The Intern That Fell for the Phishing Scam
It was me. I am writing from the perspective of an intern who fell for a phishing scam, which is a type of social engineering attack, despite having gone through copious amounts of cybersecurity training.
I will be sharing my thoughts and experiences on this timely issue in the hope that it will help deter you from making the same mistake.
What is Phishing?
Phishing, also called credential phishing, is a method hackers use to harvest a person's credentials and personal information through deceptive emails and websites. The hacker sends an email that appears to come from someone at a reputable company or from a familiar contact.
The email usually contains a request, or a link to a site the hacker has built to look like a legitimate website, so that you will click on it. The fake website then asks you to “log in” or provide personal information.
The login credentials and personal information are captured, and the hacker can use them to gain access to your company's servers, resources, applications, and more.
Phishing Emails are On the Rise
Phishing scams are becoming increasingly prevalent, especially during the Covid-19 pandemic. Attacks have increased significantly as more people work remotely. Being the victim of a phishing attack is nothing to be embarrassed about.
As technology advances and hackers get more skilled at sending personalized emails, phishing is getting harder and harder to recognize. Even the most secure companies cannot block all phishing attempts without risking blocking real business email.
For this reason, it is important to spread awareness about different phishing experiences people have had, including my own.
Before I get into my story, I will point out that I was trained to look for the red flags of phishing attacks and how to avoid getting scammed, both in the past and during my internship onboarding. With that being said, I still found myself in a predicament that so many had tried to help me avoid.
The Time I Fell for a Phishing Scam
Last summer, while working as an intern, I had my first phishing scare. About one month into my internship, I went into the office, checked my computer, and saw an email from my company's CEO.
This is not typical, so I should have been a little suspicious, but coincidentally I had just met the CEO for the first time the day before when he visited our Boston office. For this reason, I thought it made sense that he might be reaching out to ask me for a favor.
In the email “Lou,” our CEO, asked me to purchase several gift cards with which he would be surprising the sales team in the afternoon. He asked that I not tell anyone so that it could remain a surprise. As a college intern, I was not in a position to make this large purchase, but “Lou” informed me that after I bought the gift cards I would be fully reimbursed immediately.
I still did not feel comfortable doing this, but “Lou” insisted and said I would be doing him a huge favor. He was putting me in a very tight spot which did not seem characteristic of him. Before heading out to secretly purchase them, I decided I should run it by one of my co-workers.
He came over to my desk to look at the email I had been sent, and he began laughing. I looked back at him, both confused and unamused. “What's so funny!?” I said, to which he replied, “Sarah, this is not Lou Usherwood; it's a phishing scam.” I showed him the thread of messages and the signs of a phishing scam quickly began to reveal themselves.
He pointed out that the email address did not match his usual company email address. That is when I realized I had fallen victim to my first phishing scam.
Lessons Learned
Although I was a victim of a phishing scam, the gift card scheme was a minor incident, and thankfully an unsuccessful one, compared to what could have happened.
Clicking a link that starts a ransomware attack, or wiring money to a fraudster, could just as easily have been the outcome. It is essential to take precautions and become better educated in how to identify and avoid a phishing attack.
Training your entire workforce using professionally developed phishing awareness courses is crucial to your cybersecurity strategy. Everyone from a summer intern to the lifelong CEO should be required to take these phishing trainings, as anyone can become a victim.
Risk and mitigation of phishing attacks must be top of mind all the time when employees open emails. I hope my story will help you or someone you know prevent harm due to a phishing attack.
How to Implement Phishing Tests for Employees
Outsourced IT services are great resources that will offer recommended controls and protocols for phishing attacks. Some of the biggest red flags to look for are captured in the acronym S.L.A.M.: Sender, Links, Attachments, and Message. Read more about these signs in our blog: SLAM Dunk Your Email Security with These 4 Rules to Live By.
Updated training modules, tests, and other phishing attack tools can help prevent phishing attacks from becoming successful. Phishing prevention starts at the top, so make sure to educate your leadership on types of attacks targeting high-ranking personnel (whaling attacks or spear phishing). Awareness and education are your first line of defense against cyber attackers.
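As an added example, not code from the original post or from any vendor it mentions, the Python script below applies the four S.L.A.M. checks to a raw email: Sender (display name of a known executive paired with an outside address, or a mismatched Reply-To), Links (link text that shows one host while the href points to another), Attachments (risky file types), and Message (gift card, secrecy, and pressure phrases). The company domain (example.com), the executive directory, the phrase list, and both sample messages are constructed assumptions; the first sample is modeled on the gift-card request in the story above.

```python
"""S.L.A.M. red-flag checker for one inbound message (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions: the organization's own domain and a directory of executives
# whose display names are worth impersonating (addresses are hypothetical).
COMPANY_DOMAIN = "example.com"
EXEC_DIRECTORY = {"lou usherwood": "lou@example.com"}

# Illustrative phrases typical of gift-card fraud and of pressure/secrecy tactics.
SUSPICIOUS_PHRASES = ["gift card", "keep this between us", "don't tell anyone",
                      "do not tell anyone", "urgent", "asap", "reimburse", "wire transfer"]
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".html", ".zip", ".iso")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)


def _is_company_host(host):
    return host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)


def check_sender(msg):
    """S: known executive name on an outside address, external domain, or odd Reply-To."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    known = EXEC_DIRECTORY.get(display.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"S: display name '{display}' is a known executive but address is {addr}, not {known}")
    elif domain and not _is_company_host(domain):
        findings.append(f"S: external sender domain '{domain}'")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"S: Reply-To '{reply_to}' differs from From address")
    return findings


def check_links(body):
    """L: visible link text pointing at a different host than the real href."""
    findings = []
    for href, text in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        shown = URL_RE.search(text)
        shown_host = (urlparse(shown.group(0)).hostname or "").lower() if shown else ""
        if shown and shown_host != host:
            findings.append(f"L: link text shows {shown_host} but points to {host}")
        elif host and not _is_company_host(host):
            findings.append(f"L: link to external host {host}")
    return findings


def check_attachments(msg):
    """A: attachments with file types commonly used to deliver malware."""
    return [f"A: risky attachment '{part.get_filename()}'"
            for part in msg.walk()
            if part.get_filename() and part.get_filename().lower().endswith(RISKY_EXTENSIONS)]


def check_message(body):
    """M: fraud and pressure phrases in the text, HTML tags stripped first."""
    text = re.sub(r"<[^>]+>", " ", body).lower()
    return [f"M: pressure/fraud phrase '{p}'" for p in SUSPICIOUS_PHRASES if p in text]


def get_body(msg):
    """Concatenate the text/plain and text/html parts as decoded text."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in parts if part.get_content_type() in ("text/plain", "text/html"))


def slam_check(raw_message):
    """Run all four checks and return the list of findings (empty means no red flags)."""
    msg = message_from_string(raw_message)
    body = get_body(msg)
    return check_sender(msg) + check_links(body) + check_attachments(msg) + check_message(body)


# Constructed sample modeled on the CEO gift-card request in the story.
SAMPLE_PHISH = """\
From: Lou Usherwood <lou.usherwood@ceo-mail-example.net>
Reply-To: lou.usherwood@ceo-mail-example.net
To: sarah@example.com
Subject: Quick favor
Content-Type: text/html; charset=utf-8

<p>Sarah, I need you to purchase several gift cards for the sales team this afternoon.
Please don't tell anyone so it stays a surprise. I will reimburse you immediately.</p>
<p>Send the codes here: <a href="http://example.com.secure-login-example.net/x">http://example.com/reimburse</a></p>
"""

# Constructed benign sample from the real executive address, for contrast.
SAMPLE_CLEAN = """\
From: Lou Usherwood <lou@example.com>
To: sarah@example.com
Subject: Thanks

Thanks for joining the Boston office visit yesterday.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, slam_check(raw) or ["no red flags"])
```

Run against the constructed phish sample it reports one Sender finding (a known executive's name on a non-company address), one Links finding (link text showing example.com while the href points elsewhere), and three Message findings; the benign sample reports nothing. A checker like this belongs in a mail gateway or a report-a-phish triage step, not as a substitute for the human judgment the story relies on.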
If you're interested in stepping up your cybersecurity game with an experienced security team, click the button below to explore the possibilities.