This week #phishing was in the headlines again as we learned that over one million Gmail users had received a fraudulent Google Docs sharing request: https://threatpost.com/1-million-gmail-users-impacted-by-google-docs-phishing-attack/125436/
While #InfoSec professionals generally agree that employee training is one way to raise awareness of this type of attack, there is still a lot of room to learn with regard to phishing education best practices, with one EU-based study asserting: “There is a lack of empirical data on the consequences of using deception in organizational phishing studies.” (https://ethicalencountershci.files.wordpress.com/2016/03/chi2016_workshop_ethicalphishing_cameraready_final.pdf)
We know that email users are sometimes tempted by the lure of easy money, as in the now ubiquitous “I’m a prince & I won the lottery!” type scams. Others may have their cognitive judgment impaired by the use of emotionally loaded words. Here is a link to a list of words that are considered to be emotionally persuasive: http://www.thepersuasionrevolution.com/380-high-emotion-persuasive-words/
Some legal professionals focus on bringing or defending suits for pecuniary losses associated with, for example, the identity theft that sometimes follows a data breach, or on compliance with data protection regulations generally. Implicit in these types of legal actions is some form of culpability on the part of the hacked entity (“failure to exercise reasonable care in protecting… information”).
However, phishers often use well-known brand names without authorization. The perpetrator of the latest news-grabbing phishing attack is unlikely to have a licensing agreement with the brand they are purporting to be. Phishing attacks may thus also, at least tangentially, be diminishing the value of those brands, with no fault at all attributable to the damaged brand.
What do you think is the best method of redress for the copyright and trademark holders who are harmed when the value of a global brand is affected by a criminal phishing spree?