I recently opened my email to find a rather nasty surprise. Although “sexploitation” Bitcoin ransom emails have been around for most of 2018, I had never received one. I knew what they were and their purpose, but I had never seen one “in the wild.”
I opened the email, not paying very close attention. Like many of us, I am bombarded by emails – marketing, shipment notifications, etc. I began to read the email, unprepared for the contents. It claimed to have one of my passwords and that malware had been activated on a porn website I had visited, taking control of my webcam and capturing video of me. The sender claimed to have my email and Facebook contacts and threatened to send the video to them unless I paid $1,293 in Bitcoin within 36 hours. If I did so, the sender promised to destroy the recording and all the details he had on me. He helpfully provided the URL for the payment, as well as an offer to provide proof of his threat if I responded “Yes” to the email. If I didn’t send the money, he would send the video evidence to nine of my contacts right away. To close the email, he reminded me of my potential humiliation and the impact on my relationships if this video were to get out.
I immediately knew this was a total scam – the password he claimed to have was one I had never used; I had never visited the site he claimed I had; and the email header information made it clear it was spam. Although I knew what was happening, I still had a physiological reaction to the email – my stomach dropped, I felt physically ill, and my mind began to race. For a brief period of time, I felt sheer panic. It was a terrible cascade of primal reactions.
I am glad it happened.
I understand security awareness from two perspectives – I not only work for a company that provides security awareness training and phishing simulation to others, but I am also one of the people responsible for our internal security awareness. I live cybersecurity and awareness. I know the many ins and outs of phishing emails and ransomware. I know the signs of a suspicious email and what to do if one is received. I can write a fake phishing email with the best of them.
Scammers are betting that people’s panic will drive them to do something rash and against their own interest. The physiological response I had is a primal human reaction to being threatened. When a threat occurs, our focus narrows even as our thinking becomes more scattered. It can feel as if the walls are closing in and we have to do something to protect ourselves. We are willing to do whatever it takes to make the threat stop.
Because of my background, my primal response was brief. I soon recovered and was able to look at the situation with a clear head. I knew how to review the email and determine what it really was.
This incident was a great reminder of these facts:
- We cannot assume that a single training course is enough to help employees handle these situations
- We must train not only for the “academic” response to these types of emails, but also be aware of the physiological response that may lead someone to do the wrong thing
- Consistent, relevant training and simulations are essential for preparing people for what they should do if they receive a phishing or ransom email
- We need to prepare employees for phishing, ransomware and scam attacks in both the workplace and at home
Think of training and simulations as a vaccine against the curse of phishing and ransom emails. The more we expose our employees to what they may see in their inbox, the better prepared they will be to make quick, correct decisions. That is why I am glad I received the email that I did. It was an effective reminder of what employees face each day and that we shouldn’t be complacent when it comes to giving them the tools and experiences they need to be ready.