Defining “Weird” and Other Ways to Spot Phishing Attacks

I am sure all of us have phrases in our Acceptable Use Policies or onboarding information stating, “make sure you report anything unusual,” regarding what you see when working online.  

The thing is, what is unusual to you might be normal to me. And we Security folks are even more skewed, as we are instinctively layering risk into our thinking. 

Last week, I spoke in my blog about making sure there is personalization and context in messaging. We have several opportunities here: 

• Specific to your organization and tools 
• Specific to someone’s role 
• Specific to home life (though that is understandably going to be a bit more generic) 

So, what is “weird” in the work environment? While we might, as security professionals, lump a whole bunch of stuff together in a bucket called “phishing,” our employees would probably value more examples and specificity – especially if you can add any of your corporate rules or ways of working.  

Here are just a few considerations: 

• Did you just get prompt to install some new software? Normally, you will never be asked to install software yourself. On the rare occasion you need to, there will have been communication from IT via the support channel in Microsoft Teams. No communication, no install! 

• Multi-factor authentication (MFA) prompts should only appear when you have done something. You log into an application for the first time one day, after a long period of time or from a new device. Don’t remember doing any of those things? Don’t click Approve. Attackers can try to trick you in to approving as a way of getting around the control. Click Deny to help the security team spot it – because it might be happening to others, too. 

• Invited to use a new online collaboration tool? Only IT manages new tool releases. Even if it seems to be from someone inside the company, if there hasn’t been communication from IT, don’t click on links or enter any credentials. 

• ‘Hey, have you seen this website? You can upload data and get it to analyze it for you.’ There are lots of potential tools out there – such as AI tools that well-meaning employees use, looking for ways to make work easier or to do more — but do you know if they are a safe place for our data? If you have a requirement, check the service catalogue. If it not there, please talk to IT or your manager so we can assess the benefit of the tool. Please DO NOT trial services yourself with our data. 

For specific roles, say your Legal team: 

• Remember, we only sign documents with DocuSign*. Don’t use anything else and raise it with Security if you see any other requests flying around! 

For something for home — and one I use with many people in my parents’ generation: 

• You can’t go wrong if you treat every email, SMS or call as a knock at your front door. Do I know them? Can they prove who they are? Was I expecting the visit? Politely refusing is the way to go. 

If you want to drive positive behavior, remember how we learn as humans: direct experience — or the ability to associate with a situation — is so important. 

Want more insight? See my previous cybersecurity awareness post, Cybersecurity Awareness Must Move from Attendance to Understanding.   

*For example only; other document signing products are available