It’s a normal Tuesday morning, you’re catching up on work email and you notice a strange message. It looks legitimate. Maybe from a social media site or a popular entertainment site like Netflix. Perhaps it looks like it’s from a company affiliated with your own. But there’s something odd about it.
The email is flagged as urgent. The capitalization is wrong. The reply email isn’t quite right either. Perhaps there’s even a minor spelling mistake.
You, being the sharp employee that you’ve been trained to be, know this is a scam. It’s a phishing email and you should not click on it. So you don’t. You delete the email, give yourself a pat on the back and treat yourself to one of the donuts in the break room.
Put the donut down. Because you didn’t pass the phishing test.
You didn’t report the email to your company.
“But I didn’t click on it either!” you say and you’re right, you didn’t. You were aware, but you also probably didn’t follow company policy.
Maybe you kept certain company data safe by not clicking on the email, but what if your coworker is on autopilot that day and clicks on it. What if they’re just flat out fooled. Then guess what? That phishing email is still going to compromise you and your company.
When a phishing email makes it through to your work address that is not only an attack on you, but also a potential attack on your company and it must be reported. Maybe your company asks that all security incidents be reported to an IT Consultant or a helpdesk. Maybe it requires a quick phone call or an email. Five more minutes of your time. Whatever it is, always go the extra step and REPORT IT.
And if you don’t know what your policy is, ask! There’s no shame in asking. It means that you care about your own well-being, as well as the company’s.
Are you reviewing your company’s security policy right now? Good. You totally deserve that donut.