This is a myth: "Just be smart and you are safe from malware"

struppigel

Moderator
Thread author
Verified
Staff Member
Well-known
Apr 9, 2020
656
This statement bothers me on several levels.

1. It is not true. There are infection vectors you cannot prevent at all.
E.g. supply chain attack --> your favorite trusted software receives an update --> your system is screwed

2. It is presumptuous and arrogant
People who say this are interested in tech and they assume everyone who does not have their knowledge level is stupid.
You cannot expect everyone to be into IT.
Nor does it have to do anything with being smart or stupid.

3. How do they know?
Most malware does not show signs of infection. How do people actually know their systems never got infected?
People who think they can outsmart malware, are often not using an AV that could alert them either.

4. Experts fall into traps
While knowledge about malware can reduce the likelyhood for certain infection vectors to succeed, it is still no 100% protection.
Every single person, no matter how much of an IT expert they are, can be tricked. How do I know? Our company conducted phishing tests.
We are all human and we fail sometimes.
 
F

ForgottenSeer 97327

Agree, completely. I have one experience which amazed me and (nearly) tricked me into entering my bank account and password.

1. I got an e- mail that I needed to confirm my details to get a new bank card

Because I had requested a new bank card (my contactless payment chip did not work any more) and the email looked authentic (it had my bank's e-mail sender address and was formated using my bank's corporate identity, colors, logo and layout) I clicked on the link. At that time to do payments, I needed that chip for an offline two factor authentication passkey calculator which generated a code which I had to enter to confirm a payment. Before my bank provided its users with a mobile app, it was still possible to login to your bank account with bank number and password for auto service (like requesting a new bank card) and secure communication with my bank.

2. When I clicked on the link, I was directed to a HTTP website which seemed like an exact copy of my bank's website.

When I was entering my bank account number, I noticed the padlock was missing (not a HTTPS website). Agitated I stopped entering my details (a confirmation screen) and made a print screen. With a sarcastic remark (regarding the fact it was a HTTP website) I send this screenprint to the general email address of my bank and continue working (at home). I did not enter my details, only the first half of my bank account number.

3. Two hours later (well after 18.00 hour) I was called by my wife (who was a bit angry) telling me our bank account was blocked (and se could not pay gasoline on a tankstation along the highway).

Luckily the tank stations have a fall back process to deal with that sort of situations, so my wife could get home. The next day I called my bank (as soon as they opened during office hours) and ask them why they had blocked our account. I got a service manager telling me they were afraid I had entered my details, because it was possible to change my e-mail address with the password only access to the website (and that were in the process of moving that functionality to more secure, two factor authentication).
 
Last edited by a moderator:

roger_m

Level 41
Verified
Top Poster
Content Creator
Dec 4, 2014
3,014
Some thoughts on this. I believe that is usually very hard to get infected if you keep Windows and vulnerable software updated and are always careful about what files you open. I base that on years of experience. An important point to make, is that I have never said that doing so will prevent infections, just that it will significantly reduce the likelihood of getting infected. On my own computers, the only times that I've got infected is when I've manually opened infected files and I've never got infected just from browsing the web. I make no effort to only visit known and trusted websites. But on an unpatched work computer, I once got infected just from visiting a compromised website.

In my opinion, I think it's much more important to be careful about what files you open, rather than obsessing about finding the best possible security solution.

I would never think that anyone is stupid for having less knowledge than me or for getting infected. I can understand why it's easy for many users to get infected, as they believe that their antivirus is going to keep them protected. For example, if someone opens an infected email attachment which contains ransomware, they are probably going to blame their antivirus for not protecting them, rather than stopping to think that if they hadn't open that file they wouldn't have got infected. Once again, I would never call anyone stupid for that.

Every time one my computers has been infected, I've discovered the infection. It's certainly very possible that a PC can infected and it goes undetected by their antivirus. It's also possible (although less likely) that second opinion scanners will fail to detect the infection too, even if multiple scanners are used. However, surely in time that infection will be detected. I typically go for years between doing clean installs. Surely if I was to get infected, even in the infection was not detected right away, it would get detected eventually.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
Every single person, no matter how much of an IT expert they are, can be tricked. How do I know? Our company conducted phishing tests.
We are all human and we fail sometimes.
Agree and I do know that company tests can be specific created for a vendor/brand with pages/sites/links that is common seen and used in their environment. Makes it more tricky, but also more realistic. It's highly recommended and something well worth in education, but it should be done more then once as for example phishing has evolved extremely much.

Here's a generic test that can help show some of the issues with phishing :

Many people, even hardcore security geeks/nerds also ignore or forget the problem with phones. It's a huge difference being able to catch or prevent an attack on a phone compered with a PC/Mac. Phones are even for professionals re-searchers/analysts extra hard to catch a suspicious complete url, simply because the small screen on a phone. Try hover a link on a phone and be able know where it leads and if one can trust it. It's many times a major pain and very easy by accident click it. When attackers is able to abuse 100% legit services/platforms and infiltrate software/apps that works as intended, but suddenly later becomes malicious, it's not the fault of common users.

Smart, is always the main responsibility of the developer, but even they are people and doing it easy with lazy copy/paste and take shortcuts that easier creates bugs/vulnerabilities.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The statement "Just be smart and you are safe from malware."
is as true as the statement
"You are safe on the road if you are a racing driver." :)

But it is true that if one is security oriented and careful, then the chances of infection can significantly decrease. This is probably just as important as adding more security layers.

There is no evidence that being smart is an advantage in security matters, because many smart people overestimate their abilities and become less careful.:(
 

poopdookie

Level 2
Feb 11, 2021
88
This resonates with me. I had an awful manager years ago who had gotten the first MacOS virus that I had ever heard of at the time. They insisted it couldn't be a virus because all they did was shop/web browse. They let this persist for a week or two. I laughed because every time I walked by their office, weird music was playing from the machine, until they gave up and asked me to look at it.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
The problem these days is that the attackers are well-funded, well-resourced and very professional. Back in the day all you had to worry about the hacker in his basement (Kevin Mitnick) and they were driven by curiosity, adventure and getting a few laughs. Not sure if you are old enough but the internet back in the early/mid/late nineties was a very different landscape which has now evolved into some unrecognizable monster.

There now so many people out there in the industry writing and deploying exploits that it's basically game over. It's no longer the realm of criminals and black hats or security nerds and white hat hackers. Now it's professional hackers (white and black), nation states with hacking crews and surveillance capabilities, criminal groups and hacking tool sellers, and then there are hacking for hire and exploit development and buying companies.

It's the most dangerous time I've seen in 30 years, every app you download, website you visit, security update you download, or every OS update you have to think "Did I just get owned?". I'm not sure even a layered security approach helps these days, it feels like we have lost the battle and the war.

I'm not sure how it ends but it doesn't look positive.
 

Malleable

Level 1
Mar 2, 2021
45
The statement "Just be smart and you are safe from malware."
is as true as the statement
"You are safe on the road if you are a racing driver." :)

But it is true that if one is security oriented and careful, then the chances of infection can significantly decrease. This is probably just as important as adding more security layers.

There is no evidence that being smart is an advantage in security matters, because many smart people overestimate their abilities and become less careful.:(
This. In today's world I find myself amazed I come across people that don't realize you can just hover your mouse over a link and see where it's really sending you. The simplest of first steps. Of course there are means to circumvent this but those come into play only if the link appears legitimate. It's no different than working on a car that won't start. You do the simplest things first: check the plug wires for spark, make sure there's gas in the car and that it's actually getting to the cylinders, and so forth. Only after that do you throw your tools against the wall and pull the motor apart.
 
Last edited:

struppigel

Moderator
Thread author
Verified
Staff Member
Well-known
Apr 9, 2020
656
This. In today's world I find myself amazed I come across people that don't realize you can just hover your mouse over a link and see where it's really sending you. The simplest of first steps.
This is not simple for many people. They might be able to hover over something but then still have no idea what constitutes a legitimate link. We must take those people into account. With security, with software design, with everything we build. There are young children using the Internet unsupervised, there are people with mental disabilities, there are some older people who despise technology but feel forced to use it nowadays. They all might not be able to do what we consider simple even if we train them.
 

Jan Willy

Level 11
Verified
Top Poster
Well-known
Jul 5, 2019
544
Fast all of my relatives and friends still hardly use in private life laptops or pc's. On their phones and tablets works mostly Android. I've never heard someone about a malware infection. It doesn't mean that they aren't at risk. E.g. they could be victim of a phishing site. Is it a bold assumption that the kind of OS is a relevant factor in internet security?
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
struppigel is 100% correct. The whole IT/security industry will continue to fail miserably if we do not include the non-technical or non tech savvy/security minded folks in the solution to malware infections or hacking attempts and attacks. Not everyone has the education, time, money for protection or skills to spot a malware infection, even for us folks who are technically skilled (I don't classify myself as highly skilled) it can sometime be difficult to impossible to know your infected.

On their phones and tablets works mostly Android. I've never heard someone about a malware infection. It doesn't mean that they aren't at risk.

@ The recent Pwn2Own there were zero exploits for Apple and Google phones submitted even though huge prizes were offered. The true story is off course there are exploits for Apple and Google phones, but they are just worth so much on the open market to exploit brokers and governments that they choose not to submit any bugs.
 
Last edited:

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
never heard someone about a malware infection.
3. How do they know?
Most malware does not show signs of infection. How do people actually know their systems never got infected?
People who think they can outsmart malware, are often not using an AV that could alert them either.

Another reason why many don't admit they got infected or hit by an attack, is simply because they are embarrassed and ashamed, and when ridiculed and laughed at it's even worse. That's a major error security geek/nerds do. Pointing fingers and constant name calling 24/7 is not going to help, but much rather risk push people away that needs help. When possible, try to reach out and help instead and if one can't or is unsure how to, at least point them in the right direction.

One of those options:
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Recently, I was in a hurry to test a piece of software and since it was a prev. trusted application, I rapidly clicked thru the installer dialog without reading it. Next thing I know, Google Chrome is snug and warm on my desktop--yikes! Not malware but not a wanted software either. Just one example.

Carelessness, ignorance, curiosity, naivete, absent mindedness, distractions, thinking software never changes its installation parameters--what else? You'd think a brush with malware would teach you a lesson but I've seen companies get hit multiple times. All you can do is do you.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top