Anon: Okay, Phish. Let's see if my targeted phishing campaign works. I've written an email to Cindy that contains a file that has a malicious URL embedded within it. If she clicks on the file, malware will be released on her computer. I have name the file "Fiscal Year Planning", so hopefully she won't even think twice as she works in the finance department. Even better, I'll use one of the health care facility executives names as the sender to make it look like it's more legitimate. I'm sure we'll catch her now.

Narrator: While working at her desk, Cindy receives an email notification from her director. It's titled Urgent Request, which causes Cindy to panic. She immediately opens the email. Noticing a file titled "Fiscal Year Planning". As she goes to click on the file link, she pauses and remembers the top few tips that were shared in her cybersecurity awareness training.

Cindy: Hmm. This seems very suspicious.

Narrator: Cindy's director would never send something with such an urgent title, especially without talking to her about it first. Also, this email is not from the company domain, even though it has her name in the body of the email. There are also quite a few spelling errors throughout the email. After the suspicious emails she received this morning, Cindy decides it is better to be safe than sorry and reports the message as phishing.

Anon: Oh, Phish. It's been a few hours, and Cindy still hasn't clicked on the malicious URL in the spear phishing email. Have I lost my touch? You're right. I can't let this one get me down. I'll just try something different. Cindy will never see this one coming. I'll send her a malicious text message that contains a link for an e-transfer. I just know this text will be the catch of the day.

Narrator: Cindy has been working tirelessly all afternoon trying to meet all of her deadlines coming up. Suddenly, Cindy's phone buzzes, notifying her she has a new text. Cindy reads the text but doesn't recognize the phone number. The message tells her she has an e-transfer waiting to be claimed. Cindy looks at the URL for the link and pauses. The name of her bank is misspelled in the URL. She decides to delete the message as she doesn't know the number. She isn't expecting money from anyone and the link did not look safe to click.

Anon: No luck in this smishing attack either. The only thing I have left to try is Vishing. I will call her work phone number and impersonate her company's I.T. Service Desk. Hopefully she'll trust me enough to give me her password, which I can then use to access more sensitive company information.

Hello. This is I.T. Service Desk, George... Yeah, George. I'm just calling because my records show you need to update your computer. Wouldn't want it to have any bugs or anything, now, would you? I just need your password, and I can get it done right away for you.

Narrator: Cindy feels surprised by the phone call and thinks it's strange that the I.T. Service Desk would be calling her directly to remind her of the update. Even further, the agent wants her password. Remembering her Cyber Security Awareness training and trusting her gut instinct, Cindy decides to hang up the phone.

After hanging up the phone, Cindy feels uneasy about the suspicious emails, texts and phone calls she has received. Cindy decides the best choice is to tell the I.T. and security team what has been happening. She also recalls that she needs to follow the incident response plan created by the security department, not wanting anyone she works with to fall for any suspicious messages. She also decides to message all of her coworkers to remind them to stay on the lookout for any weird emails, text messages, or phone calls.

Cindy: Wow. It sure feels good to put what I learned in Cyber Security Awareness training into practice.

Anon: Well, Phish, it turns out these health care facility employees are a lot more cyber safe. than I originally thought. I won't let this deter me though. I'm still determined to infiltrate their organization. Time to think of even more cyber attacks.