It’s true I have a problem with wrapping

At PhishCloud we believe that people are vital in helping prevent phishing. These are some of the reasons why we have a different approach.


Not just with wrapping presents! But this new trend in cyber-security of wrapping links in an email is bothersome. Cyber-security has come a long way over the years. Most of the doors that hackers were able to walk into have been closed, if not locked, at this point. The next logical step for hackers is to go towards the path of least resistance – people. For many years, when it comes to protecting people from phishing and other attacks, cyber-security has been waging a zero-sum war that has been failing. By zero-sum war, I mean that if the sum of attacks that make it through the defense mechanism to the person isn’t zero, then it is a failure. At PhishCloud we have worked with many companies that have done a great job configuring their gateway product to reduce the number of potentially malicious emails that get to the user from 15% to 7%. In a traditional defect reduction scenario, that is a great accomplishment! In the zero-sum war that they are involved in, it is still a defeat!

The next step is to train people. This is an important part of cyber-security and always will be! As a part of that training, along with looking for the many indicators that might tip people off that an email isn’t valid, we teach people how to hover over a link and look down at the right side of the screen to see where that link is taking them. If it isn’t going where you were expecting, don’t click on it, and maybe even send it to the Security Teams for review! Let’s not discuss shortened links, redirects, or security team staffing issues in this article! It’s a great practice, and even with our PhishCloud technology automatically highlighting links for me, I still use that trick out of habit.

And then comes the latest in the cyber-security protection plan – wrapping a link.  Now when a link is detected some products are putting a wrapper around the link.  The wrapper is attempting to do some good things, but I have three basic issues with it.  1) It is taking away that powerful tool the user has in hovering and seeing where that link is going!  Now when you hover over the link and look to the lower right you see:

Great! If you’re a developer and you understand encoded links, you can probably tell where that link is going to take you. But what about the people you are trying to protect from a potential phishing attempt? And then I am told – “if we think it’s bad, we take it to a separate page instead of taking the user to the destination.” And there is objection 2): the zero-sum war is still raging, because as soon as the system fails to flag a link that really is bad, the war is lost. And, let’s be brutally honest here, if they knew that was a bad link they would have blocked it at the gateway or thrown it into SPAM already. What is so magical about that short amount of time from the email gateway assessment to when a user clicks on it?

And that brings me to issue 3) with wrapping links – the false sense of security. We are telling people that we have built additional layers of security and protection around them when we really haven’t.  In that false bubble of feeling protected users are going to click on things that they might not have in the past.  And worse, in many cases the user will be the one blamed and held responsible for being a victim of phishing even though we have made it harder for them to be safe instead of enabling them to be successful.

At PhishCloud, we think there is a better way. With that same link above, if you right-click on it from anywhere, we will tell you exactly where the destination is for the link you’re about to click on. Not only do we unwrap wrapped links, we also follow redirects to the destination, so even with shortened links a person can see where they are going. We also combine several sources of information with our AI to tell you whether that site is known safe, malicious, or, most importantly, somewhere in the middle. And not just in email, but anywhere in your browser, as well!
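To make the unwrapping step concrete, here is an added example (not PhishCloud's code) that recovers the destination from a wrapped link so it can be shown to the user in place of the wrapper. It assumes the wrapper carries the destination percent-encoded in a query parameter; the wrapper hosts and sample links are constructed, and following redirects for shortened links is left out because it needs a network request.

```python
from urllib.parse import urlsplit, parse_qsl, unquote, quote

# Constructed wrapper hosts for this example; a real deployment would list
# the hosts its own mail-security product rewrites links to.
WRAPPER_HOSTS = {"wrap.example.test", "wrap2.example.test"}
MAX_DEPTH = 5  # stop if wrappers are nested suspiciously deep

def _host(url):
    try:
        parts = urlsplit(url)
        return parts.hostname if parts.scheme in ("http", "https") else None
    except ValueError:  # malformed authority, e.g. an unclosed "[" in the host
        return None

def _embedded_url(value):
    """Return the value as an absolute http(s) URL, or None if it is not one."""
    # parse_qsl has decoded once; also accept one extra layer of %-encoding.
    for candidate in (value, unquote(value)):
        if _host(candidate):
            return candidate
    return None

def unwrap(url, depth=0):
    """Peel query-string wrappers (offline, no requests) to the innermost URL."""
    if depth >= MAX_DEPTH or _host(url) not in WRAPPER_HOSTS:
        return url  # not a wrapper: a login link with a return URL stays as-is
    for _name, value in parse_qsl(urlsplit(url).query):
        inner = _embedded_url(value)
        if inner:
            return unwrap(inner, depth + 1)
    return url  # wrapper host but no recoverable destination

def describe(url):
    """Hover text for the user: the host displayed vs. the real destination."""
    final = unwrap(url)
    return {"wrapped": final != url, "shown_host": _host(url),
            "destination": final, "destination_host": _host(final)}

# Constructed samples (not real wrapped links).
DEST = "https://login.example.org/reset?id=42"
SINGLE = "https://wrap.example.test/v1/click?u=" + quote(DEST, safe="") + "&sig=abc123"
NESTED = "https://wrap2.example.test/c?url=" + quote(SINGLE, safe="")
DOUBLE_ENCODED = "https://wrap.example.test/v1/click?u=" + quote(quote(DEST, safe=""), safe="")
PLAIN = "https://login.example.org/start?return=" + quote("https://app.example.org/", safe="")

if __name__ == "__main__":
    for link in (SINGLE, NESTED, DOUBLE_ENCODED, PLAIN):
        print(describe(link))
```

Restricting the unwrap to known wrapper hosts keeps ordinary links that carry a return URL from being reported as wrapped.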

That is one of our many features designed to live with a person as they interact with the internet!  If you’re interested in seeing cyber-security designed for people, check us out at or give us a try for 14 days for free!
