- You don't need to really be "fooled" by phishing. Not in the real sense. You just need to be tired one morning and click without looking. Even if you know how to check for phishing, you might need to click on content from 10s to 100s of emails per day. Scale this out to 1 year, and even the most educated among us can fail due to an honest mistake which we otherwise could have prevented.
- Part of the problem is just that a normal workflow is: receive email --> click on URL --> enter credentials into 3rd party website. i.e., this is intentional and valid behavior for most white collar workers on a daily basis. This behavioral pattern is why phishing works, and in reality, email should not be a vector for this path. Until companies and technologies stop assuming this makes sense, phishing will continue to be successful.
The servers should scan emails for links and not allow them. If a link somehow slips through, the client should not render it as something you can click on and follow.
On work machines where everything is managed by IT, there shouldn’t be any need to send links around anyway. If anyone thinks they need to send a link around as an ongoing process, then that’s the sign that the process still needs to be designed.
Completely agreed, and I think it's telling that so few email clients or webmail services actually allow you to always render as plain text.
How would people interact with vendors and salespeople that send links to product specs, troubleshooting articles, etc?
I don’t think it is short-sighted. Actually, I think if it has a flaw it is the opposite one. Workflows that involve mailing around links are convenient for quick little in-the-moment thrown together actions. It’s liberating. I’ve done it too, sure. But, in the long run everything should be integrated somehow or another and sending links should not be necessary. One might say it is ridiculous to expect every process to reach that end state. Possibly true, but it is a good goal…
Here's a crazy history of that happening...
I had a friend who was an employee of a Fortune 100 corporation. Part of employee training was not to click on links in emails. In the 1990s and the rise of the internet, they had an internal security "red team" periodically send fake phishing emails to employees. If the employee mistakenly clicked on a link in that email, the red team would send a notice to the employee's manager. It worked well because employees would not want to be embarrassed by a manager having to review the security policy with them to get their access back.
When she retired, all that training became useless and she was phished by a fake AT&T email. Why? Because with the rise of smartphones, every _legitimate_ company started sending emails that had useful tappable links. With the touchscreen, you can't hover your finger over the link to see what the underlying url is. People just normalize pressing on links in transactional emails as a convenient thing to do. E.g. Amazon sends an email with a link to the order status. A legit bank will send an email with a link for "Please review your security setting."
Smartphones reversed 15 years of not clicking on email links.
The local Blink (or WebKit) renderer should be for internal or whitelisted sites only.
We need SSO to stop being gated behind enterprise tiers. SSO tax is real, and can help solve this problem. I've moaned about this before as the leader of an IT team for a medium-sized company reliant on a lot of SaaS.
Enterprise plans are too much (both in terms of cost and features) for us, but we are smart enough to have security requirements and one of those is SSO & SCIM. Very few SaaS offer that on anything but the most expensive "call for quote" tiers. That's a huge problem.
That whole email invite->click link->enter credentials workflow is gone with proper SCIM provisioning and SSO. It's the bare minimum a SaaS product should offer and should be on the lowest available tier.
The other problem is services like DocuSign, which offer free trials that are abused to send out fake documents. User gets a legitimate email from DocuSign's domain, clicks on it, opens up a real document in the real DocuSign site, but the doc has a link to the phishing site.
All DocuSign needs to do is require a CC for the trial or contacting sales for a trial, problem solved. But they don't, so as far as I'm concerned they are complicit in enabling phishing.
In my previous company they literally had an X-PHISHING-ID header.
In my current company the phishing emails don’t have a single Received header.
And then put fucking mimecast in front of everything so I legit can't do what they are training me to do...
So yeah, the training is worthless and just there to tick a box.
Then Microsoft sends out e-mail advertisements with fucking QR codes in them to everybody to get people to install software without IT department's knowledge. So you not only can't see the link, you can't even de-obfuscate it by hovering over it.
There's a really easy fix for this. It's so fucking easy it hurts my brain.
Disable HTML e-mails. Disable hyperlinks. Feel free to send URLs, but make people copy and paste the link. This way they have to at least select the link. When they get a 6000 character link and can't copy paste it? That's good! Because they have no idea what the link actually is.
Nobody will do it, and I don't get why not. Do you really need to market to your internal employees so badly with images and links? That's what a portal is for. Post updates on your portal and stop bombarding my goddamn email box.
Users were randomly selected to get the test, and each phish was hand-crafted to trick people specifically at our company (but using only publicly available information). Anonymized results were posted quarterly, divided by department.
I only got fooled once, but man, it felt so bad to see Engineering show up on the dashboard with one hit that quarter.
(Sales was usually at the top of the list, which makes sense, since they interface with a lot of folks outside the org)
It's hard to be resistant to phishing at that point and you have bigger problems.
What if Susan in HR falls victim to token theft (let's say conditional access/MDM policies don't catch it or aren't configured, which many businesses don't bother with). Her email account is now pwned, and the company gets an email from her, it passes all verification checks because it's actually from her account.
It's still phishing, but the users have no way to know that. They don't know Susan just got compromised and the email they got from her isn't real. If this is a human attacker and not just bots, they can really target the attack based on the info in her inbox/past emails and anything else she has access to.
So there's no way for the organization to be resistant at that point until IT/security can see the account compromise and stop it. Ideally, it's real-time and there's an SOC ready to respond. In practice, most companies don't invest that much into security, or they are too small and don't have the budget for a huge security operation like that.
It's a really hard problem to solve
Somebody in every big company is compromised already.
One person actually did fall for it but decided to physically bring the cards to the CEOs office. Thankfully that exposed the attack and effectively halted any damage done.
These criminals are relatively clever.
The actual response to phishing is to use authentication mechanisms that resist phishing.
Because you cannot fix humans, technology is the most effective approach.
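Why phishing-resistant authentication actually resists phishing, as an added example (not code from the thread or from any WebAuthn library): a toy WebAuthn-style exchange in Python. The authenticator scopes each credential to an RP ID and signs over the RP ID hash plus the hash of the browser's clientDataJSON, which carries the origin the browser actually saw. The relying party's check then rejects a login relayed from a look-alike domain at each of three points. The RP ID, origins and challenge handling are assumptions for the demo, and HMAC with a shared secret stands in for the authenticator's per-credential asymmetric key; the checks themselves are the ones a real RP performs.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "sso.example.com"                      # assumed relying party ID
ALLOWED_ORIGINS = {"https://sso.example.com"}  # origins the RP accepts in clientDataJSON
EVIL_ORIGIN = "https://sso.example.com.evil-login.test"  # constructed look-alike site


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class ToyAuthenticator:
    """Credentials are created for one RP ID and only answer for that RP ID."""

    def __init__(self):
        self._creds = {}

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = key
        return cred_id, key  # key stands in for the public key the RP stores (assumption)

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        key = self._creds.get((rp_id, cred_id))
        if key is None:
            raise LookupError("no credential for this RP ID")
        # authenticatorData = rpIdHash || flags (user present) || signCount
        auth_data = sha256(rp_id.encode()) + b"\x01" + (1).to_bytes(4, "big")
        # A real authenticator signs this with its private key; HMAC stands in here.
        sig = hmac.new(key, auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_get(authn, origin, cred_id, challenge):
    """The browser's part: rpId is derived from the page origin and the origin is recorded."""
    rp_id = origin.split("://", 1)[1]  # simplification: rpId = host, no override allowed
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":")).encode()
    auth_data, sig = authn.get_assertion(rp_id, cred_id, sha256(client_data))
    return client_data, auth_data, sig


def rp_verify(challenge, cred_key, client_data, auth_data, sig):
    """The relying party's checks, in the order a real verifier runs them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != challenge:
        return "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return "origin mismatch"
    if auth_data[:32] != sha256(RP_ID.encode()):
        return "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + sha256(client_data), "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"
    return "ok"


def run_scenarios():
    authn = ToyAuthenticator()
    cred_id, cred_key = authn.make_credential(RP_ID)
    results = {}

    # Legitimate login from the real origin.
    challenge = secrets.token_urlsafe(32)
    results["legit"] = rp_verify(
        challenge, cred_key, *browser_get(authn, "https://sso.example.com", cred_id, challenge))

    # 1. User clicks a phishing link: the browser derives the attacker's rpId,
    #    so the authenticator has no credential to answer with.
    challenge = secrets.token_urlsafe(32)  # attacker relays the RP's real challenge
    try:
        browser_get(authn, EVIL_ORIGIN, cred_id, challenge)
        results["phish_browser"] = "assertion produced"
    except LookupError as exc:
        results["phish_browser"] = str(exc)

    # 2. A client that lies about rpId still has to let the authenticator sign
    #    the hash of a clientDataJSON that names the attacker's origin.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": EVIL_ORIGIN},
        separators=(",", ":")).encode()
    auth_data, sig = authn.get_assertion(RP_ID, cred_id, sha256(client_data))
    results["phish_forged_client"] = rp_verify(challenge, cred_key, client_data, auth_data, sig)

    # 3. Rewriting the origin after signing changes the hash the signature covers.
    rewritten = client_data.replace(EVIL_ORIGIN.encode(), b"https://sso.example.com")
    results["phish_rewritten_origin"] = rp_verify(challenge, cred_key, rewritten, auth_data, sig)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The contrast with a password or OTP is the point: those are bearer secrets the user can type into any page, while here the secret never leaves the authenticator and every assertion is bound to the RP ID and to the origin the browser recorded, so a relay from a look-alike domain fails before the user can do anything wrong.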
Company: Stop clicking on links to third party sites.
Also Company: All of IT, HR, benefits, cloud storage, customer management, and employee portal is moving to its own third party platform!
It's no surprise people didn't engage with training material on the pretend phishing site!! At that stage, they're told it was a trap and they shouldn't even be there so of course they're going to get out asap.
The secure thing to do is: Read mail that tells you to click link to whatever online tool you work with. Then instead of clicking link in mail you open a browser and manually visit the site the link was pointing to. If there is a message, notification, or something else that the email wants you to look at, then it will also be there when you login “directly”.
Is there a good way (right now) to defend against this? I'm willing to live with a browser that only accepts ASCII in the address bar, and disables Unicode in email (replaced with �?)
No more logos, no more masked links (you have to actually copy and paste the text, giving you a chance to review the URL), no more QR code phishing, no more realistic looking but fake DocuSigns. Get rid of attachments while we are at it, there are other, better ways to share files within an office environment (because ultimately, if we enforce text only, then all phishing would then arrive via attachment in the form of a PDF or rich word doc with the fake logos and a clickable link).
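The "plain text only, unmask every link" approach argued for in the comments above (disable HTML, make people see the real URL, refuse non-ASCII hostnames), as an added example that is not part of the thread or of any mail product: a Python script that takes a constructed multipart message, ignores the HTML rendering, lists every anchor with its real href, and flags a visible URL that disagrees with its target, a punycode or non-ASCII host, an over-long URL that nobody can review by eye, and a message with no Received headers (the tell one commenter mentions). The sample message, hostnames and length threshold are assumptions for the demo.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

LONG_URL = 2000  # assumption: hrefs longer than this cannot be reviewed by eye
URL_RE = re.compile(r"^(?:https?://|www\.)", re.IGNORECASE)

# Constructed sample: visible link text disagrees with the real href, a
# punycode (xn--) host, and a very long tracking URL; no Received headers.
LONG_ID = "A" * 3000
SAMPLE_EMAIL = f"""From: "IT Helpdesk" <helpdesk@example.com>
To: user@example.com
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please verify your account at https://sso.example.com/verify

--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please verify your account at
<a href="https://sso.example.com.evil-login.test/verify">https://sso.example.com/verify</a></p>
<p><a href="https://xn--pple-43d.com/login">Apple ID</a></p>
<p><a href="https://tracker.test/c?id={LONG_ID}">Click here</a></p>
</body></html>
--b1--
""".encode()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-cased hostname of something that looks like a URL, else ''."""
    if not URL_RE.match(url):
        return ""
    if not url.lower().startswith("http"):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def classify_link(href, text):
    """Flags a text-only client would surface for one anchor."""
    flags = []
    href_host, text_host = host_of(href), host_of(text)
    if text_host and text_host != href_host:
        flags.append("masked")          # visible URL disagrees with real target
    if href_host and (not href_host.isascii() or "xn--" in href_host):
        flags.append("non-ascii-host")  # IDN / punycode host, homograph risk
    if len(href) > LONG_URL:
        flags.append("long-url")
    return flags


def analyze(raw):
    """Parse a raw message; return plain body, link report and Received hop count."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    links = []
    if html is not None:
        collector = _AnchorCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            links.append({"href": href, "text": text, "flags": classify_link(href, text)})
    return {
        "received_hops": len(msg.get_all("Received", [])),
        "plain": plain.get_content() if plain is not None else "",
        "links": links,
    }


def render(raw):
    """Plain-text rendering: body first, then every link spelled out with its flags."""
    report = analyze(raw)
    lines = [report["plain"].rstrip()]
    if report["received_hops"] == 0:
        lines.append("[warning: no Received headers; did this pass through the mail relay?]")
    for i, link in enumerate(report["links"], 1):
        tag = f" [{', '.join(link['flags'])}]" if link["flags"] else ""
        lines.append(f"[{i}] {link['text']!r} -> {link['href'][:80]}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_EMAIL))
```

A client that rendered mail this way would show the user `'https://sso.example.com/verify' -> https://sso.example.com.evil-login.test/verify [masked]` instead of a blue underlined lie; the same checks can run server-side on the MTA to quarantine before delivery, which is what the "scan emails for links" comment above asks for.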
When you propose a security solution, someone is going to say "oh my users are too smart to be phished, don't worry about this". I've had this argument for rolling out MFA at nearly every company I've worked with.
Phishing tests give you the "well actually" data.
To call this "training" is highly misleading.
It's no surprise that the mere existence of training materials does not help if nobody reads and studies the training materials.
They should preface the training materials with "$100,000 USD will be transferred to your bank account if you read this and successfully answer the questions at the end."
Kurt Got Got - https://news.ycombinator.com/item?id=45520615 - Oct 2025 (216 comments)
That advice would be fine (albeit maybe extreme) if it wasn't the case that for the last year I have been spammed by emails from said training company telling me to click on the included link to complete the next cybersecurity course. Even worse they use some nondescriptive weirdly named domain not their own to host the training courses. So if anything the courses are training people to click on phishing emails.
My suspicion is the training company realized no one was falling for the obvious bait anymore and they needed to gin up the numbers to keep the company convinced that paying for their services was worthwhile.
Meanwhile all corporate teams use the same VLAN and DHCP Address Pool. There is zero separation of departments on the network. A lot of companies get this precise situation backwards as we have.
IIUC, some of them will pre-load a page by opening it for you.
I take a page from Jayson E. Street's DefCon talk from a few years ago with my students: promote "Security Awareness", not Security Training. Get people to think about what is being asked of them and the consequences of said actions. People tend to take "Security Training" as "I need to remember A, B, C, etc." Humans are bad at this sort of thing, typically.
I admit that "Security Awareness" isn't all that easy, but clearly our current approaches leave much to be desired.
If there's trust and respect, they'll reach out without fear of reprisal and inform right away when there's a problem.
If there's a culture of punishment, they'll fear the IT gestapo and try to cover up mistakes that could cost them their job.
It really is that simple.