Auditors: Stop recommending that "The best way to stop phishing and social engineering is through user education and training". Please, just... stop. You can't train people not to be fooled, you can only build tools that catch them safely when they are.
This. I have never understood this obsession with "clicking links". Unless the attacker has a browser exploit (very unlikely in most contexts), what is the danger?
Don't need a browser exploit:
- Attacker creates a realistic clone of your site; user clicks the link and is fooled into providing security information.
- Attacker finds dangling DNS records and registers an unused subdomain. User clicks the link and has their session stolen.
New conversation
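The second bullet above works because of cookie scoping, not a browser bug: a session cookie set with `Domain=example.com` is sent by the browser to every host under that domain, so whoever registers a forgotten subdomain receives it. The following is an added example, not code from anyone in this thread, that audits `Set-Cookie` headers for exactly that exposure; the two sample headers and the host name `app.example.com` are constructed for illustration.

```python
"""Audit Set-Cookie headers for session cookies that a stray subdomain could read.

A cookie with a Domain attribute is sent to every host under that domain, so a
subdomain an attacker registers receives it too. A host-only cookie (no Domain
attribute) goes back only to the exact host that set it, and the __Host- prefix
makes the browser enforce that (it rejects the cookie unless it is Secure,
Path=/ and has no Domain). The sample headers below are constructed.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def hosts_receiving(attrs, setting_host):
    """Describe which hosts the browser will send this cookie to."""
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain:
        return "any host under " + domain.lstrip(".").lower()
    return "only " + setting_host.lower()


def audit_cookie(header, setting_host):
    """Return findings for one cookie; an empty list means host-only, Secure, HttpOnly and prefixed."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain:
        findings.append(
            f"Domain={domain.lstrip('.').lower()}: shared with every subdomain "
            f"instead of only {setting_host}, including one an attacker registers"
        )
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page script")
    if not name.startswith("__Host-"):
        findings.append("no __Host- prefix: host-only scope is not browser-enforced")
    return findings


# Constructed examples: a weak cookie a legacy app might set, and the hardened form.
WEAK = "sessionid=abc123; Domain=.example.com; Path=/"
HARDENED = "__Host-sessionid=abc123; Secure; HttpOnly; Path=/; SameSite=Lax"

if __name__ == "__main__":
    for hdr in (WEAK, HARDENED):
        _, _, attrs = parse_set_cookie(hdr)
        print(hdr)
        print("  sent to:", hosts_receiving(attrs, "app.example.com"))
        for finding in audit_cookie(hdr, "app.example.com"):
            print("  -", finding)
```

Running the block prints the weak cookie with four findings and the hardened one with none; the useful point for an auditor is that the fix is a server-side header change, not a user behaviour.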
Exhibit A in "why training people not to click links is a losing battle": Left: CA Gov advises everyone not to click dodgy links. Right: CA Gov force-pushes a screen to every phone in the state saying "A life threatening emergency is occurring, click this dodgy link please." pic.twitter.com/k7SD5kgFDP
New conversation
Agree here. I see a lot of phishing which is no longer just theft of credentials or 'visit this link', but instead is asking for information ('Can I have the sheet with our numbers?'), documents to be shared, or low-key fraud ('Can you buy gift cards for this department?').
For these, if your mail filter (let's assume it's Gmail) doesn't catch them, education is also pretty important.
New conversation
I open every new link in a throw-away VM and use Ghidra to examine all binary content that is returned. Every link, every time, I'm doing my part! (One VM per link destination; each redirect is a new link.) It's the only way to be sure!
New conversation
Corporate IT: "Never click on strange links in email or other messages." Also Corporate IT: "We are conducting a survey on our services. Please click this strange link to an external survey website to participate."
LOL! Our company rolled out a new expense system and our team got >30 "is this a phish?" queries.