This Well-Trained User Caught a Phish

As security professionals, we often view our users as a potential liability. I have plenty of first-hand experience that confirms the trope myself. But what if users could become a strength instead of a chronic risk?

Meet Linda the human firewall.

Let me tell you about a PhishMe® customer. To preserve her anonymity, we’ll call her Linda. She works in her company’s accounting department.

Linda recently received an email which, at first glance, it didn’t look out of the ordinary.  Like many in financial positions, she gets lots of requests to sign documents.

Linda received this message and recognized the sender, who we’ll call Bob. Bob is the VP of Sales for a vendor Linda’s company works with.  She didn’t expect anything from Bob and had no reason to be suspicious. However, Linda was very cautious. In fact, not long before receiving this email, she had mistakenly clicked on a link in a simulated phishing email, part of her company’s ongoing training using PhishMe Simulator®.

These extra steps helped to prevent a breach.

She looked at the target of the hyperlink and noticed the domain in the URL was not the domain of the document signing service, or the sender.

Linda sent an email back to Bob asking him if he sent the message. Bob responded by urging her to open the link, but used poor grammar. Aha! Linda immediately recognized she wasn’t really speaking to Bob.  She hit the PhishMe Reporter® button on her email toolbar to send the emails to her company’s incident response team.

The link in the message came from an attacker and would have directed Linda to a phishing site designed to harvest her email credentials. If an attacker were to obtain these, he could execute further attacks masquerading as Linda. This is what is called a ‘Man-In-The-Mailbox’ attack—one that exploits the inherent trust between Linda and those people with whom she routinely does business.

Your users can be a source of strength.

Examining the proxy logs, the IT team was able to identify other users in the organization who had received the email and clicked on the link. Thus, the company was able to stop a potential breach before it happened, all because Linda chose to hit the Reporter button.  All of the security controls the company had in place meant nothing when the email came from a compromised, and trusted, vendor account.

This is a powerful example of how users not only pose a risk but can help to identify and contain breaches, before they actually happen. All it takes is ongoing training and a simple way to report phishing.

For more success stories, view PhishMe’s case studies.

PhishMe Clients Are Reporting Ransomware Emails. Are You?
PhishMe Simulator is Selected as a SC Media 2018 Professional Award Finalist for Best IT Security-related Training Program

Leave a Reply