Click Confessions of a Security Expert

As a “human security” expert, I used to take a lot of pride in my well-honed security hygiene. Yeah… that all ended back in early 2017 when I joined KnowBe4. You see, up until that time, I’d received a number of simulated phishes and attempted real phishes, and I’d even run my own simulated phishing programs and done extensive research on how cybercriminals trick us into clicking.

So, there I was feeling pretty confident in my own abilities when the unthinkable happened. I clicked. And it wasn’t just a one-time thing. I clicked on three simulated phishes over a two-month timeframe. I remember the feeling that came over me when I clicked the phish and got the big “Oops” page. I couldn’t believe it. I tried to rationalize and make excuses for myself. I was embarrassed and questioned everything I thought I knew about my so-called expertise.

Let me back up for a second. Here is one critical piece of information: each of these clicking events was on my mobile device: my phone. On my laptop/desktop, I still managed to ferret out any simulated phish sent my way — I had great habits that I’d honed over nearly two decades of everyday email use. But I had to face the fact that my mobile mindset and hygiene were lacking. In each of the three scenarios, I was in a hurry, between errands, and traveling. And, each time, the phish’s pretext felt plausible: a message about an issue with my benefits (remember, I was a new employee), a missed call/voicemail notification while traveling, and a fake Google Calendar invite.

After that humbling series of wake-up calls, I decided that I needed to make some drastic changes. I realized that the nature of mobile is inherently difficult. I needed to be much slower and more intentional about checking links, AND I needed to build a habit of never reacting to a link in an email on my mobile if there is an app that lets me perform the same action (e.g. RingCentral, Google Calendar, LinkedIn, Twitter, etc.). And also, if I’m ever in doubt about an email, I wait until I get to a desktop/laptop before making a judgment as to whether the message is safe or a threat. This also helps put me into a different frame of mind and removes a bit of the reactiveness/urgency.

Those new habits have helped me remain “click free” ever since (over 2.5 years so far!). So, here are the simple changes I made to clean up my mobile hygiene.

  1. Slow down. Stop, look, and think before you click on anything.
  2. Whenever possible, don’t use your mobile device to check email while on-the-go or when you are stressed and rushed. Wait until you are less likely to have any knee-jerk reactions.
  3. If in doubt about an email, wait until you get to a traditional computer so that you can properly evaluate the message using more refined desktop email habits.
  4. Use dedicated apps where possible. For example, if you get an email saying that you have a LinkedIn message, then open the dedicated app instead of clicking on the link in your email. If you can’t find the message using the app, then there is a good chance that you just avoided being phished!
  5. If you *must* interact with mobile email, then slow down and think through how to transfer your desktop behaviors to mobile. Long-press on links to see where they really go. (Note: Unfortunately, Apple recently made this habit harder by incorporating an “auto open” preview of the page. The good news is that you can disable the preview by previewing a known safe link and then tapping “Hide previews” at the top right.)

“Experts” are humans, too. Phishing works because it takes advantage of our natural tendencies to be rushed, distracted, and to take shortcuts. But we can each find ways, like security awareness training, to make ourselves harder targets.
