OPINION: Every Tech Company Should Phish Its Own Employees

Red Ventures INSPIRED · Published Jul 30, 2019 · 5 min read

Meet Patty Thatcher, Red Ventures Security Analyst.

Her mission? To hunt for inside threats — as part of the team that protects RV’s data and systems from falling into the wrong hands.

Her arsenal of secret assets? A laser-sharp focus on social engineering, a robust knowledge of security vulnerabilities, and the power of (employee) education.

Patty started her Red Ventures career at the IT help desk, and moved over to our Security and Privacy team in 2014. She’s seen a lot during her 7-year tenure, enough to earn the title “First Lady of IT Operations.” (She was, after all, the first woman to join our IT team.)

Hunting for Inside Threats

In Patty’s mind, the greatest security threats are not the ones you’d typically think of. They’re not masked hackers or malicious code. They’re our own employees.

The overwhelming majority of breaches start with someone clicking a link in a phony email. So whether you’re a summer intern or the CEO, when you’re behind your company computer, YOU are the last line of defense. And we have more than one thousand people behind computers.

Patty’s job is high-stakes. It’s dead serious. And the more you know, the more it becomes… downright scary. But to her, it’s an art.

Don’t take it from us, though:

It’s my job to make people do things they don’t usually do. I’m a people hacker. And I prey on your basic human instinct to want to know.

How She Gets Us

Over the years Patty has crafted some pretty convincing phishing emails and sent them out company-wide. Her hope is that every single employee reports the emails as a phishing attack.

But you don’t know what you don’t know until you know. Tracking how many people get duped by her emails gives her a solid baseline for measuring the larger organization’s security savvy, and for seeing whether it improves from one campaign to the next.

Here Are Two Hall-of-Famers:

1. Flower delivery (strategically sent on Valentine’s day)

2. Speeding Ticket Citation (with “photo evidence” and a hefty fine)

7 Ways to Keep Your Data (and Your Company) Safe

1. NEVER use your work email for personal business.

A wise woman once said:

“If you never use your work email for personal accounts, you’ll never receive a personal email on your work account.”

That wise woman was Patty, and she has a very good point.

2. ALWAYS hover before you click.

People have found all kinds of ways to get through spam filters — even ways to get their name into your contacts. Don’t assume that an email is safe just because it got into your inbox.

Get in the habit of hovering your cursor over any link and checking that the domain it actually points to matches the domain you expect from the sender. Watch for a familiar name buried inside a stranger’s domain (yourcompany.com.somewhere-else.net) and for one-character swaps. If it doesn’t make sense, it looks funny, or you’re not expecting it… it’s probably phishing.
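Here’s what “hover before you click” looks like when you automate it. This is an added example, not code from the Red Ventures post or its security team: it parses a constructed sample email (every address and domain in it is a placeholder, with example.com standing in for the company’s own domain), reads the spf/dkim/dmarc verdicts from the Authentication-Results header, and flags any link whose visible text, subdomain structure or spelling disagrees with where it really goes. The “last two labels” rule for a registered domain is a simplifying assumption; real code should consult the Public Suffix List.

```python
"""Hover-before-you-click, automated: pull every link out of an email and
flag the ones whose real destination does not match where they claim to go.
Added example; the message below is constructed and every domain is a placeholder."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Digit-for-letter swaps commonly used in lookalike domains (assumption: a short list)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample message; example.com is the (assumed) company domain
RAW_EMAIL = b"""From: Accounts Payable <ap@example.com>
To: patty@example.com
Subject: Speeding ticket citation - photo evidence attached
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-sender.example.net; dkim=none; dmarc=fail
Content-Type: text/html; charset=utf-8

<html><body>
<p>View your citation at <a href="http://example.com.citations-portal.example.net/view">https://example.com/citations</a></p>
<p>Pay the fine: <a href="https://examp1e.com/pay">Pay now</a></p>
<p>Benefits: <a href="https://hr.example.com/benefits">hr.example.com</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive registrable domain: the last two labels. Demo assumption only;
    production code should use the Public Suffix List (think co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text):
    """If the anchor's visible text looks like a URL or hostname, return that host."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$|\s)", text, re.I)
    return m.group(1).lower() if m else None


def check_link(href, text, trusted):
    """Return the reasons a link is suspicious; an empty list means it looks fine."""
    url = urlparse(href)
    host = (url.hostname or "").lower()
    reasons = []
    if url.scheme == "http":
        reasons.append("plain http link")
    shown = host_in_text(text)
    if shown and registered_domain(shown) != registered_domain(host):
        reasons.append(f"text shows {shown} but link goes to {host}")
    reg = registered_domain(host)
    if host.startswith(trusted + ".") and reg != trusted:
        reasons.append(f"{trusted} used as a subdomain of {reg}")
    if reg != trusted and reg.translate(CONFUSABLES) == trusted.translate(CONFUSABLES):
        reasons.append(f"{reg} is a lookalike of {trusted}")
    return reasons


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def triage(raw, trusted):
    """Parse a raw message and report auth verdicts plus every suspicious link."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    findings = [(href, reasons) for href, text in collector.links
                if (reasons := check_link(href, text, trusted))]
    return {"auth": auth_results(msg), "findings": findings}


if __name__ == "__main__":
    report = triage(RAW_EMAIL, "example.com")
    print("auth:", report["auth"])
    for href, reasons in report["findings"]:
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the sample, the first link is flagged three times (plain http, visible text pointing at example.com while the href lands on example.net, and the company name used as a subdomain of a stranger’s domain), the second once as a digit-for-letter lookalike, and the third not at all. The failing SPF and DMARC verdicts are the same signal a mail gateway would act on, which is why a message that reaches your inbox anyway deserves the hover test.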

3. NEVER reply to an unwanted email.

If you reply, you’re validating that your address is real. Which… will result in more unwanted emails.

4. NEVER ‘unsubscribe’ from an email list.

Sure, unsubscribing may stop the emails for now. But if you never signed up for the list in the first place, clicking “unsubscribe” just confirms that your address is live and read by a human, and you can bet your name and contact information will be added to another list and sold to someone else. And the spam cycle continues.

If you want to opt out of a list you never joined, simply block, delete, and carry on.

5. NEVER publicly endorse the tools you use at work.

Be selective about what you say on social media, especially professional networking sites like LinkedIn. Smart hackers can scrape your profile and target you or your company directly. When you tell the world which tools and technologies your company uses, you’re also saying, “Want to hack us? Here’s where to start.”

6. ALWAYS use a password manager, like ******.

Ha! Nice try, but we’ll respectfully abstain from recommending a specific tool (cough, cough Rule #5). The point here: don’t use the same password on all your accounts.

7. NEVER send unencrypted PII.

PII (Personally Identifiable Information) includes data that’s tied to your identity, like your birthday, Social Security number, or bank account number. Generally, it’s best to keep all of that stuff off the internet. But if you must send it, encrypt it, and send only one piece of PII at a time. With just two pieces of PII, hackers (or anyone, really) have enough information to do some serious damage.

Be extra cautious about sending Protected Health Information (PHI) of any kind. That’s where things get real illegal.

Phishing Trends to Watch For

Even if you stick to all seven rules, it only takes one convincing email to get hacked. Here are some increasingly common themes to watch for:

  • Imitating charities and asking for donations
  • Imitating CEOs and asking you to complete a time-sensitive task
  • “There’s a problem with your account, verify your password”
  • An urgent ask for help
  • Attempts to build legitimacy first (a friendly introduction, a colleague’s name) before the real ask arrives
  • An announcement that you’ve won a prize

TL;DR: Sorry, you probably won’t win a free cruise in this lifetime.

In Closing: A Note From Patty

We’re security admins dealing with scary stuff, but we always want to be approachable. We want to help you.

Here at Red Ventures, it’s a part of our culture to pay it forward. When it comes to the tools and practices we teach at work, we hope you carry everything home and put it to use in your personal life. Pass along your pearls of wisdom to help keep others safe.

Because that, too, keeps our company safe.

Love, Patty.
