Telling users to ‘avoid clicking bad links’ still isn’t working, UK National Cyber Security Centre


Why “Don’t Click Suspicious Links” Just Isn’t Cutting It Anymore (and What To Do Instead)

As the UK’s National Cyber Security Centre (NCSC) highlighted in a blog post published on March 13, 2025, titled “Telling users to ‘avoid clicking bad links’ still isn’t working”, simply warning people to steer clear of dodgy links is not a sufficient cybersecurity strategy. While well-intentioned, this advice is often too vague and relies heavily on the user’s ability to identify sophisticated phishing attempts, which is becoming increasingly difficult.

The Problem: The Bad Guys Are Getting Too Good

For years, cybersecurity training has drilled the “don’t click” mantra. We’ve been taught to look for telltale signs: misspelled words, suspicious sender addresses, and a sense of urgency. But here’s the harsh reality:

  • Phishing emails are becoming incredibly convincing: Cybercriminals are employing advanced techniques like:
    • Spear Phishing: Tailoring emails to individual targets with personal information scraped from social media and other online sources. This makes the email seem legitimate and trustworthy.
    • Brand Impersonation: Perfectly mimicking the look and feel of legitimate companies and services (e.g., banks, popular online stores, social media platforms).
    • Using Sophisticated Language Models: Eliminating grammatical errors and crafting emails that read naturally and persuasively.
  • Technical tricks are bypassing traditional defenses: Attackers are finding new ways to deliver malicious links:
    • QR Code Phishing (Quishing): Embedding malicious links in QR codes, which are easily scanned with smartphones.
    • Compromised Websites: Injecting malicious code into legitimate websites that users already trust.
    • Social Media Scams: Spreading links through fake profiles and misleading posts on social media platforms.
  • Humans are inherently fallible: Even with the best training, people make mistakes. They might be distracted, stressed, or simply not paying enough attention when they click a link. This is especially true in the age of information overload.

Why “Don’t Click” Fails:

  • It’s too passive: It puts the entire burden on the user to detect and avoid threats.
  • It’s based on an assumption that everyone is equally vigilant and knowledgeable: This simply isn’t true.
  • It doesn’t account for the evolving threat landscape: Cybercriminals are constantly adapting their tactics.
  • It’s fear-based: While fear can be a motivator, it can also lead to anxiety and ultimately be ineffective.

A Better Approach: A Layered Defense

Instead of relying solely on the “don’t click” mantra, a more comprehensive and proactive approach is needed. This involves creating a layered defense that combines technology, training, and a strong security culture.

1. Technical Solutions:

  • Robust Email Security: Implement advanced email filtering and security solutions that can detect and block phishing emails before they reach users’ inboxes. Look for features like:
    • Advanced Threat Protection (ATP): Scans attachments and links in real-time for malicious content.
    • Anti-Phishing Policies: Configured to identify and flag suspicious emails based on various criteria.
    • Spoofing Protection (DMARC, SPF, DKIM): Verifies the authenticity of email senders to prevent spoofing attacks.
  • Web Filtering: Block access to known malicious websites and categorize websites to restrict access to potentially risky content.
  • Multi-Factor Authentication (MFA): Requires users to verify their identity using multiple authentication factors (e.g., password, one-time code) to prevent unauthorized access even if their credentials are compromised.
  • Endpoint Detection and Response (EDR): Continuously monitors endpoints (computers, laptops, smartphones) for suspicious activity and provides rapid response capabilities in case of a breach.
  • URL Sandboxing: Automatically detonates links in a safe, isolated environment to analyze their behavior before allowing users to access them.

2. Enhanced Training and Awareness:

  • Interactive Training Programs: Go beyond passive lectures and presentations. Use interactive simulations, gamification, and real-world scenarios to engage users and test their knowledge.
  • Phishing Simulations (with a twist): Regularly send simulated phishing emails to employees to assess their vulnerability and identify areas for improvement. However, instead of simply punishing those who click, use it as a learning opportunity to provide immediate feedback and guidance.
  • Focus on Positive Reinforcement: Celebrate and reward users who correctly identify and report suspicious emails. This creates a positive security culture and encourages vigilance.
  • Micro-Learning Modules: Deliver bite-sized training modules on specific topics (e.g., password security, social engineering, mobile security) that are easy to digest and retain.
  • Explain Why, Not Just What: Help users understand the motivation and tactics of cybercriminals. This empowers them to make more informed decisions and recognize potential threats.

3. Strong Security Culture:

  • Open Communication: Encourage employees to report suspicious emails or links without fear of reprisal. Create a culture where security is everyone’s responsibility.
  • Leadership Buy-In: Demonstrate that security is a priority from the top down. Leaders should actively participate in security awareness training and promote secure behaviors.
  • Regular Security Updates: Keep users informed about the latest threats and best practices through regular security updates, newsletters, and internal communications.
  • Incident Response Plan: Have a well-defined incident response plan in place to handle security breaches effectively. This plan should outline the roles and responsibilities of different teams and individuals.
  • Promote a “Verify First” Mentality: Encourage users to independently verify the authenticity of requests or links, especially those involving sensitive information or financial transactions. This can involve contacting the sender through a known legitimate channel or verifying the website URL.

In conclusion, while telling users to “avoid clicking bad links” is a good starting point, it’s no longer enough to protect against the increasingly sophisticated cyber threats of today. By implementing a layered defense that combines robust technical solutions, enhanced training, and a strong security culture, organizations can significantly reduce their risk of falling victim to phishing attacks and other cybercrimes. The key is to move beyond passive warnings and empower users with the knowledge, tools, and support they need to stay safe online.


Telling users to ‘avoid clicking bad links’ still isn’t working

The AI has delivered the news.

The following question was used to generate the response from Google Gemini:

At 2025-03-13 11:22, ‘Telling users to ‘avoid clicking bad links’ still isn’t working’ was published according to UK National Cyber Security Centre. Please write a detailed article with related information in an easy-to-understand manner.


