This is a true story. We have paraphrased and changed the names to protect the victims.
Tom and one of his contacts, Sally, were exchanging email proposals to work together. Tom received an email from Sally asking him to open a proposal, with a link attached in the email.
He thought the email didn’t look quite right so he did not open the link (good thinking, Tom!). Instead, he emailed Sally, “Hi Sally, just double checking that you sent the proposal this morning with a link in the email.” Sally replied that, yes, the email was legitimate, and Tom should click the link to see the proposal. Thinking he had done due diligence by checking with Sally, Tom opened the email and clicked on the link. In order to open the proposal, he was prompted to enter his email password (phishy, right?).
Unfortunately, the attached link was malicious; it was an attempt to gain access to Tom’s email account and spread the attack to his contacts.
How did this happen?
Sally’s machine and/or email was already compromised when the first phishing email was sent from her account. It then sent an automated second email saying that the original email was legitimate and that Tom should open it. In this case, the phishing scam went beyond impersonating Sally in one email; it also included an automated way to reply to the victim. The likelihood that Tom would open the malicious link skyrocketed after he emailed Sally for a second time and heard that, yes, the email was legitimate. With this level of sophistication, phishing emails are increasingly harder to spot and avoid. Even if you are expecting a document or link from a contact, you are not 100% safe. Even if your contact tells you via email that it’s okay to open, you are still not 100% safe.
What do I do?
- When in doubt, pick up the phone. Call your colleague to avoid dangerous mishaps. Combining in-person meetings with phone conversations and email creates a trustworthy flow of communication that is less easily targeted by phishing scams.
- If you ever open or click on something you feel you shouldn’t have, or if your computer starts acting funny, notify your service provider or IT department immediately.
- Malicious code can cause exponential damage when left unreported. No matter how foolish you feel for clicking on a phishing email, report it right away.