(Photo: Billion Photos)
Justin Daniels, Baker Donelson, Atlanta

How would you feel if you found out 57 percent of your organization clicked on the link from a phishing email simulation? I pondered this question in the aftermath of the results of a phishing simulation I recently conducted. It involved a group of about 100 people who were prospective attendees at a local chamber of commerce event where I would be presenting. After considering the circumstances, I concluded two things: (1) the manner in which we conducted the phishing simulation made clear why this type of attack is so successful; and (2) this event presents an opportunity for in-house counsel to educate the C-suite and the organization about cybersecurity as a strategic enterprise business risk.

About a week prior to my presentation, the 100 prospective attendees received an email from me. In that email, I asked that the recipients review a slide for my upcoming presentation by clicking on an embedded link, which routed them to a site that looked like Google Docs. At that site, they were asked to supply their email again. On the day before my presentation, I received no fewer than 12 phone calls from people who wanted to help and had tried unsuccessfully to review the slide after repeatedly clicking on the link.

About 10 minutes into my presentation the following day, I asked the audience if they might have received a phishing email in the last few days. As the question hung in the air, I saw some sheepish looks as many realized where I was taking the conversation. The results of the simulation got everyone’s attention: 76 percent opened the email; 57 percent clicked on the link; and 37 percent repeatedly tried to submit credentials, which could not be accepted.

Why was this simulation so successful? It used social engineering to take advantage of trust and people’s desire to help when asked. In my case, the email came from the speaker and had a seemingly innocent request. In fact, the email sought to take advantage of people’s trust that an email from the speaker must be legitimate. If you take a close look at the email, however, my email address was intentionally misspelled, as it used two L’s in “Donelson.” The simulation also leveraged the fact that most people want to help when asked.
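A concrete check that follows from the misspelled-sender point above, added here as an example (it is not the author's code, and the article does not describe any such control being deployed): score each inbound From: domain against a short list of trusted domains by edit distance and flag the near-misses that a reader's eye skips over. The domain names and headers below are constructed; bakerdonelson.com is assumed as a stand-in for the firm's real domain, and bakerdonellson.com is the two-L misspelling the article describes.

```python
"""Look-alike sender-domain check.

Added example, not code from the article or from the author's firm.
The trusted-domain list and every address below are constructed for
illustration; "bakerdonelson.com" is assumed to stand in for the
firm's real domain, and "bakerdonellson.com" is the two-L misspelling
the article describes.
"""

# Domains the organization treats as its own or as known partners (assumed).
TRUSTED_DOMAINS = {"bakerdonelson.com", "metro-chamber.org"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract and normalize the domain from a From: header value.

    Handles both "user@host" and 'Display Name <user@host>' forms. The
    display name is ignored because it is attacker-controlled and is
    exactly what most mail clients show first.
    """
    addr = header_value.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, closest_trusted_domain, distance).

    verdict is "trusted", "lookalike" or "external". A look-alike is a
    domain that is not trusted but sits within max_distance edits of one
    that is, which is how "donellson" slips past a reader.
    """
    domain = sender_domain(header_value)
    if domain in trusted:
        return "trusted", domain, 0
    closest = min(trusted, key=lambda t: levenshtein(domain, t))
    distance = levenshtein(domain, closest)
    if distance <= max_distance:
        return "lookalike", closest, distance
    return "external", closest, distance


# Constructed From: headers standing in for a mailbox sample.
SAMPLE_FROM_HEADERS = [
    "Justin Daniels <jdaniels@bakerdonelson.com>",
    "Justin Daniels <jdaniels@bakerdonellson.com>",
    "events@metro-chamber.org",
    "Google Docs <noreply@docs.google.com>",
]


def flagged_lookalikes(headers=SAMPLE_FROM_HEADERS):
    """Return the sender domains in `headers` that are look-alikes."""
    return [sender_domain(h) for h in headers if classify_sender(h)[0] == "lookalike"]


if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(f"{h!r}: {classify_sender(h)}")
```

Two caveats before using this on real mail: compare registrable domains (strip subdomains with a public-suffix list) or legitimate mail from mail.bakerdonelson.com will score as unrelated, and scale the threshold with length, since two edits on a short domain such as ibm.com matches a great many legitimate names. The check also does nothing against the other half of the article's point: a message sent from a genuinely compromised speaker mailbox has a perfectly spelled, fully trusted sender.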

This content has been archived. It is available exclusively through our partner LexisNexis®.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.