I've been doing information security for more than a decade. I have trained people, written organization policies, built systems with security in mind.
And yet a few days ago I almost lost money to a phishing campaign pretending to be my infrastructure provider asking me to "update my payment details."
I was tired. I clicked the link, followed the instructions.
What saved my bacon is that I opened the link in a private-mode browser window, where I was not logged into my provider's system.
Point being: people make mistakes. Even people who really, truly should know better.
You might be tired.
You might be unwell.
You might be distracted.
You might click the link.
And so might people you're tasked with helping and protecting.
Keep that in mind. It's never just the person's fault.
Design systems and policies in a way that takes this into account, always. Add a little friction, it really helps.
Because… people make mistakes. Even people who really, truly should know better.
The private browsing thing adds friction for me all the time. Is it a bit annoying to always have to sign in explicitly to that provider's system? Sure.
But that friction turned a potentially really bad situation into a somewhat embarrassing, but otherwise harmless one.
Obviously be gentle and thoughtful with where you add such friction. It's not about torturing yourself or people you are trying to protect.
But don't discount the value of friction either.
Stay safe out there!
If you happen not to be an infosec person, and would just like some advice on how to not get phished, here's one simple non-technical rule that will help:
Deep breaths, make some tea, take a short walk.
Whatever it is, it almost certainly can wait a few minutes. And a few minutes might just be what it takes for you to figure out it's a scam, or ask someone's opinion.
@rysiek this is great advice for avoiding all sorts of scams, really. "Police" need money to get your relative out of some foreign jail? Take a breath, say you'll call them back, and do it from a trusted source. Etc.
@tim @rysiek It's great advice for any possible situation in life, really.
"In the land of giraffes, there is no urgency."
(One of the foundational rules of nonviolent communication: Check in with yourself; when you feel pressured or stressed or time-bound, you are not in your nonviolent quality. Take a break. Do not act.)
“In order to show the differences between communication styles, Rosenberg started to use two animals. Violent communication was represented by the carnivorous Jackal as a symbol of aggression and dominance. The Giraffe was chosen as symbol for nonviolence, its long neck is supposed to show the clear-sighted speaker, being aware of his fellow speakers’ reactions; and because the Giraffe has a large heart, representing the compassionate side."
Cops and Zionists are the real untermenchen
@voxofgod @BetaCuck4Lyfe @tim @rysiek really? Placing the favorite word of nazis and a reference to a part of jews in the same sentence?
@peh @BetaCuck4Lyfe @tim @rysiek
Zionist is not Jewish, it's a political agenda
And your either intentional or unintentional ABSOLUTE misrepresentation of the opposite is exactly how the world is being ruined right now.
One of the words I love to use because it's as accurate as can be
Was given to me by another non-Jewish semite: zionazi
The people murdering semites don't get to claim anti-Semitism because people are trying to stop their murders
@voxofgod You think you "have to" use a German word (actual Nazi term) to dehumanise people (like the Nazis did). That is antisemitism and hate speech, simples.
@frauxirah@chaos.social I'm not talking about Jews I'm talking about Zionists
Get it through your thick skull
And after that
Go
FUCK
Yourself
Especially when we consider that by sheer body count, you are the anti-semite
186,000 semites have been murdered by Zionists in the last year in Palestine and now they're doing the same in Lebanon
BUT GO AHEAD CLUTCH YOUR PEARLS ABOUT A FUCKING WORD I'M USING TO DESCRIBE BEHAVIOR NOT PEOPLE
You are normalizing genocide with this garbage
Again
FUCK
OFF
@voxofgod @peh @BetaCuck4Lyfe @tim @rysiek >> Zionist is not Jewish, it's a political agenda
Tell that to all the antisemites who were using it as a slur for decades.
It is really fun (NOT) to see the left eagerly adopt “Zionist” like a slur when y’all could just say “Israel,” “Israeli(s),” “settler-colonialism,” etc.
@voxofgod @peh @BetaCuck4Lyfe @tim @rysiek Like, the fact that you gotta jump on a thread for a totally unrelated subject to bark out “Zionist” like a right-wing chud who thinks he’s found an excuse to say the N-word really tells me all I need to know about the sense in which you are using it.
@rysiek On the flip side, it is also important to welcome phone calls out of the blue from people whose Spidey-sense has tingled a bit, and who trust you enough to sanity check what they're looking at.
Gives me the warm fuzzies, every time.
In $OLDJOB where I was responsible for people at real risk, a person pinged me with "did you actually send that e-mail?"
It took *me* a couple of minutes to figure out it was a targeted attack. Coming from a very similar e-mail address to mine. Having *my actual e-mail signature*.
The attack got blown. Nobody got phished. Later I figured out the attack took 3 months of prep.
Asked the person how they knew.
"I didn't. It was a hunch. You told us to trust our hunches."
@rysiek @tim_lavoie eMails asking me to "update" anything are 100% spam/scam.
@mirabilos @rysiek I did get a handful of legit ones lately, but they were expected. My old credit card expiry had passed, and these were services I'd given it to at one point. As a heuristic though, you're spot on.
@mirabilos @rysiek @tim_lavoie
I skip the email completely and login to the account I question to see if there is a notice there.
@mirabilos @rysiek @tim_lavoie This is why I hate "update your W-9" (no nothing changed, I would have told you if it did!), "update your domain contact information", etc. mails. They train ppl to get phished.
@tim_lavoie @dalias @rysiek I have no idea what W-9 is. My domains etc. usually ask to check if my info is still correct, not request to update them, and in general don’t read like these scams. So at least some have more sense.
It also helps to not live in an English-speaking country. While a good part of my correspondence is still in English, most of the rest is in German, so scammers would have to guess which. It’s also usually written by native speakers, while most German-language scam is visibly machine-translated, though AI crap might lose me that advantage when multinational companies use that to translate later. (And, of course, people not taking care to be sensible to this still fall for it.)
@rysiek @tim_lavoie @http_error_418
And good on ya for building that kind of rapport with your team.
@tek @tim_lavoie @http_error_418 thank you. It was one of the proudest moments of my career so far.
It wasn't even my team, per se – it was a non-technical administrative person working for the organization. But we had a policy that all staff get the same infosec trainings, as everyone can get attacked and used as an entry point.
That policy was 100% on-point. Most targeted attacks I've seen there went after administrative staff first, not the really juicy targets like journalists.
@rysiek @tek @tim_lavoie justifiably so. I have been in teams that have attempted to do the same but not been as clearly successful, partly due to senior management wanting a more punitive approach. Glad you had a culture that supported this kind of effort instead of suppressing it
@http_error_418 @tek @tim_lavoie it's always a struggle
What I found very helpful was never wasting a good crisis. Somebody got phished? Clean up, write a post-mortem, and then use that to push to finally enforce 2FA across the org, for example.
And I had an amazing team to work with. Got really lucky there.
@rysiek
When I had staff, I insisted that everyone on the network attend infosec training. And agreed, most of the incoming attacks were aimed at two places: c-suite and admin. C-suite, bless their hearts...never learned. The admins were always on point.
@rysiek @tim_lavoie
Wow. Three months? I'm blown away: one person's spidey sense stopped it, that's inspiring!
And that's great training: trust your hunches. I wish lots of places built that into their infosec training.
@Giselle @tim_lavoie yeah.
The attack used a lookalike domain; I checked when it was created and when the certificate was issued.
I also had the IP address of one of the attacker's VMs, where the phishing site was hosted.
That allowed me to check the logs and see if it pops up earlier. And lo and behold, there it was, quite a lot at some point. Probably when they were building the phishing site and pulling our resources for it.
It was very satisfying to see all this prep work go down the drain.
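The log check described in the post above (take the phishing host's IP, look for earlier hits in your own access logs, and notice it pulling your static assets while the kit was being built) is simple to script. The following is an added example written for this thread, not code from the original poster or their organisation. It works on constructed sample lines in combined log format; the IPs (198.51.100.23 as the attacker's VM, 203.0.113.5 as ordinary traffic), the domains (example.org as the organisation's own, example-org.co as the lookalike) and the thresholds are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines (combined log format), for illustration only.
# 198.51.100.23 plays the attacker's VM; 203.0.113.5 is ordinary visitor traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jul/2024:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jul/2024:02:41:17 +0000] "GET /login HTTP/1.1" 200 3210 "-" "curl/8.5.0"
198.51.100.23 - - [03/Jul/2024:02:41:18 +0000] "GET /static/logo.png HTTP/1.1" 200 8120 "-" "curl/8.5.0"
198.51.100.23 - - [03/Jul/2024:02:41:19 +0000] "GET /static/style.css HTTP/1.1" 200 4410 "-" "curl/8.5.0"
198.51.100.23 - - [03/Jul/2024:02:41:20 +0000] "GET /static/app.js HTTP/1.1" 200 22010 "-" "curl/8.5.0"
203.0.113.5 - - [15/Jul/2024:11:00:04 +0000] "GET /login HTTP/1.1" 200 3210 "https://example.org/" "Mozilla/5.0"
198.51.100.23 - - [20/Aug/2024:13:05:44 +0000] "GET /static/logo.png HTTP/1.1" 200 8120 "https://example-org.co/login" "Mozilla/5.0"
198.51.100.23 - - [20/Aug/2024:13:05:45 +0000] "GET /static/style.css HTTP/1.1" 200 4410 "https://example-org.co/login" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Extensions treated as static assets (what a phishing kit copies to look like us).
STATIC_EXT = (".png", ".svg", ".jpg", ".ico", ".css", ".js", ".woff2")


def parse_line(line):
    """Parse one combined-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def referer_host(referer):
    """Hostname from a Referer URL, lowercased; None for '-' or malformed values."""
    m = re.match(r"https?://([^/:]+)", referer)
    return m.group(1).lower() if m else None


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, own_domain, max_distance=2):
    """Heuristic lookalike check: compare domains with dots/hyphens stripped, so that
    'example-org.co' vs 'example.org' becomes 'exampleorgco' vs 'exampleorg' (distance 2)."""
    strip = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    own_label = own_domain.lower().split(".")[0]
    return own_label in strip(host) or levenshtein(strip(host), strip(own_domain)) <= max_distance


def summarise_ip(log_text, ip, own_domain):
    """Everything the given IP did in the log: first/last seen, hit count, share of
    static-asset fetches, most requested paths, user agents, and Referer hosts we don't own."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and r["ip"] == ip]
    if not recs:
        return None
    stamps = sorted(r["ts"] for r in recs)
    static_hits = sum(1 for r in recs if r["path"].endswith(STATIC_EXT))
    own = own_domain.lower()
    foreign = sorted({
        h for h in (referer_host(r["referer"]) for r in recs)
        if h and h != own and not h.endswith("." + own)
    })
    return {
        "hits": len(recs),
        "first_seen": stamps[0].isoformat(),
        "last_seen": stamps[-1].isoformat(),
        "static_fraction": static_hits / len(recs),
        "top_paths": Counter(r["path"] for r in recs).most_common(3),
        "user_agents": sorted({r["ua"] for r in recs}),
        "foreign_referers": foreign,
        "lookalike_referers": [h for h in foreign if is_lookalike(h, own_domain)],
    }


def looks_like_kit_building(summary, static_threshold=0.5):
    """Flag an IP whose traffic is mostly our static assets, or whose Referer shows our
    assets being loaded from a domain we don't own (the hosted phishing page hotlinking us)."""
    if summary is None:
        return False
    return summary["static_fraction"] >= static_threshold or bool(summary["foreign_referers"])


if __name__ == "__main__":
    for ip in ("198.51.100.23", "203.0.113.5"):
        s = summarise_ip(SAMPLE_LOG, ip, "example.org")
        print(ip, "suspicious" if looks_like_kit_building(s) else "ordinary", s)
```

The first-seen timestamp is the piece worth keeping for the post-mortem: the gap between it and the day the phishing mail landed is how long the attacker spent preparing, which is the "3 months of prep" figure mentioned earlier in the thread. The Referer check catches the other tell from the same post, a lookalike domain loading the organisation's own images and stylesheets.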
@rysiek @tim_lavoie
That's great work to figure this out. I'm still gobsmacked that one person double checking on a hunch made the whole thing implode. Fantastic job on your parts all round!
@rysiek @tim_lavoie I'd love to see this vignette posted in response to this https://www.linkedin.com/feed/update/urn:li:activity:7246927141089525762/
@rysiek Yesterday I made a big purchase at an online shop that was new for me. The next bank account phishing came late at night and I was still brooding over that expense.
I have trained myself to change my online bank password every time a phishing message is unusually scary.
Don't click on their link.
Don't call their phone number.
Use your own favorites and phone book to call the person or company.
My mother got an urgent email from a friend, stuck in a foreign country, needing money. I said it's a scam. She didn't believe me.
So I say you know her well; what's her phone number?
She looks it up and I call. It's a land line, and the friend answers. (So, of course they're not trapped overseas.)
@rysiek act in haste, repent at leisure...
@rysiek
My goto is to open up my account website and see if there is a problem. If not, report them and delete.
@rysiek This is the same advice I also use for those wanting to repost posts they see on the 'net. The advice I have always given: STOP, sit on hands. Give yourself a day, then react.
See https://guides.lib.uchicago.edu/c.php?g=1241077&p=9082322
@rysiek
It worked for my mom.
My mom is not someone to take being rushed gracefully. She told the phisher she was not going to do what they said immediately, they went bananas, and she hung up.
We re-installed her computer from scratch as a precaution.
@rysiek Also she doesn't do financial transactions on-line as a matter of policy (and security).
@rysiek ...and anyone who demands you stay on the phone with them and *not* take a short break or contact anyone else?
Absolutely, 100%, always a scammer.
Time pressure (and timing) is one principle used in many social engineering attacks. It reduces your cognitive ability and coaxes you into reacting automatically with System 1.
Frank Stajano and Paul Wilson wrote a paper on it and other common principles.
https://infosec.exchange/@realn2s/112672044348533664
Regarding System 1 and System 2 Thinking see "Thinking, Fast and Slow" by Daniel Kahneman
https://bookwyrm.social/book/271430/s/thinking-fast-and-slow
@rysiek @inthehands we tell that to newcomers, it's amazing the stupid things we do under time pressure.
And "if possible, try to check back with a different (ideally private) channel".
The number of "hello, it's XXX [the correct manager or director], I need you to do that" we get on new hires is frightening.
@fanf42 @rysiek
My department at the college long had a scammer who would regularly email all the faculty with an “oh no! I’m in a meeting! I need someone to buy an Amazon/Apple gift card for my niece’s birthday!” message. We took to calling them Fake Tom. Sometimes they’d go quiet for a while, and when they returned, there were excited emails: “Fake Tom is back! They’re OK!!” When the chair rotated, it was a real milestone when we got the first Fake Susan message.
@rysiek I've learned it the hard way!