If you received an email from a sender called BrokPro2 and the subject line was eight seemingly random digits, would you click to read it or consign it to the spam folder? (Asking for a friend.)
To anyone who guessed answer number two, congratulations on your high levels of vigilance. Obviously you were paying attention during phishing awareness training. However, the bad news is that you would have had to scramble to recover the message from your junk folder. It turns out the message was genuine.
That email is a real-life example from a large insurance company. Despite the presumed resources at its disposal, this company apparently didn’t think it was important to use an email address resembling one that belongs to a human being. Nor did it take the time to compose an intelligible subject line. (It turns out the string of numbers referred to a policy number. I would love to know what type of customer goes to the trouble of memorising their insurance information and would recognise it in an email. More importantly, why not provide some, you know, other words to give the eight-digit number some context? Such a flimsy subject line practically begged to be treated as spam.)
Sincere or spam?
The email marketing industry produces reams of articles and infographics about developing memorable content and enticing readers to click through. Some companies still don’t seem to have got the message. When we see the kind of example like the one above, I would argue it’s a very tough call for even the most security-aware individual to distinguish the sincere message from the scam.
It’s a classic example of business functions putting all of the responsibility on the end user to make the right decisions. Email remains one of the most effective tools in an attacker’s armoury. It’s a way to infect a victim with ransomware or steal their login credentials . But users are in a tough spot because they often face poor email practices or security that asks too much of them.
The security researcher Claudio Guarnieri summed up the problem in a well received Twitter thread which you can follow from here:
Blaming users is dumb. Attachments are meant to be open, links are meant to be clicked, and login forms meant to be filled.
— nex (@botherder) July 22, 2017
His point is that it takes a kind of cognitive dissonance to understand that we can browse the web thanks to a framework of interconnected pages, yet we must be constantly on the lookout for suspicious links. We spend our working lives sharing documents with colleagues via email, but we must also be wary of attachments. This mental gymnastics asks a lot of most regular people. We shouldn’t be surprised if they occasionally get it wrong.
In that context, credit to Google for helping to take end users out of the firing line. Last week, the company launched an extra anti-phishing measure for its Gmail app on the iPhone. If a user clicks on a link that Google has flagged as suspicious, a warning appears on their smartphone. A known malicious link will generate a more strongly worded warning. Android users have had this feature since May.
Some security commentators think the industry could do more to insulate users from decisions they lack the knowledge to make. Will Google’s move point the way for other technology companies to follow suit?