Telling users to ‘avoid clicking bad links’ still isn’t working, UK National Cyber Security Centre

by

The Clickbait Conundrum: Why “Don’t Click Bad Links” is Failing Us (Even in 2025!)

You’ve heard it a million times: “Don’t click suspicious links!” It’s cyber security 101, drilled into us by IT departments, news articles, and well-meaning family members. Yet, according to a blog post published by the UK’s National Cyber Security Centre (NCSC) on March 13, 2025, this simple advice still isn’t working.

Why? Because the reality of online threats is far more nuanced than just spotting an obvious scam. Let’s break down why “avoid clicking bad links” is failing and what we need to do instead.

The Problem: Oversimplification and Evolving Threats

The core issue is that “don’t click bad links” is an oversimplification. It assumes users can reliably identify malicious links at a glance, which is increasingly unrealistic due to:

  • Sophisticated Phishing Techniques: Cybercriminals have become masters of disguise. Their emails and websites look incredibly authentic, often mimicking legitimate brands and organizations we trust. They use personalized information, compelling narratives, and a sense of urgency to trick us into clicking.
  • Emotional Manipulation: Phishing attacks often play on our emotions: fear, curiosity, greed, or a desire to help. These emotions can cloud our judgment and make us more likely to click without thinking. Imagine an email claiming your bank account is compromised or offering a “once-in-a-lifetime” deal.
  • Link Shorteners and Obfuscation: Attackers use URL shorteners (like Bitly) to hide the true destination of a link. It’s impossible to tell where you’re going just by looking at the shortened URL. They also use techniques to make malicious URLs look innocent.
  • Mobile Vulnerabilities: Clicking on links on mobile devices is even riskier. Smaller screens make it harder to inspect URLs, and mobile apps often have security vulnerabilities that can be exploited through malicious links.
  • Human Nature: We are inherently trusting and often in a rush. We don’t always have the time or inclination to carefully scrutinize every link we encounter.

Why “Don’t Click” Isn’t Enough

Here’s why simply telling users to avoid clicking bad links is like telling them to “just be good at math”:

  • It places the entire burden on the end-user: It assumes everyone has the time, knowledge, and attention to constantly analyze every link they encounter.
  • It doesn’t address the root cause: It focuses on symptom management (avoiding clicks) rather than addressing the underlying problem of sophisticated phishing campaigns.
  • It’s based on outdated assumptions: The online threat landscape is constantly evolving, while the “don’t click” mantra remains static.

So, What Should We Do? A Multi-Layered Approach

Instead of relying solely on user awareness, we need a more comprehensive, multi-layered approach to combat phishing and malicious links:

  1. Stronger Technical Defenses:

    • Advanced Email Filtering: Implementing more sophisticated email filters that can detect and block phishing attempts before they reach users’ inboxes. This includes analyzing email content, sender reputation, and link behavior.
    • Website Reputation Services: Using services that automatically check the reputation of websites before allowing users to visit them, blocking access to known malicious sites.
    • Multi-Factor Authentication (MFA): Requiring users to provide multiple forms of verification (e.g., password and code from a mobile app) makes it harder for attackers to access accounts even if they steal credentials.
    • Security Software: Employing robust antivirus and anti-malware software to detect and remove malicious files that may be downloaded after clicking a compromised link.
    • Endpoint Detection and Response (EDR): Implementing EDR solutions to monitor devices for suspicious activity and quickly respond to potential threats.

  2. Improved User Education (But with a Twist):

    • Focus on Actionable Advice: Instead of just saying “don’t click,” teach users specific things to look for, such as:
      • Check the sender’s email address: Does it match the claimed sender’s organization? Be wary of slight misspellings or unusual domain names.
      • Hover over links: Before clicking, hover your mouse over the link to see the full URL. Does it look legitimate?
      • Be wary of urgency and emotional appeals: Scammers often try to create a sense of urgency or play on your emotions to trick you into acting quickly.
      • Don’t trust generic greetings: Be suspicious of emails that start with “Dear Customer” instead of your name.
      • Verify requests through alternative channels: If you receive a suspicious email from your bank or another organization, contact them directly through a known phone number or website.
    • Regular Phishing Simulations: Conducting regular phishing simulations to test employees’ awareness and identify areas where training is needed.
    • Promote a Culture of Reporting: Encourage users to report suspicious emails and links to IT security teams.

  3. Focus on the “Why”:

    • Explain the potential consequences: Don’t just say “don’t click.” Explain the potential damage of a successful phishing attack, such as data breaches, financial loss, and identity theft.
    • Show real-world examples: Use real-world examples of phishing attacks to illustrate how they work and how to avoid them.

  4. Collaboration and Information Sharing:

    • Sharing threat intelligence: Sharing information about emerging phishing threats with other organizations and security vendors.
    • Collaborating on research: Collaborating on research to better understand the psychology of phishing and develop more effective countermeasures.

Conclusion

The NCSC’s 2025 report highlights a crucial point: the “don’t click bad links” advice is outdated and insufficient in the face of today’s sophisticated cyber threats. We need to move beyond simplistic warnings and embrace a multi-layered approach that combines stronger technical defenses, improved user education, and a focus on the underlying motivations of attackers. Only then can we truly protect ourselves from the clickbait conundrum.

Telling users to ‘avoid clicking bad links’ still isn’t working

The AI has delivered the news.

The following question was used to generate the response from Google Gemini:

At 2025-03-13 11:22, ‘Telling users to ‘avoid clicking bad links’ still isn’t working’ was published according to UK National Cyber Security Centre. Please write a detailed article with related information in an easy-to-understand manner.


91

Post Views: 36

Leave a Comment