Confessions of a Phish Victim
No surprises here. I operate in cyber security. And I’m pretty passionate about it. So much so that I spend a fair amount of time talking about it here and elsewhere.
I dutifully complete my assigned quarterly security awareness training (go KnowBe4!!). I report suspicious emails. I watch the news and listen intently whenever there are reports of a breach. I’ve never fallen victim to one of my company’s savvy engineers’ phishing attempts (and oh boy, can they be creative!). We have a family password vault, a super locked down and secure home network, and I just walked my 75-year-old dad through the process of enabling MFA wherever possible on his phone (that was a fun exercise).
Up until this morning, I was feeling pretty great about doing my part. I’m a good soldier, darn it!
Until I wasn’t.
This morning, I opened, and then responded to (copying others) what appeared initially to me to be a legit email from a colleague with an HR-related question. I don’t do People and Culture any longer for S3, but was happy to get him in touch with someone who could help. Admittedly, I was in a rush. I’d just finished a workout, had about 10 minutes to shower and get prepped for a call, and wasn’t paying attention.
And, just like that, I became a victim.
Here’s the thing: you can be the most educated, most savvy, most careful cyber soldier, and you can still make a mistake.
Fortunately, my unintentional mischief is managed. I reported the incident immediately to our CTO, who investigated. The phish contained no attachments, no links, no traces of anything harmful. It is now contained, causing no harm (except to my pride).
We’ve talked extensively about cybersecurity, about educating yourselves, about companies’ responsibility to keep their people informed this month. The irony of me falling victim as we’re nearing the end of Cybersecurity Awareness Month is not lost on me. Or my colleagues. They will definitely tease me about this for the foreseeable future. And I welcome the jabs… hopefully they’ll keep me from making the same mistake again when the stakes are higher.
This is my cautionary tale to you. Remember to think twice before clicking. Pay attention to the warning message that an email is from an external source. SLOW DOWN! So often we have good intentions, but in our rush to respond, we get sloppy. I did today. I’m just happy it did no harm.
Take it from this Self-Professed Cyber Nerd Turned Phish Victim, this feeling isn’t great. I’m choosing to channel it into increased caution and vigilance. Acting immediately to contain a mistake is crucial.
Companies, organizations, people, schools, governments, take note! The more we can do to remind people of their responsibility to be good cyber soldiers, the more enabled we are to prevent incidents.
Remember: it only takes being wrong once to cause big problems.
P.S. Thank you to @Paul Kohler, our CTO, for being kind about my mistake and ensuring we were well-protected.