Yet another good idea in theory ruined by the human condition. Train people to think emails may be dangerous? Instead of critically examining each one they just ignore them to minimize risk by default. No amount of training will beat the cognative skills required for competent spam identification into most heads. Even if it could, some phising is so sophisticated in the social engineering it even tricks up cybersecurity types who should know better. Damned if you do, damned if you don’t from a company perspective.
But the truth is emails may be dangerous, and the trainings exist to show people how to tell the difference. What reasonable alternative is there? Your argument is effectively “People will never learn how to use a fire extinguisher so why bother doing fire safety training. Some fires are so bad that a fire extinguisher will do nothing.” We don’t control the danger, but we can manage and minimize the risk through training.
Plain-text emails. No clickables, no tracker images.
–
Honestly, while I agree that good training is a way forward, I gotta say the training at my workplace does NOT let you know how to check anything. It’s more of a “don’t open emails you don’t trust”, here are some nightmare scenarios. While, at the same time, we get actual mandatory training emails, that are flagged by both our internal mail system, and the pre-installed mail client as “DO NOT TRUST” that we are required to click through. My complaints to IT to at least fix the internal mail system flagging have been replied to with “User’s should expect these emails, so they should know to ignore all the warnings and click anyway.”
We are training people to ignore their training, so of course it’s not helping.
Also, even with SPF and DMARC and whatever other TXT records in place, it’s still possible to get a “spoofed” From address into a user’s inbox, so I find teaching people to use that header as an indicator of anything personally offensive to my technical knowledge.
Idk man, I feel like you’re striving for perfection in an imperfect world. I agree it would be nice for all email to be plain-text and with no clickables, but that’s not the world we live in, and getting companies to remove them from mandatory emails is an uphill battle.
While it’s true that there’s no way to completely eliminate spoofed “From” addresses, I think it’s fair to say it’s rare, and that checking the “From” address will conquer a significant chunk of phishing attempts. The training isn’t meant to 100% eliminate the effects of phishing attacks, it’s meant to reduce the number.
Yet another good idea in theory ruined by the human condition. Train people to think emails may be dangerous? Instead of critically examining each one they just ignore them to minimize risk by default. No amount of training will beat the cognative skills required for competent spam identification into most heads. Even if it could, some phising is so sophisticated in the social engineering it even tricks up cybersecurity types who should know better. Damned if you do, damned if you don’t from a company perspective.
But the truth is emails may be dangerous, and the trainings exist to show people how to tell the difference. What reasonable alternative is there? Your argument is effectively “People will never learn how to use a fire extinguisher so why bother doing fire safety training. Some fires are so bad that a fire extinguisher will do nothing.” We don’t control the danger, but we can manage and minimize the risk through training.
Plain-text emails. No clickables, no tracker images.
–
Honestly, while I agree that good training is a way forward, I gotta say the training at my workplace does NOT let you know how to check anything. It’s more of a “don’t open emails you don’t trust”, here are some nightmare scenarios. While, at the same time, we get actual mandatory training emails, that are flagged by both our internal mail system, and the pre-installed mail client as “DO NOT TRUST” that we are required to click through. My complaints to IT to at least fix the internal mail system flagging have been replied to with “User’s should expect these emails, so they should know to ignore all the warnings and click anyway.”
We are training people to ignore their training, so of course it’s not helping.
Also, even with SPF and DMARC and whatever other TXT records in place, it’s still possible to get a “spoofed” From address into a user’s inbox, so I find teaching people to use that header as an indicator of anything personally offensive to my technical knowledge.
Idk man, I feel like you’re striving for perfection in an imperfect world. I agree it would be nice for all email to be plain-text and with no clickables, but that’s not the world we live in, and getting companies to remove them from mandatory emails is an uphill battle.
While it’s true that there’s no way to completely eliminate spoofed “From” addresses, I think it’s fair to say it’s rare, and that checking the “From” address will conquer a significant chunk of phishing attempts. The training isn’t meant to 100% eliminate the effects of phishing attacks, it’s meant to reduce the number.