IT pros repeatedly tell end users never to click on suspicious links. And this is a warning that should always be heeded! Consider that:
- 90% of all data breaches are linked to phishing attacks.
- 95% of businesses that experienced a phishing-related breach in 2021 suffered losses between $250 and $984,855, and the median loss amount was $30,000 (i.e. half of all victims lost more than $30,000!).
- 65% of hacker groups use phishing as their primary infection vector.
In light of these alarming statistics, it is not surprising that the Devolutions State of Cybersecurity in SMBs in 2021-22 Survey revealed that phishing is among the top three cyberthreats that SMBs are most concerned about.
However, there is more to the story that is extremely relevant for IT pros who have lost count of how many end users they have warned never to click on suspicious links: IT pros should never click on them, either!
The Hidden Dangers of Clicking Suspicious Links
When they come across a suspicious link (ideally because it was shared by an attentive and well-trained end user!) some IT pros will go ahead and click it. This is certainly NOT because they are careless or reckless. Rather, it is because they want to investigate and determine if the link is legitimate.
In theory, this practice makes sense. But in reality, some experts believe that this is a big mistake — because there are hidden dangers in clicking suspicious links that even some IT pros may not know about. These include:
- If a vulnerability exists in a browser, then hackers may be able to execute all kinds of dangerous actions. In some cases, they can even obtain remote permanent access to an endpoint.
- IT pros who click a suspicious link, but do not lose control of their browser, should not necessarily breathe a sigh of relief. Limited control of a browser (or more technically, its contents) still vastly expands the attack surface, and gives hackers many ways to obtain information. JavaScript pop-ups are a prime example.
- Even if hackers fail to exploit known vulnerabilities in a browser, they can still capture information on the device model, OS, hardware, IP address, browser version, and certain cookies that are not protected by the same origin policy (this can be especially severe if there are sensitive cookies that are not secure). This provides hackers with valuable intelligence that can be used for future campaigns. For example, if they know what version of Chrome a victim is using, they can target zero-day exploits. Or they can exploit vulnerabilities in extensions. Keep in mind that an investigation by security firm Awake discovered more than 100 malicious and fake Google Chrome browser extensions that (before they were removed) were downloaded around 33 million times. And HowToGeek.com warns that “browser extensions are a privacy nightmare.”
  And there is still more to the story: clicking a malicious link could lead to being tracked and profiled across the Internet. For example, hackers can mine Facebook, Instagram, LinkedIn, and other accounts to learn more about potential victims — including where they work and what they do. Potential victims may also start to receive text messages, private emails, and phone calls. This information could also be used for spear phishing campaigns that target specific individuals.
- A common tactic that telemarketing scammers use is automatically dialing multiple numbers, and then disconnecting as soon as the call is picked up. The purpose is to confirm that a number is active and answered by a real person. Well, phishing hackers use the same playbook. The very act of clicking a link can confirm that a potential victim exists. This could open the floodgates to many more phishing attempts in the future — and not just against a particular individual, but against individuals throughout the organization.
- Clicking a suspicious link can trigger an automatic download. Granted, as long as the file is not opened the risks are minimal — but they still exist!
- Some IT pros may not worry too much about clicking a suspicious link, because they can easily spot a fake landing page. But… can they? Maybe not! Back in September 2019, we asked the IT pros in our community to describe the most realistic hacking attempt they ever experienced. Many shared that some phishing campaigns, particularly those involving well-known brands like Microsoft and Amazon, were remarkably authentic-looking.
- Let us not forget about notorious drive-by-download attacks, which have been around for so many years for a simple reason: they work! Yes, in addition to clicking the link, it is also necessary to accept the SmartScreen (or similar) warning. But some IT pros who are tricked by very well-developed campaigns may bypass this warning.
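The defensive alternative to "click it and see" is to inspect the link from its text alone, so that no request ever reaches the sender. The following Python helper is an added example (not from the original post or from Devolutions): it parses a URL without fetching it and reports the signals the list above warns about, in particular the long per-recipient token whose mere retrieval would confirm that the mailbox is live, plus raw-IP hosts, punycode (lookalike) labels, embedded credentials and open-redirect style parameters. The parameter names, length and entropy thresholds, and the sample URLs are assumptions constructed for this example.

```python
import ipaddress
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumed heuristics for this example; tune them to your own mail stream.
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "goto", "target", "dest"}
TOKEN_MIN_LEN = 16       # values shorter than this are rarely recipient identifiers
ENTROPY_MIN_BITS = 3.0   # per-character Shannon entropy; random ids score high


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of a string (0 for the empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_like_tracking_token(value: str) -> bool:
    """Heuristic: long, mixed letter/digit, high-entropy values usually identify
    the recipient (hex ids, base64 blobs, UUIDs without dashes)."""
    return (
        len(value) >= TOKEN_MIN_LEN
        and re.fullmatch(r"[A-Za-z0-9_\-=%.]+", value) is not None
        and re.search(r"[A-Za-z]", value) is not None
        and re.search(r"[0-9]", value) is not None
        and shannon_entropy(value) >= ENTROPY_MIN_BITS
    )


def host_is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address instead of a domain name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_link(url: str) -> dict:
    """Return offline findings about a URL. Never performs a network request."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme not in ("http", "https"):
        findings.append(f"unusual scheme: {parts.scheme or '(none)'}")
    elif parts.scheme == "http":
        findings.append("plain http: any cookies or form data would travel unencrypted")
    if host_is_ip_literal(host):
        findings.append("host is a raw IP address rather than a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host (possible homograph lookalike)")
    if parts.username or parts.password:
        findings.append("credentials embedded before the host (URL spoofing trick)")

    token_locations = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in REDIRECT_PARAMS:
            findings.append(f"open-redirect style parameter '{key}' -> {value}")
        if looks_like_tracking_token(value):
            token_locations.append(f"query:{key}")
    for segment in parts.path.split("/"):
        if looks_like_tracking_token(segment):
            token_locations.append("path")
    if token_locations:
        findings.append(
            "per-recipient tracking token(s) in " + ", ".join(sorted(token_locations))
            + ": opening the link would confirm this mailbox is live"
        )

    return {"host": host, "findings": findings, "tracking_tokens": len(token_locations)}


if __name__ == "__main__":
    # Constructed sample URLs (documentation/TEST-NET addresses, not real campaigns).
    for sample in (
        "http://203.0.113.5/login?next=https://example.com&uid=a1b2c3d4e5f60718a9b0c1d2e3f40516",
        "https://www.example.com@203.0.113.5/secure/verify",
        "https://www.example.com/blog/phishing-tips?ref=newsletter",
    ):
        result = triage_link(sample)
        print(sample, "->", result["findings"] or ["no offline findings"])
```

A link that comes back with no findings is not thereby safe; the point of the helper is to pull out what can be learned without touching the attacker's server, so that the "confirmed live" and fingerprinting side effects described above never happen during the investigation.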
Keep Your End Users Informed — and Safe
As an IT pro, you may be aware of these reasons for not clicking suspicious links. Even so, reflecting on the fundamentals never hurts. As author and leadership guru John Maxwell advises: “Reflective thinking turns experience into insight.” And when it comes to cybersecurity and IT security, the more insight the better!
In addition, we encourage all IT pros to share with their end users these seven reasons for not clicking suspicious links. Indeed, some end users — including those at the management level — still do not understand WHY clicking suspicious links is such a bad move. Once they are informed, then they can be part of the cybersecurity solution, instead of unintentionally contributing to the problem.
The Final Word
Steering clear of suspicious links will not 100 percent eliminate the threat of phishing — because unfortunately nothing can achieve that ideal. But it will shrink the size of the attack surface, and potentially reduce the frequency, size, and severity of cyberattacks. This is a critical objective, and one that IT pros can be proud of spearheading.
What’s Your Opinion?
We noted above that some experts think that IT pros should never click on suspicious links. But other experts believe that it is not necessarily ill-advised, provided that certain precautions are taken. There is considerable debate on this topic (including a very interesting and at times rather heated Slack conversation among IT pros that inspired this article!). Please share your opinion and advice. Where do you stand on this issue?