The File Everyone Clicks

I don’t know what to say really.

This week I’ve been running a fever, and when my machine needed to restart for an “essential” update during the working day I couldn’t cope. Do I really need to update now in the middle of a meeting because Apple’s security update is so completely essential that it’s more important than my work?

I guess our crack security team have made the decision that they needed to “check” that security update for a week (instead of deploying it immediately) and then decided that 10am on Wednesday is the optimum time for an enforced upgrade. I guess that makes sense?

Well, they’ve been looking at knocking my efficiency again, this time by failing to follow their own advice.

Zero-day stupidity

If you wish to break into the high-security world of tech you won’t need sophisticated malware, zero-day exploits, or nation-state backing. You simply need a good name, an attack vector that will ensure the recipient cannot resist a double-click, and a permissions share.

The grift is simple. Create a file with a good name:

  • Something believable

  • Something desirable

  • Something people want to be true

Software developers like to believe that they are above all of that, and in software development we like to think we’re above it.

We’re not. We’re so not above that. The developer isn’t a rational beast at all, not when faced with some juicy gossip in the office.

Incentives Beat Intelligence Every Time

You don’t need to trick someone with complexity.

You just need to align with their incentives.

Want someone to open a file?

  • Make it urgent → “Action Required”

  • Make it important → “Company Policy Update”

  • Make it personal → “Payroll Adjustment”

Better yet, combine all three.

The problem isn’t that people are careless.

The problem is that people are predictable.

And companies are built on predictable behavior.

If you wish someone would open your dodgy script, you can simply exploit their greedy behavior. It isn’t all that difficult.
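The same three cues the post lists for the attacker are what a defender can score for on the way in. The following Python is an added example, not code from the original post or its author: a constructed mail-triage heuristic that weights urgent, important and personal wording in a subject line, adds weight when the cues stack (“combine all three”), when the sender is outside the internal domain, and when a macro or executable attachment is present. The keyword lists, the assumed internal domain example.com, the extension set and the sample messages are all assumptions made for illustration.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Set

# Cue vocabularies are assumptions for this example, seeded from the
# three lures the post names. A real deployment would tune these.
URGENT = re.compile(
    r"\b(action required|urgent|immediately|final notice|overdue|within 24 hours)\b", re.I)
IMPORTANT = re.compile(
    r"\b(company policy|policy update|compliance|mandatory|all staff)\b", re.I)
PERSONAL = re.compile(
    r"\b(payroll|salary|bonus|your account|your benefits|performance review)\b", re.I)

# Attachment types that execute or carry macros; treated as higher risk (assumed list).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".scr", ".lnk",
                    ".iso", ".docm", ".xlsm", ".pptm"}

INTERNAL_DOMAIN = "example.com"   # assumed tenant domain for this example


@dataclass
class Message:
    sender: str
    subject: str
    attachments: List[str] = field(default_factory=list)


def lure_cues(subject: str) -> Set[str]:
    """Return which of the three lure cues appear in a subject line."""
    cues = set()
    if URGENT.search(subject):
        cues.add("urgent")
    if IMPORTANT.search(subject):
        cues.add("important")
    if PERSONAL.search(subject):
        cues.add("personal")
    return cues


def is_external(sender: str) -> bool:
    """True when the sender address is not on the internal domain."""
    return not sender.lower().endswith("@" + INTERNAL_DOMAIN)


def risky_attachments(names: List[str]) -> List[str]:
    """Filter attachment names down to the executable/macro-bearing ones."""
    return [n for n in names
            if os.path.splitext(n)[1].lower() in RISKY_EXTENSIONS]


def triage(msg: Message) -> dict:
    """Score a message: one point per cue, a bonus when cues stack,
    one for an outside sender, two for an executable/macro attachment."""
    cues = lure_cues(msg.subject)
    score = len(cues)
    if len(cues) >= 2:
        score += 1          # stacked cues are the tell, not any single word
    if is_external(msg.sender):
        score += 1
    risky = risky_attachments(msg.attachments)
    if risky:
        score += 2
    if score >= 4:
        verdict = "escalate"   # hold for a human look before delivery
    elif score >= 2:
        verdict = "review"     # deliver, but flag it in a mailbox banner
    else:
        verdict = "normal"
    return {"score": score, "cues": sorted(cues),
            "external": is_external(msg.sender),
            "risky_attachments": risky, "verdict": verdict}


# Constructed sample messages; no real senders, domains or files.
SAMPLES = [
    Message("hr-notices@payroll-portal.test",
            "Action Required: Company Policy Update - Payroll Adjustment",
            ["Payroll_Adjustment.docm"]),
    Message("recruiting@partner-agency.test",
            "Your bonus eligibility this quarter"),
    Message("it-ops@example.com",
            "Quarterly all-hands slides", ["slides.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.sender:32} {triage(m)['verdict']:9} {triage(m)}")
```

The point of the scoring is the stacking bonus: a single “urgent” word from a colleague is everyday mail, while urgency plus policy plus payroll, from outside, with a macro document, is the lure the post describes and is the one worth holding regardless of how well trained the recipient is.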

Security Training AKA The Annual Checkbox Exercise

Most companies will respond to incidents like this by doing what they always do:

  • Mandatory security training

  • A 30-minute video nobody watches

  • A quiz you can pass by guessing

Then everyone gets a badge saying they’re “security aware”, which means problem solved. Right? Right?

Not really.

Because security training assumes that in the moment, people will:

1. Stop

2. Think

3. Analyze

But that’s not how work happens.

Work happens like this:

  • You’re juggling tickets

  • Your manager wants updates

  • You’ve got two meetings overlapping

  • Someone pinged you “quick question” (it isn’t quick)

Then something lands in your inbox that looks important.

You don’t analyze it.

You react.

Context switching makes this worse (and it is being tacitly encouraged by the use of AI, which pushes us from one task to another and compounds our human vulnerabilities). Humans value their concentration, and when it’s interrupted we are more likely to make poor judgements instead of good ones.

Which is exactly what hackers, script kiddies and those willing to exploit the work of others want.

Even the Experts Get It Wrong

There’s an uncomfortable truth in security. The people responsible for preventing problems are still human.

They have the same:

  • Deadlines

  • Distractions

  • Biases

And perhaps most shockingly, they have the same hopes, and you can’t train that out of people.

You can’t write a policy that overrides human nature.

So you should understand that security staff are also likely to have their own day derailed by a spam email or an attack.

The real issue

Every company believes that “this would never happen here”. Every company is wrong.

We all know why this is. Companies optimize for speed, delivery and output.

They don’t think about verification and deep thought.

When those priorities clash, speed wins every time.

There is no such thing as

“Move fast, but be careful”

There is only one real expectation at play, and it’s the one you already know:

“Move fast”

So What Actually Works?

If the solution isn’t “train people better”, then what is it?

A few uncomfortable answers:

Assume People Will Click

Design systems as if:

  • Someone will open the file

  • Someone will click the link

  • Someone will make the mistake

Because they will.

Reduce Blast Radius

If one mistake compromises everything, that’s not a user problem.

That’s a system design problem.

Stop Pretending Awareness Is Enough

Awareness doesn’t beat:

  • Curiosity

  • Incentives

  • Fatigue

It never has.

Fix the Culture

If your company:

  • Overloads employees

  • Rewards speed over caution

  • Treats security as an afterthought

Then this outcome is inevitable.

Conclusion

The most dangerous attack isn’t the one nobody understands.

It’s the one everyone understands…and still falls for.

Because at the end of the day, the most reliable exploit in any system isn’t in your codebase.

It’s in your people.

About The Author

Professional Software Developer “The Secret Developer” can be found on Twitter @TheSDeveloper and regularly publishes articles through Medium.com.

The Secret Developer once opened a file they definitely shouldn’t have. Speculate in the comments what that might have been.
