
Phishing

This week, we look at cybersecurity issues that technology alone cannot solve.

For this week, we are going to start by talking about the problem of phishing: fraudulent communications (like email or text messages) that pretend to be something they are not, trying to get the recipient to take some action (like click on a link, give away their password, install malware on their device, or transfer money) that they normally wouldn’t be willing to do.

Start by reading this paper (which is summarized in this brief news article) about how experts detect phishing, and this academic paper about how non-experts detect phishing. The first paper is about how IT experts detect phishing emails in their own inboxes. All of the examples in that paper are about successful detection of phishing, thus stopping the attacks. However, phishing is still a big problem in the world. Think about this: is this how you notice bad emails in your inbox? Do you think you could do the same things as these experts? What would you need to know?

By far, the most common way organizations deal with phishing is to do “fake phishing” training where the company sends you a fake phishing email and scolds you if you click on the link in the email. One example of that kind of training is here (Optional). Do you think this is a good strategy? A counter-argument is that this is actually a bad idea, and that fake phishing training does more harm than good. (Notice: both the example and the counter-argument were written by the same person…)

What do you think? For this week’s summary, think about what you know about phishing and these fake phishing training emails. It is certainly a “best practice” to do these. Do you think it is a good policy?