Once a target, always a target: A second look at awareness training in action

Steve Ragan | Oct. 10, 2013
The one constant about user awareness training is that the awareness part is supposed to stick with you. Learning how to spot one type of phishing email is only good for that particular email; the point of awareness is learning to trust your gut whenever something looks suspicious.

FROM: Joan Leblanc (Joan [at]

If the subject line wasn't enough to prove that the email was suspicious, or at least completely unrelated to our jobs, the email address of the person who sent it raised a second red flag.

While is a legitimate address (after all, it is our corporate domain), the email address itself wasn't formatted properly. Our email addresses, as shown on our author profile pages, use a completely different format. As with the previous phishing attack, a quick search of the company directory confirmed that Joan Leblanc isn't a real employee.


The last time CSO had to deal with a malicious email, it was addressed to fake employees and the editorial team. In addition, the message was also addressed to two aliases that simply didn't exist. This time, however, the aliases were valid, increasing the number of people who received the message.

Some common email aliases, such as support or sales, are fine for organizations of any size. However, easily guessed aliases that expand to a large number of employees should be considered during the risk assessment process when implementing email security.

"All of us do a little risk calculation whenever something comes into our inboxes...and it's a subconscious thing," explained Trevor Hawthorn, the CTO of ThreatSim, a company that focuses on spear phishing and awareness training.

"When something comes into something like an alias, I would speculate that most of the users, when something comes into that email address, the little voice in their head probably said, 'this is probably okay, because it's only internal people that ever send to this list'," he added.

In this example, the attackers managed to guess the name of an email address used by a business unit within IDG. However, it is still entirely possible that those targeted by this latest scam had their addresses harvested, as many of them are publicly available. Still, the lesson here is that being addressed to a known internal alias doesn't instantly grant an email immunity.


While the other red flags are more than enough to discount this message as a scam, the body is still worth examining. The tone of the message is one of fear: it says that unless the form is completed and submitted, reimbursement could be delayed. In essence, "Do as we say, or you won't be paid."

Again, "Joan Leblanc" is presented as someone with authority. Thus, the tone of this email and its subject line are the psychological aspect of the campaign.
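The red flags walked through above (a sender address that breaks the corporate naming convention, a sender missing from the directory, delivery to a broad internal alias, and a body that threatens non-payment) can be turned into a triage check that a mail gateway or help desk runs over a message. The following is an added example, not code from the article or from IDG; the domain, naming format, directory contents, alias list and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed conventions (assumptions for this example, not IDG's real ones):
# staff mailboxes look like first_last@example.com and the directory lists real staff.
CORP_DOMAIN = "example.com"
ADDRESS_FORMAT = re.compile(r"^[a-z]+_[a-z]+@" + re.escape(CORP_DOMAIN) + r"$")
DIRECTORY = {"steve_ragan@example.com"}
BROAD_ALIASES = {"editorial@example.com", "all-staff@example.com"}
# Wording that pressures the reader with a threat of delay or lost money.
URGENCY = re.compile(r"\b(delay\w*|suspend\w*|immediately|will not be (paid|reimbursed))\b", re.I)

def phishing_indicators(raw_message: str) -> list[str]:
    """Return the red flags raised by one RFC 822 message; an empty list means none fired."""
    msg = message_from_string(raw_message)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    if sender.endswith("@" + CORP_DOMAIN):
        # Internal domain, so the address itself must match the naming convention
        # and the mailbox must belong to a real employee.
        if not ADDRESS_FORMAT.match(sender):
            flags.append("sender address does not follow the corporate naming format")
        if sender not in DIRECTORY:
            flags.append("sender is not in the company directory")
    else:
        flags.append("sender is outside the corporate domain")
    recipients = [addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if any(addr in BROAD_ALIASES for addr in recipients):
        flags.append("addressed to a broad internal alias")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if URGENCY.search(body):
        flags.append("body pressures the reader with a threat of delayed payment")
    return flags

# Constructed sample modelled on the message described in the article.
SUSPICIOUS = """From: Joan Leblanc <joan@example.com>
To: editorial@example.com
Subject: Mileage reimbursement form STD 261
Content-Type: text/plain; charset=utf-8

All employees need this form on file. Unless it is submitted, reimbursement will be delayed.
"""
# Constructed benign message from a directory-listed colleague to one person.
BENIGN = """From: Steve Ragan <steve_ragan@example.com>
To: steve_ragan@example.com
Subject: Draft review
Content-Type: text/plain; charset=utf-8

Can you look over the draft when you get a chance?
"""
```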

All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.

