I’m the managing director of an identity management firm, and have been working in the identity management field for over ten years. So I should be immune to phishing attacks, right?
This morning I received an email from a contact at a supplier which appeared to be relevant to a discussion my business had been having about an invoice. The email invited me to look at a shared PDF in Google Drive – given the conversation we’d been having, I imagined the PDF would maybe be a copy of the invoice in question, so I clicked on the link. I was taken to a screen that looked a lot like Google Drive, asking me to log in.
As I was entering my username and password I had a sense that something wasn’t quite right, but continued on auto-pilot. Literally as I clicked on submit, I realized what was wrong – the username and password fields were on the same page, and Google changed this around a year ago. I checked the URL – not Google… too late, I’d clicked send, and sent my username and password to a phisher.
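The URL check that came too late in the story above is the one that would have stopped it, but only if it is done on the hostname rather than by glancing for the word "google". The following is an added example, not code from the original post or from ProofID: it compares the eyeball check ("does the link contain google.com?") with a strict host check, using an allow-list of Google hosts that is an assumption for the example and a set of constructed lookalike links.

```python
"""Added example (not part of the original post): checking a link's host
before typing credentials into the page it leads to.

The trusted-host lists are an assumption for this example; the sample links
are constructed lookalikes, not real phishing domains.
"""
from urllib.parse import urlsplit

# Assumed allow-list of hosts that legitimately serve Google Drive / sign-in.
TRUSTED_HOSTS = {"accounts.google.com", "drive.google.com", "docs.google.com"}
# Assumed parent domains whose subdomains are also accepted.
TRUSTED_PARENTS = {"google.com"}


def hostname_is_trusted(url: str) -> bool:
    """Strict check: scheme must be https and the parsed host must be an
    allowed host, or a subdomain of an allowed parent on a label boundary
    (so 'google.com.attacker.example' and 'drive-google.com' both fail)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    if host in TRUSTED_HOSTS:
        return True
    return any(host == p or host.endswith("." + p) for p in TRUSTED_PARENTS)


def naive_contains_google(url: str) -> bool:
    """The glance check: 'it says google.com somewhere in the link'."""
    return "google.com" in url.lower()


# Constructed samples: one genuine-looking Drive link and five lookalikes.
# Value is the verdict a careful reader would want.
SAMPLES = {
    "https://drive.google.com/file/d/abc123/view": True,
    # google.com appears, but as a subdomain of the attacker's domain
    "https://drive.google.com.files-share.example/login": False,
    # userinfo trick: everything before '@' is ignored, host is login.example
    "https://accounts.google.com@login.example/drive": False,
    # hyphen lookalike, not a subdomain of google.com
    "https://drive-google.com/login": False,
    # right host, but plain http allows an on-path attacker to rewrite the page
    "http://drive.google.com/login": False,
    # trusted name only in the query string
    "https://login.example/?next=https://drive.google.com": False,
}


def audit(samples=SAMPLES):
    """Return {url: (naive_verdict, strict_verdict, expected_verdict)}."""
    return {
        url: (naive_contains_google(url), hostname_is_trusted(url), expected)
        for url, expected in samples.items()
    }


if __name__ == "__main__":
    for url, (naive, strict, expected) in audit().items():
        print(f"naive={naive!s:5} strict={strict!s:5} expected={expected!s:5} {url}")
```

Every lookalike in the sample set passes the naive substring check and fails the strict one; the strict check also rejects the correct host over plain http, since a page served that way can be replaced in transit. The lesson is the one the post draws: the check has to be on the actual host the browser will send the password to, and it has to happen before the password is typed.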
So what can we learn from this?
Well, firstly, I really should know better. But this demonstrates how clever modern phishing techniques can be. I was completely disarmed by the seemingly relevant nature of the email – it was entirely in context with my ongoing conversation with a real business contact. That combined with it being 7AM on the first train to London when my defences were down, made me susceptible to such an intelligent attack. If this can happen to me, with all my experience in the field, think how vulnerable typical IT users are. With this in mind, how secure is your data?
Secondly, thankfully at ProofID we use Multi-Factor Authentication (MFA). Because my Google account is protected by MFA, my password alone is not enough to get into my account. So, disaster averted. But if we didn’t have MFA, I would have a real problem now.
The key lesson for me from this episode is that education alone cannot compensate for human behavior and clever social engineering. Attacks are so sophisticated now that really the only true protection is MFA.