I can't believe that this is still a thing, but if your risk model is noticeably impacted by the adversarial capability of _writing an email in the English language_ then I'm pretty sure your threat model is already broken.
NSA official: hackers use AI bots like ChatGPT to perfect English
NSA Cybersecurity Director Rob Joyce said the spy agency has seen hackers use chatbots like ChatGPT to perfect their English for phishing schemes. (Kevin Collier, NBC News)
cR0w
•cR0w
•To prove the point that users will continue to click links, regardless of how obvious it is that they shouldn't, I worked with the person in charge of the monthly phishing trainings at $dayjob last month. Historically, they have used the hated ruses like fake gift cards, and I wanted to try to get away from that, especially during the holidays. We ended up using something to the effect of the following:
---
Hello <first name>,
Happy Holidays. This is the monthly phishing test. Yes, really. It's not a trick. Use the <phishing reporting function> to report this as phishing. If you do not know how to use <phishing reporting function>, feel free to ask a colleague. If you still have questions, search for <phishing reporting function> on <internal docs site>.
Do not click the following link as it is there for metrics and will cause you to be assigned phishing awareness training: <phishing training 'malicious' link>
Sincerely,
IT Security Team
---
I don't know how well it was received by users, but I do know that we still had more clicks than two other months in 2023, despite being explicitly told not to click the link. Users will always click links with their link-clicking machines. Relying on their discretion is either ignorant, or I expect in some cases, malicious in that there will always be a scapegoat to blame for the inevitable breach.
#phishing #infosec
Kinetix
•@hypolite
cR0w
•I disagree. People click links. It's up to security to ensure that the impact is mitigated. If users had to fear for their jobs if they happened to click a link that security allowed into their inbox, you would run out of productive employees.
There are entire workflows that require the users to click links sent to them from the general public. If security is so poor that it allows malicious links to the user, how can the user be expected to pick up what the specialists missed?
Hypolite Petovan
•Kinetix
•Why can't people be held accountable for being maliciously stupid? People aren't allowed to do many stupid things, but would you blame the janitor for someone flinging poo on a wall after being explicitly told not to?
Thinking InfoSec people are going to catch everything is delusional, and normalizes nonsense like spying on all content in and out of the corporate network. (while ignoring that there's still handfuls of other ways to yank data from the company).
@hypolite
Hypolite Petovan
•Kinetix
•I would be curious to know what kind of job has 'indiscriminate link clicking' as part of its role, but if I had to have someone in such a position and I couldn't trust them to actually read emails that say "Do not click this link" (and am I setting them up for failure anyway with poor incentivization?), then they're going to be off on an isolated network with access to sweet nothing.
Would you hang on to a millwright who kept cutting off limbs because they just couldn't pay attention to what they're doing? I mean, this discussion revolves around someone clicking a link in an email that specifically says to not click the link.
@cR0w