Great... good idea... let's walk through it.
What do you mean "utilizes the actual name"? Like the 3:00AM girl scout cookies at your door with the ski mask? They use the ACTUAL NAME... Girl Scouts. That's authentic. Girl Scouts are REAL. This would be called a Spear Phishing attempt. It's phishing, but highly targeted to the recipient (using an employee's name they pulled off of a Google search... and then read their blog about the conference they attended... and then mention the conference in the email.)
That email simply directs the recipient to click on a link
Is that how your company manages HR communications.... "here - click this link", with no context whatsoever? No introduction as to what to expect. No proprietary information or context that is even vaguely familiar..no branding... no reference to a memo or a project... nothing... just a link, ey? Well that company is training employees to just blindly click shit, then... and they are creating / reinforcing idiot activity.
, clicking on that link launches an attack.
That would be the company failing to patch a vulnerability, or it's a zero day (previously unknown vulnerability). This is rare (like once a decade rare) and in neither case would be the employee's fault beyond having clicked the link in the first place. More commonly, the link presents a form that is asking for a password, and that is all they want. If your company has horrible Identity and Access management where the employee has to remember 10 passwords that they have to enter all over different places all day, then, again, the company is creating idiot users. If decent, simple SSO is set up, like Active Directory affords, then users should see the form and just laugh at it (actually, they should never see the form because the phishing attack should (almost) never be successful).
Is that a phishing attack, or one of those problems that you claim was solved long ago? If it is not a phishing attack, what is the solution to it, given that it was solved long ago? If it is phishing, how is it any less problematic than the problem that was solved long ago?
The "attack" is in two parts... the delivery mechanism, and the payload. The payload should never have a chance to deploy. And no... nothing was "fixed" a long time ago.
Maybe he is thinking of the Java sandbox that never fixed anything, but instead gave some people a false sense of security. Java is so insecure that after years and years of patching, it has simply been abandoned. The concept of a sandbox is good... but when you can only play in the sandbox, you only get sand. Not good for an enterprise with complex integrations and collaboration tools that are needed to conduct business.
If you do one single thing to protect yourself and your company... just one simple thing... then that thing should be to check the incoming email address of every single unsolicited email you receive. Just look at it. NOT the name. The address. Especially the part just to the left of the last dot...
APerson@google.hackersparadise.com <- this email came from "hackersparadise.com". They had their own private subdomain on their own network that they named google. It DID NOT come from google.com
I sound like "do this one thing every day to..."
but do that.
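As an added illustration of the "look at the address, not the name" check described in the post above (this is not the poster's code), here is a small Python routine that pulls the bare address out of a From: header, reduces it to the part just left of the last dot plus the suffix, and compares that against an allowlist. The sample headers, the TRUSTED_DOMAINS allowlist and the short MULTI_LABEL_SUFFIXES set are constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample From: headers for illustration; none comes from a real mailbox.
SAMPLE_HEADERS = [
    '"Google HR" <APerson@google.hackersparadise.com>',  # subdomain named "google" on someone else's domain
    '"hr@google.com" <APerson@hackersparadise.com>',     # display name imitates an address
    'HR Team <hr@google.com>',
    'noreply@mail.google.com',
    'Support <help@example.co.uk>',
]

# Assumed allowlist: registrable domains this organization actually expects mail from.
TRUSTED_DOMAINS = {"google.com", "example.co.uk"}

# Multi-label public suffixes where "the last two labels" is NOT the registered part.
# A real deployment would load the full Public Suffix List; this short set is illustrative.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def sender_address(header: str) -> str:
    """Return the bare address from a From: header, discarding the display name entirely."""
    _display_name, addr = parseaddr(header)
    return addr.lower()


def registrable_domain(addr: str) -> str:
    """Return the registered domain: the label just left of the last dot plus the public
    suffix. 'aperson@google.hackersparadise.com' -> 'hackersparadise.com'."""
    if "@" not in addr:
        return ""
    labels = addr.rsplit("@", 1)[1].strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(header: str) -> tuple[str, str]:
    """Label a From: header 'trusted' or 'suspicious' by its registrable domain only.
    This judges what the header claims; it does not verify SPF/DKIM/DMARC results."""
    domain = registrable_domain(sender_address(header))
    verdict = "trusted" if domain in TRUSTED_DOMAINS else "suspicious"
    return verdict, domain


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        verdict, domain = classify(h)
        print(f"{verdict:10} {domain:22} <- {h}")
```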