June 2, 2022

Stop Giving Impossible Advice: Telling People to Watch Out for SUSPICIOUS EMAILS is Nonsense.

Note: Verizon Media is now known as Yahoo.

A drawing of a megaphone that says "impossible advice" broadcasting "stop clicking links" with a circle crossing it out, implying "stop giving impossible advice."

It’s time to admit the long list of security advice our industry has accumulated over the past several decades is real short on why anyone — outside of our profession! — would want to adopt it. 

Telling folks to look for a dark green 🔒 at the top of a browser is useless when crooks can acquire TLS certificates. Asking people to NOT ‘click on suspicious links in emails’ when clicking on links is the way the internet works doesn’t make much sense and frankly weakens your credibility as a trusted advisor. 

Nerd-ALERT! Not everyone loves getting into the technical details of how a URL is constructed as much as you. 

Inside the Paranoids, we call this impossible advice.

Impossible advice is often composed of three primary components: 

  • It contains incomplete information — not giving folks enough context to make a real change. 
  • It asks people to do something unnatural, such as (and I’ll say it again) not clicking on links.  
  • And, most importantly, it relies on people to use their judgment of the suspicious or untrustworthy. 

Advice like this is useless because it is either meaningless — think, “secure your wifi” — or truly impossible, “always be alert.”

Actionable Advice 

Defining actionable advice is much simpler. It’s predicated on a single principle: Stopping an observable attack that would otherwise be successful. 

Take phishing. We can think of three primary types.

  • Action-based, such as Business Email Compromise. 
  • Exploit-based, which includes malware delivered through, say, an emailed attachment. 
  • Credential capture-based, which delivers the victim a hyperlink to a fake log-in page. 

That last method is, in the Paranoids’ experience, the most effective in modern cloud-based environments. That’s the attack we want people to stop. 

That leads to a piece of actionable advice, rooted in a concrete action that lowers the attack's chance of succeeding without relying on the user’s judgment: use a password manager to autofill your credentials!

The reason. Auto-filling credentials on login pages removes the burden people face when judging the trustworthiness of a URL! When credentials don’t autofill, our automatic behavior of typing credentials is disrupted and the success rate of credential capture attacks goes down as a result.
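
The origin check behind this advice, as an added example that is not from the original post: a simplified model of the autofill decision, assuming the manager fills only on an exact HTTPS origin match (real products differ in how strictly they match). The vault entry, hostnames and function names are constructed for illustration.

```javascript
// Constructed vault entry: the credential is bound to the origin where it was saved.
const vault = [
  { origin: "https://login.example.com", username: "alice" },
];

// Normalize a page URL to its origin (scheme + host + port).
// Returns null for anything that must never receive a credential.
function originOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    if (u.protocol !== "https:") return null; // no autofill over plaintext HTTP
    return u.origin; // hostname is lowercased and IDNs are converted to punycode
  } catch {
    return null; // unparseable URL: treat as no match
  }
}

// The decision is a string comparison on the origin, not a judgment call
// about whether the page "looks" trustworthy.
function credentialFor(pageUrl) {
  const origin = originOf(pageUrl);
  if (origin === null) return null;
  return vault.find((entry) => entry.origin === origin) || null;
}

// Constructed sample pages: the real login page and three that only resemble it.
const samplePages = [
  "https://login.example.com/signin?next=/mail",         // saved origin
  "https://login.example.com.account-verify.test/signin", // lookalike parent domain
  "https://login.ex\u0430mple.com/signin",                // Cyrillic "a" homoglyph
  "http://login.example.com/signin",                      // right host, no TLS
];

function report() {
  return samplePages.map((url) => ({
    url,
    autofill: credentialFor(url) !== null,
  }));
}

for (const row of report()) {
  console.log(row.autofill ? "autofill   " : "no autofill", row.url);
}
```

Only the first page gets the credential; on the other three the fields stay empty, which is the interruption to automatic typing that the paragraph above describes.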

Now, my advice to you — dear cybersecurity awareness impresario — is to default to always providing actionable advice, the stuff that stops actual attacks. Guidance that attempts to work in a limitless number of potential scenarios is often too generic to have an impact. Get granular, get specific, and stay targeted to a specific attack you want to stop. 

And for the sake of our industry, let’s put an end to telling people “don’t click links”. 

About the Author

Josh Schwartz is a Senior Director of Technical Security for the Paranoids, the information security team at Yahoo. He oversees an organization focused on offensive security assessments; red team methodology; building products that support security culture; and behavioral change initiatives.