Catching a Phish | Effective Phishing Scam Prevention & Safety Techniques & Best Practices

Published: Feb 22, 2021 Duration: 00:41:22 Category: Science & Technology

Introduction

Hello and welcome, everyone, to Catching a Phish: simple tips and tricks to keep yourself secure. My name is Nathan Austin. I'll be presenting the content today, and Stephanie Kingsley is behind the scenes producing and staffing and making sure that the Q&A gets answered and responded to. So thank you for joining us today. I'm very excited to go through this. This was really fun to prepare for because I wanted to, we wanted to provide as real examples as possible, and some of the things we're going to talk about today, some of the phishing examples, actually worked. So this isn't just theory; this is stuff that actually worked and that people actually did have happen to them, that did result in some loss. But it was minimal to nothing in both examples. But I'm looking forward to sharing that with you today, as well as to help with this in context as far as the problem we're really trying to solve here.

Overview

All right, so today what we're going to do, the purpose of this session, really, it's to help raise awareness and keep you (I say you, but you, your family, your company, your co-workers) digitally safe, because typically the type of actions or kind of bad things that can happen oftentimes are financial, meaning that someone might try and steal banking information, or get you to buy gift cards, or to wire money, or just basically something that could have a negative financial consequence, whether it be on you individually or your organization or a friend or co-worker, etc. So really I'm hoping that this helps keep you, again, digitally safe, and I'd like to ask all of you, as you're joining and as you're listening, think about those in your life. And I don't just mean professionally, because a lot of times when we think about security awareness training we think about corporations doing security awareness training and talking about phishing and how to avoid this stuff for them, but I also feel that this is just as
if not more important for you as an individual. Corporations have IT support and have IT resources and security measures in place that oftentimes we as individuals do not have in place. And so as we go through this today, yes, I am speaking to you as an organization, or folks of an organization, and how this might help protect your company, and we're also talking about all the individuals in your life, including yourself, that could be vulnerable to these kind of attacks.

All right, so that's the purpose of today. Secondary, we're going to go through some of the common phishing tactics and then the goals that they have: why does this happen, who are targets. We're going to kind of talk about that. Then we're going to go into our demonstration that we typically do for these sessions, is not going to be going through, actually screenshots, I didn't want to have the live emails, but I'm actually going to show you three different phishing examples, and we're going to talk through some of the ways in which you can identify that it's fake or that it's a phish, as well as show you ones that, but these actually worked. So even though they worked, there's some reasons why they worked, and so we'll talk about ways in which you can keep yourself safe and recognize those so you don't fall victim to similar attacks. Finally, we're going to show you what can you do to prevent this, what happens if you did actually click on this or if you did provide information. We're going to provide some conversation around that, and finally some Q&A at the end. So it'll be about 30 minutes of content and then we'll open it up for Q&A. We are recording this, and we will send a link to the recording out afterwards, so hopefully you can reference it later, or if there's anyone else in your life, your organization, that could benefit from this, we'd appreciate you sharing as well. Finally, before we move on, the Q&A is open, so if you have any questions as we go along,
we're not going to answer them live. Stephanie might be answering them offline, but we will open it up for Q&A afterwards. But as we go through the session, if you have any questions, you'd like any clarity, please go ahead and do that in the moment so you don't forget, because then we will answer those at the end and go through those details after the end of the presentation.

About MyTech

All right, well, one thing really quick, one minute about MyTech. MyTech is a small-medium business consulting organization around IT services. We only work with organizations that are in the Colorado, Minnesota area geographies, and over the last 20 years of being in business we have learned a proven IT strategy that we know can deliver consistent, secure and reliable results for our clients. Now that requires a partnership where we work to build a plan and mutually execute that plan, where we know that plan over time, as it executes, can remove IT challenges and allows you and your team to focus on better serving your customers and enabling you to be more adaptable to the other business challenges that we all inevitably face beyond IT. And so with that said, our clients, we measure this, can achieve four times more value and productivity from their IT investments over the life cycle of that plan and executing that plan and executing that proven strategy. So we're not here to talk about that today, but if you'd like to hear more, if you'd like to discuss that with us, please raise your hand; we'd love to chat with you more about that. But again, that's not why you're here today, so let's move on with the rest of this session.

