The one constant about user awareness training is that the awareness part is supposed to stick with you. Learning how to spot one type of phishing email is only good for that particular email, thus the concept of awareness is learning to trust your gut when something looks suspicious.
On Tuesday, the CSO editorial team was once again reminded of why awareness training works. Last month, we explored a phishing campaign aimed at the CSO editorial team, but our most recent encounter targeted IDG as a whole. Today, we're going to examine this latest attempt, as there are some valuable lessons to be learned.
Phishing is a psychological attack. The criminals behind such initiatives want you, the victim, to do something. This 'something' can be a number of things, but common requests include following links or opening attachments, because the action is simple, takes little time, and it's something everyone online does daily.
The trick, though, is actually getting you to do the 'something' without asking too many questions. This is achieved by focusing on the psychological aspect of the attack. Those behind a phishing campaign will use fear, emotional pulls (e.g., asking for assistance or help), or a pretext of authority (which in itself can be a type of fear, if the pretext is law enforcement or management) to coerce the victim into doing their bidding.
The phishing campaign used as an example for this article circulated on the IDG corporate network on October 8, 2013. Not everyone got it (including myself), but many people working with CSO and IDG as a whole did. The exact count isn't important, but suffice it to say, the issue was large enough for IT to send a company-wide warning about the emails.
The tone of the message leveraged fear, and did so by presenting the pretext of someone in authority. In our case, the email's message carried the air of coming from Human Resources, and it's never wise to cross them or refuse a request.
Unlike the other phishing campaign, which focused on CSO alone under the guise of a news release, this one cast a wide net, but it was flagged almost immediately by many of the employees who received it, for several reasons.
SUBJECT: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
The subject of the email references a form of some kind, which authorizes the addressee to use their personal vehicle while on state business. While most of us here at IDG are sure that such a form may exist, and perhaps is required in some cases, we don't work for the state.
This is a red flag in and of itself, but in addition to not working for the state, it's common knowledge from employee training that the company allows us to use our own vehicles while traveling for business. But still, like most large companies, we're encouraged to use air travel and rental agencies when we have to travel for a story.