The training comes every year, and every year we go through it. Phishing, spear-phishing, malware, Trojans, ransomware, viruses, worms, click-bait. The adversary is out there and they are good. So we go through training. And me, I’m a certified IT Security professional. I have a degree in Information Assurance, for goodness sakes!
And still. Today, they nearly got me.
They spear-phished me. Phishing is an email designed to make you click through to a fake site and capture your user name and password. Spear-phishing is when they aim right at you. And they did. They sent me an email, that looks exactly like those that I get when my kids make in-game purchases from the Apple store. And the game is a game that my kids play. Except my kids were in school during the purchase time. So they didn’t buy the box of gems.
So, I clicked thru the “I did not authorize this purchase” button. All poised to get my money back, I nearly gave away my user ID and password.
The thing that saved me was my browser. Thank goodness for modern tools to address modern threats. My browser stopped and asked, “Are you sure you are where you want to be?” An older browser would not have had these tools and safeguards built in. Your users will do stupid things. No matter how much training, no matter how aware they are, the social engineering will get them some day. Training isn’t enough. You have to have modern defenses against a modern adversary.
Defensive arms races are tough to win. But for today, it was enough. Maybe someday they will get me, but not today, fake Apple ID store, not today.