What is Phishing

Okay, so first and foremost, what is phishing? All right, so what does it mean to be phished? Phishing is typically when bad actors, in general we're talking about people that are out to manipulate, to fool, to defraud, to exploit the vulnerable, the unaware, they typically are sending emails, but it also could come via text. So
for the most part we're going to be showing emails, but just know that you've probably all received text messages, and if you were the live audience and you were in the room with me today, I'd ask you to raise your hand: how many of you have also received text messages that look suspicious, or text messages with links that look like they could be fraudulent or trying to get you to click on them? So really phishing is bad actors sending emails or text messages that are trying to get you to take some sort of action. So the benefit, the nice thing, is if you're not taking that action, if you don't take any action, you're okay. So for instance, if you click on a link they're trying to get you to, sometimes just clicking on the link is all it takes. Sometimes, then, if you click on that link and you provide information, such as, maybe you're saying, "Hey, we need your password information," or you accidentally provide a credit card or social security number, anything like that. They might be taking you to a page that looks like Microsoft Office 365, for example, but it's not, and they might get you into your password information, and then you're wondering what's going on with that, but they use that information later, and we'll talk about that here in a bit. Maybe they might want to get you to buy gift cards; that's one of the examples we'll talk about today.

Then the other example is, who does phishing target? Okay, so now if we understand what it means to be phished, well, who does phishing actually target? My best way, in a simple way, to say that is they target the unaware. The reason why I use that phrase in particular is because if you make yourself aware, and if you help others become aware, we can prevent all this stuff from happening. So they target the unaware: someone that is not really paying attention to some of these things; they're not really aware that these are things that could actually happen, or the problems that might exist from accidentally clicking on
something or providing information. And again, as I mentioned earlier, this could be targeting your family members, this could be targeting co-workers. Very often, if it's a targeted attack like one of the ones we'll show you, they're actually targeting someone that has financial access, the ability to get reimbursed, or the ability to have information to bank accounts, etc. And really, ultimately, phishing, in a wide net perspective, because sometimes it's targeted, but sometimes it's just a numbers game, and they send out millions of emails and all they need is a couple people to be able to click on them in order for them to be successful. So ultimately they're trying to target anyone with an email or a cell phone, which pretty much is nearly everyone in society today. Okay, so now we have a better understanding of what is phishing, let's move on to some of the common phishing tactics.

Common Phishing Tactics

All right, so let's go down these in order. So, authority. What I mean by authority is sometimes phishing tactics will pose as someone with authority. That could be your boss, CEO, CFO, an executive, someone with whom, like if you're in an organization and you receive an email from this person, or a text message that says they're this person, you're more apt to act because it's coming from a person or position of authority. So that's what I mean by authority.

Urgency might be self-explanatory, but the bad actors here are trying to get you to do something now, something quickly, something time-sensitive, something where you're not taking the time or taking the moment to maybe run across that person in the hallways, or send them a message on Teams or whatever messaging platform, or catch them in person by walking in the halls if you're in the hall with them at the same time. And they're trying to get you to take action quickly so that you don't have the opportunity to check on the validity of the request.

Another one is
secrecy or confidentiality. We'll show how some of these are just, it might be a personal request, the request might be private, like a private request coming, so it makes it feel like it's coming just for me, or maybe it's for a surprise or a gift, something that gets the person saying, "Oh, I'm helping out, I'm doing someone a favor, I'm helping them; they can't do it themselves because they're in the middle of something and they want to surprise someone, or they need to do it so the other person doesn't see." I've had it with one of my clients where this happened, our clients, where they tried to fool the person, and they did actually; they fooled the person that had access to the financial records because they posed it as something relative to an acquisition. And for anyone who's familiar with acquisitions, mergers and acquisitions, that's very confidential; you can't share it, you can't say anything to anyone about it. So they're trying to impose or imply some sort of secrecy or confidentiality so you're not asking or communicating this outwardly.

Then, current events. This one is actually kind of like clickbait, if you will. So for example, what are the timeliness of certain common situations, or current events, excuse me, that might make someone click? So for instance, at the end of January, which we just passed, if someone got an email about the 1099 or a W-2, they might be more apt to click on it than if they got that midsummer, for example. What about the elections that were happening? Were there charged conversations happening then? And what if someone got an email that might agitate them because of some political comment that was made in an email, that might get them to click without thinking? Taking advantage of current events, taking advantage of the pandemic, taking advantage of anything that's going on in a current event that might get someone to click without thinking. And that's the
point, is to take advantage of that, because it might seem like an email that you should expect, or an email that might come from a marketing agency, or an email that could be legitimate and valid. But again, the point is to get you to not take time to think about it.

