Cyber Defense Advisors

Troy Hunt Gets Phished

@ ALL,

Getting Phished is to be expected.

As two sayings put it,

We are all human.
To err is human.

As I’ve said before, for most people, in most cases of attack, the only reasons it’s not yet happened to you are,

1, It’s a target-rich environment.
2, Your number has not yet come up.
3, Or you are only slightly less “low hanging fruit”.

There is another reason that few consider,

4, You can not be reached by the phishers.

People for quite some time have wondered, and indeed questioned, why I do not do “social media” or “email” or a whole lot of other

“Un or insufficiently gated communications.”

Those old enough to remember the old security advice from back in the 1960’s, if not a lot earlier (remember, not all security advice is about computers 😉), will recall,

“If they get to the front panel it’s game over.”

Which is why a heck of a lot of early “information security” was actually “physical security” re-worded so effectively “old wine in new bottles”.

The point is though as I point out from time to time,

“Mitigation by segregation”

Works, even with insecure systems.

But Troy points out three things of note,

1, The way he received the message lacked information.
2, The message was suitably worded.
3, His password manager failed unexpectedly.

So the first point to take real notice of,

Most electronic communications like Email, SMS, etc. are

1, Not authenticated / authorized
2, Not source location verified.

Thus they are “NOT Gated”… Be it security or otherwise.

They are, in short, a good deal “less reliable” than a hand-written flyer pressed into your hand in the street by a wild-eyed-looking individual mumbling in a way that apparently lacks contact with reality.

But because it’s the age of Web 3.0… all “looky feely” with nothing taxing or alarming to be made available by “Marketing edict”…

Back with “old style” Email clients you could turn on “all headers” and other information. Whilst they can be faked, they have the advantage, with regular messages from the same organisation, of “being consistent”.

Thus if they change in any way there has to be a reason, so cause for caution and checking.

But if you can not see any changes because they are kept out of sight…

Always looking stopped me getting caught out more than a couple of times back when I still did “personal Email”. It was the fact that Email from people I’d had no contact with started rising, be they “crooks, advertisers, or worse”… It made me stop “Personal Email”; it’s also yet another reason I don’t do “messaging apps”, secure or otherwise[1].

And also why I don’t do “Walled Garden Apps” from the likes of Apple or Google, their argument of “It’s more secure for users” is an obvious nonsense due to the number of apps that “steal info or worse” they’ve made money from etc.

But onward,

The second notable point, that Troy has made is of the message,

“It created just the right amount of urgency without being over the top.”

Is an example of a fairly standard human failing, and employers are their own worst enemy because employees are almost always “under a clock”. Or some other “performance measure” to “Increase productivity” for those C-Corridor bonuses that come with increasing the perception of “Shareholder Value”…

As the old saying has it,

“Act in haste, repent at leisure”

The thing is it’s almost always the employee not the C-Suite that gets to do both with no choice.

But the third point is a doozy and one people should take to heart,

“His password manager failed unexpectedly.”

Actually, it did not fail; it acted on information that Troy did not see (see first point above).

There are two reasons why automatic systems fail,

1, Something has been changed and picked up.
2, The system is not implementing specification or the specification was deficient.

Sometimes it’s both, and people then seem to think it’s,

“A corner or edge case.”

Thus somehow not just allowable but acceptable…

It’s not, and importantly, users should be informed in a meaningful way that they can understand easily if not intuitively.

The fact that Marketing types assume all their users will do a,

“Don’t Panic Mr Mannering”

Dance whilst waving their arms etc., etc., says more about Marketing types than is probably safe to know…

[1] A friend who tried getting me to use WhatsApp, because “it does great things and everybody uses it”, has just found out that there are downsides to messaging apps. Someone they talked to via WhatsApp has been arrested and put in jail, and they found out when “The boys in blue” came around and took computers etc. “in for forensic evidence investigation”.
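An added illustration, not part of the comment above or of Troy’s post, of what “acted on information Troy did not see” means for a password manager: the autofill decision is a comparison of the origin the login was saved on against the origin of the page now in front of the user, and the point the comment makes is that a refusal should come with a reason the user can read rather than silence. The vault contents, host names and the scheme-downgrade and lookalike checks are constructed for the demo; a real manager would match on the Public Suffix List rather than a bare DNS label.

```python
from urllib.parse import urlsplit

# Constructed sample vault: one login, keyed by the exact origin it was saved on.
VAULT = {
    "https://accounts.example.com": {"username": "user@example.com"},
}


def origin_of(url):
    """Return scheme://host[:port], lower-cased, ignoring path and query."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme.lower()}://{host}{port}"


def main_label(host):
    """Crude 'brand' label of a host (second-to-last DNS label), used only to
    explain a near-miss to the user. Demo shortcut; not a public-suffix lookup."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def autofill_decision(page_url, vault=VAULT):
    """Return (fill, explanation). Every refusal states what was compared and why
    it did not match, so the user is informed instead of seeing nothing happen."""
    page_origin = origin_of(page_url)
    page_host = (urlsplit(page_url).hostname or "").lower()
    if page_origin in vault:
        return True, f"Filling: saved login matches {page_origin} exactly."
    for saved_origin in vault:
        saved_host = urlsplit(saved_origin).hostname
        if saved_host == page_host:
            # Same host, different scheme or port: treat as a possible downgrade.
            return False, (f"Not filling: login saved on {saved_origin} but this page "
                           f"is {page_origin} (scheme/port differ; possible downgrade).")
        if main_label(saved_host) in page_host:
            # Host merely resembles the saved one: a classic lookalike pattern.
            return False, (f"Not filling: this page is {page_host}, which only LOOKS "
                           f"like {saved_host}. Check the address bar before typing.")
    return False, f"Not filling: no login saved for {page_host}."
```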