I thought this was interesting, in the sense that we always seem to ask the same question about people who fall for phishing attempts: “How did you not see this?” Maybe it’s because, like many things in life, absent real-world examples, we just don’t really think about it.
“Most people I interviewed know about phishing in general. But the people who were good at noticing phishing messages reported stories about specific phishing incidents they had heard about. They told me about a time when someone at their organization fell for a phishing email, or about a news story of an incident like the one at MacEwan University.
Familiarity with specific phishing incidents helps people remember phishing generally and recognize that it might explain the weird things they notice in an email. These stories are key to people going from “something’s fishy” to “is this phishing?””
And so, I wonder if those yearly, semi-annual, or quarterly video trainings would be a lot more effective if we also shared specific examples of people who got phished, and how they fell for it.
Like most things in life, it’s one thing to know hypothetically that something could happen, but it’s quite another to know that it did happen to someone we know, someone just like us. That makes it so much more real in our minds, and it appears to make a huge difference in how users approach suspicious emails: a remembered incident is what turns “something’s fishy” into “is this phishing?”