On a typical morning I have about 30 new emails in my personal inbox, and 40 in my work account. You know how it is. I archive what I don’t want, scan part of a newsletter, click through to a coworker’s Google Doc, and click “track my package” more often than I’d like to admit. It’s all pretty standard stuff.
These days, though, I face my inboxes with grim determination. Because for about five weeks this spring I was under attack by a team of hackers from the company PhishMe whose goal was to … phish me. I had given company CTO Aaron Higbee my personal and professional email addresses, and full permission to trick me into clicking on a malicious link, downloading a nasty attachment, or visiting a bogus site where my personal information could be compromised.
If you think that might instill a certain depth of paranoia, you’re absolutely right. Every email from my doctor could be fake. Every shared album of vacation photos, a trap. I knew that they were coming for me. I just didn’t know when or how.
Hyper-vigilance is a surprisingly difficult thing to maintain if you’re not used to it. And by the time the first phish hit my personal inbox, three weeks into the process, I’d already slacked off a bit.
The subject was “Court Notice,” and it read: “This is a reminder to appear on June 2 for your case hearing.” The PhishMe team didn’t know that burglars raided my apartment a few years ago, and that I’ve received a number of similar notices because of that. I started frantically scrolling through past emails related to the burglary, panicked that I had misunderstood something I needed to do for the case. The new email included a Microsoft Word attachment, as had many of the legitimate messages I had received in the past.
But then I noticed that the new email had come from firstname.lastname@example.org, not a .gov address. I exhaled—what a sucker. At least I hadn’t clicked to download.