undefined | Better HN

0 pointsthe84728mo ago0 comments

> which tells you not to click links in emails (which is good advice!).

Hardly. The company shouldn't have XSRF-vulnerable software, if your browser is vulnerable you have bigger problems and what you actually shouldn't do is enter your credentials or download stuff after clicking on that link.

But of course there's an internal "phising test" that penalizes you for clicking on links... links that have been obfuscated by some email-modifying link-tracking security software that makes it nearly impossible to figure out to which domain the link even goes.

0 comments

Hackbraten8mo ago

> what you actually shouldn't do is enter your credentials or download stuff after clicking on that link.

Then why even click on it in the first place (and risk your email address getting flagged as active in some illicit database?)

the8472OP8mo ago

Because the aforementioned built-in link obfuscation makes it hard to even tell if the link goes to one of our work domains. And pretty much all our stuff is behind SSO, so if something asks for creds that's an easier tell than hovering over the link and trying to figure out where it goes. And sometimes they introduce new tools on new domains that may be legit.

Generally clicking on the link is not what gets you compromised (except for some spearphishing involving zero-days...). It's actions following that which might. So they're barking up the wrong tree and penalize people for that. That's just chicanery.

j / k navigate · click thread line to collapse