As much as enterprises love their anti-phishing training programs, they somehow don’t think about them when they communicate with their customers on important operational matters. Many routinely send messages that look and act exactly like phishing messages.
What these corporate execs don’t seem to realize is that this kind of behavior undermines their own operations. How so? By training their customers — almost all of whom have access or credentials into that enterprise’s systems to varying degrees — to click on unknown links or open unknown attachments in emails they didn’t expect, they’re just asking for trouble.
Gosh, how could this possibly go wrong?
Look for the major cyber attackers to start sending candy and flowers to these companies’ CIOs and CISOs with a note: “Thanks very much for training your customers to fall for our phishing attacks more effectively! We owe you one. We’ll connect again when we send you our ransom demands. Talk soon.”
What prompted my concern? Two emails I recently received from two unrelated enterprises. One was from a major telecom carrier asking about a repair order scheduling issue and the other was from a large healthcare operation asking about a billing matter. Neither message was expected. The carrier one was vague and then asked me to click on a link. (“Yep,” I thought. “That is not going to happen.”) The healthcare one was also vague and it asked me to open a PDF attachment. (Again, I thought, “Nope. An unexpected PDF is barely one notch safer than a Zip file. Also not going to happen.”)
Two phone calls and a lot of on-hold muzak later, I learned both messages were legitimate. That’s not the point, though. The point is that their efforts to get people to click on an unknown link or open an unknown attachment are IT suicide.
John Gunn, CEO of authentication firm Token, compared the tactic to a parent trying to teach a three-year-old how to avoid being abducted.
“You can’t tell the three-year-old, ‘It’s OK to take candy from this stranger but not this other stranger. Or to help this stranger to look for a lost puppy but not this other stranger.’ These companies are putting an extra burden on the customer to discern what is legitimate and what is not,” Gunn said.
Part of the problem here is that the meaning of “that email looks phishy” has changed quite a bit in the last year or so. (Lots of typos, for instance, are no longer the giveaway they once were.)
The proper way for enterprises to reach out on these matters is something like, “There is a new billing matter that requires your attention. Please log into your portal and look into it.”
Why don’t most enterprises do that? Some blame a lack of training — and there is absolutely a lot of truth in that. But it’s often quite deliberate.
More responsible enterprises have tried doing this the proper way, but too many customers complained along the lines of, “Do you know how many portals I have to deal with? Give me a link to the portal you want me to use.”
This gets us right back to the security-vs.-convenience nightmare.
This problem is complicated because the harm is two-step. It’s not that the customer will be hurt if they click on your link. It’s that you’re inadvertently making them comfortable with clicking on an unknown link, and they might get hurt two days from now when they encounter an actual phishing email. Will the enterprise be held liable, especially if you can’t prove the victim clicked because of what was sent?
It gets even worse. The old advice used to be to mouse over suspicious links and make sure they’re legitimate. Today, that advice doesn’t work. For one thing, many communications are moving to mobile environments where mouseovers don’t exist. (Bayse CEO David Pearson points out that a user on a mobile device can long-press a link, but that is dangerous because the link could easily open.) Secondly, attackers have mastered the art of faking mouseovers, said Roger Grimes, Defense Evangelist at KnowBe4.
Beyond that, many companies now work with multiple third-party firms for all manner of functions, including billing, scheduling, shipping and payments. That means customers expecting to see the name of their favorite retailer instead see an unfamiliar name.
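The portal-only wording recommended above, together with the third-party sender problem, can be turned into a check on outbound notification templates before they go to customers. The following is an added example, not code from the column or from any vendor it names: it parses a notice and flags the three phishing-shaped traits the column calls out (vendor sender domain, attachment, clickable link). The domains, sender names and message texts are constructed samples.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def audit_notification(raw_message: str, brand_domain: str) -> list[str]:
    """Phishing-shaped traits of an outbound customer notice; [] means portal-only wording."""
    msg = message_from_string(raw_message, policy=default)
    brand = brand_domain.lower()
    findings = []
    # Vendor sender: the customer expects the brand's own name, not a third party's.
    sender_domain = parseaddr(str(msg["From"] or ""))[1].rsplit("@", 1)[-1].lower()
    if sender_domain != brand and not sender_domain.endswith("." + brand):
        findings.append("third_party_sender")
    # Attachment: the notice should point at a document inside the portal instead.
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        findings.append("attachment")
    # Link: the notice should name the portal ("log into your portal"), not link to it.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and URL_RE.search(body.get_content()):
        findings.append("link")
    return findings


# Constructed samples, not real mail. VENDOR_NOTICE mirrors the billing notice the
# column describes; PORTAL_NOTICE is the same notice in the recommended wording.
VENDOR_NOTICE = """\
From: "Acme Health Billing" <notices@billing-vendor.example>
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

A matter on your account needs attention. Open the attached statement
or visit https://pay.billing-vendor.example/acct to resolve it.
--sep
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"

%PDF-1.4 (placeholder bytes)
--sep--
"""
PORTAL_NOTICE = """\
From: "Acme Health" <notices@acmehealth.example>

There is a new billing matter that requires your attention.
Please log into your portal and look into it.
"""
```

Run against a brand domain of `acmehealth.example`, the vendor notice yields all three findings and the portal notice yields none.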
That brings us back to the basic advice for users: never click on any unexpected link or open any unexpected attachment. No exceptions, unless the user can turn to a trusted means of communication to verify legitimacy, such as calling the number on the back of a payment card.
Allan Alford, an IT consultant, said it’s not easy to eliminate phishing-like messages.
“We train our users not to click the bad thing or suspicious things. Or things that look like our people, but that are not actually our people,” he said. “And then an outsourced HR SaaS product sends a companywide email impersonating the head of HR. And then marketing sends out the same thing and sales sends the same thing. The bottom line is that ‘don’t click the thing’ is impractical advice.”
Alford said the only response is to “teach end-users to reach out to the sender out-of-band and verify. And we then need to train the business to not do the thing we’re training users to not do.”
Much of this stems from internal disconnects between business units within the same company, said Padraic O’Reilly, CEO of cyber risk management company CyberSaint. “There’s often a disconnect between the security and IT functions and operational departments,” O’Reilly said. “Those functions are sometimes more discrete than they should be.”
Bryce Austin, CEO of TCF Strategy, was a bit more direct: “Any company sending anyone an email, text or anything else that says please click their link needs to really rethink their business processes.”
The bigger problem, according to Pearson, involves the ROI attached to fixing email phishing issues.
“When they calculate the risk landscape, is this a high enough priority?” Pearson said, suggesting that the answer is that no, it is not an especially high priority.
That needs to change.
Communications Security, Security, Technology Industry
Read more: Computerworld