Summertime Is Phishing Season: Did You Take the Bait?
Phishing emails are one of the most common ways cybercriminals try to deceive you into revealing protected information or installing malware on HM computers. To test your ability to recognize and report suspicious email, IT conducted two phishing drills in June. Read on to see how we did.
Fly Phishing
The first phishing drill email was sent in mid-June and appeared to come from Southwest Airlines. The promise of “A Brand New $500 Southwest Airlines Gift Card” seemed only a click away. Here are some red flags that should have alerted you that the offer was too good to be true:
- The email address was “noreply@stubclub.co,” a suspiciously vague sender.
- The image embedded in the email had an incorrect Southwest Airlines logo.
- Hovering over the image or the links in the message showed lengthy web addresses, none of which were related to Southwest Airlines.
Fortunately, most employees weren’t on board with this phishy flight: Only 2% of recipients who opened the email clicked on it, and 13% reported the email by clicking on the Report Suspicious button in the top right corner of Outlook, requesting IT to investigate.
Phishy Gift
The second phishing drill email hit employees’ inboxes 10 days later, this time supposedly coming from Methodist Benefits. Here were hints you were getting phished:
- The email address was not right: “MethodistBenefits@cardservices.online”
- The urgent subject line, “Gift Card balances expiring soon!”, was trying to get you to react.
- The phony offer was similar to the H-E-B holiday gift cards employees received last year.
While most employees steered clear of this crooked Kroger card, the bait hooked a few more people — 5% clicked on the email while only 10% reported it as suspicious to IT.
Getting Smarter, But Lures Are Everywhere
So far, our 2023 phishing drills show we are making progress. In Fall 2020, when IT began sending planned phishing drills, 27% of recipients were clicking on phishy links. However, no matter how well-versed we become in cybercriminals’ schemes and tactics, it can take only one wrong click for clever criminals to cause unthinkable damage to our precious patient information and corporate systems. These drills remind us to remain vigilant and critically examine every email message that lands in our inbox.