Phishing Examples: Even the Security Folks Get Targeted

We all hear about phishing emails. All the time. In fact, there is a never ending dialogue about phishing emails in the news, the most recent one being the IRS emailing to say that you owe them money and they are going to arrest you if you don't pay immediately. As a side note, this is not true, so don't fall victim to the scam. Or the instance where one of my relatives clicked on a link that they shouldn't have and had their computer become infected with ransomware, demanding that they pay $500 through a gift card to get access to their computer back. And who can forget the Nigerian Prince who needs to send you money immediately due to their lottery winnings and for some strange, unknown reason, they have picked you to share it with! Well I have some great news for you folks out there - Even the people "in the business" get targeted too, and today that target was me!

I am going to give you some quick backstory so you can understand the context of this attempted phishing scheme. Here at Compass we use Google Apps for Work for our email. It's great as you can use it on multiple devices and has 2 factor authentication, which in my opinion is a must these days, and is overall very user friendly. We also get a pretty good amount of storage in our email as well, somewhere around 30GB, so you can save all those emails from 3 years ago that you probably should have deleted by now. In the 3 years I have been with Compass, I have managed to use a whopping 14% of my email storage, and I keep everything (I'm like an email hoarder!). So today, while working and navigating through my email, I got an email that had a catchy subject line that read - Mail delivery failed: returning message to sender. I send a lot of emails, however not many get "returned" so I was intrigued and opened the email. That's when the fun began and I decided that this would make for a good blog post (hopefully). I took a screenshot of my gmail inbox and have decided to include it in this blog post so I can walk you through what I deemed to be some red flags. So without further ado, lets tear this email apart and look at all the suspect stuff these clowns tried to pull off on me, the guy "in the business" (Warning, the picture is a bit small): 

1. The large blue arrow indicates that I clearly have a Google email account (just wanted to make that clear)
2. The "status bar" in the middle, the obnoxious red line, doesn't make any sense. While it says that I have used 4889MB, what in the heck is the 111MB to the right? Obviously that is how much "space" I allegedly have left in my inbox but come on. Please do a better job of showing me how close I am to capacity and put the 5000MB where the 111MB is.
3. The first line of this "warning" suggests that I have used 91.08% of my capacity. Now I will admit that I am not a genius when it comes to math, however, 4889MB out of 5000MB is actually 97% of capacity. If you are going to scam me, please get your math right!
4. The next paragraph where it tells me to log in to the "mail client admin" to remove old emails to free up space is not well written. I am not being judgmental here but the truth is the truth.
5. My favorite part of this email is this point. I liked this point so much that I used a huge red arrow to illustrate what I am trying to say! When you "hover" over the hyperlink that says "Delete Junks Mails" (again, terrible writing here), you get some link to a non Google site. In fact, the site is for jmonline and has "user files" in it. Not good. Not good at all. Therefore, I did not click on the link to "Delete Junks Mails" cause that's how I roll!

So what's my point in writing this long post making fun of someone who decided to send me a phishing email? Education. My point is to educate you on the various phishing examples that are out there so you can see what they look like and when you really look closely, just how ridiculous they really are. The problem is that they are effective. Even with the bad math and the grammar errors, at a quick glance someone is going to fall for this and click on the link and then the problems begin. Here is what you can do about it to prevent or minimize your employees from falling victim to this type of scam:

• Security Awareness Training - Train your staff and refresh this training annually. Don't do it because it is a compliance requirement, do it because you want to build a culture of security in your organization. People are your weakest link so empower them and equip them to question suspicious emails and phone calls they receive.
• Social Engineering Assessments - Test your employees. Send them phishing emails and see how many click on the links that are suspect and see how many times they click on the links. We do these all the time for clients and you would be shocked at how many people click on the links. 

Train. Test. Repeat. Security is an ongoing process, not a single point in time event. Download our Phishing Statistics Infographic below and share with us in the comments or on social media what's the best phishing email you have received?