Konubinix' opinionated web of thoughts

Are IT Guys the One That Undergo Phishing?


Someone told me that in companies, the IT guys are the ones most likely to be targeted by phishing attacks. In my humble opinion, the implicit message is either "even the geeky, tech-savvy guys fall into such traps" or "if the IT guys did their job well, this would never happen".

I would like to temper those interpretations.

First, IT guys are not necessarily geeks or tech savvy, so the jump from "IT guy" to "tech-savvy geek" seems doubtful to me.

In addition, whatever their skills, they are very likely to be given unreasonable orders by their bosses on a daily basis. To me, being used as a mere interface to the authorization server reinforces the habit of simply doing whatever the email says. In big companies, the IT guys have probably never even seen the person issuing the orders.

I don't doubt that a lot of tech-savvy guys working in IT are aware of the web of trust and would gladly use automatic ways of assessing the identity of the one giving orders. It could be some 2FA mechanism, or even a simple cryptographic proof attached to the order itself.
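As an added illustration of what such a "simple cryptographic proof" could look like (this is example code written for this note, not something the author or any company described here uses), the order carries a tag computed with a key that only the person entitled to issue it holds, and the IT side verifies the tag before acting. The issuer name, the shared key, the action text and the 5 minute freshness window are all made up for the example; HMAC with a shared key is used here only because it needs nothing beyond the standard library. In a real deployment, one would prefer per-person signature keys, so that the IT side can verify orders without being able to forge them.

```python
# Added example: an order is accepted only if it carries a valid HMAC tag
# computed with the issuer's key, covers the exact action, and is recent.
import hashlib
import hmac
import json

# Constructed demo key; in practice provisioned out of band, one per issuer.
SHARED_KEYS = {"cto": b"demo-secret-only-for-this-example"}
MAX_AGE_SECONDS = 300  # assumed freshness window against replayed orders


def _canonical(payload: dict) -> bytes:
    # Deterministic encoding so issuer and verifier tag the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_order(issuer: str, action: str, issued_at: int, key: bytes) -> dict:
    """What the person giving the order would produce (with their own key)."""
    payload = {"issuer": issuer, "action": action, "issued_at": issued_at}
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "tag": tag}


def verify_order(order: dict, now: int, keys=SHARED_KEYS) -> tuple[bool, str]:
    """What the IT side runs before obeying. Returns (accepted, reason)."""
    key = keys.get(order.get("issuer"))
    if key is None:
        return False, "unknown issuer"
    tag = order.get("tag")
    if not isinstance(tag, str):
        return False, "missing tag"
    payload = {k: order[k] for k in ("issuer", "action", "issued_at") if k in order}
    if len(payload) != 3:
        return False, "malformed order"
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak tag bytes via timing.
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    issued_at = payload["issued_at"]
    if not isinstance(issued_at, int) or abs(now - issued_at) > MAX_AGE_SECONDS:
        return False, "stale order"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    order = sign_order("cto", "reset password of alice", now, SHARED_KEYS["cto"])
    print(verify_order(order, now))
    forged = dict(order, action="reset password of bob")  # body edited, tag kept
    print(verify_order(forged, now))
```

The point of the check is that an email saying "the CTO wants alice's password reset" carries no proof at all, whereas an order whose tag no longer matches once a single character of the action changes cannot be produced by someone who merely knows the CTO's name.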

But, for some reason, those ways of increasing the security of human exchanges are not really used by the ones giving orders. That means that verifying the identity of the one giving an order would not only take much energy, but would also get you seen as a nerd without any social skills. Add to that the fact that people really do not like to wait for their orders to be carried out, and the time spent gathering evidence of their identity would, in most cases, only increase the impression of incompetence.

Therefore, the tech-savvy IT guys are likely to eventually fall into learned helplessness and simply follow those orders without even checking their validity, which is a good opportunity for phishers.

My point here is not to defend IT guys, but to mitigate the possible interpretation that IT guys would have fallen naively into seemingly obvious traps like those, all things being equal.

In conclusion, I would argue against the statement that IT guys are the ones being phished, which to me suggests that we could fix the IT guys. I would rather say that the companies are being phished and the IT guys are just the interface through which it happens; it is the whole company's state of mind that is likely to need fixing to avoid such issues.