In many CVs, applicants for a job boast about having a sense of urgency. Indeed, many employers list “a sense of urgency” among the character traits they want their young recruits to have – and the greater it is, the better. But is it really so desirable? Social engineering, particularly in the form of phishing attacks, has demonstrated how quickly employees with a sense of urgency can become willing victims.
Social engineers – essentially fraudsters and cyber criminals – understand human nature. They know that ambitious employees, or those working in a competitive environment, are eager to perform and prove their value. That often involves acting quickly and decisively, with no hesitation. They also know that loyal employees rarely question instructions they get from their superiors. And they know that many employees are afraid of their employers, or can’t afford to lose their jobs.
That is why so many phishing emails fall into three categories:
- Messages that promise something desirable or valuable, provided action is taken immediately or within a very small window of opportunity.
- Messages that impersonate managers or executives of a company and ask users to forward sensitive or confidential information.
- Messages that falsely refer to some kind of computer damage – a virus, loss of files, or corrupted storage with serious consequences – that can be recovered by immediately disclosing access credentials to the company’s protected system or data.
These three types of phishing emails are very common, and yet they remain successful. Why? Because they appeal to employees’ sense of urgency, which in many cases is so strong that it overrides common sense and stops users from examining the email more carefully and noticing the red flags.
Studies have shown that users often respond to a phishing email within the first few minutes of receiving it, and up to half of those who fall for such scams actually click on links to fraudulent websites within an hour of the phishing emails going out.
The moral of the story is this: A sense of urgency is only good if it is coupled with critical evaluation. When responding to emails, acting too quickly can be as damaging as acting too slowly, or more so. At the very least, every email that contains an unexpected message, comes from an unknown sender, or arrives at a strange hour deserves a closer look. In particular, emails that ask the recipient to click on a link, open an attachment or share sensitive information must NOT trigger a user’s sense of urgency, but rather a sense of caution.
Phishing simulation campaigns are the ideal way to teach users how to recognise suspicious emails and how to respond – or not – to them. If you would like to know more about how we can create phishing simulation campaigns for your organisation, give us a call or drop us a line.