Your UPS delivery was missed… The IRS says you owe them thousands of dollars… You’ve reached your computer disk storage limit… Your Apple account information has been updated… and on and on.
There are now dozens of common scenarios used by attackers to try to get people to click on links and attachments in email messages. And many of them work very well in terms of getting people to click. So, what is it that makes people so gullible?
Our Hot Buttons
What attackers have learned is that “everybody has a hot button”, and some topics are emotionally sensitive to many people. In other words, you can almost always find some situation that will cause people to react emotionally, without thinking. That’s what attackers are counting on.
Think of any emotion you can experience, and then try to see how easy it can be to come up with a scenario that could leverage this emotion to get people to take action. Whether it’s greed, laziness, fear of executives, fear of the government, curiosity, helpfulness, or any other emotional trigger, “there’s a scam for that!”
For example, in one “spear-phishing” test I ran for a client, I described an offer for employees to reserve parking spaces in the employer’s new office building. You might be surprised to learn how many people get quite excited about getting a better parking space!
Anticipating and simulating situations attackers may use against your team
The scenario allowed me to capture user names and passwords for a number of employees' network accounts, which demonstrated that employees could be fooled by phishing messages from anyone who had a little knowledge of current events at the organization. This was a useful scenario that we eventually employed as a case study within the employee security awareness training program.
If you know of certain situations that you think could cause your employees to become vulnerable to being tricked, or that may be good training topics for your staff, please let me know, and we can discuss the risks, as well as what approaches to security awareness training could be most effective.
Individuals at home: When you receive an email that causes an instant emotional reaction, try to catch yourself. Teach yourself not to immediately respond in any way, other than to reflect on whether it’s an authentic situation.
Employees: The same as for personal emails, take a moment to reflect on any message you get that causes you to feel angry, sad, hopeful, etc. If it’s possible that it could be a fake, take the time to check it out with a phone call or a text message. It can save you time, money and frustration.
Managers: Think of scenarios that have been the cause of phishing incidents in your organization in the past, or incidents at other organizations. Then try to educate staff on how they could be used to trick employees into clicking on things they shouldn’t.