The Intern That Fell for the Phishing Scam

It was me. I am writing from the perspective of an intern who fell for a phishing scam, even though I had gone through copious amounts of cybersecurity training and was not totally unfamiliar with the subject. I will be sharing my thoughts and experiences on the timely issue in the hope that it will help deter you from making the same mistake.

What is Phishing?

Phishing is a method that hackers use to gather a person's personal information through deceptive emails and websites. To do this a hacker will send out an email and they will appear to be a user of a reputable company or a familiar contact. The email will usually contain a request or a link that the hacker has set to look like a legitimate website, so that they get you to click on it. The website will ask you to “log-in” or provide personal information. The login credentials and personal information are then captured, and the hacker can begin to use the information they gathered to gain access to your company servers, resources, applications, and more.

Phishing Emails are On the Rise

Phishing scams are becoming increasingly prevalent, especially during the Covid-19 pandemic. Attacks have significantly increased on devices as more people begin working remotely. Being a victim of a phishing attack is nothing to be embarrassed about. As technology becomes more advanced and hackers are getting more skilled at sending personalized emails, it is getting harder and harder to recognize. Even the most secure companies cannot block all phishing attempts without the risk of blocking real business emails. For this reason, it is important to spread awareness about different phishing experiences people have had, including my own. Before I get into my story, I would like to verify that I was trained to look for red flags of phishing attacks and how to avoid getting scammed in both past and in the onboarding of my internship. With that being said, I still seemed to find myself a predicament that so many had tried to help me avoid.

The Time I Fell for a Phishing Scam

Last summer while working as an intern, I had my first phishing scare. It was about one month in my internship, I went into the office, checked my computer, and saw an email from my company's CEO. This is not typical, so I should have been a little suspicious, but coincidentally I had just met the CEO for the first time the day before when he visited our Boston office. For this reason, I thought it made sense that he might be reaching out to ask me for a favor. In the email “Lou,” our CEO, asked me to purchase several gift cards that he would be surprising the sales team in the afternoon. He asked that I not tell anyone so that it could remain a surprise. As a college intern, I was not in the place to make this large purchase, but “Lou” informed me that after I bought the gift cards I would be fully reimbursed immediately. I still did not feel comfortable doing this, but “Lou” insisted and said I would be doing him a huge favor. He was putting me in a very tight spot which did not seem characteristic of him. Before heading out to secretly purchase them, I decided I should run it by one of my co-workers. He came over to my desk, to look at the email I had been sent, and he began laughing. I looked back at him, both confused and unamused. “What’s so funny!?” I said, to which he replied “Sarah, this is not Lou Usherwood- it’s a phishing scam.” I showed him the thread of messages and the signs of a phishing scam quickly began to reveal themselves. He pointed out that the email address did not match his usual company email address. That is when I realized I had fallen victim to my first phishing scam.

Lessons Learned

Although I was a victim of a phishing scam, the gift card scheme was both a minor incident and a thankfully unsuccessful attempt compared to what could have happened. Clicking on a link and beginning a ransomware attack or sending a wire fraud could have also easily been the outcome. It is extremely necessary to take precautions and become more educated in how to identify and avoid a phishing attack. Training your entire workforce, everyone from a summer intern to the lifelong CEO, is imperative to protect your business. It must be top of mind all the time when opening emails. I know that personally this will not be a mistake I will ever make again, and I hope my story will help you or someone you know prevent harm due to a phishing attack.

For more information on how Usherwood can help train your users in cybersecurity risks, reach out today!