This morning, I checked my email and immediately spotted something suspicious in my inbox. I easily identified this email as a phishing attempt. It contained sparse wording, a link to a file, and the implication that it was sent to me from a safe place “securefileshares.com” (sounds trustworthy to me!) that I had never heard of before. I immediately forwarded it to our InfoSec team.
But then … I had to resist the urge to poke, to ask what the file they sent was and where it came from. I gave in a little and googled the domain name to see what came up. Nothing much did, and I went on with my day. Then, I came back to check my mail and was almost drawn in again.
Curiosity drives my career. I am here because I love to poke and prod and learn about things. We have all of this technology because ours is a curious species. And this is our Achilles heel. Even after I had identified the email as dangerous and notified IT, I still had the urge to mess with it.
Was it really something for me that I just didn’t know I was going to get today? Maybe I was missing a message telling me it was coming. Maybe that message just hadn’t gotten here yet. Maybe this was the notification of my missing lottery winnings or my status as an heir to Nigerian royalty. What could be in this Pandora’s box I had just received?
Then I got a note back from IT that the email was a “good guy” phishing email as part of our internal effort to educate our users and convince them not to click and, instead, to report. Yay, I passed the test. Except … I still wanted to click the link. It wasn’t an irresistible urge, and I can control myself, but in a nutshell, that is why phishing works.
Humans are curious, and we may very well ignore all of our experience, knowledge, and gut to find out more.
And that is what makes internal efforts that “train the human” so important. Humans are the weakest link, and even an experienced, security-conscious, and informed person like myself can fall prey to phishing (I have in the past). A program like this helps immunize the organization by building up good practices and awareness.
I was rewarded for reporting it, and that felt good. That positive reinforcement helps me become more resistant to my urges and helps protect the company.
And honestly, if I had a sandbox to play in, I would eagerly open that PDF to see what happens.