Telling users to ‘avoid clicking bad links’ still isn’t working, UK National Cyber Security Centre


Why “Just Don’t Click!” Doesn’t Cut It Anymore: The Struggle Against Phishing

According to the UK National Cyber Security Centre (NCSC), as of March 13, 2025, the simple advice to “avoid clicking bad links” still isn’t effectively stopping people from falling victim to phishing scams. This blog post delves into why this traditional approach isn’t working, and what needs to change to better protect ourselves from increasingly sophisticated cyberattacks.

The Problem: “Just Don’t Click” is Overly Simplistic

For years, cybersecurity awareness training has hammered home the message: “If a link looks suspicious, don’t click it!” While seemingly straightforward, this advice fails for several key reasons:

  • Sophisticated Phishing Tactics: Cybercriminals are constantly evolving their techniques. They create incredibly realistic emails, text messages, and social media posts that mimic legitimate organizations like banks, online retailers, or even your workplace. These messages are designed to prey on emotions like fear, urgency, or excitement, making it difficult to think rationally.

  • Cognitive Overload: We are bombarded with information daily. Trying to meticulously analyze every link we encounter is mentally exhausting and unsustainable. People simply can’t maintain a state of constant vigilance.

  • Human Error: Everyone makes mistakes. Even the most tech-savvy individual can have a lapse in judgment, especially when they’re stressed, tired, or distracted. Phishing exploits this very human vulnerability.

  • Mobile Device Challenges: Links on mobile devices are often shortened (using URL shorteners like Bitly), making it difficult to discern the actual destination before clicking. This hides the malicious intent.

  • Increasingly Personalized Attacks: Attackers are using more personalized information gleaned from social media or data breaches to craft highly believable phishing attempts. This makes it even harder to spot fake emails or messages.

Beyond “Don’t Click”: A Multi-Layered Approach

The NCSC recognizes that relying solely on users to identify and avoid malicious links is insufficient. A more comprehensive and multi-layered approach is needed:

  • Technology is Key:

    • Email Filtering: Robust email security solutions should be implemented to automatically detect and filter out phishing emails before they even reach users’ inboxes.
    • Link Analysis Tools: Tools that scan links in real-time, highlighting suspicious URLs or redirecting users to a warning page, can provide an extra layer of protection.
    • Multi-Factor Authentication (MFA): Even if a user accidentally clicks a phishing link and enters their password, MFA can prevent attackers from gaining access to their accounts.
    • Endpoint Detection and Response (EDR): Software that monitors endpoint devices (computers, laptops, mobile phones) for suspicious activity and can quickly respond to potential threats.
  • User Education, But with a Twist:

    • Focus on Identifying Phishing Tactics, Not Just Vague Warnings: Instead of simply telling people to “avoid suspicious links,” teach them specific techniques used in phishing attacks, such as:
      • Typos and Grammatical Errors: Legitimate organizations generally have impeccable grammar.
      • Suspicious Sender Addresses: Check the sender’s email address closely. Does it match the organization it claims to be from?
      • Requests for Sensitive Information: Be wary of unsolicited requests for passwords, credit card numbers, or other personal details.
      • Urgent or Threatening Language: Phishers often try to create a sense of urgency or fear to pressure victims into acting quickly.
      • Generic Greetings: Emails that start with “Dear Customer” or “Dear User” are often less personalized and potentially suspicious.
    • Regular Security Awareness Training: Ongoing training helps keep security top-of-mind and ensures users are aware of the latest phishing threats. Make it interactive and engaging, not just a boring lecture.
    • Phishing Simulations: Conducting simulated phishing attacks (with permission, of course) allows users to practice identifying and reporting suspicious emails in a safe environment.
  • Creating a Culture of Security:

    • Encourage Reporting: Foster an environment where employees feel comfortable reporting suspicious emails or links without fear of reprimand.
    • Promote Collaboration: Encourage employees to discuss security concerns and share tips with each other.
    • Leadership Buy-In: Leaders should champion security awareness and set a good example by following security best practices.
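As an added example (not from the NCSC article or this post), the following Python script applies the indicators listed under "User Education" and the shortened-link point under "Mobile Device Challenges" to one constructed sample message. The organisation allow-list, the shortener list and the keyword lists are assumptions that a defender would replace with their own data.

```python
import email
import re
from email.policy import default
from email.utils import parseaddr

# Constructed sample (not from the article) showing several listed indicators:
# mismatched sender, generic greeting, urgency, credential request, short link.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.com>
Subject: URGENT: your account will be suspended

Dear Customer,

We detected unusual activity. Verify your password immediately at
https://bit.ly/3xAmPle or your account will be locked within 24 hours.
"""

# Assumed allow-list: which domains the claimed organisation really sends from.
KNOWN_ORG_DOMAINS = {"example bank": {"example-bank.com"}}
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|locked)\b", re.I)
SENSITIVE = re.compile(r"\b(password|passcode|card number|cvv|pin)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear (customer|user|member|sir/madam)\b", re.I | re.M)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the names of the article's indicators present in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=default)
    found = []
    # Suspicious sender: display name claims an organisation, address domain does not match.
    display_name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    for org, real_domains in KNOWN_ORG_DOMAINS.items():
        if org in display_name.lower() and domain not in real_domains:
            found.append("sender_domain_mismatch")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body is not None else "")
    if GENERIC_GREETING.search(text):
        found.append("generic_greeting")
    if URGENCY.search(text):
        found.append("urgent_language")
    if SENSITIVE.search(text):
        found.append("sensitive_info_request")
    # Shortened links hide the real destination (the mobile-device point above).
    hosts = {re.sub(r"^https?://", "", u).split("/")[0].lower()
             for u in re.findall(r'https?://[^\s<>"]+', text)}
    if hosts & SHORTENER_DOMAINS:
        found.append("shortened_link")
    return found
```

A mail gateway would feed real messages through a function like this and route anything with several hits to quarantine or a warning banner rather than relying on the recipient to notice.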

Moving Forward: A Collaborative Approach

Combating phishing is an ongoing battle that requires a collaborative effort between technology providers, cybersecurity professionals, and end-users. We need to move beyond simplistic advice like “just don’t click” and embrace a multi-layered approach that combines robust technology with effective user education and a strong security culture. By working together, we can better protect ourselves from the ever-evolving threat of phishing attacks.



The AI has delivered the news.

The following question was used to generate the response from Google Gemini:

At 2025-03-13 11:22, ‘Telling users to ‘avoid clicking bad links’ still isn’t working’ was published according to UK National Cyber Security Centre. Please write a detailed article with related information in an easy-to-understand manner.

