Doug’s experience tells me one thing: they’re getting better, and phishing emails are less obvious.
It was an email from a colleague asking me to “please review the proposal documents attached in the link below and let me know if we can work on this project together.” While the email seemed like it was auto-generated, it came from a colleague I know and even had my colleague’s email signature on it. So, I clicked on the link to an RFP number, which was probably my first mistake.
There are still things you can do, and there were things that saved Doug, enabling him to catch it, but when you combine less obvious emails, sent from the actual, albeit hacked, account of the person you know? That’s going to be tougher to catch, and all it takes is one person getting fooled one time, and you have quite the mess on your hands.
2FA and backups, folks. It’s only a matter of time before someone gets a user password.