The answer is both yes and no: you can reduce the risk of them being caught, but you can’t realistically expect them never to take the bait.
The National Cyber Security Centre has illustrated this by releasing details of an attempt at a phishing prank that was made against their Technical Director, Ian Levy. A trickster carefully researched the organisation and created a fake e-mail appearing to come from one of the other directors.
The intended victim was able to see through the subterfuge, but only because their extensive cyber experience allowed them to spot discrepancies in the detail when they inspected a link. In this case, it wasn’t the kind of detail that an individual from a different industry would ordinarily spot.
In addition, even Ian Levy admits to being taken in initially: although the e-mail address used was not a correct ‘NCSC’ address, the way that mail app interfaces display messages on phone and tablet screens sometimes hides the address in favour of showing the sender’s name, so faked addresses aren’t always easy to spot. If a scammer has done their research carefully and included lots of details to give their e-mail plausibility, with a little luck, it seems that anybody can be scammed.
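Because the sender's name can be shown while the address is hidden, a mail filter can compare the two on the user's behalf. The sketch below is an added example, not something from the NCSC article: the trusted domain, the staff names and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr
import unicodedata

# Assumptions for this example: the organisation's own mail domain and the
# names of staff likely to be impersonated. All values are constructed.
TRUSTED_DOMAINS = {"example.org"}
PROTECTED_NAMES = {"alex morgan", "sam patel"}


def normalise(name):
    """Lower-case, strip accents, dots and extra spaces before comparing names."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.lower().replace(".", " ").split())


def check_sender(from_header):
    """Return (verdict, reason) for the value of one From: header."""
    display, address = parseaddr(from_header)
    _local, at, domain = address.rpartition("@")
    domain = domain.lower()
    if not at or not domain:
        return "suspicious", "no parseable address"
    # A display name that is itself an address can mask the real sender
    # on clients that show only the name.
    if "@" in display and parseaddr(display)[1].lower() != address.lower():
        return "suspicious", "display name shows a different address"
    # A protected staff name paired with an outside domain is the pattern
    # described above: right name, wrong address.
    if normalise(display) in PROTECTED_NAMES and domain not in TRUSTED_DOMAINS:
        return "suspicious", "staff name used with external domain " + domain
    return "ok", "no display-name mismatch"


# Constructed sample headers, not taken from any real message.
SAMPLES = [
    "Alex Morgan <alex.morgan@example.org>",
    "Alex Morgan <alex.morgan@examp1e.test>",
    '"alex.morgan@example.org" <someone@other.test>',
    "Jo Bloggs <jo@other.test>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header))
```

A check like this complements user awareness rather than replacing it, since a sender name that is not on the protected list passes through unflagged.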
This case study shows us how easy it is to be taken in, but it does also demonstrate the value of awareness and training: even without sophisticated technical knowledge, in many cases, phishes can be avoided by taking the time to check links to make sure that they’re genuine (hover a cursor over them or touch-and-hold the link on a touch screen). It also helps just to keep reminding users of the deceptive techniques that are at the scammers’ disposal, so that they have this in mind when they look at their e-mails.
Levy concludes that it is ‘almost certain that at some point, someone in the NCSC will fall for a phishing attack’, and that when this does happen, ‘they won’t be ashamed and we won’t blame them.’ This is an important point – there is no benefit in shaming individuals who fall for these scams. Fear of reprisals can cause the victim to try to conceal their mistake, but it is in the best interests of the organisation that they’re ready to own up right away. Unrealistic expectations won’t benefit anyone.
Read the original NCSC article here: https://www.ncsc.gov.uk/blog-post/serious-side-pranking
To arrange Cyber Security training for your IT users, contact us at [email protected]