A recent article from Naked Security said that people ignore legitimate security warnings on their computer a whopping 87% of the time. But on the flip side, I know from experience that a good percentage of people will fall for a pop-up of the fake tech support variety all too often. What is going on here?
What seems to be the consensus is that people are overwhelmed by the number of security warnings, and tend to tune them out. Also, many security warnings are a bit obscure, written in a technical style that is not really all that informative. Also, people are usually in the middle of doing something and the security warning is seen as a distraction, intrusion, or time sink.
The fake browser pop-ups supplied by purveyors of fake tech support, on the other hand, are usually pretty explicit and clear. You have a problem, please call this number for help. And they do seem to get people to drop everything and take immediate action.
What I often tell participants in the cybersecurity awareness training session that I teach is that one of the best things you can do is Google for an answer. Got a confusing pop-up box, not sure what to do or whether it is important? Type the text into Google and see what comes back. This is an easy way to verify and understand the legitimate messages, and the fake pop-ups will be correctly identified as a scam. Give it a try the next time you get a confusing message from your computer.
And a word to our friends in software development. Take a look at the fake pop-ups provided by the cyber-scammers. This is how you write a message to be informative and compelling. Maybe if the alerts and warnings were more explicit and descriptive? “A program wants to do blah blah.” What program? Is it a program I am using, or some piece of malware I just downloaded? Come on, guys and gals, time to step up and make these little jewels useful.
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com