Tag: phishing

How Security Awareness Has Undermined Real Email Communication

Phishing emails are everywhere. You are far more likely to receive phishing and spam messages than legitimate ones. Over the years, I have written about this problem using a term I still find useful: email hygiene. By that, I did not just mean inbox cleanup or filtering rules, but the cognitive-behavioral conditions under which email is trusted, read, and acted upon.

Years of security awareness training have taught users to be vigilant and skeptical. People are trained to scan emails for cues of danger, to hesitate, to doubt intent. That vigilance has helped reduce some attacks, but it has also produced an unintended effect.

Security awareness has trained people to distrust email, including legitimate internal communications.

This is not accidental. Repeated exposure to phishing simulations, warnings, and post-failure messaging conditions people to associate email with risk. Suspicion becomes reflexive. Negative framing of mistakes, public reminders of failure, and constant emphasis on threat prime users to fear getting email wrong. Over time, email itself becomes a stressor rather than a channel for communication.

As a result, success in email communication is no longer about delivery alone. It is about whether the message is received, trusted, and internalized. The goal is not simply to land in the inbox, but to get through.

This is where email hygiene needs to be rethought.

Email hygiene is often framed narrowly as avoiding phishing. Do not click suspicious links. Block malicious senders. Improve filtering. Add banners. But email hygiene is not just about avoiding phishing. It is also about avoiding looking like phishing. Internal communications that trigger the same cues users have been trained to fear are likely to be ignored, delayed, or questioned, regardless of their legitimacy.

Much of the guidance in this space misses this point. It focuses on user behavior, on technical controls, or on generic communication advice that is disconnected from how security training has reshaped user perception. What is often overlooked is that internal communicators themselves can unintentionally reproduce the very signals people have been trained to distrust.

The first point of failure is often the sender and subject line. Emails from generic inboxes that users do not recognize are immediately suspect, especially in large organizations. Messages are more likely to be trusted when they come from a real, credible individual. When a generic inbox must be used, familiarity matters. Prior exposure through other channels helps establish legitimacy before the email ever arrives.

Subject lines require particular care. Users have learned to associate urgency, warnings, rewards, threats, and artificial deadlines with phishing. Even small cues, such as typos or misleading reply markers, can undermine trust. Organizations benefit from consistent conventions that allow users to recognize legitimate internal messages without having to guess.

The body of the email matters just as much. Messages should feel human and intentional, not templated or rushed. Errors in opening or closing lines are especially damaging, as they signal inattention or automation. Before asking for action, emails should first establish credibility and context. Only then should they clearly state what is being asked, why it matters, and what happens if no action is taken.

Verification also plays an important role. Emails should be signed by a real person, even when sent from shared inboxes. Providing non-email contact paths allows recipients to verify authenticity without replying to the message itself. Logos and branding can help, but they are no longer sufficient on their own. These cues are frequently reused by attackers and even in internal phishing simulations, which further trains users to distrust them. Cross-posting important messages on internal sites gives users a way to confirm legitimacy outside the email channel.

Finally, when messages are broadcast widely, it helps to test them with a small audience first. Even limited pre-testing can surface unintended phishing cues before they reach thousands of inboxes.
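One way to give that pre-test some teeth is to lint the draft mechanically before it goes to the pilot audience. The following is an added example, not tooling from the original post: a small Python checker that reads a raw message and reports the cues discussed above (a generic or external sender, a Reply-To that points elsewhere, urgency and reward wording or a fake reply marker in the subject, external links, no phone number or internal site to verify against, and no named person signing off). The word lists, the internal domain example.com and the two sample drafts are constructed assumptions; tune the lists to your own organization's conventions.

```python
"""Heuristic lint for an internal email draft: an added example, not the page's own tooling.
It flags cues users are trained to read as phishing (generic sender, mismatched Reply-To,
urgency, fake reply marker, external links, no verification path, no human sign-off).
The word lists, the internal domain and the sample drafts are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed lists: urgency/threat/reward wording, and local parts that read as a system.
URGENCY_WORDS = ("urgent", "immediately", "action required", "final notice",
                 "last chance", "suspended", "verify your account", "reward",
                 "prize", "you have won", "expires today")
GENERIC_LOCALPARTS = {"noreply", "no-reply", "donotreply", "notifications",
                      "notification", "admin", "alert", "alerts", "system"}
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
NAME_RE = re.compile(r"[A-Z][a-z]+(?: [A-Z][a-z]+){1,2}")  # e.g. "Priya Natarajan"


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _is_internal(host, internal):
    host, internal = host.lower(), internal.lower()
    return host == internal or host.endswith("." + internal)

def lint_email(raw, internal_domain):
    """Return phishing-cue findings for a raw RFC 5322 message (empty != legitimate)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Sender: a recognisable person is trusted more than a generic inbox.
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    local = from_addr.split("@", 1)[0].lower()
    if not from_name:
        findings.append("From: no display name on the sender")
    if local in GENERIC_LOCALPARTS:
        findings.append(f"From: generic inbox '{local}'; send as a person or a familiar shared box")
    if not _is_internal(_domain(from_addr), internal_domain):
        findings.append(f"From: '{_domain(from_addr)}' is not the internal domain")
    # Reply-To pointing at another domain is a classic phishing signature.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To: '{_domain(reply_addr)}' differs from the From domain")
    # Subject: urgency/threat/reward words, fake reply markers, shouting.
    subject = str(msg.get("Subject", ""))
    low = subject.lower()
    hits = [w for w in URGENCY_WORDS if w in low]
    if hits:
        findings.append(f"Subject: urgency/threat/reward framing {hits}")
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    if re.match(r"\s*(re|fw|fwd)\s*:", low) and not is_reply:
        findings.append("Subject: reply/forward marker on a message that is not a reply")
    if subject.count("!") > 1 or (len(subject) > 5 and subject.isupper()):
        findings.append("Subject: shouting (all caps or repeated '!')")
    # Body: external links, a verification path outside email, a human sign-off.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    internal_links = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if _is_internal(host, internal_domain):
            internal_links.append(url)
        else:
            findings.append(f"Body: link to external host '{host}'")
    if not PHONE_RE.search(body) and not internal_links:
        findings.append("Body: no non-email contact path (phone or internal site) to verify it")
    tail = [l.strip() for l in body.strip().splitlines() if l.strip()][-3:]
    if not any(NAME_RE.fullmatch(l) for l in tail):
        findings.append("Body: not signed off by a named person")
    return findings


# Constructed sample drafts, not real messages.
BAD_DRAFT = """\
From: IT Notifications <notifications@example.com>
Reply-To: helpdesk@example-support.net
Subject: RE: URGENT: Action required - your account will be suspended!!

Click here immediately to verify your account: http://example-support.net/verify
Failure to act within 24 hours will result in permanent suspension.

IT Security Team
"""
GOOD_DRAFT = """\
From: Priya Natarajan <priya.natarajan@example.com>
Subject: Badge reader upgrade on the 4th floor, Tuesday 10 June

Hi all,

Facilities is replacing the 4th-floor badge readers next Tuesday between
09:00 and 11:00; nothing here asks you to log in, click or install anything.
Details are on the intranet: https://intranet.example.com/facilities/badge-upgrade
To confirm this came from me, call the facilities desk on +44 20 7946 0123.

Priya Natarajan
Head of Facilities
"""
```

Running lint_email(BAD_DRAFT, "example.com") returns eight findings (generic inbox, foreign Reply-To, urgency wording, fake reply marker, repeated exclamation marks, an external link, no verification path, no named sign-off), while the good draft returns none. An empty result is only the absence of the cues this checker knows about, not a proof of legitimacy, so it complements rather than replaces the small-audience pre-test.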

Email is a flexible medium, and there is real craft involved in using it well. No set of rules can guarantee success. But good email hygiene reduces confusion, avoids triggering conditioned suspicion, and increases the likelihood that legitimate internal communications are not just delivered, but believed and acted upon.

Stopping Russian Cyberattacks at Their Source [Published in Dark Reading]

Photo by Markus Spiske on Unsplash

In 2016, Lazarus, a notorious hacking group, aimed to steal a billion dollars through the SWIFT interbank communication system. How did the group do it? Social engineering.

Using an innocuous email purporting to be from a job applicant, the hackers had gained entry into Bangladesh's central bank network almost a year earlier. Once in, they learned how SWIFT (the Society for Worldwide Interbank Financial Telecommunication) messaging worked and began issuing transfer orders, close to a billion dollars in total, against the bank's account at the Federal Reserve Bank of New York. The heist was discovered by accident when a bank staffer rebooted a compromised printer, which then printed the New York Fed's queued confirmation messages. That stalled the hack, but not before $81 million was stolen.

Lazarus Group's members were from North Korea. Its hackers, given the country's limited access to computing, aren't the best. Russia's are. They have developed some of the most potent malware we have seen yet. And if China were to team up with Russia, and there is evidence it is likely to, we are in for increasingly brazen attacks.

For context, nearly every major hack in the past decade has origins in one of these nations. Russian hackers slipped malicious code into SolarWinds' Orion software and got access to the Pentagon and the Cybersecurity and Infrastructure Security Agency (CISA), the DHS agency responsible for protecting federal networks. Most ransomware also has roots in Russia. Estimates are that one in three organizations globally is a victim of these attacks, and they are enormously lucrative for the attackers. Last year, the meat packer JBS paid $11 million in ransom; Colonial Pipeline paid $5 million. Some of it was recovered, but all of us paid through higher prices. And almost all of it involved social engineering.

Add to this the hacking prowess of China. Data stolen from sources as varied as the Office of Personnel Management (OPM) and major retailers has been traced to China. According to reports, sophisticated data-mining operations there are helping Russians craft highly persuasive social engineering attacks.

Growing Russian Hacker Threat
Now that Russia is isolated and cut off from banking systems such as SWIFT, it is only a question of time until it turns more sharply toward hacking. And if the country's currency implodes further and it no longer cares about the rules-based global economy, there will be no way to hold it to account, and disruptions will increase. We will end up paying through ransom payments, supply shortages, and higher prices. We have to stop this at its source by protecting users, all of us, the primary conduit through which malware gets into organizations.

While, at long last, two major cybersecurity bills mandating ransomware reporting are being considered by Congress, the defense of users is still being ignored. That is because our cybersecurity defense relies on technology vendors, and the tech sector's incentive is to develop and sell more technology. We have more proprietary security technology, with more licenses being sold, than ever before. Bank of America, which a decade ago was spending $400 million on cybersecurity, is now spending a billion dollars. And after all that, thousands of the bank's California customers were still hacked last year.

How Do We Prevent Cyberattacks?
We need to change this paradigm. We need to invest in open source tools that are developed through private-public partnerships and make licenses available free of charge for at least the first five years to all organizations. This way, they can be applied widely, openly tested, and their value in organizational security can be ascertained.

The same extends to user training, one of the most widely applied proactive defenses against spear-phishing. Almost all training today is left to vendors, which offer many fee-based programs. But how good is any of it? Cybersecurity firms publish little data on its effectiveness. That withholding of data has covered up inefficiencies in training, which research studies repeatedly point out, and it is extremely dangerous because the programs give organizations a false sense of readiness.

Audits Are Needed
We need audits of organizational training, conducted by independent groups that aren’t motivated by the possibility of selling something more. CISA could set up such a team in the federal government that demonstrates how this can be accomplished. This can serve as a blueprint for IT managers in organizations, who are naturally risk-averse and less inclined to allow anyone to peer into their performance.

Finally, we need to get our netizens prepared for what’s coming. Like the civil defense drills we performed in the 1970s, we need to have cybersecurity drills that make everyone adept at dealing with social engineering. Everyone should have access to free security training and open source backup and threat-detection tools. Organizations should make multifactor authentication the default on all online services. The same goes for credit and identity protection. All of our credit should be locked by default, and credit monitoring, which is a fee-based service, should be free.

Stopping cyberattacks is no longer an option. It is an existential requirement. We may not be able to put our boots on the ground to fight the Russians, but we must ensure that neither our data nor our money help fund their war efforts.


*A version of this post was published in Dark Reading

Mobile telephony is dying [Published in Ipswitch]

Photo by Marten Bjork

Verizon, AT&T, T-Mobile–I hope you are reading this. Mobile telephony, your primary business model of enabling phone calls and text messaging, is dying.

Your internal data likely says otherwise. Growth appears to be everywhere: 5G's enhanced mobile broadband speeds are coming alive, more people are subscribing with more gadgets, and some 60% of Americans are in mobile-only households, phenomena that were inconceivable two decades ago. Not to mention the surge in network use during the pandemic.

With this kind of growth, why would I say mobile telephony is dying? There are a few good reasons.

Text Messaging and Messaging Apps Reign Supreme

For one, people have largely stopped calling each other on their phones and are instead messaging. Note that I said messaging, which runs over the Internet, and not texting, which needs your network.

Messaging is increasingly popular, even preferred. You can be just as professional on it as you can be informal, and you can express your personality more richly, using emoticons, emojis, memojis, tapbacks, and more. And unlike phone calls, you don't need to ask about the weather; nor do you need the salutations, signatures, and formal valedictions we use with email.

Messaging can be short, unintrusive, and direct. So it works just as well for messaging colleagues down the hallway, family members in the other room, and friends in faraway places. For the security-minded, the leading services are end-to-end encrypted, something that, as of this writing, neither traditional texting nor its newer RCS incarnation in Google Messages supports.

Photo by G-R Mottez on Unsplash

Because of this, mobile messaging has been growing exponentially and, following email, accounts for roughly half of all mobile Internet usage. More importantly, roughly 80 percent of millennials, the generation that came of age with social media and iDevices, use messaging apps like Facebook Messenger on mobile devices.

People Prefer Video Calls Instead of Phone Calls

Second, when people do call, they increasingly use video rather than voice, especially for group calls. Video calling showed an estimated 175 percent increase in usage over the last three years, with one in four millennials using it daily. And this was before the pandemic made it a necessity, ushered in newer, arguably easier-to-use apps such as Zoom, and made group calls for work, school, even television interviews, mainstream. While group video calls can be made on mobile devices, they are better on larger-screened laptops and tablets, which is bad news if you are a cellular provider, because none of these, again, require your service.

Not so long ago, the cellular providers dictated what people could use on their network. Today, the power has shifted to the gadget makers, who provide the cameras, the noise-canceling earphones, and the ability to seamlessly switch between devices during a video call, and who shape the experience. Because of this, the mobile phone number is becoming less important, while the device, and how well it syncs up with the user's other devices, is central to the user's quality of experience.

Finally, making things worse, the cellular networks have not been able to stem abuse on their own networks. In 2020, 58 billion robocalls were made to American residents' mobile phones, an average of 80.6 calls per person, and this was a 22 percent increase over the previous year. Many are phishing calls and texts that appear to come from local area codes and attempt to deceive users into paying fraudulent IRS dues, threaten various dire legal actions, or lure users into opening malicious hyperlinks in text messages.

Phishing and Robocalls Erode Trust in Cellular-Based Calling

Phone-based phishing is made possible by Internet-based telephony, which lets attacks be launched from anywhere in the world while avoiding prosecution. Also enabling them is our caller-ID system, which was originally developed for the home phone network when there were few providers, all of whom could be trusted. Caller ID thus assumed all callers were honest and displayed whatever number they programmed in; the number is asserted by the originating party, not verified by the network that delivers the call. Today, this makes it possible for anyone using a computerized dialer to obscure the true source of a call and fake the number that shows up on our caller IDs.

The phone carriers, however, don't treat the nuisance these calls cause as their problem. So, even though they have developed apps to block such calls, they charge an additional fee for them. But consumers, long sold on the delivery quality of different cellular networks with "Can you hear me now?" promises, are unwilling to pay for something they believe the carriers should deal with. Thus, rather than pay for the app, users keep their mobile devices on silent mode, ignoring incoming calls and texts. For many millennials, this likely furthers their shift to messaging and video calling.

The risk of being silenced, especially by this important consumer psychographic, could have a profound impact on the future of the cellular network. In the past, consumers in similar age cohorts have proven relatively quick to move away from services that didn't put their interests ahead of the organization's bottom line.

Much like cellular networks today, the home phone networks reigned supreme back in the 1990s. Their primary business was long distance, for which they kept charging exorbitantly. In 1997, long-distance rates were 12–25 cents per minute, up 25 percent since 1992. The future looked so bright that the former head of AT&T's long-distance business, Joseph P. Nacchio, remarked: "Long distance is still the most profitable business in America, next to importing illegal cocaine."

At the time, there were just 50 million mobile subscribers, all of whom also had a home phone. Within a few years, that generation of 22-to-40-year-olds quickly adopted the Internet and mobile telephony, which all but killed the traditional phone business.

Today’s millennials are not only in the same age cohort but they are also now the majority of American residents. They have already dropped their home phones for mobile, and their cable subscriptions for streaming video. Their cellular phone plans may well be next.


*A version of this post appeared here: https://blog.ipswitch.com/mobile-telephony-is-dying-heres-why
