Cofense - Security Awareness Training & Email Threat Detection

This Well-Trained User Caught a Phish

Share This Article

As security professionals, we often view our users as a potential liability. I have plenty of first-hand experience that confirms the trope myself. But what if users could become a strength instead of a chronic risk?

Meet Linda the human firewall.

Let me tell you about a PhishMe® customer. To preserve her anonymity, we’ll call her Linda. She works in her company’s accounting department.

Linda recently received an email which, at first glance, it didn’t look out of the ordinary.  Like many in financial positions, she gets lots of requests to sign documents.

Email Security - Spear Phishing Attack - InfographicLinda received this message and recognized the sender, who we’ll call Bob. Bob is the VP of Sales for a vendor Linda’s company works with.  She didn’t expect anything from Bob and had no reason to be suspicious. However, Linda was very cautious. In fact, not long before receiving this email, she had mistakenly clicked on a link in a simulated phishing email, part of her company’s ongoing training using PhishMe Simulator®.

These extra steps helped to prevent a breach.

She looked at the target of the hyperlink and noticed the domain in the URL was not the domain of the document signing service, or the sender.

Linda sent an email back to Bob asking him if he sent the message. Bob responded by urging her to open the link, but used poor grammar. Aha! Linda immediately recognized she wasn’t really speaking to Bob.  She hit the PhishMe Reporter® button on her email toolbar to send the emails to her company’s incident response team.

The link in the message came from an attacker and would have directed Linda to a phishing site designed to harvest her email credentials. If an attacker were to obtain these, he could execute further attacks masquerading as Linda. This is what is called a ‘Man-In-The-Mailbox’ attack—one that exploits the inherent trust between Linda and those people with whom she routinely does business.

Your users can be a source of strength.

Examining the proxy logs, the IT team was able to identify other users in the organization who had received the email and clicked on the link. Thus, the company was able to stop a potential breach before it happened, all because Linda chose to hit the Reporter button.  All of the security controls the company had in place meant nothing when the email came from a compromised, and trusted, vendor account.

This is a powerful example of how users not only pose a risk but can help to identify and contain breaches, before they actually happen. All it takes is ongoing training and a simple way to report phishing.

For more success stories, view PhishMe’s case studies.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.