Falling for a Phish: Even the ‘Experts’ Get Hacked, a Lesson for Cybersecurity Awareness Month

Filed in Security

“To acquire knowledge, one must study; but to acquire wisdom, one must observe.” – Marilyn vos Savant


In the early-to-mid 2000s, I was a journalist writing human interest stories. Honestly, cybersecurity wasn’t even on my radar back then. I was never a techie, nor did I pay the tech world much attention beyond whatever purpose it served me at the time. However, the 2008 recession sent my career in new directions. While my chosen industry was undergoing a major shift, the tech world was still booming, so I grabbed on for the ride. This new path led me to work for one of the largest cybersecurity companies in the world at that time.

In the early 2010s, cybercrime was an ever-booming business, so it stood to reason that cybersecurity was becoming top of mind for enterprises and consumers alike. My job? To understand as much as I could about the cybersecurity industry and develop a global resource center and newsroom, interviewing experts and telling stories of emerging technologies, best practices, and the latest threats to both enterprise and consumer audiences. It got pretty exciting, from breaking the midnight stories of huge Interpol cybercrime ring busts to working on in-depth documentaries that followed some of the most notorious cybercriminals and high-profile figures from around the world.

All of it, of course, was in service of cautionary tales and prevention. As an organization, we wanted to encourage our audience to be smarter, to slow down and take notice of the warning signs, the tell-tale marks of criminal behavior. With every new story, we’d reiterate the best practices, over and over, until I was nearly convinced that everyone in the world had heard each bit of advice about fifty times. How could anyone on the planet not know how to spot fraudulent activity or identify what a phishing email looked like? I’d written out the rules so many times, they were probably etched on the insides of my eyelids. There was no way anyone in our audience would be a victim of a scam, no way any employee of our company would be, and absolutely no way I would be.

The day I proved myself horribly wrong started out like any other day. Admittedly, I was a bit groggy at my desk from being up past my bedtime the night before, catching up with my best friend, whom I had not spoken to for several months. Life had gotten in the way and when we finally found the time to chat, it had taken a while to download the details of our lives. As my friend had a penchant for having wild adventures with interesting characters, she relayed one wacky story after the next until we were both yawning, and I looked at the clock and realized I had to wrap it up. We agreed to catch up again soon. So, it didn’t surprise me when I looked at my email the next day and saw a message from this exact friend.

The language was casual, but short. It encouraged me to “check out” this hilarious video. It was totally “on brand” for this friend of mine—which is why I didn’t hesitate, not even a little bit, to click on the link in the email. But as soon as I clicked, my eyes flitted to the email address. While the sender’s name was my friend’s name, the email address was NOT hers. The link sent me to some rudimentary looking website, with a form on it to collect more information. Uh-oh! What had I done? I quickly called my friend to ask her if she’d sent me a video link. Of course, she hadn’t. That’s when I knew that I’d fallen for a phish—hook, line, and sinker.

Luckily, I worked for a cybersecurity company, so my computer was quickly and thoroughly scanned and inspected for any malware or other nefarious activity. However, the shame of falling for a cybercriminal’s trick stuck with me. Had I followed my own advice to the letter? Absolutely not. If I had taken just an additional moment to scan the sender’s email address first, I would have recognized that it was not my friend’s email. I could have called and verified that it wasn’t her before I clicked. Instead, I trusted before verifying and almost had my own information compromised and possibly my company’s data as well. I could have put my entire company—and our customers—in jeopardy. That is heavy.

As some wise folks have said to me, once you know better, you do better. I absolutely learned my lesson here. Sometimes it takes a practical application of that lesson to really learn it.

Prevention is important, so once again, in the spirit of Cybersecurity Awareness Month week two, “Fight the Phish,” here’s a list of best practices from The National Cybersecurity Alliance to help you avoid being victimized by a phishing attack:

Tips for Avoiding Being a Victim

  • Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Before sending or entering sensitive information online, check the security of the website.
  • Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Check out the Anti-Phishing Working Group (APWG) to learn about known phishing attacks and/or report phishing.
  • Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.
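The two checks the story turns on, a display name that belongs to a known contact sitting in front of an address that is not theirs, and a link whose domain is a spelling or TLD variation of a site you trust, are easy to automate. The script below is an added example written for this post; it is not code from the original article, from the author's former employer, or from the National Cybersecurity Alliance. The contact list, trusted domains, and the two sample messages are constructed for the example, and only the Python standard library is used.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed data for this example: who we know, and which domains we trust.
# The names and domains are made up and stand in for a real contact list.
KNOWN_CONTACTS = {"jane doe": "janedoe@example.com"}
TRUSTED_DOMAINS = {"example.com", "bank-example.com"}

# Constructed phish: the display name matches a contact, the address does not,
# and the links are a one-character lookalike and a .com/.net swap.
SAMPLE_PHISH = """From: Jane Doe <jane.doe@mail-example.net>
To: me@example.com
Subject: lol check this out

hey, you HAVE to check out this hilarious video
http://video.bank-examp1e.com/watch?id=1
https://example.net/login
"""

# Constructed legitimate message from the same contact for comparison.
SAMPLE_LEGIT = """From: Jane Doe <janedoe@example.com>
To: me@example.com
Subject: photos from the trip

here they are: https://www.example.com/album/42
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Last two labels of a hostname; adequate for .com/.net style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch 'examp1e' vs 'example' lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_verdict(host, trusted=TRUSTED_DOMAINS):
    """Return a reason the link's domain is suspicious, or None if it is trusted."""
    reg = registrable_domain(host)
    if reg in trusted:
        return None
    name, tld = reg.rsplit(".", 1) if "." in reg else (reg, "")
    for t in sorted(trusted):
        t_name, t_tld = t.rsplit(".", 1)
        if name == t_name and tld != t_tld:
            return f"{host}: same name as {t} but different TLD (.{tld} vs .{t_tld})"
        if name != t_name and edit_distance(name, t_name) <= 2:
            return f"{host}: spelling variation of {t}"
    return f"{host}: not a trusted domain"


def check_message(raw, contacts=KNOWN_CONTACTS, trusted=TRUSTED_DOMAINS):
    """Warnings for a raw RFC 822 message: sender mismatch first, then each link."""
    msg = message_from_string(raw)
    warnings = []

    # Check 1: known display name in front of an unknown address.
    display_name, address = parseaddr(msg.get("From", ""))
    expected = contacts.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        warnings.append(f"display name '{display_name}' is a known contact, "
                        f"but address {address} is not their {expected}")

    # Check 2: every link's domain, compared against the trusted list.
    if msg.is_multipart():
        body = "".join(part.get_payload() for part in msg.walk()
                       if part.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    for url in URL_RE.findall(body):
        verdict = domain_verdict(urlparse(url).hostname or "", trusted)
        if verdict:
            warnings.append(verdict)
    return warnings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample) or ["no warnings"])
```

The sender check is the one that would have caught the email in the story: the name matched, the address behind it did not. The domain check deliberately works on the registrable domain rather than the full hostname, so a lookalike hidden behind a plausible subdomain such as video.bank-examp1e.com is still compared against bank-example.com. A real deployment would use the Public Suffix List instead of "last two labels", since that rule is wrong for domains like example.co.uk.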

Get involved for Cybersecurity Awareness Month:

There are many ways that individuals can get involved during Cybersecurity Awareness Month, including: