The Art of Huh?
One of the best things you can teach yourself, your family, and your organization to reduce successful phishing is how to recognize the common signs of phishing, how to respond safely, and how to report it appropriately. Phishing messages can have many different looks, traits, and narratives. What worked yesterday for the attackers eventually becomes blocked, recognized, and less profitable, and they move on to different tactics. Yesterday’s fake antivirus warning becomes today’s “I am sorry, we could not deliver your package” scam.
Phishing scams can look a hundred different ways. But if I only had one thing I could teach someone about how to spot most phishing, regardless of the narrative, it is this: if the message arrives unexpectedly (i.e., you were not expecting it) and it is asking you to do something you have never done before (at least for that requester), have a healthy level of skepticism and research further using independent methods before performing the requested action. Independent means a channel the message itself did not hand you: call the requester at a number you already have, or type the site’s address yourself rather than clicking the included link. Graphically, this idea is represented like this:
Not all social engineering and phishing attacks have these two traits, but most do. It is also common for legitimate messages to have these traits. Nearly everything my boss tells me to do in email is unexpected, and is sometimes a first-time request. The key is that even if it looks like a legitimate message from someone or something that you might otherwise trust, stop, review, and research further before performing the requested action.
At KnowBe4, where I work full-time, we have long pushed this review strategy as Stop, Look, and Think!
Personally, I have shortened it to “Huh?”
What I mean is that anytime I get a message that makes me think, “Huh?”, I slow down and research more. If I look back at every real-world and simulated phishing message I have ever received in my life, I read it and quickly went, “Huh?” at first, because it surprised me a bit. Sometimes I quickly went past my “Huh?” moment and clicked on the included link. Luckily, as far as I know, all of my failures have only been against simulated phishing tests. But in each failure, I still had a “Huh?” moment that I too quickly discounted and prematurely responded to.
So, in my movement to retrain my brain to better spot potential phishing attacks, I have taught myself that any time I see a message that makes me go, “Huh?”, I slow down and research. Maybe my boss is asking me to set up an unexpected meeting to discuss a budget. Maybe LinkedIn is sending me an email warning about a potential compromise. Maybe a customer is sending me an unexpected password-protected zip file. Whatever it is, if the message causes me to go, “Huh?”, I slow down.
It is my informal way of training myself to Stop, Look, and Think! I have just triggered my mind to respond to any “Huh?” moment.
Perhaps your natural mental keyword is something else that describes the emotion you feel when you see an unexpected message asking you to do something unusual for the first time. Maybe it is “What?”, “Strange!”, or even “Meh!” Whatever word you need to key on emotionally to start your Stop, Look, and Think! cycle is the one you should be using.
This advice may sound silly, but it works for me. Maybe it will work for you, your family, or your co-workers.
Comment (Senior Consultant at Niche Consulting Group, 8 months ago): Words to the wise.