Auditors: Stop recommending that "The best way to stop phishing and social engineering is through user education and training". Please, just... stop. You can't train people not to be fooled, you can only build tools that catch them safely when they are.
I hate this; spoofing address bars with similar-looking strings is perfectly possible even in ASCII, which we shouldn't be forcing anyway. Instead: for sites not in your password manager, only type your password if you navigated there yourself.
The point is, social engineering exists, but not because people click links. Your advice is just as flawed; typosquatting is a real thing. We have real solutions to this problem, like WebAuthn, and it does not and cannot involve "trusted links".
100% agree. Personally, I think the solution here is 2FA on credentials that matter. I believe Google has made a pretty strong case for the success of that approach: https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/. Seems like a better bet than hoping users don't click things.
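The two replies above point at WebAuthn and security keys as the fix that does not depend on users spotting lookalike addresses. The following is an added illustration, not code from any participant in the thread, of the property that makes that true: the browser, not the page, writes the origin into the signed client data and scopes the credential to the real domain, so a page on a lookalike domain (here the constructed `examp1e.com`, standing in for the ASCII lookalikes mentioned earlier) cannot obtain an assertion the real site will accept. It uses only the Python standard library; an HMAC with a secret shared between the key and the relying party stands in for the real ECDSA signature, since the origin-binding checks are the point, not the signature algorithm.

```python
# Toy model of WebAuthn's origin binding (added example, standard library only).
# HMAC over authenticatorData || SHA256(clientDataJSON) stands in for the real
# ECDSA signature; the relying-party checks are the part being demonstrated.
import hashlib
import hmac
import json
import secrets

# Constructed relying party and a constructed ASCII lookalike of it.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"
LOOKALIKE_ORIGIN = "https://examp1e.com"


class Authenticator:
    """Stands in for a security key. Every credential is scoped to the rpId the
    browser derived from the page's real origin, never from page content."""

    def __init__(self):
        self._creds = {}  # (rp_id, credential id) -> secret

    def make_credential(self, rp_id):
        cred_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = secret
        # The secret plays the role of the public key handed to the RP at registration.
        return cred_id, secret

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        secret = self._creds.get((rp_id, cred_id))
        if secret is None:
            return None  # nothing registered for this rpId: the key will not sign
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags
        sig = hmac.new(secret, auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_get_assertion(authenticator, page_origin, cred_id, challenge):
    """Browser side of navigator.credentials.get(): the browser fills in the
    origin from the address bar and derives the rpId from it."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    result = authenticator.get_assertion(rp_id, cred_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    auth_data, sig = result
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(assertion, cred_secret, challenge):
    """Relying-party checks; returns 'ok' or the name of the first failed check."""
    if assertion is None:
        return "no assertion"
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return "type mismatch"
    if cd.get("challenge") != challenge:
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"  # signed by the key, but for a page we never served
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpId mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_secret, signed, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return "bad signature"
    return "ok"


def run_scenarios():
    """Returns the RP's verdict for three login attempts with the same security key."""
    key = Authenticator()
    cred_id, cred_secret = key.make_credential(RP_ID)  # registered at the real site
    verdicts = {}

    # 1. Legitimate login: the user really is on https://example.com.
    challenge = secrets.token_hex(16)
    a = browser_get_assertion(key, RP_ORIGIN, cred_id, challenge)
    verdicts["real site"] = rp_verify(a, cred_secret, challenge)

    # 2. Phished: the lookalike page relays the real site's challenge, but the
    #    browser scopes the request to examp1e.com, where nothing is registered.
    challenge = secrets.token_hex(16)
    a = browser_get_assertion(key, LOOKALIKE_ORIGIN, cred_id, challenge)
    verdicts["lookalike site"] = rp_verify(a, cred_secret, challenge)

    # 3. The user was even talked into registering the key at the lookalike, and
    #    that assertion is relayed to the real site: the origin check rejects it.
    fake_id, _ = key.make_credential("examp1e.com")
    challenge = secrets.token_hex(16)
    a = browser_get_assertion(key, LOOKALIKE_ORIGIN, fake_id, challenge)
    verdicts["relayed from lookalike"] = rp_verify(a, cred_secret, challenge)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The contrast with a password is the point: a password typed into the lookalike page is valid anywhere, whereas here the key either refuses to sign (scenario 2) or signs something the real site discards before it ever checks the signature (scenario 3), with no decision left to the user.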