Plain-text emails. No clickables, no tracker images.
–
Honestly, while I agree that good training is a way forward, I gotta say the training at my workplace does NOT let you know how to check anything. It’s more of a “don’t open emails you don’t trust”, here are some nightmare scenarios. While, at the same time, we get actual mandatory training emails, that are flagged by both our internal mail system, and the pre-installed mail client as “DO NOT TRUST” that we are required to click through. My complaints to IT to at least fix the internal mail system flagging have been replied to with “Users should expect these emails, so they should know to ignore all the warnings and click anyway.”
We are training people to ignore their training, so of course it’s not helping.
Also, even with SPF and DMARC and whatever other TXT records in place, it’s still possible to get a “spoofed” From address into a user’s inbox, so I find teaching people to use that header as an indicator of anything personally offensive to my technical knowledge.
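To make the SPF/DMARC point concrete, here is an added example (not code from anyone in this thread) of the alignment check a receiving mail gateway performs: DMARC only treats a message as authenticated when the domain that SPF or DKIM actually verified lines up with the domain shown in the visible From header. Both sample messages, the Authentication-Results wording, and the `corp.example.com` / `mailer.example.net` domains are constructed for the example; the organizational-domain reduction is a simplification (real DMARC uses the Public Suffix List).

```python
"""Added example: does the visible From header have SPF or DKIM alignment
behind it, in the sense DMARC defines?  Sample messages are constructed."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample: the visible From claims corp.example.com, but the
# envelope sender and DKIM signature both belong to mailer.example.net.
# SPF and DKIM each "pass", yet neither is aligned with the From domain.
SAMPLE_UNALIGNED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=pass header.d=mailer.example.net
From: "IT Training" <training@corp.example.com>
To: user@corp.example.com
Subject: Mandatory training

Please complete your training.
"""

# Constructed sample: the same From header, but now the authenticated
# identifiers match it, so DMARC alignment holds.
SAMPLE_ALIGNED = """\
Return-Path: <bounce@corp.example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=corp.example.com;
 dkim=pass header.d=mail.corp.example.com
From: "IT Training" <training@corp.example.com>
To: user@corp.example.com
Subject: Mandatory training

Please complete your training.
"""


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels.  Assumption for
    the demo; production code should consult the Public Suffix List."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header: str) -> dict:
    """Extract (result, authenticated domain) for spf and dkim from an
    Authentication-Results header.  smtp.mailfrom may be a full address."""
    results = {}
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.\-@]+)", header)
    if m:
        results["spf"] = (m.group(1).lower(), m.group(2).rpartition("@")[2].lower())
    m = re.search(r"dkim=(\w+)\s+header\.d=([\w.\-]+)", header)
    if m:
        results["dkim"] = (m.group(1).lower(), m.group(2).lower())
    return results


def dmarc_alignment(raw: str) -> dict:
    """Return which authenticated identifiers align (relaxed mode) with
    the visible From domain, and the resulting DMARC verdict."""
    msg = message_from_string(raw, policy=default)  # default policy unfolds headers
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    def aligned(method: str) -> bool:
        if method not in auth:
            return False
        result, domain = auth[method]
        return result == "pass" and org_domain(domain) == org_domain(from_domain)

    spf_ok, dkim_ok = aligned("spf"), aligned("dkim")
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


if __name__ == "__main__":
    for name, sample in (("unaligned", SAMPLE_UNALIGNED), ("aligned", SAMPLE_ALIGNED)):
        print(name, dmarc_alignment(sample))
```

The first message is the case the comment above describes: every authentication check "passes", the From header looks right to a user, and only the alignment step reveals that nothing actually vouches for `corp.example.com`. Whether such a message still reaches the inbox depends on the From domain's published DMARC policy (a `p=none` policy only asks for reports), which is why the visible From header by itself is a weak signal for users.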
Idk man, I feel like you’re striving for perfection in an imperfect world. I agree it would be nice for all email to be plain-text and with no clickables, but that’s not the world we live in, and getting companies to remove them from mandatory emails is an uphill battle.
While it’s true that there’s no way to completely eliminate spoofed “From” addresses, I think it’s fair to say it’s rare, and that checking the “From” address will conquer a significant chunk of phishing attempts. The training isn’t meant to 100% eliminate the effects of phishing attacks, it’s meant to reduce the number.