Comment by ipdashc 10 months ago

0 replies

> Don't click on links in email.

Not saying you're wrong per se, but isn't it better summarized as "don't fall for a 'CAPTCHA' that requires you to paste code into the window labeled 'This will run with administrative privileges'"?

This is more of a grumble than a serious comment on security, but agh, it's always bugged me that the metric for failing phishing tests is "clicked on any link in the email" and not, you know, entered credentials into the phish site, or downloaded and opened a file. Like, I get it, it's much easier to teach nontechnical users to simply not click bad links than that other stuff - and browser vulns do exist - but it still vaguely annoys me.

I feel like I've seen countless posts like this one that end in the user entering creds, giving the browser some weird permission, downloading some file (sometimes straight-up an executable), or in this case, running a command. I don't know if I've seen a single one that ends in "and then they clicked the link and it popped a browser 0-day and that was the end of that".

Web browsers are a wide attack surface, yes, but they're also... intended for browsing the Internet. Most people click through links pretty haphazardly as they're doing work or researching a topic. Defense in depth and all, but I feel like a security policy that holds "don't visit any evil websites ever" as a core tenet is pretty flawed.