Teach Users to Fish (so They Don’t Get Phished)
I was watching a wonderful webcast by Marie Forleo that was part of her “Copy Cure” course. If you are unfamiliar with Marie and her work, take the time to explore some of her wisdom. Her webcasts are gems, particularly if you work in the consulting space.
During the webcast, she mentioned a phrase that should be at the top of mind for every infosec professional: “If you confuse them, you lose them.”
Think about the last meeting you had, or the last message you wrote. Was it truly as clear as it could be for its intended audience?
Think of the following example:
An executive received the following e-mail:
Take a moment and think about how you would respond to the executive who sends this message to you and asks, “Is this real or a scam?”
Most infosec professionals would probably chuckle that the executive didn’t immediately recognize this as a scam, but that is the first failing of our approach.
When I see this, I assume that the exec recognizes that something is not quite right, and is sending it to the subject matter experts for advice. This is definitely better than if the exec just clicked the link and then proceeded with the frantic, “Oops! I messed up!” phone call or, worse, if the exec didn’t report the error to anyone, hoping that no one would notice.
Here is where we infosec professionals often make the mistake that creates the confuse-and-lose problem.
Many people would simply reply, “It’s a scam. Delete it.” That certainly gets the message across, and it allows you to move on with your day. But does it help the exec? Does it teach anything, or does it add to the confusion, leaving the person no richer than when he or she contacted you?
Think of when you go to the dentist because of a pain, and the dentist responds with, “It’s nothing.” Do you feel any better knowing that the pain will not progress into the full agony stage, or would you like to know more? Just as I would ask my dentist, “How do you know it’s nothing?” the executive to whom you just said “It’s a scam. Delete it.” will probably have the same type of question: How do you know it’s a scam?
Imagine, however, if you sent the following response:
Dear [Insert Executive’s Name Here],
This is what is known as a credential-theft scam. If you followed that link and filled in the information, your username and password would have been stolen.
I know this because the phone number is a non-working number, and the link attempts to connect to a .do domain (which is located in the Dominican Republic, not a Microsoft site).
Please delete it.
Thanks for checking with us.
Here is a sample of the fake site:
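The “how do you know” reasoning in the reply above (the link points at a .do domain that is not a Microsoft site) can be turned into a small triage helper that produces the same plain-language explanation for any link. This is an added example, not code from the original post; the brand-domain list, the country-code table and the sample link are constructed assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed (assumption): domains the named brand actually uses for sign-in pages.
BRAND_DOMAINS = {
    "Microsoft": {"microsoft.com", "live.com", "microsoftonline.com", "office.com"},
}

# Constructed (assumption): a couple of country-code TLDs with their countries.
CCTLD_COUNTRY = {
    "do": "the Dominican Republic",
    "ru": "Russia",
}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of the host (good enough for .com/.do style TLDs)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def explain_link(url: str, claimed_brand: str) -> dict:
    """Explain, in plain language, whether a link belongs to the brand an e-mail claims."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    # Match on the registrable domain, not on a substring: a host such as
    # "microsoft.com.example.do" contains "microsoft" but is registered under example.do.
    legitimate = domain in BRAND_DOMAINS.get(claimed_brand, set())
    country = CCTLD_COUNTRY.get(tld)
    reasons = []
    if not legitimate:
        reasons.append(f"the link goes to {domain}, which is not a {claimed_brand} site")
        if country:
            reasons.append(f"the .{tld} domain is registered in {country}")
        if claimed_brand.lower() in host:
            reasons.append(f"'{claimed_brand}' appears in the address only as a decoy subdomain")
    return {"host": host, "domain": domain, "legitimate": legitimate, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample link in the style of the e-mail discussed above (not a real site).
    sample = "https://login.microsoft.com.secure-verify.example.do/owa/index.php"
    result = explain_link(sample, "Microsoft")
    print("Legitimate:", result["legitimate"])
    for reason in result["reasons"]:
        print(" -", reason)
```

The `reasons` list is what goes into the reply to the executive: each item is one sentence the reader can verify for themselves, which is the point of the letter above.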
In this hypersensitive cyber security environment, even the busiest executive will appreciate the explanation and enjoy a better understanding of what we do to protect the company. This eliminates the confusion, and it also provides a real-world example of the lessons we teach in the security awareness campaigns that are required by many companies.
Wouldn’t it be great to know that you are providing the valuable service of not only protecting your organization, but also communicating in a way that reduces confusion and eases the perceived pain of cyber security? So, maybe the phrase shouldn’t be, “If you confuse them, you lose them.” Perhaps we can turn it around to, “If you teach them, you reach them.”
Bob Covello (@BobCovello) is a 20-year technology veteran and infosec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.
This guest blog is part of a Channel Futures sponsorship.