Basic training in avoiding phishing is no longer sufficient
Oof. I read something like this notification below from Boise Cascade Company in Utah, and I wonder if the employees had been regularly trained in avoiding phishing attacks, or if it was just the case that the phishing was done so damned well that the employees fell for it despite their training. In this case, the intrusion was part of a scheme to alter or redirect employees’ payroll direct deposit accounts.
The Company’s investigation determined that a phishing scheme got into its email system on or about October 31, 2017. Our information technology team caught the scheme within minutes of the first phishing email, blocked the email, and notified employees not to click on the link in it or similar emails. Unfortunately, approximately 300 employees clicked on the link anyway. The investigation further revealed that company-wide, 23 employees’ direct deposit instructions were changed.
I’d love to see what that phishing email looked like if 300 people fell for it.