A firsthand look at why user awareness training works
CSO was targeted by a phishing attempt late last week, but proper awareness training kept the site from falling victim to the attack
By Steve Ragan, Staff Writer
September 09, 2013
The editorial team at CSO recently had an unexpected lesson in Phishing attacks on Friday. We were fortunate, however, that our user awareness training paid off. Thus, we were spared the pain of dealing with a malware outbreak. Since there is a lesson to learn by sharing, here's an after-action report on the entire incident, including how our awareness training worked.
Part I: The Email
Fridays at the office are often somewhat slow. At CSO, most of the team spends Friday working on pre-planned news and research, or we're in briefings with vendors. Last week, though, Friday was different, because a Phishing email hit the inboxes of the CSO editorial team.
The CSO editorial staff (including Joan Goodchild, Grant Hatchimonji, and myself) received what appeared to be, at first glance anyway, a poorly written news pitch focused on a secure email.
"Protecting the privacy and security of client, company, and employee information is one of our highest priorities. That is why Fiserv has introduced the Fiserv Secure E-mail Message Center - a protected e-mail environment designed to keep sensitive and confidential information safe. In this new environment, Fiserv will be able to send e-mail messages that you retrieve on a secured encrypted file," the Phishing email stated.
It's important to note that such a pitch isn't abnormal. We get news pitches from contacts we know, and some we don't know, hourly. Also, a fair number of them contain obvious grammatical errors and mistakes, so the normal Phishing training doesn't kick in on these, because we're used to this, and usually just delete them.
However, this email stood out for a few reasons. For one, the tone was overly formal, and a pitch addressed to "Dear Business Associate:" is going to either be deleted or treated with skepticism. Another questionable aspect of the email was the addressees themselves.
The TO: field included the CSO editorial team and two other employees. One of them had an IDG email address and the other had a CXO address, which in itself isn't all that common. However, of those two additional employees, one had left their position in July, and the other never existed. The email was also addressed to three other CXO addresses that don't exist either.
Yet, reading the message further, it was clear that this wasn't a pitch. In fact, this was a Phishing email. Despite our sometimes overly heavy filtering, this message somehow managed to get past both the company's email gateway and Postini, our Anti-Spam service.
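The addressing red flags described above (a generic salutation, plus recipients who have left or never existed) can also be checked mechanically. The following Python sketch is an added example, not part of the original article or any CSO tooling; the directory sets, the `.example` addresses, the choice of which address is the departed one, and the scoring rule are all constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# All values below are constructed for illustration (reserved .example domains).
INTERNAL_DOMAINS = {"cso.example", "idg.example", "cxo.example"}
ACTIVE = {"editor1@cso.example", "editor2@cso.example", "editor3@cso.example"}
DEPARTED = {"former.staff@idg.example"}  # assumed: mailbox of someone who left
GENERIC_GREETINGS = {"dear business associate", "dear customer", "dear user"}

SAMPLE_TO = sorted(ACTIVE | DEPARTED) + [
    "ghost1@cxo.example", "ghost2@cxo.example",
    "ghost3@cxo.example", "ghost4@cxo.example",
]
SAMPLE = (
    "From: Secure Message Center <notify@sender.example>\n"
    "To: " + ", ".join(SAMPLE_TO) + "\n"
    "Subject: Secure E-mail Message Center\n"
    "\n"
    "Dear Business Associate:\n"
    "\n"
    "You have a new secure message waiting.\n"
)

def body_text(msg):
    """Return the first text/plain part, decoded, or an empty string."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return ""

def addressing_flags(raw):
    """Classify internal recipients and check for a generic salutation."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = {a.lower() for _, a in getaddresses(headers) if "@" in a}
    internal = {a for a in rcpts if a.rsplit("@", 1)[1] in INTERNAL_DOMAINS}
    valid = internal & ACTIVE
    departed = sorted(internal & DEPARTED)
    nonexistent = sorted(internal - ACTIVE - DEPARTED)
    lines = [l.strip() for l in body_text(msg).splitlines() if l.strip()]
    generic = bool(lines) and lines[0].rstrip(":,").lower() in GENERIC_GREETINGS
    bad = len(departed) + len(nonexistent)
    return {
        "valid": len(valid), "departed": departed, "nonexistent": nonexistent,
        "generic_greeting": generic,
        # Flag dead addresses that pair with a generic salutation or match/outnumber live ones.
        "suspicious": bad > 0 and (generic or bad >= len(valid)),
    }

if __name__ == "__main__":
    print(addressing_flags(SAMPLE))
```

A check like this supplements rather than replaces the human review the article describes; the directory data would have to come from the organization's own records.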