I can’t be phished. At least that’s what I used to believe.
I’m a 33-year computer security professional. I’ve written 12 books and over 1,000 magazine articles on computer security. Because of that, I’m a constant target for real phishing attempts and other hacker attacks. I recognize and defeat at least two or three phishing scams a day. Many days, the number of attempts is higher than that. I have been on a high level of alertness for phishing scams for decades. I watch my “six,” in military vernacular. I work for a company whose reason for existence is to help everyone recognize and defeat social engineering and phishing. I am exposed to the latest phishing scams every day. I’d put myself on the low end of gullible and high on the scale of street smarts. There aren’t many scams I haven’t heard of.
I’ve long believed that I can’t be phished.
Turns out, it isn’t true. I’ve been living with a false heightened sense of preparedness. To make matters worse, I’ve been phished a handful of times over the last three years. The only good thing I can think of is that I think they’ve all been friendly simulated phishing attacks. At least I hope so.
I’ve also long believed that one of the best things any organization can do is to have their own highly respected and trusted people share when they’ve been a victim of a real or simulated phish. It helps to show that even the brightest and supposedly savviest can fall victim, too. I’m here to take my penance. But instead of saying my Hail Marys, I’m sharing my shame. Let me explain.
I knew coming to KnowBe4 three years ago that I would be more frequently tested by simulated phishing tests. And it is true. I’m sure KnowBe4 employees are among the most frequently tested employees in the world. It would be strange if we were not. We not only want our employees to be frequently tested, we are also truly, constantly worried about successful real world attacks. The computer security world is full of well-known companies that were successfully phished, got hacked, and ended up in the news. It can happen to any organization, no matter how good you are at computer security and anti-phishing education; but we are trying our best to lower our odds.
My First Fail
I think I was working only a day or two when I fell for my first simulated phish. It came from my boss, the CEO. The email contained a news article relating to a computer survey which purportedly revealed that unpatched software was the number one reason for malicious data breaches. I had recently written what I consider to be my magnum opus, A Data-Driven Computer Defense. One of the core facts it teaches is that right now, in this particular period of time, social engineering is responsible for the vast majority of malicious data breaches. In fact, it is involved in 70% to 90% of all breaches. Unpatched software is second, involved in 20% to 40% of all breaches. No other computer security attack method comes close. And social engineering and unpatched software have been the top two attack methods for most of computer history.
This email from my CEO to all KnowBe4 staff claiming that a survey had proven that unpatched software was the number one threat really got my righteous indignation up. I mean I had spent ten years of research proving that social engineering was the number one problem. The email ended with a sentence saying something along the lines of “If you want to see the data behind this survey, click HERE”. I could not click it fast enough to see what bad data or survey methods were used to create this falsehood that some idiot, biased organization was trying to spread. Boom! I clicked the link and was introduced to my first “You’ve been phished” pop-up message.
You’ve got to love KnowBe4’s software. When you click on a simulated phishing message, we immediately tell you that you’re wrong, and then we immediately show you the “red flags of social engineering” that any recipient should have seen and been able to use to determine that the email they thought was real was in fact a (simulated) phish. I have to admit, the immediate feedback and education is pretty awesome.
OK, lesson learned. If appropriately motivated on a subject they care about, anyone can fall for a phish. Even me. But you won’t get me to fall for the same trap twice. I’m bitten and warned. I can’t be phished again.
My Second Fail
My second fail was over a year later and I really have no excuse. It was a regular, not overly sophisticated fake patch notification. I’m one of the rare people in my company who use Microsoft Windows. Rightly or wrongly, Windows computers are seen as high risk. On top of that, many of the young kids want to use other platforms. I’m a huge defender of Windows, but this particular Patch Tuesday, I was anxious because Microsoft and the media had announced there was a big, active zero day that was now patched and that patch needed to be immediately applied.
An email arrived in my inbox from our internal IT team, including a notification of the needed patch, asking me to apply it immediately, and they provided a download link. Bam! I was duped again. This time, I had no excuse. The email arrived from an unusual email address that was not our IT team’s normal, internal email address. There were all sorts of other red flags that I should have noticed, including that the URL link had the words, “Do not click this link, this is a phishing test”. I had no excuse. I was in a hurry, I was expecting the patch and excited my IT team was proactively on it, and the only thing in my mind was “Hurry up and apply this patch and reboot so you can get on with your real work!”
My lesson learned that time around was that being in a hurry can bite you. Whenever you’re asked to click on a link or download software, no matter how busy you are, recognize it for the high-risk event it is, and check it out first. We have a brand mantra you may have heard of before: “STOP. THINK BEFORE YOU CLICK.” It really began to resonate with me in a way that it had not before.
My Third Fail
The third fake phish I fell for was from a well-meaning, often humorous friend on Spiceworks, a super helpful computer forum. If you’re computer-minded and are often looking for answers that the standard channels cannot answer, Spiceworks is a great place to hang out.
I was discussing an upcoming anti-phishing conference with a group of online friends when the guy I like the most on the forum posted a reply that said “Click here to see a list of people who have fallen to my simulated phishing attempts and to learn what fake phishing message they fell for.” You can see where this is going. I clicked on the link. It was a simulated phish. I was the victim.
To be honest, I didn’t kick myself too much. It was a trusted friend in a trusted forum, and it didn’t have the normal red flags that I would look for. At least that’s what I thought at first. It took me weeks to realize that it’s exactly the type of phish that would occur in the real world. How many sophisticated phishes start out with someone’s account being taken over by a phisher, then used in a way that would not be overly suspected by most of that person’s trusted relationships? I realized that’s exactly what a real phisher would do. Instead of taking it lightly, I needed to take it for the serious warning that it was. I was only lucky that it wasn’t a real phish.
My Latest Shame
I’m sure that, like in your organization, the subject of COVID-19 is a key topic of discussion each week. Like most organizations, we now have a higher than normal number of remote workers. We constantly talk about and teach the heightened risks of people working from home. We constantly talk about and teach about the super high increase in phishing overall and how much of it is related to COVID-19 topics. Our CEO has spent recent weeks sharing his belief that the coming COVID-19 vaccines were certainly going to be a hot phishing topic throughout the world. He has said this multiple times over the last few weeks and told us to be aware. “Yeah, no brainer, I thought! You don’t have to tell us this. It’s what we do for a living. Of course, COVID-19 vaccines will be a big, successful phishing draw! Why does this guy waste our time?”
I think it was probably less than two hours later that I was once again fooled by a simulated phishing scam. The topic? COVID-19 vaccines.
This time it arrived from HR (and was co-branded by our insurance company) telling us that no one could return to the office without a COVID-19 vaccine and that we could sign up for a vaccine as soon as January 1st. It included a link to sign up for vaccines. I was aghast. Even though the U.S. is getting its first publicly released COVID-19 vaccines underway, it will likely be many months, probably March or later, before most of us get a vaccine. I was acutely aware that the U.S., despite all its political rhetoric and news, is only 32nd in purchased COVID-19 vaccines per capita. The first 50 million doses are likely to go to the elderly, healthcare workers, front-line workers, and other high-risk people. I’m fairly confident I will not be in the first rounds of getting the vaccine even though I definitely want to be. Like many people, I’m beyond tired of self-isolating, wearing masks, and basically changing my life in multiple ways to avoid getting infected.
To be honest, I was a bit angry with the announcement. How could HR think that it was even a possibility to get signed up for a COVID-19 vaccine January 1st? They are crazy! I wanted to click open the schedule to see how far out the dates were from January 1st already from other people jumping on the email link faster than I did. I wanted to get signed up for the earliest possible date. And the entire time I’m thinking, “Who do they think they are, falsely getting our hopes up that we’ll even possibly get a vaccine as early as January 1st when it is likely to be March or later? Well, I’ll get signed up as early as possible so that when the vaccine does become available to regular people, I’ll be high on the list. Hey, I wonder if HR and the insurance company will let my wife get signed up, too?”
It was with all these thoughts rushing through my head that I clicked on the included link. It went to a multi-factor authentication (MFA) login page that I’m used to seeing, but I was wondering why it was prompting me to sign on again. I had just logged in successfully, and usually that means I don’t have to sign in for every new session for at least a few minutes. But not this time.
“Sometimes I hate technology.”
I opened my password manager and clicked on the link that gets me through the first part of the login before I have to provide my MFA links. It didn’t work.
“Damn password manager! Why aren’t you working?”
I looked up the information I needed, including a very long and complex password, and manually typed it in. I put in my MFA credentials when requested. “It’s not working. I hate technology.”
I got distracted by other work. A few minutes later, I went back to my login session and I saw a video clip playing from the queen’s exit on Game of Thrones, and the audio was from the crowds of her dissatisfied subjects saying, “Shame! Shame!”
Shame. Shame. Indeed. It took me a few seconds to realize what had happened and then it hit me like a ton of bricks. I had been again fooled by a simulated phishing email; this time using the topic that our CEO said, over and over, to be prepared for. The email was full of red flags. The email sending address was not the normal one. The URL link literally said, “This is a phishing link.” The insurance brand’s name was misspelled in the email in a way that you just know would not happen in an email from the real insurance company. Worst of all, there was a paragraph of small text included at the bottom of the email, below the link, that literally said “This is a fake phishing email. You should not click on it.” But in all my indignation at the incorrect information on the vaccine, I had been duped. I had been duped despite being one of the best trained people in the world on this subject. I had been fooled despite my CEO warning us for weeks to be aware of COVID-19 vaccine scams.
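The red flags listed above (a sender address that is not the normal internal one, a link that points off to an unexpected host and even names itself as a phishing test, a misspelled brand name, and a disclaimer buried in the footer) can be checked mechanically before anyone clicks. The triage script below is an added example, not code from this post or from KnowBe4’s product; the internal domain, trusted link hosts, brand name and the sample email are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions (not from the post): the organisation's mail domain, the hosts
# its HR/IT tooling legitimately links to, and the insurer's correct name.
INTERNAL_DOMAIN = "example.com"
TRUSTED_LINK_HOSTS = {"hr.example.com", "patches.example.com"}
KNOWN_BRANDS = {"Acme Insurance"}

# Constructed sample modelled on the HR/insurance vaccine phish in the post.
SAMPLE_EMAIL = """\
From: HR Team <hr-notices@example-benefits.net>
To: staff@example.com
Subject: COVID-19 vaccine sign-up opens January 1st

Sign up here: https://login.example-benefits.net/signin?note=this-is-a-phishing-test
Brought to you by Acme Insurence.

This is a simulated phishing email. Do not click the link.
"""


def red_flags(raw_message):
    """Return a list of human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    flags = []
    # 1. Sender domain: HR/IT mail should come from the internal domain.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != INTERNAL_DOMAIN:
        flags.append(f"sender domain {domain!r} is not the internal domain")
    body = msg.get_payload()
    # 2. Links: unexpected host, or a URL that literally announces the test.
    for url in re.findall(r"https?://\S+", body):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_LINK_HOSTS:
            flags.append(f"link host {host!r} is not a trusted host")
        if re.search(r"phish", url, re.I):
            flags.append(f"link itself mentions phishing: {url}")
    # 3. Brand name: first word present but the exact brand absent => misspelling.
    for brand in KNOWN_BRANDS:
        if brand.split()[0] in body and brand not in body:
            flags.append(f"brand {brand!r} appears misspelled")
    # 4. Footer disclaimer that says outright this is a simulated phish.
    if re.search(r"(simulated|fake) phishing|phishing test", body, re.I):
        flags.append("body contains a phishing-test disclaimer")
    return flags


if __name__ == "__main__":
    for flag in red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```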
Shame. Shame. I have no false dignity left. I am a person who can fall for real phishing scams. It took a few years. It took a few failures. But the truth is that if I’m appropriately motivated using issues I personally care about, I can be fooled.
I was also amazed with the automation and efficiency of how our system responded. I was sent emails telling me that I had failed a simulated phishing test. I was sent an email telling me that I had provided login credentials. I had been sent an email saying I had provided my MFA credentials to a fake website. I was sent a separate email telling me to take some additional, related education, including written information to read and several videos. I had to take a few quizzes to make sure I understood the information.
The head security officer at our company, a friend, reached out to me, and told me of my multiple failures. He said I had to change my login information now. I could tell he knew my personal embarrassment. He was very gentle and congratulated me on using very long and complex passwords for my login credentials.
I was especially intrigued that I had to update my password when my password was only compromised on fake, controlled websites that we owned. But then I realized the efficacy of that requirement. They realized that if I had been fooled by a fake phishing login site, who is to say I wasn’t fooled by a real phishing attempt? The company can’t take the risk and I was forced to update my password…again…even if it had only been a few weeks since my last password change.
I’m sharing this to say that not only did I have a false belief in myself that I could not be phished, but any attempt on my part to believe otherwise is just false bluster. I’m appropriately humbled.
With that said, I don’t think, or at least know of, any time I’ve ever been successfully fooled by a real phish. My login information hasn’t appeared on any password dump site due to something I’ve done. Any time my login information has appeared on a known dump site, it was because a website was compromised. And the compromised websites have often included big names: Adobe, Facebook, Twitter, etc. But I’ve never experienced a compromise or account takeover event. So, as far as I know, I haven’t been successfully phished.
But who knows? The simulated phishing tests sent to me by my organization have proven that I am phishable! Despite my best efforts, I can be phished! It is with this in mind that I’m re-dedicating myself to trying to ensure that I never get phished by a real phish. I will STOP. THINK BEFORE I CLICK.
Immediately after falling for the simulated phish, I was sent three real phishes. All three were fairly sophisticated. And I spotted them easily. I am grateful for the simulated phishing emails that I’m getting because they make me hyper aware of not only the latest subjects and techniques used by real phishers, but they also teach me that I’m phishable. I’m not infallible. And if you think you can’t be phished, you’re more likely to fall for a real phish. If there is a silver lining to my failure, it is that I know I’m phishable, and I’m trying to act accordingly.
I wonder if there are any others out there who think they are un-phishable, like I used to think.