The other one I like to mention is common situations. One of the examples we're going to use today is receiving a package. Who hasn't increased maybe the number of packages they've had delivered to their homes over the pandemic, over the last year? Maybe it's something, holidays, you know, the comments, like, we all experience holidays at different times of our life, at different times of the year, and if someone's exploiting holidays. Maybe bank statements: you get monthly bank statements, you get monthly bills; nearly everyone has those experiences. And so if I'm a bad actor, I know this; I might try and exploit someone who is expecting to get a monthly bill via their email, or expecting to get a monthly bank statement in their email, and to get them to click on something without thinking.

So those are some of the tactics that bad actors, from a phishing perspective, take, and ultimately their goal, as I mentioned on multiple occasions, is they want you to act without due diligence or act without thinking. They're hoping to get information that they could exploit in the future. So for instance, if they get your credit card information, they might be able to use that to do fraudulent charges. They might get your password, which might then, maybe they take over your email. This has happened before, where maybe they take over your email or forward email, so they'll create forwarding rules. This has actually happened: they'll forward emails from you until they get that financial information, and that allows them to get a foothold into other things. So that one piece of information they got from you might not have given them everything they needed, but it gave them that foothold, them, I mean the bad
actors, gave them that foothold into your world, into your company's world, that allowed them to dig in deeper and exploit other information from which then they could act in a future date.

And finally, the gain access for future exploit. What I mean by gaining access is sometimes when you click on that link, or potentially open up a document that you shouldn't have opened that was suspicious, that is inadvertently, and you don't even realize it's happening, installing malware or keyloggers or something on your machine behind the scenes that then could be used to gain a foothold inside your environment, get behind your security policies and procedures, as well as then move across the environment. One of the things, when you think about different exploits, a lot of people are familiar from years ago the Target exploit, that they were in Target's environment for many, many months before they were actually discovered, and the average exploit is on your computer or in your network for over 120, I think it's actually around 180 days now. So from four to six months they're in your world, investigating, seeing, tracking your key logs, everything you're doing, before they might choose to ransom your machine or encrypt your machine. They've already taken advantage of the data, they've already exploited what they want. And so that's what I mean by gaining access for future exploits. So those are some of the common phishing tactics and some of the goals that they have, so keep those in mind as we look at this next slide, which is Human Error Dave.

Human Error

Ultimately, this is what I want you to take from this slide, is that, and this is probably something you've seen before, but it does illustrate a couple points. One, when it comes to social engineering, and phishing is an example or an attempt at social engineering, vulnerabilities and potential threats, it only takes one time. It only takes one click; one mistake is all it takes to allow the bad actors in,
which means that we must be diligent every time, and bad actors only need to be successful once. So that's one of the challenges of phishing and why awareness is so critical, because, and I imagine, as I mentioned earlier, think about those people in your life, whether they be co-workers in your organization or family members, that they are potentially vulnerable to these kind of exploits because they're not aware. So again, I think about family members just as much as I think about co-workers in this example, and family members unfortunately don't have the benefit of having all this extra security that we as corporations and individuals as part of companies have. All right, so keep those in mind. Keep Dave, or the Human Error Dave, or that Human Error Dave, in your life. I know we're not trying to poke fun at people named Dave or David or Mac or Buddy; we're just trying to give an illustration that it really just takes one time for bad actors to take a foothold. Okay, with that said, let's look at some real world phishing examples.

Real World Examples

And two of the three of these examples that I'm about to show you, again, I've got screenshots, I'm not actually pulling up the actual emails, but they're screenshots of the actual emails, and I'm going to tell stories about them. Two of these three examples we're about to give actually worked, and so this is real world stuff, and I'm hoping that we can all take lessons. And I asked the people that had this happen to them if they'd be okay with me using this example to share, so that hopefully can create awareness and help other people avoid what happened to them. So let's start with phishing example number one.

