Gone Phishing

You’re Being Baited–Are You Protected?

It’s a regular morning. You walk in the door to the usual pile of unread emails and scan them for “important names” to ensure you keep in the good books (we all do it, don’t worry). You notice you’ve got a meeting invite from your boss titled “Annual Review” – now, I’m guessing you’ll be thinking one of two things:

1. Sweet, it’s about time. Let’s do this! You click the accept button multiple times just in case; or…

2. Damn it, my lazy butt has finally been caught up with! You hover over the accept button for a while and then begrudgingly click.

You carry on with your day: the usual coffee trips, keep yourself up to date with the latest news stories online, process some ECAs, complete some analytics, pay the forgotten vet’s bill, arrange a few meetings, continually retype your username and password into the multitude of applications for the 50th time that day (damn that auto-lock!), and so on.

Later that day, you bump into the boss: “Hey Boss, nice to see you. Looking forward to the annual review. I really do appreciate the opportunity to discuss my performance.” The boss looks confused.

“Wait, what review?”

“The annual review you are doing with all the staff, we’re all super excited,” …and then the realization sets in. You run back to your desk or to the IT department as if you’re in some race against time, knowing someone else won this race.

The chances are you’ve just been “phished.” The list of things the bad guys can do once you’ve clicked is very long and very scary!

I’m not here to tell you all the gory details, the hundreds of different “phishing techniques,” or tell you how to fix everything. However, it is my opportunity to get your attention and ensure you know that you can win this fight yourself. Yes, your IT or Information Security departments, those email filtering systems, etc., will all help, but they cannot and will not be able to protect you 100% from the variety of phishing techniques being used out there.

Use whatever superhero name you wish, wear whatever cape you want; the only thing you need to justify these choices is training and education. If your company is not already providing you with this necessary training (84% of all email traffic in April 2019 was spam!), then do it yourself. Don’t be the person who clicks the link that kills your business.

We work in one of the most targeted industries in the world; this will never change. It’s the nature of the business and as the threats to our industry change, we must be ready!

There is plenty of content available out there which provides free education and training videos to teach you about all known phishing techniques. It would be unfair of me to recommend anything directly as I haven’t tried them all, but if you aren’t already doing this, please do.

Learn more about Matt Kingdon, Information Security Director at Oasis.
