I've been doing information security for more than a decade. I have trained people, written organization policies, built systems with security in mind.
And yet a few days ago I almost lost money to a phishing campaign pretending to be my infrastructure provider asking me to "update my payment details."
I was tired. I clicked the link, followed the instructions.
What saved my bacon is that I opened the link in a private-mode browser window, where I was not logged into my provider's system.
-
Michał "rysiek" Woźniak · 🇺🇦 replied to Michał "rysiek" Woźniak · 🇺🇦
Point being: people make mistakes. Even people who really, truly should know better.
You might be tired.
You might be unwell.
You might be distracted.
You might click the link.
And so might people you're tasked with helping and protecting.
Keep that in mind. It's never just the person's fault.
Design systems and policies in a way that takes this into account, always. Add a little friction, it really helps.
Because… people make mistakes. Even people who really, truly should know better.
-
Michał "rysiek" Woźniak · 🇺🇦 replied to Michał "rysiek" Woźniak · 🇺🇦
The private browsing thing adds friction for me all the time. Is it a bit annoying to always have to sign-in explicitly to that provider's system? Sure.
But that friction turned a potentially really bad situation into a somewhat embarrassing, but otherwise harmless one.
Obviously be gentle and thoughtful with where you add such friction. It's not about torturing yourself or people you are trying to protect.
But don't discount the value of friction either.
Stay safe out there!
-
Mx Sadiq replied to Michał "rysiek" Woźniak · 🇺🇦
@rysiek This. Phishing works because nobody can be eternally vigilant, and the attacker only needs to "succeed" once to get you, so they can endlessly keep trying until you bite the bait.
-
Michał "rysiek" Woźniak · 🇺🇦 replied to Mx Sadiq
@packetcat plus, attackers have all the time and resources in the world to design and test a phishing campaign.
They are often professionals, doing this for a living, with loads of experience and whole teams available. Scamming people out of their money or information is their main focus.
Meanwhile, the mark who is being targeted is some random person trying to just go through their day and do whatever their actual main focus is.
Which most definitely is not "trying not to get phished today".
-
Michał "rysiek" Woźniak · 🇺🇦 replied to Michał "rysiek" Woźniak · 🇺🇦
If you happen not to be an infosec person, and would just like some advice on how to not get phished, here's one simple non-technical rule that will help:
If you got a message that demands immediate action of you and is making you feel stressed – take a short break.
Deep breaths, make some tea, take a short walk.
Whatever it is, it almost certainly can wait a few minutes. And a few minutes might just be what it takes for you to figure out it's a scam, or ask someone's opinion.
-
Tim Lavoie replied to Michał "rysiek" Woźniak · 🇺🇦
@rysiek On the flip side, it is also important to welcome phone calls out of the blue from people whose Spidey-sense has tingled a bit, and who trust you enough to sanity check what they're looking at.
Gives me the warm fuzzies, every time.
-
Michał "rysiek" Woźniak · 🇺🇦 replied to Tim Lavoie
In $OLDJOB where I was responsible for people at real risk, a person pinged me with "did you actually send that e-mail?"
It took *me* a couple of minutes to figure out it was a targeted attack. Coming from a very similar e-mail address to mine. Having *my actual e-mail signature*.
The attack got blown. Nobody got phished. Later I figured out the attack took 3 months of prep.
Asked the person how they knew.
"I didn't. It was a hunch. You told us to trust our hunches."
-
Riley S. Faelan replied to Michał "rysiek" Woźniak · 🇺🇦
@rysiek It's, perhaps, underappreciated but phishing is a millennia-old art.
Mystics have for a very long time spent much of their time on placing calls to the offices of various angels and/or demons, and then tried to hoodwink them into performing some little harmless services that might be of great benefit to the mystic's well-paying customers. The various Merkabah (מרכבה) practices, which Dr Sledge describes in this lecture, are probably some of the forms with the most obvious parallels to the modern phishing practices, but their primitive yet recognisable predecessors go way back in Mesopotamia.
-
fanf42 replied to Michał "rysiek" Woźniak · 🇺🇦
@rysiek @inthehands We tell that to newcomers; it's amazing the stupid things we do under time pressure.
And "if possible, try to check back with a different (ideally private) channel".
The number of "hello, it's XXX [the correct manager or director], I need you to do that" messages we get on new hires is frightening.
-
@fanf42 @rysiek
My department at the college long had a scammer who would regularly email all the faculty with an "oh no! I'm in a meeting! I need someone to buy an Amazon/Apple gift card for my niece's birthday!" message. We took to calling them Fake Tom. Sometimes they'd go quiet for a while, and when they returned, there were excited emails: "Fake Tom is back! They're OK!!" When the chair rotated, it was a real milestone when we got the first Fake Susan message.