Example 1 Email

All right, so phishing example number one. At first, if you're part of MyTech, you know that Leif Wildenberg is our CEO. That's not a secret, that's not private information; that is available. If you do look on the internet you're going to see that; look on LinkedIn, you're going to
see that Leif Wildenberg is our president and CEO, and everyone in our organization knows that. So this is an example where an email was sent from our CEO. So first and foremost, remember I talked about the different tactics that bad actors take. Well, this one they used, and by the way, I forgot to mention that it's not just one of the tactics; oftentimes they use multiple facets of those tactics at the same time to take advantage of, or to try and manipulate you into feeling and taking action without asking. So in this example they started with authority, started with, well, this is Leif Wildenberg, and people know that he's the CEO and president. And this was very targeted, because they knew the person that they sent this to was someone in our organization. So I don't know how they got this information; maybe they called us, maybe they asked for an email, maybe somehow, someway, they got the email address of someone in our organization who does work closely with Leif, who knows that they might be inclined to take this action.

Now however, one of the things that came about is, how would you notice that this is fake? Well, okay, this does have a suspicious email, but what if that was just something that maybe it was a voice-to-text, or maybe it was something that he's using this email because he doesn't want to let other people know about it; he has a personal request, so he's using his personal email, potentially. It is a little suspect that it doesn't have L Wildenberg or Wildenberg or anything related to his name or anything like that, so it is a little suspicious in the email, but okay, we're still moving forward here. So then what does the bad actor try and do? The bad actor suggests secrecy or confidentiality. First of all, "I need your cell number, I have a personal request." Now if you're someone who works closely with Leif and he asks you for maybe a personal request, you're probably apt to maybe respond. You're like, well,
and not everyone in our organization necessarily has Leif's cell phone number on speed dial, so they wouldn't necessarily know that it is or isn't his cell phone number. But that could be something to look up, by the way: make sure you look for someone's cell phone number if they're on your company directory. But anyway, suggesting secrecy or confidentiality. So right now that's two of the tactics that we mentioned earlier that phishers oftentimes use: again, cell number and a personal request. Lastly now, sense of urgency. So those are three of the five tactics that we identified that phishers often try and take advantage of relative to getting someone to take action without thinking or without acting. So they've used authority, suggesting secrecy or confidentiality, as well as suggesting a sense of urgency.

All right, so what happened with this? This email and example resulted in this person on our team giving their phone number, and they did receive text messages from that person requesting that they go online and buy a few hundred dollars worth of gift cards. When they went and bought those gift cards, once they received them online, then the person said, okay, this person thinking Leif is asking for this, it's like, "Hey, I wanted to give these gift cards as a gift to individuals, so could you please give me the code on the gift card, send pictures over, screenshots of it, and text it to me so I can use them." So lo and behold, the person's like, "Well, that makes sense if you want to use those, you want to keep them secret; here, let me do that and I'll send them to you." And so now those gift cards and the codes to execute or to use those gift cards were sent via text, and then they were used immediately. So this is the example, I wanted to provide this one first because it is an example of, people can and will target your organization for something as simple as a few hundred dollars worth of gift cards. Now fortunately this was only a few
hundred dollars worth of gift cards, and it was found out relatively quickly after that happened, so that they were able to realize, and so that this person will not fall victim to something like this again. And at the end we're going to talk about what are some of the things you can do to prevent something like this happening, or how can you make sure that part of your organizational process and procedure make sure that for any financial request you have something defined to mitigate against something like this happening. So that's an example of a real phishing email that resulted in quick action, with a personal cell phone number and a personal request, with the authority of the president of the organization, and the action was a few hundred dollars worth of gift cards, that was actually executed. Okay, so that's the example of something that did actually happen. Here is phishing example number two.

Example 2 Email

Now this one was to a friend of mine, and being that I'm in IT, they asked me; I was made aware of this because after they actually clicked on this and after they provided information, they asked me, "Hey, is this real or not?" because, I know, I'm in IT and I'm in security and I'm aware and I work with folks in this regard. And it was definitely identified as a scam. But one of the things we're going to call out here, for example, is that, if you notice, this is not a real U.S. Postal Service email address. However, if you're on a mobile phone, when you just look at an email on your mobile phone, it doesn't show you the email; you have to click on it intentionally for it to actually show you the email. So this is an example of where if I'm on my computer, say my Outlook or my email program, I might see this really quickly and easily; however, if I'm on my mobile device, it's much easier for me to be fooled if I'm not intentional about double-checking the email address. All right, so that's an example, one of the pieces of
information that would have enabled you to find out that this is a fake email. And how many of you have gotten an email like this, for example, and it just says here's the code number or here's whatever; it's just a random number of digits. But okay, maybe it looks legitimate because it actually has something that says, well, maybe it's a tracking number or something like that that I'm looking for. And how many of you would actually double-check that tracking number? So okay, there's some things that say this could be legitimate. And then, a delivery failed. Well, again using that common situation or common occurrence, how many of you might be in a situation to receive a package that you might be expecting? I know I have; with different things, I'm doing some home improvement projects, I'm expecting packages all the time of different things that I'm ordering, that I'm going picking up. And in this example, this person told me one of the reasons why they actually clicked on this is because, and I kid you not, this is where it's a numbers game, this person had actually received a failed delivery from the post office 48 hours prior to this email coming through, because of something not being able to be delivered. And so this phisher got really lucky, because in this example they happened to catch this person when they were expecting a package; they had actually received a notification that the package was a failed delivery and that they were trying to deliver again. And again, it looks legitimate; it's actually using the U.S. Postal Service logo, so at a glance it passes the test, right? So there's several things that got lucky here, but there's also things that are showing that this could be real. And then, who doesn't love getting packages, right? So even if you're not expecting a package, well, gosh, if someone's trying to send you a package and they're not able to deliver it, don't you want to try and
get it? Of course you do. So this is an example too of where using a common occurrence, or something that people would want, to get a package, as a reason for them to act quickly, act before thinking, or act before doing their due diligence.

