What it’s like to let someone try to phish you

Kai Ryssdal and Maria Hollenhorst Jul 7, 2017
Patrick Lux/Getty Images

How many times have you been told by the information technology department at your office not to click on links or attachments that you don’t recognize? Lots, right? The concern is phishing attacks. Emails with malware or prompts to enter passwords can lead to no good at all. And yet, sometimes the temptation to click on that link is just too great. That’s part of why Lily Hay Newman, who covers security for Wired, handed over both her work email and personal email to a company called PhishMe and told them to have at it. PhishMe simulates phishing scams as a way to train people what not to click on. She talked with Marketplace host Kai Ryssdal about what it was like having the pros try to phish her.

Kai Ryssdal: Why did you do this? Was this just, like, experiential reporting or what?

Lily Hay Newman: Oh, you know, I’m a glutton for punishment. No, I think the truth is that we’re all sort of in one of these simulations all the time. I hate to say that, but I wanted to just sort of take it to a logical extreme and learn a little more about what that’s like.

Ryssdal: How did it go for you then? I mean, you wake up, you check your email as we all do. And what was the paranoia like?

Hay Newman: Yeah. It was real. Every morning I would look at my emails and just have this heightened awareness knowing this could be happening at any moment. I was very paranoid and very on edge, I think.

Ryssdal: So, did you get phished, as it were?

Hay Newman: So, my fear about getting duped did end up protecting me. I didn’t download anything like a malicious attachment, but it’s a mixed bag, because I did open every single email. So I was definitely opening the door. And sometimes I would kind of suspect odd emails like, “You know, I’m pretty sure I didn’t order anything from Amazon this week,” but I would look at it anyway because I was just thinking to myself, “What if somebody did get into my account?” Or “What if my doctor really does have a prescription I need to fill?” Or, you know, whatever it is. In spite of your better judgment, you’re just so tempted.

Ryssdal: So with the potential consequences being so high — and one need look no further than the DNC, which back during the election, that whole thing was a result of a phishing attack — what is one to do?

Hay Newman: Yeah, so I think awareness is helpful. There is a healthy dose of paranoia, without getting too tin foil hat, that actually does help. Because a lot of phishing experts talk about “following your gut” — if something feels weird, not to push through and ignore it, because really phishes are generally trying to create a sense of urgency or like the free airline tickets are only available for the next 100 people, or something like that, and it can really work. It just exploits something that’s in all of us. So I think that there is a way you can help yourself by any time you’re feeling that pull, taking a step back.

Ryssdal: I actually was surprised to learn the other day, and I’ve worked at Marketplace for a long time, I was surprised to learn that our own company sends our own people bogus phishing things to train us not to click on bogus phishing things.

Hay Newman: That’s great. How are you doing?

Ryssdal: Oh, I’m doing pretty well. Apparently, some intern got caught the other day. I don’t know. But yeah, I mean, this is an actual thing that IT departments do.

Hay Newman: Sure. And I think one reason it’s helpful in addition to sort of training yourself to take a second look, having mechanisms in place to report phishes is really important. If an employee doesn’t know how to go about doing that, they’re just not going to. But if there’s a quick and easy way that they can forward something or press a button and they know what to do, then even if a phish is successful, even if an attacker gets into a network, if the IT department knows about it right away, they can take action right away.

Ryssdal: What I hear you saying is, “If you get caught and you do actually click on one of these things, fess up.”

Hay Newman: Right. If you click something, say something.
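The cues Newman describes, urgency language and a link or sender that is not what it claims to be, can be turned into a first-pass triage check that a mail gateway or a "report phish" button handler might run. The script below is an added example, not code from the interview, Wired, PhishMe or Marketplace. It parses two constructed messages (all addresses and hosts are hypothetical .example names, and the phish is modelled on the "did I really order from Amazon?" lure mentioned above) and flags three tells: a display name that impersonates a brand domain, urgency phrases in the subject or body, and an anchor whose visible URL points to a different domain than its href. The registrable-domain helper is a deliberate simplification; a real deployment would use a public-suffix list.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). Hosts under .example are
# hypothetical; the phish imitates an "order suspended" lure.
SAMPLE_PHISH = """\
From: "Amazon.com" <orders@amaz0n-orders.example>
To: victim@corp.example
Subject: Action required: your order has been suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your order #12345 could not be processed. Verify your account within
24 hours or it will be permanently suspended.</p>
<p><a href="http://login.amaz0n-orders.example/verify">https://www.amazon.com/your-account</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Payroll" <payroll@corp.example>
To: victim@corp.example
Subject: April timesheets are now open
Content-Type: text/html; charset=utf-8

<html><body>
<p>Timesheets for April are open in the portal.</p>
<p><a href="https://hr.corp.example/timesheets">https://hr.corp.example/timesheets</a></p>
</body></html>
"""

# Pressure phrases typical of phishing lures (illustrative list, not exhaustive).
URGENCY_PHRASES = (
    "action required", "within 24 hours", "immediately", "suspended",
    "verify your account", "limited time", "urgent",
)


class LinkExtractor(HTMLParser):
    """Collect (href, visible_text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels, a crude stand-in for the registrable domain
    (assumption for this demo; use a public-suffix list in production)."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw):
    """Return {'score': n, 'findings': [(category, detail), ...]} for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name that looks like a brand domain but does not match the
    #    domain of the actual sender address.
    name, addr = email.utils.parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1]
    if "." in name and registrable(name) != registrable(sender_domain):
        findings.append(("sender", f"display name {name!r} vs address domain {sender_domain}"))

    # 2. Urgency language anywhere in subject or body (tags stripped,
    #    whitespace collapsed so line-wrapped phrases still match).
    body_part = msg.get_body(preferencelist=("html", "plain"))
    html = body_part.get_content() if body_part else ""
    text = re.sub(r"\s+", " ", msg["Subject"] + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    # 3. Anchor text that shows one URL while the href goes to another domain.
    parser = LinkExtractor()
    parser.feed(html)
    for href, shown in parser.links:
        shown_host = urlparse(shown).hostname if shown.startswith(("http://", "https://")) else None
        real_host = urlparse(href).hostname
        if shown_host and real_host and registrable(shown_host) != registrable(real_host):
            findings.append(("link", f"shows {shown_host} but goes to {real_host}"))

    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyze(raw)
        print(f"{label}: score={result['score']} findings={result['findings']}")
```

The score is a count of independent tells rather than a probability; the point is that each check is cheap, explainable to the person who reported the mail, and catches a different trick, which is what makes a "press a button and IT sees it right away" workflow useful even when the user has already clicked.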
