What if they click the link, run the downloaded invoice.EXE, and enter their password when prompted? At a certain point, the user needs to be educated enough to avoid this.
Because when you run content in executables (in the case of ransomware it's usually Word macros or JS files), those programs run with your user rights, which have read/write permissions for your files. Now you lose your files and you expect the IT department to fix everything for you, instead of doing what the IT department says or using common sense.
Funny how that works. You want all the power but none of the responsibility. This is like saying "Why can't I drink bleach, stop criticizing me doctors!"
>It's a friggin email and data transfer
and guns are just tubes which throw lead around, but I certainly don't want to be on the receiving end of one. What's your point? It's incredible to me how many people refuse to believe we live in a world of risk when it comes to information technology and it's not all fun and games.
Word disabled macros by default. You can set JS and MHT files to open with something harmless (like notepad) instead of being executed too. We don't have to let "executable" files execute if we don't want them to. There's no reason to take the decision away from the user by default.
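An added example, not part of the thread, of what "set JS files to open with something harmless" looks like in practice on a Windows machine, written in PowerShell. The ProgID names (JSFile, JSEFile, WSFFile, VBSFile) and the HKLM:\SOFTWARE\Classes path are standard Windows ones; which extensions to cover is an assumption made for the example.

```powershell
# Added example (not from the thread): inspect and change the default handler for
# Windows Script Host file types so that double-clicking a .js / .jse / .wsf / .vbs
# attachment opens it in Notepad instead of executing it with wscript.exe.
# Assumes a standard Windows install where these ProgIDs exist under HKLM:\SOFTWARE\Classes.
# Run from an elevated PowerShell prompt; changing HKLM affects all users on the machine.

$progIds = @('JSFile', 'JSEFile', 'WSFFile', 'VBSFile')   # assumed list for this example
$notepad = '"{0}\System32\notepad.exe" "%1"' -f $env:SystemRoot

foreach ($progId in $progIds) {
    $key = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    if (-not (Test-Path $key)) {
        Write-Host "$progId : no open command registered, skipping"
        continue
    }

    # Show the handler before the change; on a default install this is
    # %SystemRoot%\System32\WScript.exe "%1" %*
    $current = (Get-ItemProperty -Path $key -Name '(default)').'(default)'
    Write-Host "$progId : currently -> $current"

    # Point the 'open' verb at Notepad so the file is displayed, not run
    Set-ItemProperty -Path $key -Name '(default)' -Value $notepad
    Write-Host "$progId : now -> $notepad"
}

# Confirm the result the way the comment above would check it from a cmd prompt
cmd /c ftype JSFile
```

Two caveats a practitioner would want: a per-user association (HKCU\Software\Classes or the Explorer UserChoice entries) can override the machine-wide value shown here, so check `cmd /c ftype JSFile` in the context of the user you care about; and this only changes the default double-click action, it does not stop wscript.exe from being invoked explicitly, which is why the comment frames it as a user-side default rather than a hard control. The same pattern applies to other ProgIDs such as the one for .mht files.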
Agreed. We took the name "e-mail" from regular mail. There has only been one case in history of everyone being told to be careful about opening their mail: the anthrax threat. Still remember a bunch of mail arriving with very brittle paper and burnt edges...
So, the big mistake was to use a real world analog in naming e-mail. We should have called it:
"Russian roulette with packages* anonymously tossed by strangers in your direction".
The analogy is broken and creates cognitive dissonance in users.
* Re: data vs. executable: the analogy could be for letter vs. package. A box is big enough to contain a mechanism for action unlike most letters.
One of the things that I personally think is "data" is "software", and I believe that all data should be something that is able to be transferred via e-mail. A sufficient set of random clicks from an e-mail currently can--and in my world view absolutely should be able to--lead to arbitrary code execution without any form of security vulnerability.
The sets "arbitrary code execution" and "security vulnerability" have a significant overlap; and much of the decision "do I want the program to do what it's about to do?" is in the eye of the user (e.g. the excellent tools by Nir Sofer could be used for Good or for Evil: "Does the user actually want to list their WiFi network passwords, or is this evil code the user was tricked into running?" The code has no way of deciding.).
However, I see some hope in https://www.qubes-os.org/ - alas, setting it up is not quite as convenient as "meh, open everything everywhere to everyone."
Being aware that both are high risk activities is the point, methinks.