Now this last part of this example is that, and this is also the difference of if you're on your computer versus a mobile device, if you hover over the link it's pretty obvious of what it is: it was vmi dot bmi 2599, and I didn't put the actual domain here, but not usps.com; it was some other domain name. And so if you're on your computer and you hover over this, it's really easy to see the URL is not legitimate, the URL is not the U.S. Postal Service. But again, if you're on your mobile device it's much harder to see it, because you don't see the URL, you just see the rescheduled delivery, and you can't really hover over it on your mobile phone without actually clicking on it. So those are some of the reasons why this person actually was phished.

And so the reason, excuse me, the result of this phish was that this person actually clicked on the link, because they were expecting this package; they had received a denied delivery or an attempt to redeliver. They entered their credit card information, and then after they entered the credit card information the site also asked for their social security number. That's when this person's kind of hackles went up, or their hairs raised on the back of their neck, like, "Wait a second, why would the U.S. Postal Service need my social security number?" And you also could ask that about your credit card, because they're delivering your package to you; unless it's COD, which I don't think they, I'm sure they probably do, maybe they don't, I don't know, then there's no reason why they would need your credit card number either. However, it was that second action, when they needed the social security number, that sent this person's suspicions up and said, "Wait a second, this doesn't seem legitimate."
That's actually when they contacted me, again knowing that I'm in the industry, and I said, "Yep, this is absolutely a scam; you need to cancel your credit card." So they actually were able to go online, immediately cancel their credit card, and within a couple hours of them cancelling their credit card and this happening, fraudulent attempts were made, fraudulent charges were made on this card, or attempted on this card; it wasn't able to happen. So this is an example of a phishing email that worked, and part of it is this wide net that phishers sometimes cast, is to say that the chances of someone in our world expecting a package, and the chances of someone in our world maybe having received an undeliverable package or a re-delivery attempt on a package, is high. And so the additional variable is the fact that a lot of people are checking these emails on their phones, and so when you're checking on your phones there's things that take extra action or extra due diligence in order for you to actually see some of the examples of why it could be a phish. So here's a few examples. This one actually worked, but nothing bad happened other than this person had to get a new credit card issued. But hopefully that helps with some of that visibility.

Example 3 Email

So the last example that we'll provide here, this one is a real one that was actually sent to me within the last, if you notice, the date is February 10th, so just a couple weeks ago, and this one did not work, by the way. But here's a few examples. So when you look at phishing email number three, one of the things I liked, or not liked, but I thought was interesting about this email is that at a glance it's coming from a legitimate email or domain, meaning that if you looked at the domain here, if you went to the domain, it's coming from onedrive.com; you could go out to onedrive.com and that's real, that's Microsoft's OneDrive domain.
So at a glance it starts to pass the test. However, I wasn't expecting anything from the sender; I don't know Angela Matero. I was not expecting the signed group secured scanned proposal; I wasn't expecting that, and so it definitely started to raise my suspicion. Then notice there's creating some urgency: download these files now, or only available until February 28th. So it was created to create some urgency for me to take action. And then I did not know the sender; notice it did provide an email address, but I don't know that sender, so that's another suspicion. Then again, this is an example also, if you're on your mobile phone you wouldn't necessarily know that, you can't hover over the link on your mobile phone. Maybe there's a way to do that, I don't know, I should have done some research on that, but maybe someone out there knows how to do it; you can put it in the comments or in the Q&A. But if you hover over the link in your computer, it was at distinct dash wealthy nickel dot, not onedrive.com; it wasn't OneDrive, it was some other domain com. But again, you can't really see that on mobile, but that's an easy trick, when you hover over it, to see that it wasn't a legitimate domain.

