- You don't need to really be "fooled" by phishing. Not in the real sense. You just need to be tired one morning and click without looking. Even if you know how to check for phishing, you might need to click on content from 10s to 100s of emails per day. Scale this out to 1 year, and even the most educated among us can fail due to an honest mistake which we otherwise could have prevented.
- Part of the problem is just that a normal workflow is: receive email --> click on URL --> enter credentials into 3rd party website. i.e., this is intentional and valid behavior for most white collar workers on a daily basis. This behavioral pattern is why phishing works, and in reality, email should not be a vector for this path. Until companies and technologies stop assuming this makes sense, phishing will continue to be successful.
Here's a crazy history of that happening...
I had a friend who was an employee of a Fortune 100 corporation. Part of employee training was not to click on links in emails. In the 1990s and the rise of the internet, they had an internal security "red team" periodically send fake phishing emails to employees. If the employee mistakenly clicked on a link in that email, the red team would send a notice to the employee's manager. It worked well because employees would not want to be embarrassed by a manager having to review the security policy with them to get their access back.
When she retired, all that training became useless and she was phished by a fake AT&T email. Why? Because with the rise of smartphones, every _legitimate_ company started sending emails that had useful tappable links. With the touchscreen, you can't hover your finger over the link to see what the underlying url is. People just normalize pressing on links in transactional emails as a convenient thing to do. E.g. Amazon sends an email with a link to the order status. A legit bank will send an email with a link for "Please review your security setting."
Smartphones reversed 15 years of not clicking on email links.
We got hit with some Christmas virus. One of the devs was talking about how he had mistakenly clicked on the link, but nothing happened. We were at lunch and suddenly were all looking at each other like, "Dave, this isn't good!" We told him to call support because we had all seen the emails from security to not click on any links in emails because so many of these were making the rounds.
They took his laptop, reimaged it and gave it back to him. The funny part was the Outlook team disabled any links in any emails he got from then on. Not sure how they did it, but if you wanted to send him a link, you had to send it to his personal email or over one of his social media accounts. Any time he got a link, if it was for business, he would have to call support, open a ticket and then an hour later, they would send him the link to open.
It drove the guys nuts. He asked repeatedly to have them enable the links, but they basically told him once you were on the list, it was for good. He quit after four months and said one of the most infuriating things was security never allowing him to get off of the "naughty" list.
> if you wanted to send him a link
Wait... why was no one just sending the link as plain text? So he could just copy paste? Or like news[dot]ycombinator[dot]com/item?id=45532515
I guess this also begs the question why email clients don't have an option to dereference links or convert them to plain text? Like
Click here for your HN comment
|
v
[Click here for your HN comment](https://news.ycombinator.com/item?id=45532515)
I mean at the end of the day links are a formatting thing, right? I know it doesn't solve url shorteners, but then url shorteners become suspect, at least until some internal person starts being dumb and suggesting them because urls are way too long[0].
[0] but this also mostly seems solvable if we are okay with redirects and temporary info being passed in the link. Redirects might be an issue, but at least getting redirected from an official site is better than getting redirected from some shortening service. Maybe a big part of the problem is how we've bundled in so much tracking info...[1]
[1] Which it's not like we haven't seen phishing links like https://ImALegitsite.conn.ImAnEvilSite.com
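The "convert links to plain text" idea from the comment above, as an added example that is not from the thread: every anchor is rewritten as `text (href)`, and an anchor whose visible text looks like a URL but names a different host than its real target (the lookalike-subdomain pattern in footnote [1]) is flagged. The sample body is constructed.

```python
"""Unmask HTML email links into plain text (added example, not from the thread)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text counts as URL-like only if the whole thing is a bare URL or domain.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)

SAMPLE = (  # constructed sample body, not a real message
    '<p>Your order shipped. <a href="https://ImALegitsite.conn.ImAnEvilSite.com/x">'
    "https://ImALegitsite.com/orders</a></p>"
    '<p><a href="https://news.ycombinator.com/item?id=45532515">'
    "Click here for your HN comment</a></p>"
)


def host_of(url: str) -> str:
    """Lowercase hostname of a URL (scheme added if missing), '' when absent."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class LinkUnmasker(HTMLParser):
    """Rewrite anchors as 'text (href)' and keep (text, href) pairs for review."""

    def __init__(self):
        super().__init__()
        self.out, self.links, self._href, self._text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        # Inside an anchor, buffer the visible text; elsewhere, copy it through.
        (self._text if self._href is not None else self.out).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.links.append((text, self._href))
            self.out.append(f"{text} ({self._href})")
            self._href = None


def unmask(html: str):
    """Return (plain_text, warnings) for an HTML email body."""
    p = LinkUnmasker()
    p.feed(html)
    p.close()
    warnings = []
    for text, href in p.links:
        # Display text that is itself a URL must point at the same host it shows.
        if URL_LIKE.fullmatch(text) and host_of(text) != host_of(href):
            warnings.append(f"text shows {host_of(text)!r} but link goes to {host_of(href)!r}")
    return "".join(p.out), warnings


if __name__ == "__main__":
    body, warns = unmask(SAMPLE)
    print(body)
    print(warns)
```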
We need SSO to stop being gated behind enterprise tiers. SSO tax is real, and can help solve this problem. I've moaned about this before as the leader of an IT team for a medium-sized company reliant on a lot of SaaS.
Enterprise plans are too much (both in terms of cost and features) for us, but we are smart enough to have security requirements and one of those is SSO & SCIM. Very few SaaS offers that on anything but the most expensive "call for quote" tiers. That's a huge problem.
That whole email invite->click link->enter credentials workflow is gone with proper SCIM provisioning and SSO. It's the bare minimum a SaaS product should offer and should be on the lowest available tier.
The other problem is services like DocuSign, which offer free trials that are abused to send out fake documents. User gets a legitimate email from DocuSign's domain, clicks on it, opens up a real document in the real DocuSign site, but the doc has a link to the phishing site.
All DocuSign needs to do is require a CC for the trial or contacting sales for a trial, problem solved. But they don't, so as far as I'm concerned they are complicit in enabling phishing.
It’s more secure this way.
The servers should scan emails for links and not allow them. If a link somehow slips through, the client should not render it as something you can click on and follow.
On work machines where everything is managed by IT, there shouldn’t be any need to send links around anyway. If anyone thinks they need to send a link around as an ongoing process, then that’s the sign that the process still needs to be designed.
Completely agreed, and I think it's telling that so few email clients or webmail services actually allow you to always render as plain text.
How would people interact with vendors and salespeople that send links to product specs, troubleshooting articles, etc?
I don’t think it is short-sighted. Actually, I think if it has a flaw it is the opposite one. Workflows that involve mailing around links are convenient for quick little in-the-moment thrown together actions. It’s liberating. I’ve done it too, sure. But, in the long run everything should be integrated somehow or another and sending links should not be necessary. One might say it is ridiculous to expect every process to reach that end state. Possibly true, but it is a good goal…
The local Blink (or WebKit) renderer should be for internal or whitelisted sites only.
Company: Stop clicking on links to third party sites.
Also Company: All of IT, HR, benefits, cloud storage, customer management, and employee portal is moving to its own third party platform!
Smart companies validate and tag those third party emails as "partner" or similar. That way the users are only using the extra scrutiny on the non-partner external emails.
There'll be a sign that says "Peanut free zone" and everyone will read it and respect it.
Then there'll be a sign that says "Please be sure to pick your kid up by x o'clock." And everyone will read it and respect it and silently stop looking at it cause they know.
And then there will be a sign that says "Please keep your child at home if you suspect they might be sick." And everyone will read it and be a little offended because why would they do that knowingly?
After a while the entrance will be plastered with notices and warnings that get put up and not taken down. And nobody reads them because they probably already know and it's not worth spending 20 minutes reading the entire wall.
I get the external/partner emails. And a notice that outlook removed extra line breaks from the message (whew). And a notice that if there are problems reading the email I can view it in a web browser. And a helpful suggestion that Copilot can give me the tldr.
Outlook is beginning to feel like daycare.
A couple of times, I got emails that seemed suspicious, but I figured I would click the link to investigate further. I was on high alert and would not have entered login credentials or opened an executable or anything like that, I just wanted to check it out and see.
Of course, it was a phishing audit and I failed. WTF?
Just getting server logs from an opened link lets them know their messages aren't being quarantined and their server is reachable through the target's firewall.
The user agent and how the links are accessed give info about who is opening them (A few every couple minutes == all good, 10 links sent to 10 different employees all opened within seconds with a non-standard user agent == you're being investigated and should burn the domain)
It's been a few years since I've done phishing engagements so details may vary with how things are done today. But the goal is to limit any information going to the bad guys. Let them think their messages are being blocked until they go elsewhere.
*edit: That being said, phishing at least one person at a large company is not particularly hard. There's too many companies using domains indistinguishable from shady links for one thing. Limiting engagement is good, but companies also need to be prepared for the eventuality that somebody will get fooled.
It's an impressive level of DGAF.
That advice would be fine (albeit maybe extreme) if it wasn't the case that for the last year I have been spammed by emails from said training company telling me to click on the included link to complete the next cybersecurity course. Even worse they use some nondescriptive weirdly named domain not their own to host the training courses. So if anything the courses are training people to click on phishing emails.
My suspicion is the training company realized no one was falling for the obvious bait anymore and they needed to gin up the numbers to keep the company convinced that paying for their services was worthwhile.
Meanwhile all corporate teams use the same VLAN and DHCP Address Pool. There is zero separation of departments on the network. A lot of companies get this precise situation backwards as we have.
IIUC, some of them will pre-load a page by opening it for you.
Users were randomly selected to get the test, and each phish was hand-crafted to trick people specifically at our company (but using only publicly available information). Anonymized results were posted quarterly, divided by department.
I only got fooled once, but man, it felt so bad to see Engineering show up on the dashboard with one hit that quarter.
(Sales was usually at the top of the list, which makes sense, since they interface with a lot of folks outside the org)
The actual response to phishing is to use authentication mechanisms that resist phishing.
It's hard to be resistant to phishing at that point and you have bigger problems.
What if Susan in HR falls victim to token theft (let's say conditional access/MDM policies don't catch it or aren't configured, which many businesses don't bother with). Her email account is now pwned, and the company gets an email from her, it passes all verification checks because it's actually from her account.
It's still phishing, but the users have no way to know that. They don't know Susan just got compromised and the email they got from her isn't real. If this is a human attacker and not just bots, they can really target the attack based on the info in her inbox/past emails and anything else she has access to.
So there's no way for the organization to be resistant at that point until IT/security can see the account compromise and stop it. Ideally, it's real-time and there's a SOC ready to respond. In practice, most companies don't invest that much into security, or they are too small and don't have the budget for a huge security operation like that.
It's a really hard problem to solve
Somebody in every big company is compromised already.
One person actually did fall for it but decided to physically bring the cards to the CEO's office. Thankfully that exposed the attack and effectively halted any damage done.
These criminals are relatively clever.
When you propose a security solution, someone is going to say "oh my users are too smart to be phished, don't worry about this". I've had this argument for rolling out MFA at nearly every company I've worked with.
Phishing tests give you the "well actually" data.
Corporations outsource almost every single tool used by their employees and train them to cough up their corporate credentials no matter what url the browser identifies. In essence, they phish their employees 100 times a day. Then they force employees to sit through training twice a year to identify phishing attacks. Every legitimate training will create cognitive dissonance with employees' every day work experiences.
No more logos, no more masked links (you have to actually copy and paste the text, giving you a chance to review the URL), no more QR code phishing, no more realistic looking but fake DocuSigns. Get rid of attachments while we are at it, there are other, better ways to share files within an office environment (because ultimately, if we enforce text only, then all phishing would then arrive via attachment in the form of a PDF or rich word doc with the fake logos and a clickable link).
The only solution (which will solve the problem, as it is marketed as phishing-resistant) is to remove passwords entirely and force everyone to use passkeys.
/s
It's no surprise people didn't engage with training material on the pretend phishing site!! At that stage, they're told it was a trap and they shouldn't even be there so of course they're going to get out asap.
The secure thing to do is: Read mail that tells you to click link to whatever online tool you work with. Then instead of clicking link in mail you open a browser and manually visit the site the link was pointing to. If there is a message, notification, or something else that the emails wants you to look at, then it will also be there when you login “directly”.
Is there a good way (right now) to defend against this? I'm willing to live with a browser that only accepts ASCII in the address bar, and disables Unicode in email (replaced with �?)
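The address-bar check the question above asks about, as an added example that is not from the thread: instead of disabling Unicode outright, the hostname is shown in both its Unicode and its IDNA (`xn--`) form, and any label that is non-ASCII or mixes scripts is reported. Sample inputs are constructed; the Cyrillic "а" (U+0430) stands in for a Latin "a".

```python
"""Show a URL's hostname in Unicode and ASCII form and flag homograph risk
(added example, not from the thread)."""
import unicodedata
from urllib.parse import urlparse


def scripts_in(label: str) -> set:
    """Rough script set: first word of each letter's Unicode name (LATIN, CYRILLIC...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def inspect_host(url: str) -> dict:
    """Return the Unicode form, the IDNA/ASCII form and a list of findings for the host."""
    host = urlparse(url).hostname or ""
    if any(label.startswith("xn--") for label in host.split(".")):
        ascii_host = host                      # already punycode: decode it for display
        unicode_host = host.encode("ascii").decode("idna")
    else:
        unicode_host = host                    # raw Unicode: encode it the way DNS sees it
        ascii_host = host.encode("idna").decode("ascii")
    findings = []
    for label in unicode_host.split("."):
        if not label.isascii():
            findings.append(
                f"non-ASCII label {label!r} -> {label.encode('idna').decode('ascii')}"
            )
            # Latin letters mixed with another script is the classic lookalike trick.
            if len(scripts_in(label)) > 1:
                findings.append(f"mixed scripts in {label!r}: {sorted(scripts_in(label))}")
    return {"unicode": unicode_host, "ascii": ascii_host, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: a Cyrillic-a lookalike, its punycode form, and a plain host.
    for sample in ("https://p\u0430ypal.com/login",
                   "https://xn--pypal-4ve.com/",
                   "https://news.ycombinator.com/"):
        print(sample, inspect_host(sample))
```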
I always circumvent it by just never clicking links sent to me (mail, sms, WhatsApp, etc). If I get a mail from, for example, Netflix that says there is a problem with my billing or whatever. I open a browser myself, go to Netflix’s site and login. If there really is a billing issue then I can see it after logging in. The links are actually never needed if you think about it.
Other than that use MFA (multi factor) everywhere you can. It doesn’t defeat phishing attacks completely, but it is good protection. (Hackers can buy tools that provide them with a UI to build and execute phishing campaigns, even ones that include handling MFA)
I've reported it multiple times over the last few years but our IT security team blows off the concern, insists that I follow the link, and changes nothing. And no, it isn't just them testing people to see if they will fall for it. I am also in a position to see the tracking reports and be in meetings where expectations are discussed.
Our program is explicitly training people to get phished.
Then Microsoft sends out e-mail advertisements with fucking QR codes in them to everybody to get people to install software without IT department's knowledge. So you not only can't see the link, you can't even de-obfuscate it by hovering over it.
There's a really easy fix for this. It's so fucking easy it hurts my brain.
Disable HTML e-mails. Disable hyperlinks. Feel free to send URLs, but make people copy and paste the link. This way they have to at least select the link. When they get a 6000 character link and can't copy paste it? That's good! Because they have no idea what the link actually is.
Nobody will do it, and I don't get why not. Do you really need to market to your internal employees so badly with images and links? That's what a portal is for. Post updates on your portal and stop bombarding my goddamn email box.
Corporate recently told me I'm specifically not allowed to unsubscribe from newsletters (probably for this reason), so now I have set up mutt to open links in a containerized browser, but that's as far as I'll go.
Here's what I do now. If I don't remember ever subscribing to something, I look for the Unsubscribe button in the email client, which is part of the headers. It feels a little less "phishy" than the link in the email. It uses the message’s hidden “List-Unsubscribe” header, thus no tracking.
Notice: I'm a virtual CISO at CyberHoot (and co-founder here) providing security program development and Incident Response services.
To call this "training" is highly misleading.
It's no surprise that the mere existence of training materials does not help if nobody reads and studies the training materials.
They should preface the training materials with "$100,000 USD will be transferred to your bank account if you read this and successfully answer the questions at the end."
If there's trust and respect, they'll reach out without fear of reprisal and inform right away when there's a problem.
If there's a culture of punishment, they'll fear the IT gestapo and try to cover up mistakes that could cost them their job.
It really is that simple.
I don't think that's right, at least not from a phishing point of view. From a 0-day point of view, yes.
But because we get flooded by emails it's easy to miss something in an email, only for it to be apparent on the page itself. Primarily because the URL will be off, or that my password manager doesn't autofill stuff.
And the flood of emails got worse when people started sending emails to group addresses in BCC instead of in To. At least in Exchange you have no idea whether the sender put your email in BCC or the group in BCC (VERY low priority).
At least I found out that the phishing emails have a recognizable header in the email, allowing me to automatically filter those.
Because you cannot fix humans, technology is the most effective approach.
I take a page from Jayson E. Street's DefCon talk from a few years ago with my students: promote "Security Awareness", not Security Training. Get people to think about what is being asked of them and the consequences of said actions. People tend to take "Security Training" as "I need to remember A, B, C, etc." Humans are bad at this sort of thing, typically.
I admit that "Security Awareness" isn't all that easy, but clearly our current approaches leave much to be desired.
The first week there is a bit of noise while we whitelisted the common domains used by the users. After that it really puts you back on alert when you clicked on an email that takes you to new domains - that could be used for phishing.
This doesn't concern amazon, google, or banks, probably
So many "offers" and "promotions" to throw around with convenient links
Edit: "Go to our website and find more information under your account about lorem ipsum... "
And then put fucking mimecast in front of everything so I legit can't do what they are training me to do...
So yeah, the training is worthless and just there to tick a box.
Kurt Got Got - https://news.ycombinator.com/item?id=45520615 - Oct 2025 (216 comments)
In my previous company they literally had an X-PHISHING-ID header.
In my current company the phishing emails don’t have a single Received header.
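Header-only triage covering three points made above (the simulation marker header, the missing Received chain, and the List-Unsubscribe header from the earlier comment), as an added example that is not from the thread. The raw message and its header values are constructed; X-PHISHING-ID is used as named in the comment above.

```python
"""Header-based mail triage (added example, not from the thread)."""
import email
import re
from email.policy import default

SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10]) by mx.example.org
Received: from mta.example.com (mta.example.com [192.0.2.20]) by relay.example.net
From: news@example.com
To: me@example.org
Subject: Your monthly update
List-Unsubscribe: <mailto:unsub@example.com?subject=stop>, <https://example.com/u/123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
X-PHISHING-ID: sim-0042

Body text.
"""  # constructed sample, not a real message

NO_HOPS = "From: news@example.com\nSubject: Hi\n\nno relay headers at all\n"  # constructed


def unsubscribe_targets(msg) -> list:
    """RFC 2369 List-Unsubscribe is a comma-separated list of <uri> items."""
    return re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))


def triage(raw: str) -> dict:
    """Summarise the header facts a filter rule or a cautious reader would act on."""
    msg = email.message_from_string(raw, policy=default)
    hops = msg.get_all("Received") or []
    # RFC 8058 one-click unsubscribe: the POST target needs no body link at all.
    one_click = msg.get("List-Unsubscribe-Post", "").strip() == "List-Unsubscribe=One-Click"
    return {
        "simulation_id": msg.get("X-PHISHING-ID"),  # None when the marker is absent
        "received_hops": len(hops),
        "no_relay_path": not hops,                  # no Received line: never crossed a relay
        "one_click_unsubscribe": one_click,
        "unsubscribe": unsubscribe_targets(msg),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(NO_HOPS))
```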
For example, this week I helped someone set up an account on an online library platform we use. I had to tell them multiple times not to tap the buttons in the email, website, or app right away, but to read them first. They were clearly nervous, and you could tell they just wanted to finish as quickly as possible and get out of “that very techie situation” to simply use the apps.
I mean, yeah, I get it. Technology isn’t for everyone. But the (sad) fact is that we live in a world largely dominated by it. And although it has created many problems we now need to solve with even more technology, it also helps us solve many of the problems we had before.
My hope is that AI will evolve to the point where it can become a kind of companion for those people, guiding them through situations involving technology that they find difficult or intimidating.