this post was submitted on 02 Nov 2025
I would be more interested in a study of people entering credentials or taking other risky actions after clicking.
Yes, people whose job includes lots of link clicking are going to click links.
And one obvious but good conclusion: invest in mandating MFA for sensitive actions.
Totally agreed, I get it's easier to consider it a fail if you open the link, and that simply opening a random link has some inherent risk, but there should at least be a fake page to enter credentials and evaluate how many people actually go through with that, and break that out as a CRITICAL where the other clicks are HIGH or MEDIUM status, to classify the risk.
Also, this is just an anecdote, but in a similar phishing simulation I helped with, we had to bypass filters for rejecting emails with links for websites registered in the last 60 days. Obviously this isn't a foolproof way to prevent phishing attempts, but it does cut out a lot of junk, and we've indirectly been training employees to not deal with that.
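Added example, not part of the thread or any commenter's code: a sketch of the kind of mail filter described in the comment above, rejecting a message when any linked domain was registered less than 60 days ago. The registration table stands in for a WHOIS/RDAP lookup, and the sample messages, domain names, the two-label domain rule and the reject-on-unknown policy are all assumptions made for the illustration.

```python
import re
from datetime import date, timedelta
from email import message_from_string
from urllib.parse import urlsplit

MIN_AGE = timedelta(days=60)  # threshold mentioned in the comment
# Constructed registration dates standing in for a WHOIS/RDAP lookup.
REGISTERED = {"intranet.example": date(2019, 3, 1),
              "payroll-portal.example": date(2025, 10, 20)}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample messages.
SAMPLE_NEW = ("From: it@corp.example\nSubject: Password reset\n"
              "Content-Type: text/html; charset=utf-8\n\n"
              '<a href="https://login.payroll-portal.example/reset">Reset</a>\n')
SAMPLE_OLD = ("From: hr@corp.example\nSubject: Handbook\n\n"
              "See https://wiki.intranet.example/handbook for details.\n")

def registrable_domain(host):
    # Assumption: last two labels; real filters should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_domains(raw_message):
    """Collect the registrable domain of every http(s) link in text parts."""
    domains = set()
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(body):
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed URL such as a broken IPv6 literal
                continue
            if host:
                domains.add(registrable_domain(host))
    return domains

def verdict(raw_message, today, lookup=REGISTERED):
    """Return ('reject' | 'accept', reasons). Unknown age fails closed (assumption)."""
    reasons = []
    for dom in sorted(link_domains(raw_message)):
        created = lookup.get(dom)
        if created is None:
            reasons.append(f"{dom}: registration date unknown")
        elif today - created < MIN_AGE:
            reasons.append(f"{dom}: registered {(today - created).days} days ago")
    return ("reject" if reasons else "accept", reasons)
```

A phishing simulation that uses a freshly registered domain will be caught by this check, which is why the simulation in the comment needed an explicit bypass.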
MFA is not going to help when people will literally transfer their money to a scammer, because the scammers convinced them that said money is in danger and the only way to protect it is to transfer it to a "secure account". You can't fix stupid with technical limitations.