Bad Cybersecurity Advice

Don't scan QR codes! Use an email to log in! Look for misspellings in emails! Just stop, please?

Image by Gerd Altmann from Pixabay

As an industry, we're still training end users at kindergarten levels of cybersecurity advice:

  • Never scan a QR code!
  • Don't click on links in email!
  • Look for bad spelling and grammar to identify phishing attempts!

Every one of these is great advice. But then each and every company that trains its employees with this advice goes ahead and:

  • Puts QR codes on their promotional materials.
  • Uses email links for password reset processes, or as part of outreach to both employees and customers.
  • Lets people send email on the company's behalf that has spelling, grammar, and punctuation errors in it.

This is the cybersecurity equivalent of telling your grade school child not to run with scissors while you're carrying that carving knife back and forth across your kitchen even though the roast is still in the oven. We need to do a better job of modeling the behavior we're proposing, adjust our behavior when we create content on behalf of the company, or recognize that our training has to be significantly more nuanced than this.

The best place to start is with an examination of some of the Sith-like[1] absolute statements we make as cybersecurity trainers, and better options for training adults who, at this point, have lived their entire professional lives - if not their entire lives - with computers and the Internet.

Absolutes To Move Past

Never Scan a QR Code

The impetus behind this advice is easy to understand. QR codes can't be decoded by the untrained eye, and they can contain a variety of content, including a vCard, plain text, a Wi-Fi network login, a URL, and several other things. Of course, anybody who went out to a restaurant in the wake of COVID was compelled to scan a QR code in order to see the menu, and anybody who has been to a convention in the past five years has gotten a badge with a QR code on it for all the vendors to scan.

The reality is, scanning QR codes is relatively safe. Both Apple and Android do a nice job of previewing the content of the code before you choose to actually follow the URL, accept the vCard, etc.

Of course there are some risks. Ignoring the information your phone provides about the QR code and just clicking "open" is a bad plan. Scanning a QR code that looks like it was placed to cover up a legitimate QR code is more likely to get you a malicious URL to go to. But I think the utility of QR codes outstrips the danger they introduce.
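The preview step described above is the part that matters. The following is an added example, not code from the original post, of what a "look before you open" preview looks like once a QR code has been decoded to a string: it classifies the payload (Wi-Fi login, vCard, mailto, URL or plain text) and, for URLs, surfaces the host that will actually be contacted along with the red flags a phone's preview should make obvious. It assumes decoding has already happened (the phone camera or a library does that); the sample payloads are constructed for illustration.

```python
"""Preview a decoded QR payload before acting on it (added example, not the post's code)."""
import ipaddress
from urllib.parse import urlsplit


def _parse_wifi(payload: str) -> dict:
    # Format: WIFI:T:<auth>;S:<ssid>;P:<password>;H:<hidden>;;
    # Fields are ';'-separated; escaped '\;' inside values is not handled here.
    fields = {}
    for part in payload[len("WIFI:"):].split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key] = value
    # The password is deliberately not echoed back; only whether one is present.
    return {
        "kind": "wifi",
        "ssid": fields.get("S", ""),
        "security": fields.get("T", "nopass"),
        "has_password": bool(fields.get("P")),
    }


def _parse_vcard(payload: str) -> dict:
    # Only the formatted name (FN:) is needed for a preview.
    name = ""
    for line in payload.splitlines():
        if line.upper().startswith("FN:"):
            name = line[3:].strip()
            break
    return {"kind": "vcard", "name": name}


def _preview_url(payload: str) -> dict:
    # Show the host the browser will really connect to, plus the classic
    # tricks a preview should expose: credentials before '@', punycode, raw IPs.
    parts = urlsplit(payload)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        warnings.append("credentials embedded before host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode hostname")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address host")
    except ValueError:
        pass
    return {"kind": "url", "scheme": parts.scheme, "host": host, "warnings": warnings}


def classify_payload(payload: str) -> dict:
    """Return a preview dict for one decoded QR payload string."""
    text = payload.strip()
    upper = text.upper()
    if upper.startswith("WIFI:"):
        return _parse_wifi(text)
    if upper.startswith("BEGIN:VCARD"):
        return _parse_vcard(text)
    if upper.startswith("MAILTO:"):
        return {"kind": "mailto", "address": text[len("mailto:"):].split("?", 1)[0]}
    if upper.startswith(("HTTP://", "HTTPS://")):
        return _preview_url(text)
    return {"kind": "text", "preview": text[:80]}


# Constructed sample payloads (not real QR codes from the post).
SAMPLES = [
    "https://menu.example.com/today",
    "https://accounts.example.com@evil.example/login",
    "http://192.0.2.10/menu",
    "WIFI:T:WPA;S:CoffeeShop;P:s3cret;;",
    "BEGIN:VCARD\nVERSION:3.0\nFN:Jane Doe\nEND:VCARD",
    "mailto:info@example.com?subject=hello",
    "Table 12",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_payload(sample))
```

The point of the URL branch is that "open" should be a decision made on the host the device will contact, not on the text that happens to appear first in the code; the second sample shows why.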

Don't Click on Links in Email

Let's just do a quick audience participation exercise. Please, open up your email application. Please just look through the most recent 20 emails you got from commercial senders - including from your coworkers if they were business related. How many of those 20 have zero links in the body of the email? My bet is the count is less than 2, given that most corporate email systems put a company signature block at the bottom that includes at least a "mailto:" link (which is why your email address in your signature block looks blue and is underlined).

OK, so clearly we can't tell users to not click links - it turns out that online commerce wouldn't work without them. (How odd that an entire online system predicated on linking from one site to another wouldn't work efficiently without links...) Yet that's still the base level of advice. I think we can do better with more nuanced recommendations and more consistent behavior, don't you?

Misspellings and Bad Grammar Are Phishing Tip-Offs

We're in a period in history where "k" is an accepted response to a text message. Where new slang words are being made up every day. And where, at least in this country, we communicate in what is objectively one of the least logical languages, in both vocabulary and syntax, in the world: English.

Anybody who has read any of my posts - this one probably included - will recognize some bad grammar and some transposed words (which vs. witch, that sort of thing) because spell-check is currently better than grammar check in browser-based editing. Likewise, I've sent some fantastically poorly proofread emails in my time, and I'm not done writing emails by any means.

How many legitimate marketing emails have you gotten where you were misgendered because somebody's mail merge didn't work right? Or you were addressed as a variable like $recipient_name? These things happen all the time, but we are suggesting that somehow these items are signs that the email may be malicious?

On the other side of the coin, aren't we giving people a false sense of security that a well written email is likely safe? (Of course, if we're not clicking links anyway, perhaps this is a moot[2] point?)

This same attitude is beginning to permeate AI generated video and audio scams - we're telling people that these technologies are flawed and there are obvious tells - profile views don't work in video, audio has noises in it and choppy speech patterns, etc. What happens when the tech for these is as flawless as Hollywood makes it already seem?

Don't Write Down Your Passwords

Image by Gerd Altmann from Pixabay

I'm willing to bet you're rage reading this section. "Of course you shouldn't write down passwords! What kind of moron are you?" I will take someone writing down complex, unique passwords for every system they interact with any day over reusing a weak password because it is easier to remember. Yes, I mean that. Of course, I'd much rather you use a quality password manager, but if you have a good place in your home, like a safe, to put these passwords in, that's a compromise I'm happy to accept. This is about the lesser of several risks, and hands down the risk of password reuse outweighs the risk of a list of passwords.

Password length requirements go up every few years. In my ~20 years in this field we've gone from recommending 8 character passwords to 12, and I fully expect us to add an additional character at a faster rate than 1 every 5 years in the next few years - until and unless we can retire passwords.

And Many More

Is it really important to encrypt your personal laptop's drive? Is your data at risk every time you plug into an airport or hotel USB charger? Is your keyless entry system going to get used to steal your car while you sleep? Do you need to have an RFID blocker wallet to keep your credit card from getting cloned?

There are more out there. There's plenty of FUD and bad advice to go around. So what should we do instead?

Moving Forward

Let's stop insulting our peers' intelligence. These are complicated topics, and blanket "don't touch the stove, it is hot" guidance is not appropriate. It never was, but as an industry we're all maturing together.

But most importantly we need to remember this: even the most vigilant among us, the most security literate, and the most wary are going to make a mistake, be inattentive, or get taken in and compromise security somewhere along the way. As cybersecurity professionals, as an industry, we have to have controls in place to prevent that "oops" from turning into a front-page "oh crap" story.

Food for thought as you're preparing that Cybersecurity Awareness Month curriculum - and the rest of the year too.


[1] A wise Jedi states in one of the Star Wars movies that "only a Sith deals in absolutes." Besides the obvious logical fallacy there, we can recognize that absolutes are not as helpful as we might hope.

[2] Contrary to Joey Tribbiani's belief, this is not a "moo" point.