by nykolasz 2831 days ago
And no amount of phishing training will solve it - I don't think. People will still click on links, they will click on buttons and do what they think is expected of them.

On the bright side, Google Safe Browsing is pretty good at catching new untargeted phishing campaigns, so most people get a good level of protection from that. I am also a big proponent of using a DNS firewall* layer to help minimize the exposure to phishing domains.

*I blogged about it here, comparing a few free DNS resolvers, if anyone is interested:

https://medium.com/@nykolas.z/phishing-protection-comparing-...

3 comments

This looks like a good idea for everyone, though from your blog post, it’s clear that there’s a massive gap between the DNS firewalls that work and those that don’t, assuming the numbers you cite are accurate and I believe they are.
Training helps a lot, but they typically treat users like toddlers and punish or reward them for getting it right. Training is also either too targeted or too untargeted compared to IRL phish.
Treating users like toddlers is a techie attitude that drives me crazy. Most people have their own profession and responsibilities to think about. We'd appear to have toddler-level sophistication to, say, an accountant, electrician, or doctor, and we'd rightly expect to be treated like an adult discussing things about which we know almost nothing.

What do you mean by too targeted or too untargeted? Either focused on a specific threat (tree) or too general to be useful (all forest no trees)?

Too targeted would be, for example, something too relevant to their job. They'd know what the typical emails and logins are, so they won't fall for it easily. If the training is for spearphishing, it should contain extensive detail about the user. I mean really, you can't train someone who combats phishing as their day job against spearphishing.

The only real threat training combats is untargeted dragnet attacks, which typically use generic content or target organizations (not individuals).

In other words, you want them to be trained for the technology threat, not the content threat. You want them to know the difference between mail.company.com and mail.company.com.seemslegit.site. Currently, training seems to focus on "email looks suspicious, why did you click on the link" not "what about the link made you think it was legitimate? And this is why you were wrong."

Also, training is done as a campaign at most places. A few users fall for it and suddenly everyone knows about it before opening their inbox. Mostly theatrics. It shouldn't be "send phishme emails to 1000 users today", it should be more like "pick 50 users out of 1000 at random and send them a new campaign every day for the next 20 business days, quarterly".
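The mail.company.com vs mail.company.com.seemslegit.site distinction from the reply above, as an added example (not code from the thread or from any product it mentions): the check a mail gateway or a training tool would actually run is "does the link's host sit under the organisation's registrable domain", not "does the link contain the organisation's name". The tiny public-suffix table, the org domain `company.com` and the sample links are all constructed for illustration; real code should use the full Public Suffix List.

```python
"""
Added example: classify links as internal, lookalike or external by comparing
the registrable domain (eTLD+1) of the link's host with the organisation's.
Not part of the original thread; all domains below are made up.
"""
from urllib.parse import urlsplit

# ASSUMPTION: a stand-in for the Public Suffix List, just enough to show
# multi-label suffixes such as co.uk. Use the real list in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "site", "co.uk", "org.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of host, e.g. 'company.com' for
    'mail.company.com' and 'seemslegit.site' for
    'mail.company.com.seemslegit.site'."""
    labels = host.lower().rstrip(".").split(".")
    # Scan from the longest candidate suffix to the shortest so that
    # 'co.uk' wins over 'uk' and the registrable domain is one label above it.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def link_is_internal(url: str, org_domain: str) -> bool:
    """True iff the link points at org_domain or one of its subdomains."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # .hostname strips userinfo, so 'https://mail.company.com@evil.site/'
    # yields 'evil.site', not the decoy in front of the '@'.
    host = parts.hostname or ""
    if not host:
        return False
    return registrable_domain(host) == registrable_domain(org_domain)


def explain(url: str, org_domain: str) -> str:
    """The sentence a trainer would show the user: what the link really
    resolves to, and why the familiar-looking part did not matter."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "no host"
    rd = registrable_domain(host)
    if rd == registrable_domain(org_domain):
        return f"internal: {host} is under {rd}"
    if org_domain.lower() in url.lower():
        return (f"lookalike: the URL mentions {org_domain} but the host "
                f"is {host}, registered under {rd}")
    return f"external: {host} is registered under {rd}"


# Constructed sample links (not from any real campaign).
SAMPLE_LINKS = [
    "https://mail.company.com/owa/",
    "https://mail.company.com.seemslegit.site/owa/",
    "http://mail.company.com@seemslegit.site/login",
    "https://companny.com/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link_is_internal(link, "company.com"), explain(link, "company.com"))
```

The check deliberately ignores everything before the registrable domain: any number of reassuring labels (`mail`, `company`, `com`) can be prepended by whoever owns `seemslegit.site`. Note what it does not cover: homoglyph and typo-squat domains such as `companny.com` come out as plain "external", which is correct but not informative, and IDN lookalikes need a separate confusable-character check.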
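The "50 random users a day for 20 business days" schedule proposed above, as an added example that is not part of the thread: drawing an independent random sample each morning hits some users several times a quarter and misses others entirely, so the schedule below shuffles the user list once and hands each business day a disjoint slice. The user list, the start date and the 20-day window are assumptions for illustration; holidays are not considered.

```python
"""
Added example: a rolling phishing-simulation schedule in which every user is
targeted exactly once per quarter, spread over 20 business days.
Not part of the original thread; the user names are constructed.
"""
import random
from datetime import date, timedelta


def next_business_days(start: date, n: int) -> list[date]:
    """The first n weekdays on or after start (public holidays ignored)."""
    days, d = [], start
    while len(days) < n:
        if d.weekday() < 5:  # Monday..Friday
            days.append(d)
        d += timedelta(days=1)
    return days


def phishing_schedule(users, start: date, days: int = 20, seed=None):
    """Map each of `days` business days to a disjoint, randomly chosen
    slice of users. Every user appears exactly once; the final day absorbs
    the remainder when len(users) is not divisible by days."""
    rng = random.Random(seed)  # seeded only so a run can be reproduced
    order = list(users)
    rng.shuffle(order)         # one shuffle, then partition
    per_day = len(order) // days
    schedule = {}
    for i, day in enumerate(next_business_days(start, days)):
        lo = i * per_day
        hi = lo + per_day if i < days - 1 else len(order)
        schedule[day] = order[lo:hi]
    return schedule


def coverage(schedule) -> dict:
    """How many times each user was scheduled (should be exactly 1 each)."""
    counts = {}
    for targets in schedule.values():
        for u in targets:
            counts[u] = counts.get(u, 0) + 1
    return counts


if __name__ == "__main__":
    staff = [f"user{i:04d}" for i in range(1000)]  # constructed sample
    plan = phishing_schedule(staff, date(2024, 1, 1), seed=7)
    for day, targets in plan.items():
        print(day, len(targets), targets[:3], "...")
```

Because each day's slice is disjoint, the "everyone heard about it at lunch" effect is limited to the 50 people who received that day's template, and a user who fell for Monday's lure is not re-tested on Tuesday with the same campaign.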

This idea of targeted phishing drills sounds cool. And I'm guessing at least most users kind of dig the game?
It does help though. It's like any sort of safety training. Someone is still gonna walk off the cliff.