Tested Lock and Key


Lots of companies have email security testing practices in place to help train employees on what to look for and to identify weaknesses in threat identification. There are lots of third-party tools for this kind of thing. The other day, I was reading a comment from the head of digital security at a large corporation saying that, in his opinion, if someone repeatedly fails these tests, it should be grounds for termination, because the cost of failure is just so high. But the fact is, the biggest weakness in security is human, because try as we might, individual vigilance is never consistent enough.


And, our abilities shift depending on a number of factors, including our emotional state. A good phishing message is going to be one that lowers a person's guard and compels them to respond or act quickly without fully thinking through what they are doing, which is what recently happened in a test I heard about.

A subset group at the company received termination letters from the head of People and Culture, with a Dropbox link to the file. This was obviously a phishing email, because there is no way in hell the company uses Dropbox for any internal processes, and no way in two hells for this kind of communication. Yet, because people had an emotional response, their understanding of the standard procedures went out the door, as did all the checks and balances that look for warning signs (like the warning that it has come from an external email), and some people apparently clicked on the link.

Test failed?

Well, that depends on how you look at it, because it succeeded in making it clear how some people react under emotional stress. The vast majority of people, however, didn't even open the email; they could see it was a phishing attempt just from the title, and reported it directly.

And, while some people have complained that this is going too far in some way, that it is too controversial to do it through termination letters, I tend to disagree. Real phishing attempts don't care about our sensibilities or whether we feel something is unfair. They are phishing, and will leverage any means necessary to gain access. They don't care if it makes people feel bad.

Pretty much all phishing attempts leverage our emotions in the hope that they can squeeze one past us. For instance, we see a lot of greed-based attempts on Hive and in Discord, making too-good-to-be-true offers, yet there are often people who still accept the offer. Sure, the people doing the phishing are assholes, but what about those falling for it?

Similarly, there are lots of instances on Hive where people post links, and others click on them and then log into random websites using their Hive keys. It doesn't matter if you are using Keychain: make sure you read which permissions you are granting every time you grant them. If it is asking for the active or owner key, say no, unless you are very sure you know what you are doing.

When it comes to security, is it better to be tested in ways that don't upset us, but aren't likely to be strong enough to prepare us when needed? I don't think so. Personally, I think it is better to bleed in the safe space so that there is resilience in the real world, which seems to go contrary to what a lot of people believe for themselves. I also think that this kind of testing gives the opportunity for adequate triage and training before something really serious happens.

The situation, however, is that people are always going to make errors, so the goal is to reduce instances and mitigate the risks, taking as much potential cost off the table as possible. Likely, a lot of this will be even further handled through AI tools in companies, but I strongly believe that we as individuals have to maintain an adequate level of security consciousness, especially those of us in crypto.

Not your keys, not your crypto - right?

So, it doesn't matter whether you see phishing as losing your keys or giving them away; the result is the same: a lost account, wallet, tokens. We can reduce our risk by taking some simple steps, like being careful about how we handle links, and of course, when we get that emotional rise, calming down and paying more attention to what is actually happening rather than trying to respond quickly, because chances are it is engineered to play on our think-fast mechanisms, not our think-slow ones.

Have you ever fallen for a phishing scam? What were the conditions and why do you think you failed? Whose fault was it? What did it cost you?

If you could go back in time, would you have preferred to have been trained on how to deal with those kinds of situations prior to them happening?

The system used by the company I work for is a gamified process that randomizes a lot of the communications and methods employed. It has been used for a couple of years now and, on average, people seem to enjoy it and track the leaderboards. The company itself is already very security conscious due to the nature of the business, but it is always good to have that consistent reminder that when there is gain to be had, someone will try to exploit it.

Taraz
[ Gen1: Hive ]

Posted Using LeoFinance Alpha

Gamified cybersecurity sounds fun. Completely agree on using whatever means necessary; even faked termination notices. Also real ones if they continue to be reckless with company info like that.

Yep. At some point, there has to be some personal responsibility.

You are absolutely right. In fact, phishing is based on social engineering and its purpose is to influence people by identifying emotional, cultural, social, family, etc. weaknesses. Even if you are aware of all aspects and have strong knowledge about these issues, you may make mistakes. There is always a mistake on our part, sometimes in the form of a wrong click or even unintentionally and unknowingly!😱

I don't think anyone intends to be the weakness, but most people think they are not the weakest link :)

Truth is, we can never be careful enough not to fall for a phishing scam because they are always trying to play on our intelligence by making us act fast without thinking twice about it. I wonder how that is done, though.

On Hive, most successful phishing attempts rely on greed.

The company I work for does those tests from time to time and some employees still fall into the trap :) I think they keep statistics of how many opened the mail and how many clicked the link.

Yep, they have to check and see how many people fall for what kinds of scams. Not many are security conscious. But it also indicates that some don't understand the internal policies.

Losing my Hive is one of my greatest fears. It took me nearly 6 years to climb here...

Make sure you have your keys safely stored and be careful when and where you use them.

We use a service called Wizer where I work. It has an education piece and then you can run campaigns if you want, but we haven't done that yet. I think it is important to educate people, but singling someone out isn't necessarily the best approach. Take what just happened to MGM for example, that was all social engineering, not a phishing attempt or anything. Solely focusing on one avenue leaves you vulnerable to other ones. It's amazing how many people don't feel this is important though. I get to read all the nasty comments about that after they do the training :P

The one we use is called hoxhunt - it plugs into Outlook.

