Why do smart people do "stupid" things online?

Participant
Discussion
5 months ago Sep 12, 2025

I’m tired of the “don’t click links” posters. We’ve had them for 20 years and we’re still getting wrecked. Last week, our smartest developer got taken for $5k because a client sent a fake invoice that looked slightly urgent.

Is it just that we’re all suckers? Or are we just too tired to care anymore? I feel like we’re fighting an uphill battle against our own brains. 

Replies (3)

Participant
6 months ago Aug 14, 2025

It’s not stupidity, @mees. It’s social proof. 

If I send you an email that says “You have a virus”, you ignore it. But if I send an email from IT that says, “Hey, 40 of your coworkers already updated their security portal, you’re the last one”, you’re going to click. We’re wired to follow the pack. Hackers aren’t hacking the computer; they’re hacking the fact that you don’t want to be the problem employee. It’s a dirty trick, and it works because we’re social animals.

Participant
6 months ago Aug 17, 2025

And they hit you when you’re in System 1 thinking. 

That’s a fancy way of saying autopilot. You’re clearing your inbox, drinking coffee, and you see a notification that says “Unauthorized login”. Your brain goes into panic mode. You stop thinking logically and start reacting.

From my side, the knowledge people need isn’t ‘what is phishing.’ It’s ‘how to breathe for 5 seconds before hitting Enter.’ If you can’t slow down a human, you can’t protect them. No firewall in the world can stop a person who is in a rush. 

Participant
6 months ago Aug 20, 2025

Can we talk about how boring training is? 

We give people 30-minute videos of a guy in a suit talking about best practices. No wonder they tune out. If you want people to learn, show them the actual damage. Show them the transcript of a vishing call where a hacker makes a receptionist cry while stealing her login.

The real knowledge is realizing that social engineering is a performance. It’s theater. These guys are actors, and we’re the unwilling audience. Until you realize you’re being performed to, you’re always going to be the mark. 
