This content was originally posted as a Twitter thread. Copied here for archive purposes. Please forgive potential typos and the succinct writing style.
Unpopular opinion of the day: #phishing awareness campaigns and teaching your users to stay frosty is a close to useless endeavour. A waste of resources. Read on to see my point (1/n) /cc @troyhunt @randomdross @sirdarckcat— Martín Obiols (@olemoudi) November 12, 2018
I know anti-phishing is a business that feeds a lot of people but the way this war is fought today just seems off to me.
First, I differentiate targeted phishing campaigns (usually APTs) from massive or moderately massive phishing. I don’t think I need to point out why you can’t fight the former with awareness.
Massive phishing is like mail spam: cheap, risk-free and thrives under big numbers. 1 victim for each 100 targets might seem a low turnover, but if you have 100k targets from the same bank the figures suddenly get grimmer, while staying cheap for the phisher. But 1% is sooo distant from real-world figures for phishing click-through from regular users. In one of my past gigs we conducted regular internal phishing on employees massively. Click-through never went below 10%.
Awareness campaigns ensued to deliver guidance to people to look out for unexpected emails, not opening attachments or clicking on links. Results still randomly ranged between 10% and 20% regularly. It was common to hear victims state how coincidental it was that Rachel, the phisher, shared first name with some other Rachel who regularly emailed them. I don’t blame them.
The message will happen to be believable enough to someone, somewhere. It just happens.
I am an engineer working for an anti-phishing security company and I confess I have had some -majorly- close calls from our training simulations. Everyone gets tired, distracted, or careless, not just unsophisticated people.— Nathaniel Jones (@thenthj) September 5, 2018
And we are just getting started on the “don’t click on unknown links” silly security adage you still often get from awareness campaigns.
Yeah right, as if in 2018 you could know where the hundreds of links you click every day take you: link shorteners, open redirects from trusted domains, no status bar preview on touchscreens, TOCTOU, tabnabbing…
If you still believe you can prevent users from brainlessly clicking on links, consider also there are links that do not look like links at all.
This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh— Tom Scott (@tomscott) December 23, 2016
How to make paranoid targets click on email link: send a short newsletter about upcoming training courses with small unsubscribe link— Martín Obiols (@olemoudi) May 6, 2015
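The thread’s point that a user cannot tell where a link goes (shorteners, open redirects on a trusted domain, anchor text that contradicts the href) is something a mail gateway can check mechanically instead. The script below is an added example, not part of the thread or of any product it mentions: it scans the anchors of an HTML message body and lists, per link, why the visible link says nothing reliable about its destination. The shortener list, the sample message and the reason names are all constructed for this example, and the registrable-domain helper is a deliberate approximation (no public-suffix list is consulted).

```python
"""Added example (not from the thread): flag e-mail links whose real
destination cannot be judged from what the recipient sees."""
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed list for the example; a real deployment loads this from config.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Captures the href and the visible text of <a ... href="...">text</a>.
ANCHOR_RE = re.compile(
    r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s<]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list is
    available offline, so 'co.uk'-style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def embedded_redirect_target(url: str):
    """Return an absolute http(s) URL carried in the query string, the usual
    shape of an open-redirect parameter such as ?next=https://..."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def analyse_link(href: str, text: str) -> list:
    """Return the reasons this link is opaque to the user (empty = none)."""
    reasons = []
    host = urlparse(href).hostname or ""
    # 1. Shortener: the final host is unknown until the redirect is followed.
    if registrable_domain(host) in KNOWN_SHORTENERS:
        reasons.append("shortener")
    # 2. A redirect parameter pointing at another registrable domain: the
    #    displayed host (possibly a trusted one) is not where the user lands.
    target = embedded_redirect_target(href)
    if target is not None:
        target_host = urlparse(target).hostname or ""
        if registrable_domain(target_host) != registrable_domain(host):
            reasons.append("redirect-to-other-domain")
    # 3. Anchor text that looks like a URL but names a different host.
    shown = URL_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
    if shown:
        shown_host = urlparse(shown.group(0)).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(host):
            reasons.append("text-href-mismatch")
    return reasons


def scan_html_mail(body: str) -> dict:
    """Map every href in the message body to its list of reasons."""
    return {html.unescape(href): analyse_link(html.unescape(href), text)
            for href, text in ANCHOR_RE.findall(body)}


# Constructed sample message body for the example.
SAMPLE_MAIL = """<p>Dear customer,</p>
<p>Please review your statement at
<a href="https://example-bank.com/login">https://example-bank.com/login</a>.</p>
<p>Or use the quick link <a href="https://bit.ly/3abcde">here</a>.</p>
<p>See <a href="https://example-bank.com/go?next=https://evil.example/login">our new portal</a>.</p>
<p><a href="http://phish.example/x">https://example-bank.com/secure</a></p>
"""

if __name__ == "__main__":
    for link, reasons in scan_html_mail(SAMPLE_MAIL).items():
        print(f"{link}: {reasons or 'ok'}")
```

Only the first link comes out clean; the other three are flagged for exactly the mechanisms the thread lists. A gateway can rewrite or quarantine on these reasons without ever relying on the recipient to notice them.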
OK, people brainlessly click through. But at least we can teach them not to put their credentials on untrusted sites, right? Well, just before you start with the awareness there is some prep work you need to do.
For your awareness campaign to be remotely successful, you need to keep your login pages (that is, the forms where your users put credentials) consistent.
Consistent means you cannot have a myriad of places (URLs, frames, apps) where your users can log in (and all with a different UI or CSS). Multiple logins, on different sites, UI dialogs, CSS… it’s just bad security urbanism.
You can only have your users putting credentials on a single place. If they are not gonna check the URL properly (or they actually can’t, more on that later) at least give them a fixed familiar form to mentally refer to when things get ugly. e.g. https://accounts.google.com
That helps them build a mental model of “how does it look when this company asks for credentials”. Sending them email messages telling them that they won’t be asked for a password via email or phone won’t help. Also, by doing that you retain control and can properly notify users of upcoming changes so they actually expect them.
But even if you do that, you still need to give users a way of actually checking whether it is you or some phisher the one asking for the credentials. It turns out there is only one way to do that: The Almighty Browser Address Bar.
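The “single place for credentials” recommendation above only holds if someone actually knows where every password form in the organisation lives and where it posts. The script below is an added example, not code from the thread: it inventories every form containing a password field across a set of pages and reports those that are hosted on, or submit to, anything other than one approved login origin (the thread’s https://accounts.google.com pattern). The page contents, the hostnames and the approved origin are constructed for the example; a real run would feed it crawled HTML.

```python
"""Added example (not from the thread): audit where credential forms live and
where they post, against a single approved login origin."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class CredentialFormFinder(HTMLParser):
    """Collect the absolute action URL of every <form> holding a password input."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # absolute action URLs of credential forms
        self._current = None     # [action, has_password] while inside a form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means the form posts back to the page itself.
            self._current = [urljoin(self.page_url, a.get("action") or ""), False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current[1]:
                self.forms.append(self._current[0])
            self._current = None


def credential_form_actions(page_url: str, page_html: str) -> list:
    parser = CredentialFormFinder(page_url)
    parser.feed(page_html)
    parser.close()
    return parser.forms


def origin(url: str) -> str:
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}".lower()


def audit_login_surfaces(pages: dict, approved_origin: str) -> dict:
    """Return {page_url: [(action_url, [reasons])]} for every credential form
    that is hosted outside the approved origin or posts outside it. A plain
    http page is off-origin by construction, since the approved origin is https."""
    findings = {}
    for page_url, page_html in pages.items():
        bad = []
        for action in credential_form_actions(page_url, page_html):
            reasons = []
            if origin(page_url) != approved_origin:
                reasons.append("form-hosted-off-origin")
            if origin(action) != approved_origin:
                reasons.append("form-posts-off-origin")
            if reasons:
                bad.append((action, reasons))
        if bad:
            findings[page_url] = bad
    return findings


# Constructed sample pages for the example.
APPROVED_ORIGIN = "https://accounts.example.com"
PAGES = {
    "https://accounts.example.com/signin":
        '<form action="/login" method="post"><input name="u">'
        '<input type="password" name="p"></form>',
    "https://accounts.example.com/sso":
        '<form action="https://idp.partner.example/auth">'
        '<input type="password" name="p"></form>',
    "https://shop.example.com/checkout":
        '<form method="post"><input type="text" name="email">'
        '<input type="password" name="pw"></form>',
    "http://legacy.example.com/portal":
        '<form action="https://accounts.example.com/login">'
        '<input type="password" name="p"></form>',
    "https://www.example.com/newsletter":
        '<form action="/subscribe"><input type="email" name="e"></form>',
}

if __name__ == "__main__":
    for page, forms in audit_login_surfaces(PAGES, APPROVED_ORIGIN).items():
        for action, reasons in forms:
            print(f"{page} -> {action}: {', '.join(reasons)}")
```

Note that the legacy page is flagged even though it posts to the approved origin: the form the user sees still lives somewhere else, which is precisely the “myriad of places” the thread warns against. The newsletter form has no password field and is ignored.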
So let’s say after your awareness campaign your users actually glance at the address bar (which is assuming a lot). First, are they able to do that? There is a ton of situations where you are just out of luck, with no clear indicator of who is actually receiving your credentials.
In some other cases, you are being deceived by UI bugs:
Even the size of your screen matters:
And… it’s not enough to only check the address bar only once, heh, what were you thinking?
Lastly, have you considered mobile UI design principles? Real estate is pricey, so the address bar is just not there sometimes:
I could go on, but you get the point. How do we effectively fix this in a sustainable manner? Not by focusing on awareness, that’s for sure. Cheers