The majority of successful attacks are business email compromise. In that context take9 makes sense in my mind because there _is_ responsibility for users to be mindful of clicks.
Not every phishing email can be caught before it reaches users and campaigns to raise user awareness I think are important.
beardedwizard · 16h ago
I think you are drawing the wrong conclusion - users cannot be mindful of clicks, we should live in a world where click is assumed and go from there.
we've been trying "dear user: caveat emptor, every email you get has eg a 0.01% chance of being a security hole" for 30+ years and it's resulted in comprehensive failure.
See also the campaign to make users competent sysadmins of their own devices.
Hell, I almost got got because the morons running our cell networks let anyone text and claim they're fedex. No reason to authenticate a thing like that. I was waiting for a delayed / lost package so it wasn't crazy that fedex would be texting me. If they'd used a better link forwarder domain I probably would have clicked.
kemotep · 18h ago
Good Cybersecurity is a lot like Ogres. It needs to be made up of layers. And like slices of swiss cheese, not each layer is perfect.
End user awareness training is still important. At one point in time everyone didn’t know how to type, let alone read and write. So education, and continuing education will always be important.
An IT department should be able to make it so even if a user clicks a link, gives away their password, and downloads something, the impact should be as minimal as possible. Maybe the user is locked out for half a day and needs to be issued a new computer before they can get back to work. But that is still less disruptive to automate locking them down and requiring manual intervention to unlock than a ransomware event.
fuddy · 11h ago
Good IT security is different than what you describe. You are describing give up the house and hope you can get it back again with probabilistic scanners security. It makes your security team look important because they are incapable of their job.
kemotep · 9h ago
So what is better security? How would a better security team operate?
password4321 · 17h ago
> Good Cybersecurity is a lot like Ogres. It needs to be made up of layers.
I'm going to take a wild guess hoping you meant onions.
Ah well pardon my ignorance then, thanks for filling me in -- I was afraid of something like that.
Shrek is long forgotten for me though I remember the web-based soundtrack player worked for quite a while longer than I expected after the movie website lost any real purpose. Many times it seemed scenes were written to tie in the popular music of the day, or maybe they just had a big licensing budget.
moomin · 17h ago
I’ve come to the conclusion that campaigns like that aren’t intended to improve Cybersecurity, they’re there to deflect responsibility.
HenryBemis · 17h ago
Yes, correct. (try to) Move some of the accountability and guilt to the user.
Also, someone got to shake hands of members of parliament, ministers, senators, governors, mayors, etc. took selfies with Gates, Malala, et al, and created 'content' for their LI profile, and are dubbed 'an influencer of security', and made it to some "30 under 30" list.
Not every phishing email can be caught before it reaches users and campaigns to raise user awareness I think are important.
Why not?
https://daniel.haxx.se/blog/2025/05/16/detecting-malicious-u...
Because deception is easy
See also the campaign to make users competent sysadmins of their own devices.
Hell, I almost got got because the morons running our cell networks let anyone text and claim they're fedex. No reason to authenticate a thing like that. I was waiting for a delayed / lost package so it wasn't crazy that fedex would be texting me. If they'd used a better link forwarder domain I probably would have clicked.
End user awareness training is still important. At one point in time everyone didn’t know how to type, let alone read and write. So education, and continuing education will always be important.
An IT department should be able to make it so even if a user clicks a link, gives away their password, and downloads something, the impact should be as minimal as possible. Maybe the user is locked out for half a day and needs to be issued a new computer before they can get back to work. But that is still less disruptive to automate locking them down and requiring manual intervention to unlock than a ransomware event.
I'm going to take a wild guess hoping you meant onions.
https://www.youtube.com/watch?v=aJQmVZSAqlc
Shrek is long forgotten for me though I remember the web-based soundtrack player worked for quite a while longer than I expected after the movie website lost any real purpose. Many times it seemed scenes were written to tie in the popular music of the day, or maybe they just had a big licensing budget.
Also, someone got to shake hands of members of parliament, ministers, senators, governors, mayors, etc. took selfies with Gates, Malala, et al, and created 'content' for their LI profile, and are dubbed 'an influencer of security', and made it to some "30 under 30" list.
So yes.. :) a proper PR effort.