Monday, February 23, 2015

The Art of Phish - Spamming in the new age of Infosec

Those of you who know me from Twitter may have seen that I posted a pretty convincing phishing email that I received on Sunday night on my school email account. I took away a few things as a security practitioner from this event.

1. Display names should always be displayed with an email address. Sure, display names look pretty, but seeing "Amazon Student" instead of the spammy email address that was hiding behind it probably leads to far more clicks than it would if people saw the whole picture up front.

2. Phishing emails are getting really REALLY good. People will fall for them not because they're lazy or overly gullible; they will fall for them because there is an art to spamming.

3. Links should be displayed - I turn off HTML formatting when I see a suspicious message. Maybe we can pop up something that displays just the domain name of the link before a user is allowed to follow it? I am open to suggestions here.
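Points 1 and 3 describe two checks a mail client could make before a user sees the pretty version: put the real sender address next to the display name, and put the real hostname next to every link. Below is an added example of both checks written here for this post, not code from the original or from any mail client. The message it inspects is constructed: the display name, the sender domain, the link hosts and the anchor text are all made up to show the pattern (a brand-like display name over an unrelated address, and anchor text that names one site while the href goes to another). It uses only the Python standard library.

```python
"""Inspect a raw email: show the real From address behind a display name
and the real hostname behind every HTML link (added example, stdlib only)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the email from the post): a brand-like
# display name over an unrelated sender address, and one anchor whose visible
# text is a URL that does not match the href behind it.
SAMPLE_EMAIL = """\
From: "Amazon Student" <promo-reply@mail.example-bulk.test>
To: student@university.example
Subject: Your Amazon Student membership
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your membership is about to expire.</p>
<p><a href="http://login.example-bulk.test/amazon/renew">https://www.amazon.com/student</a></p>
<p><a href="https://www.amazon.com/help">Help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_identity(raw_message):
    """Return (display_name, address, sender_domain) from the From header,
    so the address can be shown right next to the display name."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    return name, addr, domain


def link_report(raw_message):
    """For each link in the HTML body: the host a click would really reach, and
    whether the visible anchor text names a different host than the href."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    report = []
    for href, text in collector.links:
        real_host = (urlparse(href).hostname or "").lower()
        # Only anchor text that is itself a URL can be compared host-to-host;
        # plain words like "Help" get no mismatch judgement.
        shown_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
        mismatch = bool(shown_host) and shown_host != real_host
        report.append({"href": href, "text": text,
                       "real_host": real_host, "mismatch": mismatch})
    return report


if __name__ == "__main__":
    name, addr, domain = sender_identity(SAMPLE_EMAIL)
    print(f'From display name: "{name}"  actual address: {addr}  domain: {domain}')
    for entry in link_report(SAMPLE_EMAIL):
        flag = "MISMATCH" if entry["mismatch"] else "ok"
        print(f'[{flag}] shows "{entry["text"]}" -> really goes to {entry["real_host"]}')
```

Run as a script it prints the sender domain beside the display name and one line per link with the host the href actually points to; the first link is flagged because its anchor text names one host while the href goes to another, which is the exact thing a "show me the domain before I click" prompt would surface.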

These get better every day, and no user training in the world is going to eliminate this activity. Tight content filtering policies would have prevented this one; when I cross-checked the destination URL, it showed up as an uncategorized site.
