First and foremost, stop sending out clickbait and phishing-style emails.
I am not silly enough to think this will actually happen; companies will keep sending out marketing emails, and I may as well be King Cnut (Canute) making a request like that.
So let's aim for something a bit more realistic.
Take care when communicating with consumers
When I look into cyber security and how I would hack or attack consumers, one recurring theme always comes up.
This is what I focus on: what are consumers conditioned to do that maybe they shouldn't?
What you find is that the methods the industry deploys often directly contradict the consumer advice given out on cyber crime.
Consumer Advice tells customers not to click on links in an email and to type the address instead
This comes from legitimate companies and from government authorities: they tell us not to click on links in emails.
Well, if we shouldn't be clicking on links, why do companies put links in emails?
Unless it is a marketing email, there is no real reason for it. If I am your customer, I already know your website.
Business Solution 1 – Don’t put links in emails
Essentially, we condition users into behaviour that is not OK.
To give an example without naming and shaming:
Company A, recently praised for its efforts in cyber security and given recognition for its training centre for consumers and businesses, actually contradicts itself with its behaviour quite a lot and in many places. But today let's stick with URLs.
They are not technical experts, and not industry experts in the technical elements; that is not their business, but you can see it have a negative effect on consumers.
I often see them post things on Twitter and LinkedIn using short URLs.
They give the phishing advice "If you cannot see where the URL goes, you should not click it."
So the way they use social media conditions users to click things, which goes against the advice they themselves give out about phishing.
Short URL example
I am also a customer of Company A, and they include links in important emails; my insurance policy came through with a bunch of links.
The advice they give is "Don't click links in emails from people you do not know."
Well, I don't know them, so it could be a real email or a phishing email for all I know.
Either way, Company A is recognised as an expert in cyber security, but they do not practise what they preach; in fact they are very hypocritical in their approach, essentially conditioning people into clicking things that they themselves say are not OK to click.
That is problem one. Problem two is more about not giving out generic advice.
Issues with Generic Advice
An example of generic advice:
"Hover over a URL to see the destination"
There are three issues here:
- Title Hack
- Cyrillic Hack
- Short and Dynamic URLs
These are three cases where hovering over a URL will not show the destination, and will in fact make it look like you are going to the correct destination when you are not.
They work differently depending on the service you use:
- The title hack and the Cyrillic hack are unlikely to work in Outlook or a local mail application
- They work well when emails are viewed in a browser
The Cyrillic hack masks the URL shown in the bottom left of the screen; the title hack masks the URL that displays next to the link when you hover over it.
Short and dynamic URLs can trick you on everything, because they work as designed: what they display tells you nothing about their real destination.
Goo.gl is a legitimate Google URL, but it is a short URL; I can set up a goo.gl short URL that links back to my own website.
In short, whether "hover over the URL" works as generic advice depends on what the URL is being viewed in, the version of the browser and the version of your operating system, and on whether or not you check the URL shown in the bottom left of the screen.
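As an added example, not code from the original post, here is a small Python audit that a mail gateway or an outgoing-template linter could run over an HTML email body. It flags the three masking tricks above (a title attribute that names a different host than the href, a non-ASCII or punycode hostname that could be a Cyrillic lookalike, and a known URL shortener) plus the simplest case, link text that reads as one URL while the href points elsewhere. The shortener list and the sample message are constructed for the illustration; a real filter would use a maintained list.

```python
"""Audit links in an HTML email body for destination-masking tricks.

Standard library only. Checks each <a> element for:
  - a non-ASCII or punycode (xn--) hostname (possible homoglyph lookalike)
  - a hostname on a URL-shortener list (destination hidden)
  - a title attribute whose URL host differs from the href host (title hack)
  - visible link text that is a URL whose host differs from the href host
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short, hand-picked list of public shortener hosts for the example.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com", "ow.ly"}

URL_RE = re.compile(r"^\s*https?://", re.IGNORECASE)


def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    try:
        return (urlparse(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def host_problems(host):
    """Flags that apply to a hostname on its own (homoglyph/IDN, shortener)."""
    problems = []
    if host and not host.isascii():
        problems.append("non-ASCII hostname (possible Cyrillic/homoglyph lookalike)")
    elif any(label.startswith("xn--") for label in host.split(".")):
        problems.append("punycode (xn--) hostname (IDN; check the decoded name)")
    if host in SHORTENER_HOSTS:
        problems.append("URL shortener hides the real destination")
    return problems


class _AnchorCollector(HTMLParser):
    """Collect href, title and visible text for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href") or "",
                             "title": a.get("title") or "",
                             "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(self._current)
            self._current = None


def audit_links(html):
    """Return [{'href': ..., 'reasons': [...]}] for every link that masks its destination."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for a in parser.anchors:
        href_host = host_of(a["href"])
        reasons = host_problems(href_host)
        # Title hack: the tooltip shown on hover names a different site than the href.
        if URL_RE.match(a["title"]) and host_of(a["title"]) != href_host:
            reasons.append("title attribute shows a different host than href")
        # Display-text mismatch: the link text reads as a URL but points elsewhere.
        if URL_RE.match(a["text"]) and host_of(a["text"]) != href_host:
            reasons.append("link text shows a different host than href")
        if reasons:
            findings.append({"href": a["href"], "reasons": reasons})
    return findings


# Constructed sample email body (not a real message); \u0435 is Cyrillic 'е'.
SAMPLE_EMAIL_HTML = """
<p>Your policy documents are ready.</p>
<a href="https://example-insurer.com/policy">https://example-insurer.com/policy</a>
<a href="https://login.attacker.example/" title="https://example-insurer.com/login">Log in</a>
<a href="https://\u0435xample-insurer.com/claims">https://example-insurer.com/claims</a>
<a href="https://goo.gl/abc123">Read the policy</a>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, the first link is clean and the other three are reported. Pointed at your own outgoing templates rather than incoming mail, the same check is a cheap way to make sure the emails you send do not exhibit the patterns you tell customers to be suspicious of.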
So the industry has two choices:
- Provide advice that works generically; in this case, do not click links in emails
- Provide advice tailored to the consumer's operating system, browser version and email service
So: easy generic advice that works, or complicated situational advice.
What you can't do is provide generic advice that doesn't work.
Business Solution 2 – Don’t give out generic advice unless it is truly generic
For Good Business Practice
- Provide generic advice that works
- Don't put links in emails
- If I am a customer of a company then I already know the URL; I don't need to see it in the email
- If you do put your website address in an email, make sure you do it in a way that does not compromise the consumer across the various different applications and email services
- Don't use short or dynamic URLs in social media, or at all (this includes your own 301 or 302 redirect service)
- Don't use no-reply addresses
- Don't use complex domains
We have a guide that covers the URL issues for this on our practice what you preach pages.
We summarise on the next page