that I received a few months ago from the organization responsible for London Congestion Charging.

[Image: the email from the Congestion Charging organization, described below]

This email has all the attributes of a phishing attack. In fact, it is a perfect example of the kind of email you might use when training people to watch out for phishing attacks:

  • It’s addressed to Dear Customer, not to me by name
  • It asks me to open an attachment but gives no indication of what is in the attachment
  • The attachment has a meaningless file name
  • There is no personal information to show that they know who I am
  • There is no indication of what transaction this is about

I wrote to the organization that sent this email and they replied assuring me that it was genuine, and that I should open it! When I opened the PDF file I saw that it included my full address, and information about a transaction that I had made. I sent the organization another message explaining that they were training their customers to be vulnerable to phishing, but they didn’t seem to grasp the problem. After all, the email WAS genuine!

Do you ever send messages with links to your staff or customers? Do you include enough information in the email to help the recipient be absolutely sure that the email really is legitimate? If you send emails like the one above then you’re teaching people to be phished, and eventually they will click on a link or open an attachment that comes from an attacker.

So please, review every email communication that you send to your staff or customers and:

  • If possible, remove the links and encourage people to navigate to your site and log in instead
  • Include identifying information to prove to the customer that you know them. This should AT LEAST include addressing them by name, but you should also include (part of) an account number or other information that proves you hold their records
  • Include information about why you need them to click on your link or open your attachment, for example “Here is the receipt for your purchase of ITEM on DATE”
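The five attributes listed earlier and the three review points above can be turned into a simple pre-send check that a communications or security team runs over outgoing customer emails before they go out. The following Python script is an added example written for this post, not something the organization in the story uses; it builds two constructed messages with the standard library’s `email` package, one modelled on the notice described above and one that follows the review points, and reports which phishing-like attributes each one carries. The greeting list, the "meaningless file name" heuristic (no run of four or more letters in the file name) and the words taken to explain an attachment are assumptions chosen for illustration.

```python
import re
from email.message import EmailMessage

# Constructed sample, modelled on the notice described in the post:
# generic greeting, unexplained attachment with an opaque name,
# and no personal or transaction details. Not a real message.
def build_generic_notice() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Your document"
    msg.set_content("Dear Customer,\n\nPlease open the attached document.\n\nRegards")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="D0000923417.pdf")
    return msg

# Constructed sample that follows the review points: named recipient,
# partial account reference, transaction context, no links.
def build_clear_notice() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"
    msg["To"] = "jane.smith@example.net"
    msg["Subject"] = "Receipt for your congestion charge payment on 12 March 2016"
    msg.set_content(
        "Dear Jane Smith,\n\n"
        "Here is the receipt (PDF) for your congestion charge payment of £11.50 "
        "on 12 March 2016, charged to your account ending 4417.\n\n"
        "To see your payment history, go to our website and log in; "
        "we never put links in our emails.\n\nRegards")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="congestion-charge-receipt-2016-03-12.pdf")
    return msg

# Heuristics (assumptions made for this example).
GENERIC_GREETINGS = ("dear customer", "dear sir", "dear madam", "dear user", "dear valued")
ATTACHMENT_WORDS = re.compile(r"\b(receipt|invoice|statement|confirmation)\b")
URL_RE = re.compile(r"https?://\S+", re.I)
DATE_RE = re.compile(r"\b\d{1,2}\s+[A-Za-z]{3,9}\s+\d{4}\b|\b\d{4}-\d{2}-\d{2}\b")
AMOUNT_RE = re.compile(r"[£$€]\s?\d+(?:\.\d{2})?")

def body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""

def looks_meaningless(filename: str) -> bool:
    stem = filename.rsplit(".", 1)[0]
    # A name with no run of four letters reads as an opaque id (assumption).
    return not re.search(r"[A-Za-z]{4,}", stem)

def phishing_like_indicators(msg: EmailMessage, recipient_name: str, account_hint: str) -> list:
    """Return the phishing-like attributes this outgoing email would carry."""
    text = body_text(msg)
    lower = text.lower()
    findings = []
    if any(lower.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the recipient's name")
    if recipient_name.lower() not in lower:
        findings.append("no personal information showing you know the recipient")
    if account_hint and account_hint not in text:
        findings.append("no (partial) account number or record reference")
    if not DATE_RE.search(text) and not AMOUNT_RE.search(text):
        findings.append("no indication of what transaction this is about")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if looks_meaningless(name):
            findings.append(f"attachment with a meaningless file name: {name}")
    if "attach" in lower and not ATTACHMENT_WORDS.search(lower):
        findings.append("attachment referenced without saying what it contains")
    links = URL_RE.findall(text)
    if links:
        findings.append(f"{len(links)} link(s); prefer asking the customer to navigate and log in")
    return findings

if __name__ == "__main__":
    for label, msg in (("generic notice", build_generic_notice()),
                       ("clear notice", build_clear_notice())):
        print(label, "->", phishing_like_indicators(msg, "Jane Smith", "4417") or "no findings")
```

Run as a script it lists six findings for the generic notice and none for the clear one. The checker deliberately takes the recipient's name and a partial account reference as inputs: the point of the review is not whether the email is genuine (it was), but whether a recipient with no access to your records can tell it is.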

Remember, if you’re not part of the solution then you’re part of the problem.


Image Credit: Laurel L. Russwurm