And then the other thing: well, a lot of phishing emails, some of the ways in which we used to catch phishing, or what makes them more obvious, is when they misspell words, they're a little messy, the grammar seems to be off. But if you notice, in pretty much none of these examples was there anything along those lines where grammar or spelling was off. However, phishers sometimes get lazy, right? Did someone forget that they were sending from OneDrive? So notice it looks like they copied and pasted a Dropbox, and if I actually hover over this it does actually show a Dropbox link. So on one hand they're using OneDrive up here, and then the other hand they copied and pasted a Dropbox link here at the bottom. So another reason to see that's incongruent, and for suspicion. So
we did catch this this was not no action was taken but it's an example that i wanted to give because it at first glance it does look like it could be legitimate um especially if you see this on your mobile you you might not recognize uh some of these uh these more obvious or evident things to catch it as a phish okay so now that we've gone through those examples um what uh what can you do uh

Phishing Tips

so first of all uh expect that phishing attempts are gonna happen and be suspicious do not click on the links so for instance if i want to go to a link go directly to the website if they're asking for your password you know from your bank or from a a vendor that's a bill you know like a utility vendor or something like that go to the site in question type it into the your browser don't actually use the links if it's something like the the financial request or to request to take action maybe go to the person verbally confirm call them on the phone track them down in the office if you're in the office with them make sure to verbally confirm with the person who's making the request about gift cards or wiring funds or any of those things because that's just a simple quick thing you can do just double check and make sure that you're not accidentally providing financial information or giving gift card information to someone that shouldn't get it i do recommend that you define a process or procedure for any financial request that could be internal processes and procedures as well as processes and procedures with your bank to make sure that if they do receive a request maybe the requirement is that they have to call you maybe there's some some way in which you can work that out with your bank so there's some sort of financial safeguards from being able to accidentally wire money uh to the wrong recipient be aware just increase awareness because ultimately phishers attack the unaware if you're aware of these things can happen it reduces the probability that you're going to
fall victim to them i do recommend that if you ask for security awareness training that's how you increase awareness not only for yourself but your for your family or your organization and from an organizational perspective build security awareness training into your employee onboarding process and annual training regimen so that you can help increase awareness and keep people aware that this stuff happens again two of those three examples worked um and those are recent examples i didn't have to dig deep to find them they were there so those are things you can do proactively

What if you get phished

but what if you do get phished well first of all it depends on what you did and uh will also provide as a follow-up resource the federal trade commission provides a resource site that says if you provided this information what should you do if you provided that information what should you do so there's some information there that we'll share but if you provide the credit card information cancel your card immediately what if you provided your social security number well a lot of times your social security number could be found out on the internet if people really know what they're doing it's not hard to find however if if you did provide it potentially put a lock on your credit file or pay attention to your credit file so you can see if there are any inquiries coming through because someone might try and take out credit in your name or do identity theft so be aware of that what if you clicked on a link or a document that you think may have been malicious now here's probably the example that for individuals if it's on your personal machine or family member i don't know that's this one's a hard one because i'm hoping that your antivirus might catch it or i'm hoping you might have to take it into some consumer technology company to help service like geek swat or something like that i can't believe i actually just said that in real world but ultimately report it to your it
company do not hide that if you accidentally clicked on something or if you feel like you might have unintentionally clicked on something do not hide it report it to your i.t support or your it resources as soon as possible because i promise you the bad actors will act very quickly and sometimes the only thing that we can do is to get your computer off the network and sometimes the only thing you do to guarantee is to rebuild your machine and so personally that's also something you can do but don't hide this if you accidentally click on something please report it to your it department

Recommended actions

all right so recommended actions those are some individual things you can do but identify areas where you your company or your families might be your family might be at risk i recommend that personally and or professionally take action to help increase awareness with those individuals or those folks you know raise a hand if you'd like my tech to help we'd love to be able to help provide security awareness training this or other types of security awareness training this was really focused on phishing but there's others so we can help with that and as well as join us for other future virtual events we host them every other week and we have bi-monthly or every other month power user group sessions the next one's coming up this friday around around microsoft teams and microsoft 365 resources

