As much as enterprises love their anti–phishing training programs, they somehow don’t think about them when they communicate with their customers on important operational efforts. Many routinely send messages that look and act exactly like phishing messages.
What these corporate execs don’t seem to realize is that this kind of behavior undermines their own operations. How so? By training their customers — almost all of whom have access or credentials into that enterprise’s systems to varying degrees — to click on unknown links or open unknown attachments via emails they didn’t expect, they’re just asking for trouble.
Gosh, how could this possibly go wrong?
Look for the major cyber attackers to start sending candy and flowers to these companies’ CIOs and CISOs with a note: “Thanks very much for training your customers to fall for our phishing attacks more effectively! We owe you one. We’ll connect again when we send you our ransom demands. Talk soon.”
What prompted my concern? Two emails I recently received from two unrelated enterprises. One was from a major telecom carrier asking about a repair order scheduling issue and the other was from a large healthcare operation asking about a billing matter. Neither message was expected. The carrier one was vague and then asked me to click on a link. (“Yep,” I thought. “That is not going to happen.”) The healthcare one was also vague and it asked me to open a PDF attachment. (Again, I thought, “Nope. An unexpected PDF is barely one notch safer than a Zip file. Also not going to happen.”)
Two phone calls and a lot of on-hold muzak later, I learned both messages were legitimate. That’s not the point, though. The point is that their efforts to get people to click on an unknown link or open an unknown attachment is IT suicide.
John Gunn, CEO of authentication firm Token, compared the tactic to a parent trying to teach a three-year-old how to avoid being abducted.
“You can’t tell the three-year-old, ‘It’s OK to take candy from this stranger but not this other stranger. Or to help this stranger to look for a lost puppy but not this other stranger.’ These companies are putting an extra burden on the customer to discern what is legitimate and what is not,” Gunn said.
Part of the problem here is that the phrase “that email looks phishy” has changed quite a bit in the last year or so. (No longer, for instance, do these emails mean lots of typos.)
The proper way for enterprises to reach out on these matters is something like, “There is a new billing matter that requires your attention. Please log into your portal and look into it.”
Why don’t most enterprises do that? Some blame a lack of training — and there is absolutely a lot of truth in that. But, it’s often quite deliberate and intentional.
More responsible enterprises have tried doing this the proper way, but too many customers complained along the lines of, “Do you know how many portals I have to deal with? Give me a link to the portal you want me to use.”
This gets us right back to the security-vs.-convenience nightmare.
This problem is complicated because the situation is two-step. It’s not that the customer will be hurt if they click on your link. It’s that you’re inadvertently making them comfortable with clicking on an unknown link and they might get hurt two days from now when they encounter an actual phishing attack email. Will the enterprise be held liable, especially if you can’t prove the victim clicked because of what was sent?
It gets even worse. The old advice used to be to mouseover suspicious links and make sure they’re legitimate. Today, that advice doesn’t work. For one thing, many communications are moving to mobile environments where mouseovers don’t exist. (Bayse CEO David Pearson points out that a user on a mobile device can long-click, but that is dangerous because the link could easily open.) Secondly, attackers have mastered the art of faking mouse-overs, said Roger Grimes, Defense Evangelist at KnowBe4.
Beyond that, many companies now work with multiple third-party firms for all manner of functions, including billing, scheduling, shipping, payments, etc. That means customers expecting to see the name of their favorite retailer instead see an unfamiliar name.
That brings us back to the basic advice for users: never click on any unexpected link or open any unexpected attachment. No exceptions, unless the user can turn to a trusted means of communication to verify legitimacy, such as calling the number on the back of a payment card.
Allan Alford, an IT consultant, said it’s not easy to eliminate phishing-like messages.
“We train our users not to click the bad thing or suspicious things. Or things that look like our people, but that are not actually our people,” he said. “And then an outsourced HR SaaS product sends a companywide email impersonating the head of HR. And then marketing sends out the same thing and sales sends the same thing. The bottom line is that ‘don’t click the thing’ is impractical advice.”
Alford said the only response is to “teach end-users to reach out to the sender out-of-band and verify. And we then need to train the business to not do the thing we’re training users to not do.”
Much of this stems from internal disconnects between business units within the same company, said Padraic O’Reilly, CEO of cyber risk management company CyberSaint. “There’s often a disconnect between the security and IT functions and operational departments,” O’Reilly said. “Those functions are sometimes more discrete than they should be.”
Bryce Austin, CEO of TCF Strategy, was a bit more direct: “Any company sending anyone an email text or anything else that says please click their link needs to really rethink their business processes.”
The bigger problem, according to Pearson, involves the ROI attached to fixing email phishing issues.
“When they calculate the risk landscape, is this a high enough of a priority?” Pearson said, suggesting that the answer is that no, it is not an especially high priority.
That needs to change.
Communications Security, Security, Technology Industry
