by tptacek 2897 days ago
I don't know anybody who specializes professionally in phishing that believes this. What I hear from those kinds of people, and many others, is the opposite: that especially when you're trying to secure an organization, the one attack you feel helpless to prevent is targeted phishing. Technologists in particular are apparently easy to victimize; they underestimate how malleable the medium is, and how well sophisticated attackers understand the cues we all rely on to evaluate the legitimacy of messages and gate the shortcuts most of us take.

My suspicion is that anyone who downplays phishing attacks is betraying a lack of understanding of how scarily effective targeted phishing attacks are.


That's so true. Our IT dept runs "fake" phishing attacks regularly, and last time they did it I totally got caught.

They happened to send a fake error report email (which had all of the "red flags" you should catch before clicking a link in an email) on the day I started an oncall rotation that had me receive similar emails. I was wary of missing one, so when I saw it coming, :click:.

I was greeted with a nice message to educate me about what I had just done and how to avoid it. I knew all of this of course (I've worked in security!), but it just shows how no one is foolproof.

If it's that easy to fool a trained professional, imagine the rest of the people out there. I sometimes wish I had never learned about this stuff. It's difficult to watch so many people clicking on fake pages or potentially dangerous links because they can't (or don't care to) differentiate between ads and Google results. Maybe I'm wrong, but I think it should be regulated.

Right, which is why the press should specify phishing here, and boost awareness for this particular threat, rather than ambiguous 'hacking'.

Awareness is good, but I object to the notion that it is "largely avoidable", and that all we're lacking is some awareness training.