Homer Simpson's guide to phishing emails

From: [email protected]
To: [email protected]
Subject: Email safety

Dear Homer:

It has come to our attention that you should pay more attention to cyber awareness when reading your work email. IT support has been rather busy fixing network security issues that resulted from certain messages you opened. A data breach at a nuclear power plant is a rather serious matter, don’t you think?

Does the message make sense?

Your job has important but specific responsibilities. These don’t include paying invoices or processing personnel records. If you get a message that asks you to do something you’d normally never do in your job, like paying $1,000,000 to a foreign customer, you should at least ask the shift supervisor whether you should really do it. Please ask before opening any links or attachments.

If you get a message from me, saying I’ve forgotten my password and desperately need to get into the system now, don’t reply with my password. We have a policy of never asking for authentication information by email. That means it can’t be me. Unless I’m really stuck, and even then why would I be asking you? Call me if you think it might be real.

And those are the rare clever ones. More often, the mail is saying you need to confirm your credit card with the Royal Bank of Croatia. I’d guess you don’t even have an account with the Royal Bank of Croatia. If you get a message like that, then just ignore it. It’s not anything you have to deal with.

You really aren’t very likely to get a message from a foreign billionaire asking for your help in transferring a huge amount of money. It’s even less likely that they’ll give you a big chunk of the money for your help.

The more desperate the message sounds, and the more rewards it offers you, the less likely it is to be legitimate. Boring email isn’t guaranteed to be real, but its odds are much better.

Is the link plausible?

Phishers love to send links to fake sites. If you insist on clicking on a link to a site, please take a moment to see if it looks right. If the spelling and grammar are seriously wrong, it just might be fake. That site which said it was the “Sprengfield Nucular Powar Plant” wasn’t what it claimed to be.

The page you reach might give you a form to fill out, including your username and password. Please don’t just rush in and fill these out. You don’t know who will get the form, even if the email claims to come from me or Mr. Burns.

The link which an email message displays isn’t necessarily the one a click will take you to. What you see in the message is text. The real link could be anything. Also, the link might be spelled just a bit differently from what you’re expecting. Little things make big differences.

It’s safer to log in directly to our cloud service, using a bookmark. You can check there for status updates and find out what you need to do, if anything. If it doesn’t mention a need to give out confidential information, assume you shouldn’t.

Protective measures

We realize that in spite of your diligent efforts, you might accidentally give away your password for the emergency shutdown system. Smarter people than you have made that kind of mistake.

Accordingly, we’re implementing two-factor authentication (2FA) for critical systems. We’ve installed an application on your cell phone which will get a code when you log in. You’ll have to copy that code to the login form to access the system. Oh, and please don’t start an emergency shutdown just to test the app.

The responsibility for training falls on the company, of course. We realize that any mistakes you’ve made can be attributed, at least in part, to our failure to provide adequate instruction. A cyber awareness training course for all employees will start up next month. Please sign up for a time slot that fits your schedule. Preferably while you’re not on inspection duty.

By working together, we can make this facility’s IT systems safer. At least we can avoid a repeat of last month’s embarrassment, when we were generating more Bitcoin than watts for a while.

P.S. I think you’ll find this link very interesting. Open it now! Don’t stop and think about it! openme.instantransomware.com/goodies!

W.S.

In all seriousness…

You don’t have to be Homer Simpson to be fooled by phishing messages. Our training courses will help employees at all levels to improve their security awareness. Contact us to find out more.