One wrong click and you lose...

What an unfair game that is!! The title is probably the worst possible advertisement for a game. You never want to play this game anyway, so why would you want to know the name. Unfortunately, you already know its name and play it daily: spot the phishing.

Victim blaming

The reaction of third parties when you clicked a wrong link just once is typically: how stupid can you be? As long as we do this victim-blaming, we help the criminals. Why? Because the logical human reaction to avoid being blamed is to sweep the mistake under the carpet. This concealment can worsen the impact of the attack. Detection will happen later, the source must be traced, and tracing the progress of the attack is more complex.

There is little stupidity about a wrong click. Anyone can fall victim to deception, regardless of how much awareness training has been followed. You are not talking about deception by amateurs here, but attacks by professional organizations. The technical and psychological techniques used are constantly improving and the "profits" for the perpetrators remain more than high enough to continue investing in them.

If you are asked to do something very urgently, or at an unusual time, or if it is an unusual request, or if you are threatened, then step back from your keyboard and think! The less time you have to lose, the better you should spend it.

Assessing and managing the impact

What can be the impact of that one click? It is possible that that click will lead you to a website that looks very familiar to your bank or web shop, but is not that one. Many things can be set in motion with giving a single permission by one click. For instance malicious software can be installed. The criminal's intention is to earn money through fraud or extortion. That wrong click is an important first step towards that goal.

Major websites realize that there is a real risk that passwords will be stolen via phishing and are increasingly using 2-factor login, even though that solution is more complicated and expensive. The extra step to log in may also serve as an alarm bell to carefully examine at the situation. Furthermore, the use of the 2nd factor typically follows a known scenario with known steps on a known site, or on another and trusted device. This familiarity makes control by the user easier.

Caution remains the message. The more systems that use the authenticator solution, the more often you will log in with it and the lower the threshold to start doing this routinely. It is also possible that there are so many eggs in that one basket so it becomes a high risk. Losing access will be awkward, someone else gaining access to it, a nightmare.

Brittle systems

We as security guards need to ask ourselves why that one wrong click can have such an impact. Most of the somewhat dangerous things we use have safety systems that require more than one action to activate them. Think of a hedge trimmer for example: you need both hands in specific places, and there is a quick-stop system if one of them fails. Others measures raise the threshold for vulnerable users (for example children). Think of the closure of bottles with dangerous substances, or child-safe power sockets.

What about the security of software systems? Do we also have multiple protections against dangerous use? Everyone will have received a message at some point that asks for a decision: 'You are going to do "gnirb flesuoy ni regnad", are you sure, yes or no?'. The decision is left to you whereas you lack the data and the knowledge to make an informed decision. What you do know is that, if you click "yes" you can do what you wanted to do… The important security question is: will clicking "yes" really do what you wanted, and only that? In other words: is that link trustworthy, how did you get it? Those questions are only slightly easier than the previous ones, and still put the entire burden of decision on you. Click "yes" or "no", you have no joker.

The main instrument for phishing attacks is email. A lot has been done at the infrastructure level, but there is certainly still work to be done to improve secure email. Too often, normal, benign emails are sent via third parties or in ways that make it difficult to verify their authenticity. It remains a mystery why messages are not provided with a signature before they are sent to thousands of users: you only have to create that signature once.

Conclusion

Let me be clear: falling into a phishing ambush is not a disgrace, but it is absolutely to be avoided. The impact is potentially very large, and the security messages that should limit major damage are often unclear to the average person. You should report the error as soon as possible and consider what you can still do safely, like blocking your account, the safest but most impactful action, or checking transactions on your account on another device, or contact the service provider to check your account. Overcome your embarrassment, time is money.