Corporate Fund-Raising: Training Users to be Vulnerable
Subtitle: How often do you train your users?
On three separate occasions in the last month, I've been stirred from my reverie at work by an inbound email that didn't come from my colleagues.
This isn't normal - the only emails I get at work are generally from the people with whom and for whom I work.
So each time I've been irritated by the email to begin with, and each time the email is the same.
It goes roughly like this (the items in angle-brackets, such as "<yourcompany>" and "<theircharity>", were real names in the original email, but it really doesn't matter who they are, because I'm sure we all get this kind of email):
From: <someone not @ yourcompany>
Subject: <theircharity> fund-raising program.
This is a reminder on behalf of <yourcompany> that the <theircharity> drive is going on right now.
We need you to visit the <theircharity> web site at <link> to register your donation to <theircharity> - your user name at that site is your email address, and your password is XYZZY-Plugh.
If you do not wish to donate, you should still log on to the web site at <link> so that we can remove you from our database.
I will readily admit that my first reaction was peevish discontent with my employers that they'd allowed a charity to interrupt my work - over and over again - to request money (does my company pay me enough to persuade me to donate to a charity not of my choosing?).
But after a few seconds' thought, it hit me that this is more serious than that.
This is a phishing email - or if it's official, it's fundamentally indistinguishable from a phishing email. It bears all the characteristics - no branding, the "From" address is from a different domain than the link to the web site, and neither one belongs to <yourcompany>.
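The checks just described, as an added example (not code from the original post): it parses a constructed message modelled on the one quoted above, using placeholder .test domains, and reports which of the indicators it finds. COMPANY_DOMAINS is an assumed value standing in for the domains the recipient's organisation actually owns.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted in the post; the domains are
# placeholders (.test TLD), not real senders or sites.
SAMPLE_EMAIL = """\
From: Fundraising Team <drive@fundraise-mailer.test>
To: employee@yourcompany.test
Subject: Charity fund-raising program.

This is a reminder on behalf of YourCompany that the charity drive is on now.
Visit https://donate.example-charity.test/register to register your donation.
Your user name at that site is your email address, and your password is XYZZY-Plugh.
"""

# Assumed: the domains the recipient's organisation actually owns.
COMPANY_DOMAINS = {"yourcompany.test"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
CRED_RE = re.compile(r"\byour password is\b", re.IGNORECASE)


def registrable(host):
    """Crude registrable-domain reduction (last two labels); adequate for the demo."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw, company_domains=COMPANY_DOMAINS):
    """Return the set of phishing-style indicators the post describes for one message."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    body = msg.get_payload()  # single-part text/plain assumed
    link_domains = {registrable(urlparse(u).hostname or "") for u in URL_RE.findall(body)}

    found = set()
    if sender_domain not in company_domains:
        found.add("sender-not-company-domain")      # "From" is not the company
    if link_domains - company_domains:
        found.add("link-not-company-domain")        # links point elsewhere too
    if link_domains and sender_domain not in link_domains:
        found.add("sender-link-domain-mismatch")    # sender and link domains differ
    if CRED_RE.search(body):
        found.add("credentials-in-body")            # a password handed out in email
    return found
```

A mail gateway or awareness team can run the same checks over approved third-party mailings before they go out, so that anything a phisher could have written just as easily never reaches the address list.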
I'm serious that if this is an official mail, it's training our users to be vulnerable to spam and phishing, because it's telling them that it's okay to click on links in email without first verifying that the email comes from a recognised and approved source.
I've made recommendations that future mailings made by third parties to our employees should use some method to prove their link to our company - this will train our employees to expect such proof in all unsolicited non-work-related email, making it a little harder for spammers and phishers to con the people with whom I work.
What policies does your company have in place for third-party emails that are approved to be sent to your company's entire address list?
Are you inadvertently training your users to be more vulnerable to spam? Or are you actively training them, day after day, with every email they receive from you and your authorised partners, to be suspicious of email that doesn't carry proof of its authenticity?
So, the answer to the question raised in the subtitle is that you train your users with every email your organisation sends. Every time you talk to someone, every time you email, every time you post to your web site or blog, you get an opportunity to model appropriate and acceptable behaviour.