As someone who takes this seriously I’m only working jobs where your ass will get fired immediately for clicking that link in the clearly dumb email.
If leadership won’t bring the same rigour of safety culture - which is mandated by legislation - to security? Don’t bother, just move on.
OkayPhysicist•2mo ago
Traveling to the wrong webpage pwning you is a piece of hacklore so outdated they replaced it with the updated QR code version. Clicking a link has not been a dangerous activity for years. When the rare browser exploit is discovered, it's patched immediately.
gnabgib•2mo ago
I must be misunderstanding you because phishing happens weekly with huge consequences. It's not browser exploits, it's an email that looks legit enough with an incorrect URL or a page that's so convincingly identical to PayPal you feed it the information. Just this week:
Phishing is tricking someone into providing confidential information to a malicious party/site. "Don't click on suspicious links" is, IMO, an overreaction that fails to teach people the core lesson that is "Always confirm that you're providing sensitive information to the party you think you are".
Online, we've made it exceptionally easy to make those sorts of checks: a website, served over HTTPS, is coming from the url. Other systems are so, so much worse about this. Any system where unauthorized impersonation is possible is a technical failure, and the fault for abuse of that unauthorized impersonation is on the providers and designers of that system. Like phone calls. Or email.
People tend to be pretty good at differentiating between "this person can be trusted with sensitive information", and "I shouldn't trust this stranger". What they need are the tools to determine who they're talking to.
ianpenney•2mo ago
If leadership won’t bring the same rigour of safety culture - which is mandated by legislation - to security? Don’t bother, just move on.
OkayPhysicist•2mo ago
gnabgib•2mo ago
SitusAMC https://www.situsamc.com/databreach
Harvard University https://www.bleepingcomputer.com/news/security/harvard-unive...
Iberia Airline https://www.bleepingcomputer.com/news/security/iberia-disclo...
Salesforce via gainsight https://status.salesforce.com/generalmessages/20000233
OkayPhysicist•2mo ago
Online, we've made it exceptionally easy to make those sorts of checks: a website, served over HTTPS, is coming from the url. Other systems are so, so much worse about this. Any system where unauthorized impersonation is possible is a technical failure, and the fault for abuse of that unauthorized impersonation is on the providers and designers of that system. Like phone calls. Or email.
People tend to be pretty good at differentiating between "this person can be trusted with sensitive information", and "I shouldn't trust this stranger". What they need are the tools to determine who they're talking to.