On a typical morning I have about 30 new emails in my personal inbox, and 40 in my work account. You know how it is. I archive what I don't want, scan part of a newsletter, click through to a coworker's Google Doc, and click "track my package" more often than I'd like to admit. It's all pretty standard stuff.
These days, though, I face my inboxes with grim determination. Because for about five weeks this spring I was under attack by a team of hackers from the company PhishMe whose goal was to ... phish me. I had given company CTO Aaron Higbee my personal and professional email addresses, and full permission to trick me into clicking on a malicious link, downloading a nasty attachment, or visiting a bogus site where my personal information could be compromised.
If you think that might instill a certain depth of paranoia, you're absolutely right. Every email from my doctor could be fake. Every shared album of vacation photos, a trap. I knew that they were coming for me. I just didn't know when or how.
Hyper-vigilance is a surprisingly difficult thing to maintain if you're not used to it. And by the time the first phish hit my personal inbox, three weeks into the process, I'd already slacked off a bit.
The subject was “Court Notice,” and it read: “This is a reminder to appear on June 2 for your case hearing.” The PhishMe team didn’t know that burglars raided my apartment a few years ago, and that I’ve received a number of similar notices because of that. I started frantically scrolling through past emails related to the burglary, panicked that I had misunderstood something I needed to do for the case. The new email included a Microsoft Word attachment, as had many of the legitimate messages I had received in the past.
But then I noticed that the new email had come from nyhighcourtclerk@gmail.com, not a .gov address. I exhaled—what a sucker. At least I hadn’t clicked to download.
The PhishMe intelligence team later told me that it had based the court notice attempt on a real phish that was circulating at the time—down to the attached .doc file. The team modeled their email on that active threat, and personalized it to me based on publicly available information like what county I live in. “A phishing scam tries to get people worked up,” says Higbee. “There’s going to be some trigger that evokes emotionally heightened themes like fear, reward, and urgency.”
After the court notice near-fiasco, PhishMe opened the floodgates, hitting my accounts with a trick message every few days for more than two weeks. My inboxes became a digital minefield, littered with clickbait subject lines like, “Action required: Confirm removal of email address as account alias,” and “Your order has been processed,” complete with a big Amazon-esque yellow button to “Manage your order.”
PhishMe runs simulations like this with corporate clients, trying to test how vulnerable they are to a well-placed phishing email. And the company constantly tries to trip up its own employees, as well. “I worry about the target on our back because we’re servicing large customers,” Higbee says. “Security researchers and pranksters might think ‘wouldn’t it be funny if you could phish PhishMe?’ So we’ve always directed an aggressive phishing program at ourselves.”
Because they’re always on alert—like I was during the experiment—PhishMe’s employees generally excel in these tests. But Higbee recently orchestrated an elaborate phish that duped six out of 370 staffers into exposing their data. The attack was based on a sly trend. Instead of fooling users into directly sharing their login credentials, attackers convince them to grant a malicious third-party app access to an account like their email—the same strategy employed in a recent high-profile Google Docs phishing scam. Higbee executed his internal con by exploiting the account “Add-In” feature of Microsoft Office 365 Outlook.
Therein lies the inherent challenge of phishing and the theme that has kept me paranoid to this day: The tactics always change, and the consequences can be devastating. Just ask Sony Pictures or the Democratic National Committee. It’s much easier for digital attackers to install malware on a computer or gain access to a network by tricking people into interacting with questionable web content than through purely technological hacks. Human tendencies turn out to be much easier to exploit than complex digital defenses.
During my own trial, I personally never did click one of the PhishMe links, or download one of their sketchy attachments—but I came close many times. I also opened every single phish they sent. I was suspicious of plenty of emails just from their subject lines, but never enough to override my desire to confirm that someone hadn't broken into my Amazon account and ordered 1,000 tennis balls.
Toward the end of the experiment, just days apart, PhishMe and Conde Nast (the company I work for) both sent eerily similar emails to my work address about mandatory cybersecurity compliance training. As someone who researches and writes about security every day, I took a mature and informed approach to dealing with the situation: I ignored that first wave of emails, and then stopped opening menacing follow-ups about non-compliance. I may have gotten reprimanded by HR. But, hey, I didn't get phished.