Is Disabling Clickable URL Hyperlinks Sufficient?

Recently, a customer reached out to ask whether disabling clickable uniform resource locator (URL) links in emails was enough protection on its own that they would no longer need employee security awareness training and simulated phishing.

We can understand why this misperception might exist. Many anti-phishing educational sessions discuss the need for people to evaluate every URL link before clicking on it. One of KnowBe4's main messages has always been "Think Before You Click!"

But no, disabling URL links alone is not enough. This article will discuss why.

Disabling all URL links in all emails by default is an effective way to lower cybersecurity risk. Essentially, what this control does is remove the embedded "hyperlink" property of the URL and render the URL in plaintext, so that it cannot be clicked with a mouse, or simply selected from the keyboard, to automatically open an Internet browser at the address it points to.
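As an added illustration of the control described above (example code written for this article, not KnowBe4's code or any mail client's implementation), the Python below takes a constructed HTML email body, strips every anchor so nothing in the message is clickable, prints the real destination in plain text beside each link's visible text, and flags anchors whose visible text names a different host than the real destination. The sample message, the hosts in it and the phone number are all constructed; the attacker-controlled host uses the reserved `.invalid` suffix. The sample also shows what the control leaves untouched: a link carried by an image and a phone number in the body survive exactly as they were.

```python
"""Render every hyperlink in an HTML email as plaintext so nothing is clickable.

Added example for this article; not the code of any mail client. The sample
message at the bottom is constructed and none of its hosts are real.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkFlattener(HTMLParser):
    """Re-emit HTML with each <a href="..."> replaced by its inner content
    followed by the raw destination in square brackets. Everything else is
    passed through unchanged (comments and the doctype are dropped)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # fragments of the rewritten body
        self.links = []      # (visible_text, href) for every anchor seen
        self._anchor = None  # while inside <a>: {"href", "inner", "text"}

    def _emit(self, fragment):
        target = self.out if self._anchor is None else self._anchor["inner"]
        target.append(fragment)

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self._anchor is None:
            href = dict(attrs).get("href") or ""
            self._anchor = {"href": href, "inner": [], "text": []}
            return
        self._emit(self.get_starttag_text())  # pass other tags through verbatim

    def handle_startendtag(self, tag, attrs):
        self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            anchor, self._anchor = self._anchor, None
            self.links.append(("".join(anchor["text"]), anchor["href"]))
            # The destination is now plain text: the reader has to copy and
            # paste it to go there, which is exactly what the control wants.
            self.out.append("".join(anchor["inner"]) + f" [{escape(anchor['href'])}]")
            return
        self._emit(f"</{tag}>")

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor["text"].append(data)
        self._emit(escape(data, quote=False))


def flatten_links(html_body):
    """Return (rewritten_html, links) for an HTML email body."""
    parser = LinkFlattener()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.links


def _host(url):
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text):
    text = text.strip()
    if not text or any(c.isspace() for c in text):
        return False
    hostpart = text.split("://", 1)[-1].split("/", 1)[0]
    return "." in hostpart


def mismatched_links(links):
    """Anchors whose visible text looks like a URL but names a different host
    than the real href. Plaintext rendering puts the two side by side, which
    is what lets a trained user notice the difference."""
    return [(text, href) for text, href in links
            if _looks_like_url(text) and _host(text) != _host(href)]


# Constructed sample: a lookalike login link, an image-wrapped link, and a
# callback phone number. None of these hosts are real.
SAMPLE_EMAIL = """<p>Your statement is ready. Sign in at
<a href="https://login.bank-example.invalid/session">https://bank.example.com</a>
to review it.</p>
<p><a href="https://bank.example.com/help"><img src="cid:help.png" alt="Help"></a></p>
<p>Or call <b>+1-555-0100</b> and quote reference 4471.</p>"""


if __name__ == "__main__":
    body, links = flatten_links(SAMPLE_EMAIL)
    print(body)
    for text, href in mismatched_links(links):
        print(f"visible text {text!r} but destination host {_host(href)!r}")
```

Run stand-alone, the script prints the rewritten body with the real destination of the first link exposed in brackets, then reports that link as a mismatch. The image link is also flattened, but the phone number is untouched, which is the gap the article goes on to describe.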

Many organizations (including the U.S. Department of Defense) and cybersecurity guides recommend rendering all URLs as plaintext. For that reason, Microsoft Outlook and many other email applications have had that option for well over 20 years.

And, yes, disabling clickable URLs by default will lower cybersecurity risk. It makes it harder for someone to see a link, quickly click on it, and launch the content associated with it. At the very least the user has to manually copy the link and paste it into a browser address bar. Requiring manual action to launch a link is proven to lower the percentage of people who will visit the URL. Phishers hate it.

Of course, plaintext links are a big inconvenience to everyone who simply wants to click on a legitimate link and be taken directly to the right place. If most of the emails ending up in someone's inbox are not malicious, then this means a huge amount of inconvenience for most people in most scenarios. This makes it less likely that an organization will implement it. But for those who do, and put up with the inconvenient consequences, it does reduce cybersecurity risk from email social engineering.

But not all risk.

People Will Simply Copy The Links
People who are appropriately motivated will simply copy the links into their browser and go there anyway. Disabling links does lower the chance that someone will click on a particular link, but not for everyone. We all know how to copy and paste something. It will slow the average user down by less than 10 seconds.

You need to train your users in how to recognize rogue URLs. Here's a 1-hour webinar on how to spot rogue URLs.

We even recently covered "clickjacking" on our blog, in which a hacker goes beyond simply convincing a victim to type in a URL and gets them to run more complex commands or PowerShell scripting on the user's command line.

It Doesn't Stop All Email-Based Social Engineering
Most email-based social engineering does include a URL link that the phisher is hoping the potential victim clicks on, but many attacks don't. Emails that include a Quick Response (QR) code instead of a link are on the rise. Callback phishing, which is a phishing email that induces potential victims to call a phone number, often doesn't include a URL link at all. Or the link is included as part of a graphic that the user has to re-type anyway.

Email Isn't The Only Phishing Medium
Social engineering and phishing can occur over any communication medium, including in person, phone, SMS message, social media, chat apps and channels, QR codes, and even television. If you stop anti-social engineering training, you're increasing the chance that someone will be compromised on non-email channels.

It Doesn't Stop Users at Home
Many users are compromised at home, on their home devices, where URL blocking isn't likely to be enabled. A personally compromised employee (e.g., dealing with a phishing attack, stolen money, etc.) is a less productive employee. And many employees are compromised at home, with the attacker using the personal compromise as a starting point to attack their employer.

Good Security Awareness Training
Good Security Awareness Training shouldn't just include education on email phishing and simulated email phishing campaigns. It should include training about all types of phishing and how they occur on all types of devices and mediums. You don't want your employee being tricked by a phone call any more than by an email attack.

Your training and testing should include all kinds of things to improve human risk management, beyond simply phishing education and testing. For example, you should be including education on a variety of topics, including compliance topics, like password policy, following company policies, securing company devices when traveling or in your car, not leaving confidential information out in the open or discussing it in public, etc. It should include videos, posters, games and in-person meetings. And all of that is improved and facilitated by security awareness training that is hosted in email.

If you're doing it right, you're trying to change the organization's culture to be more cybersecurity-aware, and if you aren't training and running simulated phishing exercises that mimic real-world events, you're not doing that as effectively as you otherwise could be.

So, go ahead and disable URL links if that's what you and management want to do. But don't stop training and simulated email phishing. There's a whole lot more involved in creating a great cybersecurity culture than just links and email.
