Caught by the phishing scam AGAIN!!

Last week, I returned to work after a refreshing holiday. I’m contracting for an organisation that has a few hundred employees all over the country. Due to the nature of the work, I’ve been issued my own laptop and access to their network – something I take very seriously, as a considerable amount of trust goes into providing this kind of access to a contractor.

So I log back in on my first day back from holiday, ready to clear an inbox of what I’m hoping is a summer full of emails I won’t need: mostly company updates and a few ‘reply all’ email chains that are irrelevant to me. With my finger on the archive button, I get the dopamine hit from clearing all my unread emails.

Red alert

Until I strike one from the New Zealand Police. My instant reaction: ‘This must be spam’. But I hesitate. The subject line reads ‘Confirmation of complaint received.’

My phishing training jumps into action. I check the URL – it looks legit, the attachment looks like a document file, I can see no spelling mistakes, and the tone and words used all seem legitimate.

But … I haven’t misbehaved this summer nor have I complained to the police. Is it a phishing email, or has someone stolen my identity while I was relaxing in the sun?

It’s a legitimate concern. I have a friend who has had years of trouble after discovering her identity had been stolen and used by someone to create all kinds of trouble for her and her credit rating.

What to do?

Immediately, my anxiety levels increase. I reread the email, careful not to open or touch it. I decide it is a phishing email and try to report it but can’t find the ‘report’ button on my unfamiliar email inbox.

But I’m also hesitant about deleting it. I don’t know why, but maybe the police have sent me an email. Maybe I should check what it says? I decide to leave it in my inbox for the time being: maybe I can ask someone about it next time I’m in the office.

That night, in bed, that email takes up space in my head for longer than it should. Have I made a complaint in the busyness of last year that I can’t recall? Has someone assumed my identity and is now making bogus complaints to the police in some elaborate scam? I resolve to recheck the email in the morning and sort it out so I don’t have to worry about it any longer and can get some sleep.

The next day …

The following morning, I reread the email and go through the basics of checking for scams.

Is the email address ‘Phish-y’?

No. I even look up the Police website to check their domain name.

Are they using correct spelling and grammar?

Yes, as far as I can tell.

Is there a sense of urgency or threats?

Well, kind of, but it is just a complaint receipt. It’s not telling me I need to pay or contact them immediately.

Too good to be true?

Not too good but yeah, now I think about it – highly unlikely to be true.

Dodgy attachment?

I don’t think so. It looks like a legitimate document file.
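The five checklist questions above are surface heuristics, and they can be written down as code. The following is an added example, not from the original post: a small Python checker that applies the sender-domain, urgency and attachment checks to two constructed messages, one modelled on a well-crafted simulation (which passes every check) and one crude scam. The trusted domain, addresses and attachment names are assumptions, not values taken from the post.

```python
import re
from dataclasses import dataclass, field

# Constructed allow-list (assumption); the real Police domain is not taken from the post.
TRUSTED_DOMAINS = {"police.govt.nz"}
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|within \d+ hours|pay now|suspended|legal action)\b", re.I)
RISKY_EXT = {"exe", "scr", "js", "vbs", "hta", "html", "htm", "iso", "lnk", "zip"}

@dataclass
class Email:
    sender: str            # address shown in the From: header (can be spoofed)
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def _squash(domain):
    """Drop punctuation so 'police-govt.nz' and 'police.govt.nz' compare equal."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())

def check_email(msg, trusted=TRUSTED_DOMAINS):
    """Return a list of findings for the checklist items; an empty list means 'nothing obvious'."""
    findings = []
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain not in trusted and not any(domain.endswith("." + t) for t in trusted):
        if any(_squash(domain) == _squash(t) for t in trusted):
            findings.append(f"lookalike sender domain: {domain}")
        else:
            findings.append(f"sender domain not on trusted list: {domain}")
    if URGENCY.search(msg.subject + " " + msg.body):
        findings.append("urgency or threat wording")
    for name in msg.attachments:
        parts = name.lower().split(".")
        if len(parts) > 2:
            findings.append(f"double extension on attachment: {name}")
        elif parts[-1] in RISKY_EXT:
            findings.append(f"risky attachment type: {name}")
    return findings

# Constructed samples (not the actual messages from the post).
SIMULATED = Email("complaints@police.govt.nz", "Confirmation of complaint received",
                  "Thank you. Your complaint has been logged. The receipt is attached.",
                  ["complaint_receipt.pdf"])
CRUDE = Email("noreply@police-govt.nz", "URGENT: Pay now",
              "You must pay immediately or face legal action.",
              ["receipt.pdf.exe"])

if __name__ == "__main__":
    for label, msg in (("simulated", SIMULATED), ("crude", CRUDE)):
        print(label, check_email(msg) or ["passes every checklist item"])
```

An empty finding list is not proof of legitimacy: the From: address can be spoofed and a PDF can still carry a malicious link, which is exactly why a well-crafted simulation passes all five questions.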

With hindsight, all that checking was futile. I’m a terrible speller and struggle with attention to detail. I always fail the ‘Is it a scam?’ training activities because of it. I don’t notice when two letters are the wrong way around in a word. It’s a real blind spot for me.

So I open it.

Gotcha!

And of course, it’s one of those emails – a simulated scam designed to catch me out. “You’ve been caught opening a suspicious email. Please complete these compulsory Elearnings…”

It might as well have said, “You’re an idiot with an overactive imagination; here’s your punishment.” That’s how I was feeling.

I was also really annoyed at myself and the team who tricked me. Not the frame of mind for a learning moment, although I do get where they’re coming from. It’s clear that the responsibility can’t fall solely on the shoulders of employees. We must all stay vigilant, constantly updating our internal spam filters with the latest phishing education.

But surely it’s just as crucial for organisations to build a culture of security that goes beyond the occasional shock-and-awe training session. Instead of relying on the digital equivalent of a “Gotcha!” moment, why not foster an environment where learning from our mistakes is encouraged and expected?

An alternative response

Imagine a scenario where clicking on a simulated phishing email leads to an immediate, informative session on how to spot similar attempts in the future and what to do if you are unsure about an email. This would shift the focus from punishment to empowerment and enable everyone to become better at identifying threats without the fear of reprimand hanging over their heads.

Plus, if we keep our training for email security fresh and ongoing, we’ll have more chance of keeping those nasty cyber-threats at bay. By integrating the latest updates, examples from real life and some interactive learning modules, businesses can make sure their teams are well-equipped to stop cyber-threats in their tracks. All of this not only boosts our security but also makes everyone feel like they’re part of a team that’s got each other’s backs when it comes to looking after our online assets.

As the types of cyber-nasties keep changing, the way we learn to deal with them has to adapt too. We can build a stronger, smarter bunch of workers by ditching the scare tactics and going for a training style that’s all about support and proper education. At the end of the day, the main game isn’t just to dodge those dodgy phishing traps; it’s to build a culture where digital literacy and cyber security are a shared responsibility.
