Behold, the spear phish that just might be good enough to hook you

It's mostly because there's a complete programming language and environment embedded in word. This seemed like a good idea in '95, well to some, because you could do REALLY cool things with it, and who was going to to embed a virus in the corporate network? No-one, that 's who. And look how Tim made this cool automatic link with the billing software, it fills in everything automatically, you only have to press print!

Also, people won't mail word documents solely containing cat gifs to random friends, that's crazy.

Applying the pressure of a threatened lawsuit is going to be hard to overcome with training.

I'd love to move everyone I provide tech support for over to Google Docs or iPads. Maybe both.

Eh. Speaking as someone who deals with angry customers seeking restitution on a somewhat regular basis, a person writing up a letter in Word, emailing it, and then calling to see if it's being addressed nearly immediately is not something that I would consider out of the ordinary. I've got a complaint on my desk right now that was filed with an agency that gave us 30 days to reply, with the person checking with that agency 3 days later, wondering why we hadn't responded yet.

Customers who feel like they've been wronged can be VERY tenacious, with very little regard to the idea that you've got other things to do besides dedicate all your attention to solving their issue immediately. This sort of thing very much taps into that social engineering nerve, relying on the idea that an employee is going to want to nip this issue in the bud, so they'll toss aside their normal suspicions in the name of getting this obnoxious person out of their hair.

The industry has been blaming users for its fragile security designs for decades. If this was going to work, we'd know by now.

Going through your advice point by point:
1. I first got a forged email using the address of someone I did know sometime in the mid-90s. This is easily bypassed by all but the laziest spammer unless you drop all emails without positive SPF/DKIM confirmation and are willing to live with the pain that causes. Maybe an antisocial hermit can do this but a lot of people have to get mail from vendors, clients, etc.
2. Antivirus is good for catching known attacks. Unfortunately an attacker can simply tweak their payload repeatedly until it no longer triggers and send that. It doesn't help if your AV signature updates 2 days after the exploit.
3. This is repeating #1: it only works when the attacker isn't trying.

None of what you said is exactly wrong, it's just not helpful for people in the real world faced with all but the laziest of attackers, not to mention the unrealistic time and skill requirements for a routine activity with a 99.99% rate of not being an attack.

In a spear phishing attack, someone's going to do things like check your org chart, LinkedIn, etc. and the email is going to pass all of your checks because they picked the assistant CFO and had someone fluent write the message telling you to check this year's expense policy - they might even find a real doc on your website and use that to look extra realistic. In that scenario AV is even less useful than normal because in addition to being able to confirm their ability to evade AV first, the attacker isn't sending millions of messages and might go awhile without an AV vendor getting a copy.

What does help is defense in depth: install updates promptly, use a least-privilege environment to reduce what a successful attack can access, disable things like Office macros even if you have to find an alternative for some internal users, have enough monitoring to catch an attack soon after it succeeds, deploy two-factor authentication, etc.

The problem is that this costs more money than most places are willing to spend and so we see a lot of attempts to dump responsibility off on people who aren't given the support they need to have a fighting chance, not unlike the way everyone love to tell us how to prevent identity theft because the alternative would be large companies having to pay for their negligent business practices.

Oh come on. You're totally overlooking the thousands of cases where someone DOES get sent an attachment of some kind and gets a phone call "following up". That's a normal thing in offices. Is it efficient? Is it safe? No. Is it easy to spearphish and abuse? Absolutely. But also, it's the norm. People email and open Word docs and other attachments constantly. The problem is shitty software like Word with tons of security holes.

It's mostly because there's a complete programming language and environment embedded in word. This seemed like a good idea in '95, well to some, because you could do REALLY cool things with it, and who was going to to embed a virus in the corporate network? No-one, that 's who. And look how Tim made this cool automatic link with the billing software, it fills in everything automatically, you only have to press print!

Also, people won't mail word documents solely containing cat gifs to random friends, that's crazy.

Applying the pressure of a threatened lawsuit is going to be hard to overcome with training.

I'd love to move everyone I provide tech support for over to Google Docs or iPads. Maybe both.

Eh. Speaking as someone who deals with angry customers seeking restitution on a somewhat regular basis, a person writing up a letter in Word, emailing it, and then calling to see if it's being addressed nearly immediately is not something that I would consider out of the ordinary. I've got a complaint on my desk right now that was filed with an agency that gave us 30 days to reply, with the person checking with that agency 3 days later, wondering why we hadn't responded yet.

Customers who feel like they've been wronged can be VERY tenacious, with very little regard to the idea that you've got other things to do besides dedicate all your attention to solving their issue immediately. This sort of thing very much taps into that social engineering nerve, relying on the idea that an employee is going to want to nip this issue in the bud, so they'll toss aside their normal suspicions in the name of getting this obnoxious person out of their hair.

The industry has been blaming users for its fragile security designs for decades. If this was going to work, we'd know by now.

Going through your advice point by point:
1. I first got a forged email using the address of someone I did know sometime in the mid-90s. This is easily bypassed by all but the laziest spammer unless you drop all emails without positive SPF/DKIM confirmation and are willing to live with the pain that causes. Maybe an antisocial hermit can do this but a lot of people have to get mail from vendors, clients, etc.
2. Antivirus is good for catching known attacks. Unfortunately an attacker can simply tweak their payload repeatedly until it no longer triggers and send that. It doesn't help if your AV signature updates 2 days after the exploit.
3. This is repeating #1: it only works when the attacker isn't trying.

None of what you said is exactly wrong, it's just not helpful for people in the real world faced with all but the laziest of attackers, not to mention the unrealistic time and skill requirements for a routine activity with a 99.99% rate of not being an attack.

In a spear phishing attack, someone's going to do things like check your org chart, LinkedIn, etc. and the email is going to pass all of your checks because they picked the assistant CFO and had someone fluent write the message telling you to check this year's expense policy - they might even find a real doc on your website and use that to look extra realistic. In that scenario AV is even less useful than normal because in addition to being able to confirm their ability to evade AV first, the attacker isn't sending millions of messages and might go awhile without an AV vendor getting a copy.

What does help is defense in depth: install updates promptly, use a least-privilege environment to reduce what a successful attack can access, disable things like Office macros even if you have to find an alternative for some internal users, have enough monitoring to catch an attack soon after it succeeds, deploy two-factor authentication, etc.

The problem is that this costs more money than most places are willing to spend and so we see a lot of attempts to dump responsibility off on people who aren't given the support they need to have a fighting chance, not unlike the way everyone love to tell us how to prevent identity theft because the alternative would be large companies having to pay for their negligent business practices.

Oh come on. You're totally overlooking the thousands of cases where someone DOES get sent an attachment of some kind and gets a phone call "following up". That's a normal thing in offices. Is it efficient? Is it safe? No. Is it easy to spearphish and abuse? Absolutely. But also, it's the norm. People email and open Word docs and other attachments constantly. The problem is shitty software like Word with tons of security holes.