Questions

so thank you all very much i know i went a little over as i didn't think that going into all those details were going to take as long but hopefully this was valuable valuable to you i really want to thank everyone for attending for those who need to sign off again thank you very much we'll send up a follow-up email with the recording um for those you can stick around we'd like to open it up for any questions you might have so we can offer any clarity or or talk through any details that we may have overlooked so stephanie let's open it up for questions thanks nate um and
as you were going through the session someone did post that you can click and hold on a link in a mobile and it will display the link but not open it nice i haven't i think i've never tried that because i'm scared to click on it so i think that's a good that's but that's a good that's good to know that you can actually do that uh on your mobile awesome but be careful that you don't actually click on it yeah i just tested it when she wrote that so okay it does work awesome that's great awesome um so we did have a couple questions here uh so the first one is what should you do if you receive a meeting invite from someone you don't know do you just delete it that is a great question um uh you know one of the things that um i have found on meeting invites that uh because sometimes they're forwarded like if an email if a meeting invite is forwarded to you it comes from the person who originated the meeting so that's actually a little tricky but i don't know of a meeting invite itself being something malicious maybe there might be links in the meeting invite or attachments in the meeting invite that could be another way you could look at it though is if you hit reply all on that sometimes it'll actually show i know in calendar invites if you do a reply all it'll actually show all the all the attendees so that might be a way in which you don't necessarily have to reply but just if you click reply all it'll show all the attendees of that meeting so those are sometimes the ways in which i'll look at that as far as who's attending is this something that i should be receiving um but if it's suspicious i would definitely delete it i mean or or send it along to your it for them to take a look at it um but uh in general i haven't i'm not aware of but that doesn't mean it doesn't exist or won't exist in the future of um just accepting a calendar invite could be malicious or cause a problem on your machine so but yeah definitely be suspicious nonetheless thanks another question 
here is can replying to an email without clicking on a link will allow the phisher access to other information that's a really good question so i have heard and this is um i have heard of some rare they happen exploits that um if you have your email preview on right if you even preview the email um that it actually like in your outlook you know you can have the view screen on where you actually don't have to double click to open it i have heard of some exploits that take advantage of that preview that could actually without you taking any further action uh could happen but i haven't have not seen a lot of that i've never actually not that i've seen every exploit but uh in general no um if you're if you didn't click on a link or open the document um it's it you're not uh you're in general you're not gonna be um causing a problem um in fact i've definitely like that that actually the email that i the the third example that i gave here in the session uh i worked with our internal i.t i forward it to our internal i.t so that we could work through trying to identify how we might be able to block that because oftentimes it will happen with those kind of emails is that if it went to one person in the organization they might be trying to target or exploit other people in the organization so there are things that it can do at a spam filter level at a security level to potentially identify those and block or filter those before they even get to people's inbox in the future so so i say that to answer the question of forwarding those replying to those doesn't necessarily create a problem but just be aware by forwarding or replying to them you're also creating extra instances of that email where people might be able to click on it so um but in general just forwarding or applying is not going to create a problem um it's not going to cause the action to happen um but in rare instances i have heard of over the years some extremely rare exploits that take advantage of just the
preview or just opening up the email itself so be suspicious and and uh curiosity kills the cat right that's that's definitely something to keep in mind with this and i know sometimes you think gosh i want to reply to this or i want to forward it but in general if you think an email suspicious don't forward it don't reply to it just delete it and if you think it looks like it could be coming from someone in your organization or someone you know well contact them pick up the phone send them a text message do something to actually reach out to them and personally validate that that's something you should have been receiving or expected to receive just to keep yourself safe nate um those are all the questions we have in the q a panel awesome well thank you very much everyone for attending uh this is a topic that's uh near and dear to my heart because i worry about those near me that uh i love and care about uh that that are might not be as aware of these kind of issues and how technology works and how people try and exploit and take advantage of people that aren't aware so the best thing that we can do uh one of our values is care and share so one of one of the best things you can do to care and share about those individuals whether it be on your team or or family members or friends uh is to try and share um uh share this information share anytime this happens it's okay to talk about it um don't be embarrassed it happens again two of these three examples in the last month happened to people uh that that i work with or that i know um and so this stuff does happen so just help create awareness because that ultimately is what's going to help us all stay better more digitally safe so take care everyone make it a great day and look forward to seeing you soon you