> It's amazing how many people don't feel this is important though.

So many think they are too smart to fall for them, but so many do. Then, there is using across multiple devices, making it harder to detect some things due to client differences.

> I get to read all the nasty comments about that after they do the training :P

I bet it is pleasant.

Yeah, exactly like you said, some of them say things like "this is all common sense" and yet people get duped by it day after day. Clearly it isn't for everyone! KnowBe4 is one of the big ones that does it, but they are insanely priced and I don't like their sales practices. They were co-founded by Kevin Mitnick though.

That is a pretty painful but effective test. Emotions are usually a target for these scams. We've had a few tests in work before, and a few failed as well. I agree that humans are the weakest link most of the time, and training can only do so much. That is why tight security on passwords [using an application or an RSA SecurID] and using virtual machines to connect to databases are used to make it more secure.

Password security is another vector. Most things of importance have gone to 2FA or similar. It is interesting how often people just aren't paying attention though.

Since the discomfort caused by the hacking of my Hive user a couple of weeks ago, I have been forced to implement the same security that we handle at Trebas University Institute, here in Ontario, Canada. Looking for answers to how they managed to invade my user after 6 years of account existence, I found a light at the end of the tunnel, and it seems that everything comes from accepting Microsoft's Windows Hello application about two months ago.

From then on, I noticed an atypical upload consumption, an unusual behaviour with the files that were opened or sent to Trebas, after the permission of Windows Hello with the use of my personal pin. I removed all that and everything is back to normal.

I think one seriously considers the issue of security when something personal happens to us that directly affects us. Not only that, but I had heard users on the hive refer to their accounts being hacked, but since it wasn't me, I didn't take it seriously, until it happened to me.

We live in modern times of technological updating, where the implementation of security systems based on VLAN networks is essential.

So many unnecessary services create vulnerabilities. A lot of the apps of convenience people use are just gateways, whether it be on desktop or mobile.

> Not only that, but I had heard users on the hive refer to their accounts being hacked, but since it wasn't me, I didn't take it seriously, until it happened to me.

There are some people who have had the same thing happen to them multiple times. There are also the slipups, where someone posts their key into a post. Once on chain, it is on chain and there are bots out there looking for keys. There is also one that tries to get to them before they are exploited called keydefender.

> A subset group at the company received termination letters from the head of People and Culture, with a dropbox link to the file.

This is a new one. I have seen a WhatsApp PDF attachment where the termination was sent. However, it seems like things have gone pretty creative. Maybe a Microsoft Teams video call as the next termination call. God, pandemic times have created new drama in the workforce. We at the workplace use Notion and the Office suite more, though.

Phishing has become a part of real life and there are always going to be times when people are careless. We just make mistakes but I think people need to learn from them. If they don't learn, then they need to face reality.

Another thing is that there are some websites that you visit where all the information or keys you input may be collected and used against you later. This has happened to so many people here and it resulted in loss of funds.

One of my minor niggles with my current email client is that unlike my previous one I can't see the full headers if I need to. I haven't needed it recently because the sketchy looking things are kind of blatantly obvious now (I guess if you have some idea what you're looking for?) and my rules and junk filters are pretty good XD

Are the people complaining it was too far ones that would have "failed"?

Nothing should ever need the owner key for any reason. If it had another use aside from changing keys I can't remember what it is x_x

I'm of the same opinion with bleeding in a safe space which is generally why my kids learned a lot with school of hard knocks (we were always there just in case but they always had to at least attempt).

I don't think I've fallen for a scam yet purely because I'm both paranoid and so incredibly boring I don't do much of anything.

Gamified processes are great ways to go about training XD

> (I guess if you have some idea what you're looking for?)

You have been in crypto for a while - scams stand out! :D

> Are the people complaining it was too far ones that would have "failed"?

Not sure in this case. But, no one likes to feel like an idiot.

> which is generally why my kids learned a lot with school of hard knocks

And they were homeschooled!! :D

I kind of part-learned from being on the internet and having an email address (though I don't think any of us responded to the pleas for help from the Nigerian prince or the ambassador to help move a large sum of money or got back to the lawyer about the hitherto unknown relative that had died leaving a large sum of money and we were apparently somehow the closest relative discovered) and at the time very incorrectly assumed everyone would figure it out. When I was late teens to early 20s I remember a bunch of us openly mocking anyone stupid enough to fall for those types of scams in our little irc room because it all seemed so blindingly obvious and we were too stupid at the time to realise we were close minded and stupid.

Homeschooling is the school of hard knocks! XD

At least the way we do it.

Luckily I have not been phished before, but sadly my mom fell victim to a phishing attack a few months ago. They spoofed the same phone number that appeared on the back of her credit card, so when they called her from that number she immediately trusted them to be from her bank and didn't think twice about the shady stuff they were asking her to do on her banking account. So frustrating!

> They spoofed the same phone number that appeared on the back of her credit card,

It is really dodgy that this is allowed to happen. It is in the design of the systems so multiple people can call from the one number, but it is obviously also a security risk. Hope she didn't lose too much.
