We’ve previously reported on how, with the rise of phishing sites that use SSL/TLS certificates, the padlock icon in your web browser gives your users a false sense of security. The threat, however, doesn’t end with the browser.
Although first observed as early as 2016, PhishLabs analysts have seen a dramatic uptick in phishing emails that imitate the flags, banners, and other markup that email clients and other applications add to mark a message as trusted, safe, and/or urgent.
Let’s look at an example:
That trusted sender flag in the email above? Fake. The attacker simply reproduced the look of the banner in the HTML of the message body, which the sender fully controls. Note the bad grammar of the text and the fact that the flag sits below other markup we add internally, which is not where the real one is placed. At first glance, however, it is convincing enough that a user conditioned to ‘look for the green bar’ when deciding whether an email is legitimate would be fooled, especially if they haven’t had their morning coffee or are multitasking during a meeting.
This brings me to an important point. In the battle against social engineering, positive indicators (a flag, a banner, a colour that says “this one is safe”) are not an effective defense. The reason is simple: social engineering takes advantage of our natural tendency to short-circuit our own decision-making process in order to save time and mental energy. When you rely on positive indicators to train your users, you’ll stop some attacks, sure. But, at the same time, you are teaching a pattern of behavior that can be abused: anything a user is told to look for, the attacker can counterfeit, as long as it is rendered from content the attacker controls.
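As an added illustration of why a banner inside the message body cannot be trusted, here is the kind of check a mail gateway could run on inbound messages before it adds its own banner: at that point, anything that looks like the trusted-sender flag was written by the sender. This is example code written for this page, not PhishLabs tooling; the banner phrases, the gateway placement assumption and the two sample messages are all constructed.

```python
"""Flag inbound HTML e-mail that already carries a look-alike of the gateway's
'trusted sender' banner.

Assumption (constructed for this example, not from the original post): the
organization's mail gateway injects the genuine banner into the body only after
the message has passed this scan, so a match here is always sender-authored.
"""
import html
import re
import unicodedata
from email import message_from_string
from email.message import Message

# Phrases the genuine banner uses (constructed example values).
BANNER_PHRASES = (
    "trusted sender",
    "verified internal message",
)

# Zero-width characters forgers sprinkle into text to defeat naive matching.
_ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"), None)


def normalize_text(fragment: str) -> str:
    """Reduce an HTML fragment to comparable plain text: drop tags, decode
    entities such as &nbsp; and &#8203;, strip zero-width characters, fold
    compatibility forms (NFKC), lower-case, and collapse whitespace."""
    text = re.sub(r"<[^>]+>", " ", fragment)   # tags first, so &lt;b&gt; stays text
    text = html.unescape(text)
    text = text.translate(_ZERO_WIDTH)
    text = unicodedata.normalize("NFKC", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def html_body(msg: Message) -> str:
    """Concatenate every text/html part of the message (handles multipart)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def find_banner_lookalikes(body: str) -> list:
    """Return the banner phrases that appear in the normalized body text."""
    text = normalize_text(body)
    return [phrase for phrase in BANNER_PHRASES if phrase in text]


def scan_inbound(raw_message: str) -> dict:
    """Classify a raw RFC 5322 message arriving from outside, before stamping."""
    msg = message_from_string(raw_message)
    hits = find_banner_lookalikes(html_body(msg))
    return {
        "subject": msg.get("Subject", ""),
        "forged_banner": bool(hits),
        "matches": hits,
    }


# Constructed sample: a lure that paints its own green 'Trusted Sender' bar and
# pads the text with a zero-width space and a non-breaking space.
FORGED = """\
From: "IT Helpdesk" <helpdesk@example.net>
To: alice@example.com
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<table width="100%" bgcolor="#dff0d8"><tr><td>
&#9989; Trus&#8203;ted&nbsp;Sender &mdash; this message were verified
</td></tr></table>
<p>Your password expire in 1 hours. <a href="http://example.net/reset">Renew now</a></p>
</body></html>
"""

# Constructed sample: an ordinary external message with no banner markup.
CLEAN = """\
From: bob@example.org
To: alice@example.com
Subject: lunch?
Content-Type: text/html; charset="utf-8"

<html><body><p>Lunch at noon?</p></body></html>
"""

if __name__ == "__main__":
    for sample in (FORGED, CLEAN):
        print(scan_inbound(sample))
```

The scan only works because of where it runs: once the gateway has stamped its own banner, a genuine and a forged one are indistinguishable by content alone. The more robust fix is to render such indicators in client chrome the message body cannot draw into, rather than in the body itself.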
Training end users to alter their behavior is hard enough; don’t introduce new vulnerabilities while you’re doing it.