As a “human security” expert, I used to take a lot of pride in my well-honed security hygiene. Yeah… that all ended back in early 2017 when I joined KnowBe4. You see, up until that time, I’d received a number of simulated phishing emails and attempted real phishes, and I’d even run my own simulated phishing programs and done extensive research on how cybercriminals trick us into clicking.
So, there I was feeling pretty confident in my own abilities when the unthinkable happened. I clicked. And it wasn’t just a one-time thing. I clicked on three simulated phishes over a two-month timeframe. I remember the feeling that came over me when I clicked the phish and got the big “Oops” page. I couldn’t believe it. I tried to rationalize and make excuses for myself. I was embarrassed and questioned everything I thought I knew about my so-called expertise.
Let me back up for a second. Here is one critical piece of information: each of these clicking events was on my mobile device: my phone. On my laptop/desktop, I still managed to ferret out any simulated phish sent my way — I had great habits that I’d honed over nearly two decades of everyday email use. But I had to face the fact that my mobile mindset and hygiene were lacking. In each of the three scenarios, I was in a hurry, between errands, and traveling. And, each time, the phish’s pretext felt plausible: a message about an issue with my benefits (remember, I was a new employee), a missed call/voicemail notification while traveling, and a fake Google Calendar invite.
After that humbling series of wake-up calls, I decided that I needed to make some drastic changes. I realized that the nature of mobile is inherently difficult. I needed to be much slower and more intentional to check links AND I needed to create a habit for myself to never react to a link in an email on my mobile if there is an app that will allow me to perform that same action (e.g. Ring Central, Google Calendar, LinkedIn, Twitter, etc.). And also, if I’m ever in doubt about an email, I wait until I get to a desktop/laptop before making a judgement as to whether the message is safe or is a threat. This also helps to put me into a different frame of mind and removes a bit of the reactiveness/urgency.
Those new habits have helped me remain “click free” ever since (over 2.5 years so far!). So, here are the simple changes I made to clean up my mobile hygiene.
- Slow down. Stop, look, and think before you click on anything.
- Whenever possible, don’t use your mobile device to check email while on the go or when you are stressed and rushed. Wait until you are less likely to have any knee-jerk reactions.
- If in doubt about an email, wait until you get to a traditional computer so that you can properly evaluate the message using more refined desktop email habits.
- Use dedicated apps where possible. For example, if you get an email saying that you have a LinkedIn message, then open the dedicated app instead of clicking on the link in your email. If you can’t find the message using the app, then there is a good chance that you just avoided being phished!
- If you *must* interact with mobile email, then slow down and think through how to transfer your desktop behaviors to mobile. Long-press on links to see where these links really go. (Note: Unfortunately, Apple recently made this habit harder by now incorporating an “auto open” preview of the page. The good news is that you can disable the preview by previewing a known safe link and then clicking “hide previews” at the top right.)
“Experts” are humans, too. Phishing works because it takes advantage of our natural tendencies to be rushed, distracted, and to take shortcuts. But we can each find ways, like security awareness training, to make ourselves harder targets.