by creaghpatr 2898 days ago
I think the press should do a better job distinguishing between hacking attempts and phishing attempts. Phishing attempts are largely avoidable and it would serve not just the politicians but the public to be educated on best practices to avoid being phished.

At my previous company we were tested once a month to learn how to identify suspicious landing pages or links/domains.


I don't know anybody who specializes professionally in phishing that believes this. What I hear from those kinds of people, and many others, is the opposite: that especially when you're trying to secure an organization, the one attack you feel helpless to prevent is targeted phishing. Technologists in particular are apparently easy to victimize; they underestimate how malleable the medium is, and how well sophisticated attackers understand the cues we all rely on to evaluate the legitimacy of messages and gate the shortcuts most of us take.

My suspicion is that anyone who downplays phishing attacks is betraying a lack of understanding of how scarily effective targeted phishing attacks are.

That's so true. Our IT dept. runs "fake" phishing attacks regularly and last time they did it I totally got caught.

They happened to send a fake error report email (which had all of the "red flags" you should catch before clicking a link in an email) on the day I started an on-call rotation that had me receiving similar emails. I was wary of missing one, so when I saw it coming, :click:.

I was greeted with a nice message to educate me about what I had just done and how to avoid it. I knew all of this of course (I've worked in security!), but it just shows how no one is foolproof.

If it's that easy to fool a trained professional, imagine the rest of the people out there. I sometimes wish I had never learned about this stuff. It's difficult to watch so many people clicking on fake pages or potentially dangerous links because they can't (or don't care to) differentiate between ads and Google results. Maybe I'm wrong but I think it should be regulated.

Right, which is why the press should specify phishing here, and boost awareness for this particular threat, rather than ambiguous 'hacking'.

Awareness is good, but I object to the notion that it is "largely avoidable", and that all we're lacking is some awareness training.

> Phishing attempts are largely avoidable

Couldn't disagree more. Generic phishing attempts are. Specific others aren't.

I used to get regularly tested at previous companies and failed a number of them where they were highly contextual, e.g. emails spoofed from real internal addresses asking you to check whether a website was available, e.g. JIRA or Confluence, which have roughly standard subdomains.
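The test described above works because the visible anchor text shows a familiar internal hostname while the actual href points somewhere else. As an added example (not code from this thread or from any tool mentioned in it), here is a small Python checker that pulls every link out of an HTML email body and classifies it against the domains the organisation actually owns. The trusted domain `example.com`, the sample email, and the lookalike and punycode hosts in it are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical: the only domain this organisation owns. Everything else is external.
TRUSTED_DOMAINS = ("example.com",)


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain or a real subdomain of one.

    The suffix match is on a dot boundary, so 'jira.example.com.evil.net'
    and 'notexample.com' both fail.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'punycode', 'lookalike' or 'external' for one link."""
    host = host_of(href)
    if is_trusted_host(host, trusted):
        return "trusted"
    # Any xn-- label is an IDN; treat as a homograph candidate until a human looks.
    if host.startswith("xn--") or ".xn--" in host:
        return "punycode"
    # The dangerous case from the thread: the anchor text shows an internal
    # host, but the href goes to a domain the organisation does not own.
    shown = host_of(text) if "://" in text else text.lower()
    if shown and is_trusted_host(shown.split("/")[0], trusted):
        return "lookalike"
    return "external"


def audit_email(html, trusted=TRUSTED_DOMAINS):
    """Classify every link in an HTML email body, in document order."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, classify_link(href, text, trusted)) for href, text in parser.links]


# Constructed sample in the style the commenter describes: an "is JIRA up?" mail.
SAMPLE_EMAIL = """
<p>Hi team, can someone confirm
<a href="https://jira.example.com.svc-status.net/login">https://jira.example.com</a>
is reachable?</p>
<p>Also check <a href="https://confluence.example.com/">confluence.example.com</a>
and <a href="https://xn--jra-hoa.example-it.net/">jira.example.com</a>.</p>
<p>Unrelated: <a href="https://status.atlassian.com/">Atlassian status</a></p>
"""

if __name__ == "__main__":
    for href, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:9s} {href}")
```

Only the second link is genuinely internal; the first is the classic "real host as a prefix of an attacker's domain" trick, the third hides behind an IDN label, and the fourth is merely external. Note that this only inspects links: a mail spoofed from a real internal address still needs SPF/DKIM/DMARC checks on the headers, which this snippet deliberately does not attempt.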