Why does phishing work?
The thing that never seems to get mentioned when discussing these so-called fixes is why phishing is so easy.
Internal corporate comms to employees are appallingly bad.
- HR contacting you from 17 different email addresses, some of which are personal.
- "Important" messages from the CxO that could be your pay review or that the company has won an award.
- Messages from third parties like your pension provider that come from random domains that don't look anything like a company you recognise, and that carry password-protected PDFs.
- Newsletters from external domains because the marketing department are using some random tool that looks pretty.
- Surveys on forms.office.com or a shared Google Doc that could be from goddamned anyone, and 50% of the time you'll eventually get nagged about filling it in because the management team want "engagement".
- I could go on...
As much as I hate to say it, the banks are getting fairly good at including "here's how you know it's from us" in their messaging. I want similar cues at work. I want mechanisms to be able to verify that it really is important and genuine:
- HR messages could be duplicated in the HR system, with email notifications just a courtesy.
- The CxO could have a blog only visible internally - sure, send me email notifications if you like.
- Companies could force trusted third parties to improve their comms: an internal message carrying an ID that the third party has used, or will use, to back it up.
- I don't think that anyone who has ever been auto-subscribed to a newsletter ever has cared about the prettiness.
- If surveys are _that_ important, then they should be hosted on domains that _you_ control. And no, I absolutely don't mean "yourcompanyname.somerandomthirdparty.com", I mean "somerandomthirdparty.your.domain". It needs to be nigh on impossible that some rando has set it up.
Fix all that and phishing becomes orders of magnitude harder. It's all very well having fire drills to improve the current "fear all burny stuff" approach, but eliminating the combustible material is far more important.
Not only that, but you can then add extra rules on the mail servers to do things like blocking "HR" or "CxO" messages that don't meet the standard. If it really is an internal person trying to send the message, train them about the ban hammer and why it's important.
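To make the last two points concrete, here is an added sketch (mine, not code from the original post or from any real mail gateway) of what that mail-server rule could look like: a message whose display name claims an internal role is blocked unless the sender domain is the corporate one, the DKIM result is aligned with it, and every link in the body stays under a domain you control (so "somerandomthirdparty.your.domain" passes and "yourcompanyname.somerandomthirdparty.com" does not). The corporate domain "example.com", the role patterns and the sample messages are all made up for the example.

```python
# Added example: a policy check a mail gateway could run on inbound mail.
# "example.com", the role patterns and the sample messages below are
# assumptions made for this illustration, not taken from the original post.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"  # assumed: the domain you actually control
# Display-name claims that are only acceptable from an authenticated internal sender.
PRIVILEGED_NAME_PATTERNS = [r"\bhr\b", r"human resources", r"\bpayroll\b",
                            r"\bceo\b", r"\bcfo\b", r"\bcto\b", r"chief \w+ officer"]


def is_under_domain(host, domain):
    """True for host == domain or any subdomain of it; look-alikes fail."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def claims_privileged_role(display_name):
    name = display_name.lower()
    return any(re.search(p, name) for p in PRIVILEGED_NAME_PATTERNS)


def dkim_aligned(msg, domain):
    """True if an Authentication-Results header records dkim=pass for a signing
    domain under ours. Assumes your own MX stamped that header and stripped any
    copies that arrived from outside, otherwise the sender can forge it."""
    for line in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass(?:\s+\([^)]*\))?\s+header\.[di]=@?([\w.-]+)", line, re.I):
            if is_under_domain(m.group(1), domain):
                return True
    return False


def body_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def link_hosts(text):
    return [urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s<>\"']+", text)]


def check_message(raw):
    """Block mail whose display name claims an internal role unless the sender
    domain is ours, DKIM is aligned, and every link stays under our domain."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    if claims_privileged_role(name):
        if not is_under_domain(sender_domain, CORP_DOMAIN):
            findings.append(f"{name!r} claims an internal role but sender domain is {sender_domain}")
        elif not dkim_aligned(msg, CORP_DOMAIN):
            findings.append(f"{name!r} claims an internal role but there is no aligned DKIM pass")
        for host in link_hosts(body_text(msg)):
            if not is_under_domain(host, CORP_DOMAIN):
                findings.append(f"link points off-domain to {host}")
    return {"verdict": "block" if findings else "allow", "findings": findings}


# Constructed sample messages (not real mail).
PHISH = """\
From: "HR Department" <hr-team@notifications-mailer.net>
To: alice@example.com
Subject: Important: complete your engagement survey
Authentication-Results: mx.example.com; dkim=pass header.d=notifications-mailer.net; spf=pass smtp.mailfrom=notifications-mailer.net
Content-Type: text/plain

Please complete the survey by Friday: https://example.somesurveytool.com/s/123
"""

GENUINE = """\
From: "HR Department" <hr@example.com>
To: alice@example.com
Subject: Pay review
Authentication-Results: mx.example.com; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=example.com
Content-Type: text/plain

Your pay review is now available in the HR portal: https://hr.example.com/reviews/me
"""

SPOOFED = """\
From: "Jane Doe, CEO" <jane.doe@example.com>
To: alice@example.com
Subject: Urgent
Authentication-Results: mx.example.com; dkim=none; spf=fail smtp.mailfrom=example.com
Content-Type: text/plain

Please read this today: https://hr.example.com/announcements/1
"""

PARTNER = """\
From: "Bob Smith" <bob@partner.org>
To: alice@example.com
Subject: Invoice
Content-Type: text/plain

Invoice attached, details at https://partner.org/invoices/42
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("genuine", GENUINE), ("spoofed", SPOOFED), ("partner", PARTNER)]:
        print(label, check_message(raw))
```

The partner message is allowed because it claims no internal role; the rule is deliberately narrow so it only bites on the "HR"/"CxO" claims the policy covers. The DKIM check is only as trustworthy as the Authentication-Results header it reads, so the gateway has to strip any such header arriving from outside before stamping its own.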