By: Tom Sheeley
So I got a weird email the other day…
… The weird part is, I'm the "IT guy" for the office, and I know I didn't send this.
Obviously, this is a "phishing" attempt and it should be immediately deleted… but, would you have done the same? Luckily, everyone here at VPG passed with flying colors when they got their own copy.
How do I know? Oh, I forgot to tell you, I was the one that sent it. Bwa-ha-ha.
Using the free tier of KnowBe4.com, I sent the above email to everyone in the office. After the dashboard on the site showed that it was sent… "I'll be back in 15 minutes, guys. I'm going on break." Little did they know what was waiting for them.
At first, there was a general panic.
You see, we had been hit with a "drive by" earlier in the year - one day we came in to find some of our files encrypted by the Locky ransomware cryptovirus. (A "drive by" is when you get a computer virus or other malware from an infected ad on a website… without actually clicking the ad.) In that case, the majority of the files affected were backed up on our cloud storage provided by Egnyte, so none of our advisors' documents were actually lost… they just needed to be restored to an earlier version, before the encryption.
So understandably, there was a reason to be concerned. But, after a second look at the email and a quick check-in with everyone, everything turned out to be fine... now they were going to use it against me as a prank.
Immediately after returning to the office, I'm told about this suspicious email we all received and that someone clicked the link without thinking and now we've been hacked and that Melanie is on the phone with Nate (our off-site internet security consultant) and it's the end of the world and the four horsemen are nigh and… and… and…
"So, someone clicked the link in the email?"
"YES! WEREN'T YOU LISTENING!?!"
"Uh huh. What did it say on the screen?"
"I DON'T KNOW! BUT WE'VE BEEN HACKED!"
"Uh huh. So no one ACTUALLY read what it said on the screen, you say?"
"NO, NO ONE READ IT! THEY JUST CLOSED THE WINDO... Hey, wait a second, why are you so calm about this?"
"Oh that's because it was a test to see if you guys would click links in random emails. I'm guessing that no one actually clicked it?"
"Well, no, of course not!" *clicks link*
"Good job, everyone! You passed!"
Important Safety Tips
- Never click links in random emails. Fake emails about your Amazon, Gmail and iCloud accounts are getting more "real" looking all the time. If you really want to check… open a fresh tab in your favorite browser and try going to the site directly. If there really is a problem with your account, you'll know as soon as you try to log in.
- If you are going to click a link in an email, check the bottom of the screen as you put your mouse over the link. You should see the actual link appear somewhere… amazon.com and amazon.myhackerwebsite.com are two VERY different sites. Be sure you know what you are clicking on.
- Don't click random ads on the Internet that make promises to speed up or clean your computer. 99% of these things are junk programs that use fear and lingo to make you think they do something useful, when in fact they are trying, at best, to up-sell you more junk, or at worst to give hackers an open door to your data.
- Microsoft and Apple will NEVER call you out of the blue to say they "detected a problem with your computer" and need to remote into it in order to fix the issue. They don't have that ability; hang up the phone immediately. (We actually got one of these calls once too.)
- Read reviews of new apps before you install them to your various devices. Be on the lookout for tons of 5 star ratings but no actual written review or just a generic "Great app!" for the review… it could be a trap.
- Be sure the level of permissions for an app makes sense for what it's supposed to do. There is no reason the "Ad-free Super Duper Flashlight 5000" needs access to your contact list and the ability to send texts.
- Most of all, just use common sense… if it sounds too good to be true, it probably is.
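The hover check from the tips above, as an added example that is not part of the original post: a small Python script that pulls out the host a link really goes to (the same thing your browser shows at the bottom of the screen) and compares it against the site you expect. The sample links are constructed for illustration and are not from the email in the post; the `trusted_site` value is whatever site the email claims to be about.

```python
from urllib.parse import urlsplit

# Constructed (shown text, actual target) pairs of the kind the hover check reveals.
# None of these come from the post; they illustrate the usual look-alike tricks.
SAMPLE_LINKS = [
    ("https://www.amazon.com/your-account", "https://www.amazon.com/your-account"),
    ("https://www.amazon.com/your-account", "http://amazon.myhackerwebsite.com/login"),
    ("https://www.amazon.com/your-account", "https://amazon.com.account-verify.example/login"),
    ("https://www.amazon.com/your-account", "https://amazon.com@198.51.100.7/login"),
    ("https://www.amazon.com/your-account", "https://smile.amazon.com/gp/help"),
]


def real_host(url: str) -> str:
    """Return the host name a browser will actually connect to for this URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # .hostname drops any "user@" prefix and any ":port", so a link written as
    # "https://amazon.com@198.51.100.7/" correctly comes back as 198.51.100.7.
    return (parts.hostname or "").lower().rstrip(".")


def belongs_to(host: str, site: str) -> bool:
    """True only if host is the site itself or a real subdomain of it.

    smile.amazon.com -> amazon.com is fine; amazon.myhackerwebsite.com is not,
    and neither is amazon.com.account-verify.example (the trusted name is in
    the middle, not at the end, so it is someone else's domain).
    """
    site = site.lower()
    return host == site or host.endswith("." + site)


def check_link(shown: str, actual: str, trusted_site: str) -> tuple:
    """Compare where a link says it goes with where it really goes.

    Returns (actual_host, verdict) where verdict is "ok" or "MISMATCH".
    """
    host = real_host(actual)
    verdict = "ok" if belongs_to(host, trusted_site) else "MISMATCH"
    return host, verdict


def audit_links(links, trusted_site: str) -> list:
    """Run the hover check over a list of (shown, actual) pairs."""
    return [check_link(shown, actual, trusted_site) for shown, actual in links]


if __name__ == "__main__":
    for (shown, actual), (host, verdict) in zip(SAMPLE_LINKS, audit_links(SAMPLE_LINKS, "amazon.com")):
        print(f"{verdict:8} shown as {shown}  really goes to {host}")
```

The important design point is that the check looks at the *end* of the host name, not at whether the trusted name appears anywhere in the link: "amazon.com" appears in four of the five sample targets, but only two of them actually belong to amazon.com.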