How to wake employees up to phishing attacks

  • Security and usability are often at a crossroads.

  • Users can be easily tricked into giving out information.

  • AT&T Security Consulting can help you avoid user interface confusion.

Recently, AT&T Consulting Solutions was asked to perform a social engineering assessment designed to find out if employees could distinguish between legitimate and phishing emails.

The organization we were working with told us they used HTTP proxies, whereby all Web traffic passes through a server and employees are only shown content permitted by the organization’s security policies. Quite often such proxies require users to authenticate first. But how would a user distinguish between a proxy authentication prompt and a “rogue” authentication prompt from an attacker’s site? Just as a cybercriminal might do, we “tricked” the employees into submitting their credentials: they thought they were authenticating to the proxy, when in fact they were authenticating to our phishing site!

There’s a lesson to be learned here

When directing employees, always try to help them differentiate between the prompts, and never prompt them unnecessarily. If they get used to too many prompts, they will be inclined to not read them, just assuming all prompts are legitimate.

Also, where there is an option, strive to use explicit HTML login forms served over SSL/TLS (with server certificates) to perform web authentication. Basic authentication or NTLM authentication may confuse users, because the browser’s authentication prompts for a legitimate proxy and for a rogue site may have no perceptible difference between them.
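As an added example that is not part of the original post, the following Python audit applies the two lessons above to captured HTTP responses: only the trusted proxy may issue a 407 challenge, and any 401 that would trigger a browser-native Basic/NTLM/Negotiate dialog is flagged, more severely when it travels over plain HTTP or when its realm text mimics the proxy. The proxy hostname and the sample responses are constructed.

```python
# Audit HTTP responses for browser-native auth challenges (Basic/NTLM) that
# a user cannot tell apart from the corporate proxy's own 407 prompt.
from typing import Optional

TRUSTED_PROXY = "proxy.corp.example"             # assumed proxy hostname (constructed)
NATIVE_SCHEMES = {"basic", "ntlm", "negotiate"}  # schemes that pop a browser dialog


def audit_response(host: str, scheme: str, status: int, headers: dict) -> Optional[str]:
    """Return a finding for one response, or None if it needs no attention."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 407:
        # Only the real proxy may issue Proxy-Authenticate; anyone else is spoofing it.
        if host.lower() == TRUSTED_PROXY:
            return None
        return f"CRITICAL {host}: 407 Proxy-Authenticate from a non-proxy host"
    if status == 401 and "www-authenticate" in h:
        challenge = h["www-authenticate"]
        auth_scheme = challenge.split(None, 1)[0].lower()
        if auth_scheme not in NATIVE_SCHEMES:
            return None                      # e.g. Bearer: no browser dialog appears
        severity = "HIGH" if scheme == "http" else "MEDIUM"  # cleartext credentials are worse
        note = " (realm mimics the proxy prompt)" if "proxy" in challenge.lower() else ""
        return f"{severity} {host}: browser-native {auth_scheme.upper()} prompt over {scheme}{note}"
    return None


def audit_batch(responses) -> list:
    """Run audit_response over (host, scheme, status, headers) tuples, keeping findings."""
    return [f for f in (audit_response(*r) for r in responses) if f]


# Constructed sample responses as a gateway would observe them: (host, scheme, status, headers)
SAMPLE_RESPONSES = [
    ("proxy.corp.example", "http", 407, {"Proxy-Authenticate": "NTLM"}),
    ("intranet.corp.example", "https", 302, {"Location": "https://sso.corp.example/login"}),
    ("api.corp.example", "https", 401, {"WWW-Authenticate": 'Bearer realm="api"'}),
    ("cdn-updates.example.net", "http", 401, {"WWW-Authenticate": 'Basic realm="Corporate Proxy"'}),
    ("files.partner.example", "https", 401, {"WWW-Authenticate": "NTLM"}),
    ("gateway.example.org", "http", 407, {"Proxy-Authenticate": 'Basic realm="proxy"'}),
]

if __name__ == "__main__":
    for finding in audit_batch(SAMPLE_RESPONSES):
        print(finding)
```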

Have you noticed other such contradictions between security and usability? Are your applications and infrastructure protected against such user interface confusion attacks? Reach out to the experts at AT&T Security Consulting. We’re here to help.

The Networking Exchange Blog Team