A week later the actual contractor called asking when the payment would arrive.

The email about the account number change was fake.

Instead of going to the contractor, the payments were sent to accounts controlled by criminals.

You’re just as good as a cybersecurity expert at spotting a phishing email

Cybersecurity experts often blame the people who receive such messages for not noticing that the emails are fake.

Making up the difference comes down to listening to your instincts.

They initially took everything in the email at face value.

screenshot of an email message with overlaid annotations

They noticed things like typos in a professional email, or the lack of typos from a busy executive.

They also noticed things like someone uncharacteristically emailing them without mentioning it in person first.

But noticing these signs isn't enough to figure out the email is a fraud.

Instead, the experts just became uncomfortable with the email message.

It wasn't until they saw something in the message that reminded them of phishing that they became suspicious.

They would see an anomaly like a link that the email was trying to get them to click.

In their minds, these are commonly associated with phishing emails.

They became suspicious of the message and investigated to figure out if it was a fraud.

Good instincts

If that's how experts do it, then what do regular people do?

When I interviewed people without computer security experience, I found a similar process.

Most people noticed things that seemed off, became uncomfortable with the email, remembered about phishing and investigated.

And if people thought about phishing, they were also good at investigating.

But they were still able to correctly figure out whether an email message was a phishing attack.

Phishing stories

Most phishing training teaches people to look for problems in email.

But for most people, the hard part about phishing isn't noticing the weird things in an email message.

People often deal with weird but real emails.

Many messages feel a little bit off.

Sometimes your boss is having a bad day, or the bank changes its policies.

No email message is perfect, and people are often attuned to that.

Without that awareness of phishing, the weirdness in phishing messages can be lost in everyday email weirdness.

Most people I interviewed know about phishing in general.

These stories are key to people going from "something's fishy" to "is this phishing?"