I actually clicked a link.
At work, no less. Not good.
So the place I’m working right now (I’m a contractor, which makes it worse), I’ve been there a while, and have established a reputation.
A reputation for being assigned the tough, technical audits.
A reputation for finding things that other auditors have missed.
A reputation for understanding IT, security, and risk, and being persistent.
And thankfully, a reputation for being fair, shooting straight, being teachable, and never surprising my auditees with findings they didn’t know about and haven’t had a chance to comment on.
So you can imagine what happened when I did the unthinkable.
It was payback time, and I had it coming. Oh no!
I was in the middle of an email audit. I had been given access to an employee’s mailbox, where I downloaded all her mail to a PST file.
Then I attached that PST file to my own mailbox so I could start my audit.
That’s when it happened…I received an email saying that my email account was full, and I had run out of space. I could receive mail, but could not send any until I either got my mailbox under the limit or requested a higher limit.
I didn’t have that much email in my mailbox, so the addition of the other mail file was the culprit.
In a panic, I clicked the link in the email to request a larger mailbox.
When I saw the webpage that the link opened, my panic increased!
It was a phishing email and I’d been had!
The webpage said “Ha Ha Ha! You clicked a phishing link, and you’ve been tricked!” and all kinds of evil symbols and laughing faces danced all over it.
I just stared at the page in disbelief.
After a couple seconds, the page changed, and said, “Fortunately for you and your company, this email was sent by the company security team. Had this been a real phishing email, who knows what would have happened.”
“You’ve been lucky,” the email continued, “but you must complete the company security school awareness training. You will receive a separate email later today from the security team, and you must complete the training within 7 days.”
I was embarrassed and thankful at the same time. Embarrassed that I’d fallen for such a scam, and thankful it wasn’t the real thing.
I thought about all the security folks who’d get a good laugh that they caught ol’ Mack being stupid. I wondered how many times I’d hear about this in the near future when I presented my audit findings for the latest audit.
So what happened? How could the guy who runs an audit and security blog fall for such a ruse?
I’m not excusing myself at all, but here’s what I came up with:
- I am human and prone to mistakes. Making mistakes is easier than making the right choice each time. The fact that I consult with others on security and risk issues, and have for many years, and know better, doesn’t make me less vulnerable to being human. Regardless of what I know, each action requires a decision. When I don’t rely on my knowledge when I make a decision, I am liable to make stupid choices. That’s what happened. All my fault.
- It was a coincidence that I received a false email about mailbox space right after I attached a PST file to my mailbox. Because this email seemed* to apply to my current situation, my brain disengaged, and I acted anyway.
- I had received many fake emails from the security team in the past (I’m sure they targeted me for the reasons I noted above). I had not fallen for any of them. I was too smart for them! (uh, that’s called pride, folks, and pride goes before a fall (Proverbs 16:18)). Ouch.
*Although it seemed to apply to my current situation, it actually did not, and that made me more angry at myself than anything. I knew better. I used to manage a couple of Exchange email servers way back, and PST files do not count toward your mailbox size. They are separate files altogether, and at this company, were stored on your hard drive, not in your email box. Had I checked my mailbox space against the limit, I would have seen I wasn’t over. And I didn’t mention the email was from Email.org, which was obviously not from my company. ARRG!
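The two checks the footnote above describes (is the sender actually from my company, and does the link go somewhere my company controls) are the kind of thing a mail filter or a careful reader can do mechanically. The following is an added example, not code from the original post or from the author's employer: it parses a constructed "mailbox full" lure and a constructed legitimate reminder, compares the sender and link hosts against an assumed company domain (`example.com`), and reports the mismatches. All addresses and URLs in it are invented placeholders.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of the lure described in the post. The sender domain
# and link host are invented placeholders, not real addresses.
PHISH_SAMPLE = """\
From: IT Helpdesk <quota-admin@email-placeholder.org>
To: mack@example.com
Subject: Action required: your mailbox is over its size limit
Content-Type: text/plain; charset="utf-8"

Your mailbox has exceeded its storage quota. You can receive mail but
cannot send until you request a larger mailbox here:
https://quota-increase.example.net/request?user=mack
"""

# Constructed sample of a benign internal notice for comparison.
LEGIT_SAMPLE = """\
From: Messaging Team <messaging@example.com>
To: mack@example.com
Subject: Reminder: quarterly mailbox clean-up
Content-Type: text/plain; charset="utf-8"

Archive old items or ask for more space via the helpdesk portal at
https://helpdesk.example.com/requests
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Subject wording typical of the "mailbox full" pretext in the post.
LURE_RE = re.compile(r"mailbox.*(full|exceeded|quota|limit|over)", re.I)


def is_internal(host, company_domain):
    """True if host is the company domain or a subdomain of it."""
    return host == company_domain or host.endswith("." + company_domain)


def sender_domain(msg):
    """Domain part of the From: address (display name is ignored)."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def link_hosts(msg):
    """Sorted set of hostnames found in the plain-text body."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def assess(raw, company_domain):
    """Return the sender domain, link hosts, and a list of human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    sd = sender_domain(msg)
    hosts = link_hosts(msg)
    findings = []
    if not is_internal(sd, company_domain):
        findings.append(f"sender domain {sd!r} is outside {company_domain!r}")
    for host in hosts:
        if not is_internal(host, company_domain):
            findings.append(f"link points to external host {host!r}")
    lure = bool(LURE_RE.search(str(msg["Subject"])))
    if lure and findings:
        findings.append("mailbox-quota pretext combined with external sender or link")
    return {"sender_domain": sd, "link_hosts": hosts, "lure": lure, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = assess(sample, "example.com")
        print(label, result["findings"] or ["no findings"])
```

The point of the comparison is that the benign reminder and the lure look alike in the body, and only the sender domain and the link host separate them, which is exactly the check the footnote says was skipped. A real mail gateway would also look at authentication results and the actual quota, which this offline example cannot do.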
Although it has been a while since this happened, no one at work has brought it up. The security folks may be laughing to themselves, but they never poked me for it. That says a lot more about them than it does about me. I’m impressed.
So why did I share this event with my readers?
- Confession is good for the soul, especially when pride lurks about.
- That you might learn from it, and redouble your efforts to avoid such problems.
- It allows you to get inside my head, and look out through my eyes. As my mom used to say, I put on my pants one leg at a time, just like everyone else.
- Failures should be acknowledged, and in many cases, celebrated. This goes back to reason #2, but in addition, it’s okay to fail, as long as you learn something from it. It’s hard to learn from hidden failures.
- It gives me hope when I see those I respect admit they failed, and reminds me that they are just like me, just further down the path. Leaders must be transparent and human. And humble.
About a month after this happened, I received an email from the security team saying thank you for not clicking on the most recent phishing emails they sent my way. I guess once you fall, they put you on the high-risk list and keep poking you. So far, so good.
I’m almost to the point where I can chuckle about this…