Last week I received what appeared to be a legitimate email from a woman at LinkedIn who was inviting me to join ProFinder, a pilot program for freelance writers.
Here's the message I received:
It looks authentic, but I've had a lot of conversations with security professionals, so my guard is up. I'm suspicious, and I've learned to trust but validate. Before I clicked, I went to LinkedIn and searched the sender. She's real. Why didn't she contact me on LinkedIn? I thought.
Still not feeling certain that I could trust the sender, I did a search for ProFinder, and it is indeed a pilot program run by LinkedIn. But I didn't feel right. The fact that the message was delivered directly to my Gmail account without having also gone through my LinkedIn mail was not sitting well with me.
So, I hovered my mouse over the link and noticed that rather than forwarding me to www.linkedin.com, there was a little letter 'e' added into the URL.
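As an added example (not code from the article), here is the check the author did by eye, written out in Python: the hostname is read from the link's real target, compared against the domain the message claims to come from, and a near miss such as one inserted letter is flagged as a lookalike. The sample links are constructed for illustration; the article does not give the actual address in the email.

```python
from urllib.parse import urlparse

TRUSTED_DOMAIN = "linkedin.com"  # the domain the message claims to come from


def link_host(href):
    """Return the lowercase hostname a link actually points to, or None."""
    parsed = urlparse(href.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower()


def is_trusted_host(host, trusted=TRUSTED_DOMAIN):
    """True only for the trusted domain itself or a real subdomain of it."""
    return host == trusted or host.endswith("." + trusted)


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-letter lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, trusted=TRUSTED_DOMAIN):
    """Classify a link target as trusted, lookalike, untrusted or unparseable."""
    host = link_host(href)
    if host is None:
        return "unparseable"
    if is_trusted_host(host, trusted):
        return "trusted"
    # Compare only the registrable part (last two labels) with the trusted domain,
    # so "www.linkeedin.com" is judged by "linkeedin.com".
    base = ".".join(host.split(".")[-2:])
    if edit_distance(base, trusted) <= 2:
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample links; the second mimics the extra 'e' described above.
    for href in ("https://www.linkedin.com/profinder",
                 "https://www.linkeedin.com/profinder",
                 "https://linkedin.com.example.org/login",
                 "not a url"):
        print(f"{classify_link(href):12s} {href}")
```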
Ironically, I had just had a phone interview with Paul Carugati, information security professional, who spoke about his TED talk on Cyber Self Defense. One of the six strategies for cyber self defense that Paul teaches is "stop clicking."
Instead, I reported the message to LinkedIn as suspicious, and it turns out my gut was right. It took a couple of days, but I received this message in response to my concerns.
Carugati said, "It behooves us as an organization to make sure that our employees are trained at a proper level. It’s not just to provide for corporate but a personal benefit as well. Security follows them home and everywhere they go, from incident detection and response all the way to state sponsored espionage."
I have heard these cautionary words almost every day for the past year that I've worked for CSO. I was so proud of myself that I told my friend, who thought that I was being a little bit dramatic in my concerns. She brushed it off, until I received the message confirming that the email link contained malware. Then she was impressed.
I've eaten lunch in the cafeteria of my friend's work, and every table is decorated with a sign warning employees to be aware of phishing scams. This little 'e' didn't seem to alarm her, though.
"Employers should be continuing to advance their employees in cyber self defense and look for cyber security skill level as we bring them on," said Carugati. The signs on the lunch table don't mean much if I don't know or understand what a real threat looks like.
"I’m always going to invest more in the detection side than preventative—always," said Carugati. "No matter what level of diligence, there is always going to be something that gets through. Detect, respond, eradicate. Rely on employee base to identify as they are the first line of defense," he continued.
Like Carugati, I truly believe that teaching cyber self defense is a foundational pillar for a comprehensive cyber-security program at any organization. The tactics of criminals are far too sophisticated to rest on your laurels and posters. Training needs to be comprehensive, ongoing, and hands-on.
Trust but verify. Do not underestimate the power of your end users.
"We are always the first to shove off the effectiveness to do something good for the organization. As a security profession, technology is very good, process and policy is very good, but never underestimate the power and responsibilities your end users will be able to perform should you give them the resources they need. They will step up to protect the organization and will see the benefit of how these skills can transfer into their personal lives," said Carugati.
LinkedIn reached out to me after this blog went live to let me know that the message I received was a valid email and their trust and security team gave me incorrect information. A spokesperson wrote, “I apologize for the misunderstanding, but the ProFinder email your article details was, actually, sent from our ProFinder team and not, as you've posited, any type of phishing attempt…I apologize our Trust and Safety team incorrectly affirmed your concerns that this was spam. We have made sure that this type of mixup doesn't happen again and appreciate your feedback on the format of these emails.”
This article is published as part of the IDG Contributor Network.