I got phished – hook, line and sinker

I should have known better. 

Yes, you read that correctly. Me, with a high level of experience, knowledge and understanding when it comes to DON’T CLICK ON SH*T fell for a phishing email. What’s even worse is that I gave away my login and password credentials. 

Adding insult to injury, I work for KnowBe4 who, yes, <insert your judging giggles here>, are the provider of the world’s largest security awareness training and simulated phishing platform, which is used by more than 30,000 organisations around the globe. 

I know the red flags, I know what to look for, I always pay attention – well I thought I did.

After spending years and countless hours helping people understand and look for all the red flags that are evident (if you know where to look) in suspicious emails, I did the unthinkable and clicked. Sadly, I have seen the hundreds of hours, lost productivity, stress and considerable dollars spent in the aftermath of a suspected breach. What had I just done?

How could this have happened to me of all people?

It was early in the morning and I had just sat down with my first coffee for the day. Mobile in hand, I checked my emails. “Oooh – a new policy to read”. For those of you who know me, I love a new policy. The email was from the correct person, it looked OK and the email addresses checked out. Up until now I have ignored the timestamps due to differences between here and head office in the US. Nothing seemed out of the ordinary: we are all finalising Q1 with objectives and key results, so an updated Employee Performance Policy seemed legit. I clicked to open the policy (so far so good) and was prompted to log into the shared drive. I use a password manager tool, so I retrieved my impossible-to-remember password and clicked login.

As soon as I realised my error I felt sick. That sinking feeling in my gut was overwhelming.

Then I was annoyed. So very annoyed, because this was a simulated phishing email, damn it! I have never ever fallen for one until now. My clever team at KnowBe4 are creating some brilliant simulated phishing emails and they caught me <insert slow clap>. I am sure they are all having a giggle at my expense because up until now they haven’t been able to catch me out. We get multiple simulated phishing emails each month using our platform and I have been able to spot every single one. My 100% record for spotting and reporting all the simulated phishing emails is now blemished. Looks like I am stuck with a 99% un-phishable grade.

The moral of the story is pay attention to the red flags and stop, look and think before you take any action with emails. And perhaps to finish your coffee before you embark on the morning email check!

It is so much better to get phished from a simulated email rather than a legitimate one. This is where new-school security awareness training takes centre stage, so your people can make better decisions when it comes to online security.

Until next time, stay safe online and educate your people because this could happen to anyone.

Michael Despres

RevOps & Strategic Ops Leader | Scaling SaaS & AI Startups | BI Architect

5y

*gasp* Say it isn’t so! Excellent article.

Silvana M.

Cyber resilience strategist | Builds human firewalls | Cybersecurity awareness, training & culture | Works with leaders to reduce cyber risk | First female founder - Cyber | Expert cyber board adviser

5y

Oh u r hilarious & I know you would be so pissed!

Jackie Wallace

Trusted HR Business Partner | Courageous Leader | Relationship Builder

5y

JJ this made me giggle! Lucky it was only a simulation 😬

Jenny Moutou - L.

Next Level Leadership: Engage and Retain Gen Z | Leadership & Retention Specialist 👇 Let's talk.

5y

Love it Jacqueline. Shows that if you do become a target, then good recon is really all it takes... Scary!
