Phishing is a kind of cyberattack usually waged through email in which the attacker sends a person a link and tricks them into clicking on it. Such links never lead anywhere good. They often end up downloading and running malware on your machine or sending you to a website that contains something malicious that will slow down your computer, corrupt your files, and steal your data. That’s why you so often hear warnings not to click on links in emails. Links in emails are bad.
It was late. I was tired. I was flustered. It had been a stressful day and …
I participate in an organization that runs an ongoing anti-phishing campaign. Such programs regularly send emails to the organization’s members that contain links and accompanying verbiage intended to get you to click. When you do click, instead of sending you to some vile corner of the Internet, it sends you to a polite though admonishing website that tells you of your sin, describes what could have happened if this had been an actual phish, and reminds you that clicking on links in emails is bad.
I know all this. I teach cybersecurity. I’d never click on …
The most effective phishing emails are the ones that look the most convincing. They feature professional-looking images and a style that at least evokes and perhaps exactly replicates sites you have visited before. Fading are the days when such emails were riddled with spelling and grammar errors that made it clear this particular email was not actually sent by Citibank. Today’s phishing emails look legitimate, because their senders want you to fall for their ruse.
But of course, I know you’re supposed to hover over the link before you …
When you see a link in an email, even if you are rather sure the purported sender is the actual one and is someone you know, you’re supposed to hover over the link with your mouse. Or, if you’re on your phone or tablet, you’re supposed to long-click it – touch the link with your finger and keep touching it – an action that seems to me to require too much fine-motor magic for aging people like me, but I don’t think aging people came up with that gesture. Regardless, when you do hover or long-click, the link’s destination address will be revealed, either in the lower-left corner of the browser or in a popup directly above your now-tired long-clicking finger. If that address has lots of funky-looking characters and doesn’t resemble an address you were expecting to see, DO NOT CLICK!
Gee, when is this guy going to tell me something I don’t know? Boring.
Some organizations distinguish mail that originated within the group – say, from a coworker or teammate – from mail that was sent from the outside. For example, the organization’s email server might preface the subject of emails sent from the outside with the word “EXTERNAL”. This is supposed to heighten your awareness, make your spidey senses tingle with dread that this email you’re about to open was sent by someone you might not know, or at least by someone who isn’t part of your company or organization. You’re then supposed to employ extra caution.
Hmm. Two emails in a row marked EXTERNAL. I’m expecting that one. I’ll open it first.
Companies go through a lot of effort and expense to try to limit the effectiveness of phishing attacks.
Man, I’m tired. <Clicks on the wrong one of the two adjacent EXTERNAL emails because he’s aging and his fine motor skills are fading and his eyelids are closing.>
After all, 75% of attacks against companies come from the outside. Of those, phishing attacks are the ones that most frequently lead to cybersecurity breaches.
This email is from HR. It says I have to do MANDATORY training, and MANDATORY is in all caps. Well that’s rude. Let me check this out.
All it takes is for one employee or member to click on one malicious link for your organization to be seriously harmed. Ransomware could get onto your machine and spread to other computers in your organization. A worm or virus could start making its way through your company’s systems and start stealing or corrupting data. Just one click can cause so much harm.
Wait … no … no … I didn’t … Oh come on …
I teach Computer Science for a living, including courses on cybersecurity. I even direct a program that trains future cybersecurity professionals. I should know better, right? Well, I do know better. That’s the thing. Most people know better than to click on a link in an email these days. It’s one of those pieces of wisdom that, I think, automatically costs a supposed expert all credibility when they offer it as advice because … well … it’s just so obvious.
But, it’s like when your parents tell you not to get into an accident on the way home. Don’t you think I know that, Mom? And then you get into an accident anyway. Whether or not it was your negligence that caused it, it happened, not because you wanted to disobey your mother, but because danger and bad luck are sneaky little devils looking to get the better of you.
The comforting thing about traffic accidents, though, is that cars are much safer these days. The engine doesn’t fly into the cabin on the slightest impact anymore, and a barrage of air bags cushions you from every angle. We long ago acknowledged that car accidents are unavoidable. So, rather than offer the same fruitless warnings about trying not to get into an accident, we made cars far better at protecting the victim of the accident.
That is precisely the tack we need to take when it comes to protecting organizations from phishing attacks.
People are going to click on links. I never thought I would, but I did, and I can’t say I won’t accidentally do it again now that I’ve done it once. All the training I’ve had did not save me in my time of weakness. I clicked a link I shouldn’t have.
An effective anti-phishing program must focus on immediate detection and containment. It must quickly clamp down on the impact, limiting the spread of whatever the link downloaded, and it must surround the machine with a protective cluster of information air bags to cushion the crash. The best place to implement this is in the operating system of the machine the user used to click the link, because it can vigilantly and instantly compare what was clicked with a known list of confirmed or suspected phishing sites, inspect what was downloaded from such links, and cordon off the machine by shutting off its network connections and freezing processes on the spot.
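As an added illustration (not code from the post), here is the kind of automated check the paragraph above argues for: it does the "hover over the link" comparison for the user, flagging anchors whose visible URL text points to a different host than the real destination, and matching destinations against a known-bad list. The blocklist hosts and the sample message are constructed placeholders.

```python
"""Flag suspicious links in an email body: constructed example, not the post's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist with placeholder hosts; a real deployment would use a threat feed.
KNOWN_BAD_HOSTS = {"hr-training-portal.example.net", "login-verify.example.org"}

# Constructed sample message: the displayed URL and the real href disagree.
SAMPLE_EMAIL = (
    '<p>Complete your <a href="https://hr-training-portal.example.net/start">'
    'https://hr.example.com/training</a> today. '
    '<a href="https://hr.example.com/faq">FAQ</a></p>'
)

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Lowercased hostname of a URL or URL-looking string; '' if none."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def classify_link(href, text):
    """Reasons a link is suspicious; an empty list means no finding."""
    reasons, real = [], host_of(href)
    if real in KNOWN_BAD_HOSTS:
        reasons.append("host on known phishing list")
    shown = host_of(text) if "." in text and " " not in text else ""  # text looks like a URL
    if shown and shown != real:
        reasons.append(f"display text shows {shown} but link goes to {real}")
    return reasons

def scan_email_html(html):
    """Return [(href, text, reasons)] for every link in the message."""
    p = _AnchorCollector()
    p.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in p.links]
```

Running `scan_email_html(SAMPLE_EMAIL)` flags the first link on both counts and leaves the FAQ link clean; in practice this check would sit in the mail gateway or endpoint agent rather than rely on a tired user's hover.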
I’ll end this post with a somewhat controversial statement. The worst way to fight phishing is to rely primarily on policy and training. Accidents happen. Certainly, educate and remind, frequently and in diverse ways. We all need to hear the message so that we may practice appropriate caution and form better habits. Ultimately, though, cybersecurity comes down to protecting people from themselves. That requires better technology.
Cars have crumple zones. So, too, must computers.