• MajorHavoc@programming.dev
    1 day ago

    I would be more interested in a study of people entering credentials or taking other risky actions after clicking.

    Yes, people whose job includes lots of link clicking are going to click links.

    And one obvious but good conclusion: invest in mandating MFA for sensitive actions.

    • bamboo@lemmy.blahaj.zone
      1 day ago

      Totally agreed, I get it’s easier to consider it a fail if you open the link, and that simply opening a random link has some inherent risk, but there should at least be a fake page to enter credentials and evaluate how many people actually go through with that, and break that out as a CRITICAL where the other clicks are HIGH or MEDIUM status, to classify the risk.

      Also, this is just an anecdote, but in a similar phishing simulation I helped with, we had to bypass filters for rejecting emails with links for websites registered in the last 60 days. Obviously this isn’t a foolproof way to prevent phishing attempts, but it does cut out a lot of junk, and we’ve indirectly been training employees to not deal with that.
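An added example, not part of either comment above: one way to score a phishing simulation by the worst action each recipient took, so credential entry is broken out as CRITICAL instead of every click counting as a fail. The event names, the sample log, and the split of a bare click as MEDIUM versus a file download after clicking as HIGH are assumptions made for illustration.

```python
from collections import Counter

# Tiers from least to most severe. Only "credentials = CRITICAL" comes from
# the thread; the MEDIUM/HIGH assignment below is an assumption.
TIERS = ["NONE", "MEDIUM", "HIGH", "CRITICAL"]
EVENT_TIER = {
    "delivered": "NONE",
    "clicked": "MEDIUM",                  # opened the link, nothing else
    "downloaded_file": "HIGH",            # another risky action after clicking
    "submitted_credentials": "CRITICAL",  # typed a password into the fake page
}

# Constructed sample log: (recipient, event) pairs from a simulated campaign.
SAMPLE_EVENTS = [
    ("alice", "delivered"), ("alice", "clicked"), ("alice", "submitted_credentials"),
    ("bob", "delivered"), ("bob", "clicked"), ("bob", "clicked"),
    ("carol", "delivered"), ("carol", "reported"),
    ("dave", "delivered"), ("dave", "clicked"), ("dave", "downloaded_file"),
    ("dave", "reported"),
    ("erin", "delivered"),
]

def classify(events):
    """Return {recipient: {"severity": tier, "reported": bool}}."""
    result = {}
    for user, event in events:
        entry = result.setdefault(user, {"severity": "NONE", "reported": False})
        if event == "reported":
            # Reporting is tracked separately; it does not erase a risky action.
            entry["reported"] = True
            continue
        if event not in EVENT_TIER:
            raise ValueError(f"unknown event type: {event!r}")
        tier = EVENT_TIER[event]
        # Keep only the most severe action seen for this recipient.
        if TIERS.index(tier) > TIERS.index(entry["severity"]):
            entry["severity"] = tier
    return result

def summarize(events):
    """Count recipients per tier, so repeat clicks by one person count once."""
    counts = Counter(e["severity"] for e in classify(events).values())
    return {tier: counts.get(tier, 0) for tier in TIERS}

if __name__ == "__main__":
    for user, entry in sorted(classify(SAMPLE_EVENTS).items()):
        print(user, entry["severity"], "(reported)" if entry["reported"] else "")
    print(summarize(SAMPLE_EVENTS))
```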

    • 14th_cylon@lemmy.zip
      1 day ago

      mfa is not going to help when people will literally transfer their money to a scammer, because the scammers convinced them that said money is in danger and the only way to protect it is to transfer it to a “secure account”. you can’t fix stupid with technical limitations.