Profile picture
Martín Obiols @olemoudi
, 27 tweets, 7 min read Read on Twitter
Unpopular opinion of the day: #phishing awareness campaigns and teaching your users to stay frosty is a close to useless endeavour. A waste of resources. Read on to see my point (1/n) /cc @troyhunt @randomdross @sirdarckcat
I know anti-phishing is a business that feeds a lot of people but the way this war is fought today just seems off to me.
First, I differentiate targeted phishing campaigns (usually APTs) from massive or moderately massive phishing. I don't think I need to point out why you can't fight the former with awareness.
Massive phishing is like mail spam: Cheap, risk-free and thrives under big numbers. 1 victim for each 100 targets might seem a low turnover but if you have 100k targets from the same bank figures suddenly get grimmer, while staying cheap for the phisher.
But 1% is sooo distant from real world figures for phishing click-through from regular users. In one of my past gigs we conducted regular internal phishing on employees massively. Click-through never went below 10%.
Awareness campaigns ensued to deliver guidance to people to look out for unexpected emails, not opening attachments or clicking on links. Results still randomly ranged between 10% and 20% regularly.
It was common to hear victims state how coincidental it was that Rachel, the phisher, shared first name with some other Rachel who regularly emailed them. I don't blame them.
The message will happen to be believable enough to someone, somewhere. It just happens.
And we are just getting started on the "don't click on unknown links" silly security adagio you still often get from awareness campaigns.
Yeah right, as if in 2018 you could know where the hundreds of links you click every day take you: link shorteners, open redirects from trusted domains, no status bar preview on touchscreens, TOCTOU, tabnabbing... blogs.msdn.microsoft.com/dross/2012/04/…
If you still believe you can prevent users from brainlessly clicking on links, consider also there are links that do not look like links at all. Exhibit A: twitter.com/i/web/status/8…
OK, people brainlessly click through. But at least we can teach them not to put their credentials on untrusted sites right? Well just before you start with the awareness there is some prep work you need to do
For your awareness campaign to be remotely successful, you need to keep your login pages (that is, the forms where your users put credentials) *consistent*.
Consistent means you cannot have a myriad of places (URLs, frames, apps) where your users can login (and all with a different UI or CSS). Multiple logins, on different sites, UI dialogs, CSS... it's just bad security urbanism krausefx.com/blog/ios-priva…
You can only have your users putting credentials on a *single* place. If they are not gonna check the URL properly (or they actually can't, more on that later) at least give them a fixed familiar form to mentally refer to when things get ugly. accounts.google.com
That helps them build mentally a model of "how does it look when this company asks for credentials". Sending them email messages telling them that they won't be asked for a password via email or phone won't help.
Also, by doing that you retain control and can properly notify users of upcoming changes so they actually expect them gsuiteupdates.googleblog.com/2018/06/a-new-…
But even if you do that, you still need to give users a way of actually checking whether it is you or some phisher the one asking for the credentials. It turns out there is only one way to do that: The Almighty Browser Address Bar lists.openwall.net/full-disclosur…
So let's say after your awareness campaign your users actually glance at the address bar (which is assuming a lot)
First, are they able to do that? There is a ton of situations where you are just out of luck with no clear indicator of who is actually receiving your credentials insights.sei.cmu.edu/cert/2016/08/t…
In some other cases, you are being deceived by UI bugs:
Even the size of your screen matters:
And... it's not enough to only check the address bar *only once*, heh, what were you thinking?
Lastly, have you considered Mobile UI design principles? Real state is pricy so the address bar is just not there sometimes:
I could go on but you get the point. How do we effectively fix this in a sustainable manner? Not by focusing on awareness that's for sure. Cheers
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Martín Obiols
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!