Phish tales

The weakest part of your phishing defense probably lies in the human at the keyboard.

August 27, 2021

I’ve never been a good fisherman. So, when I took up fly fishing it was akin to a Ford Pinto entering the Indy 500.

Still, I love the thrill of it, the endless hours of striving to make the perfect cast—one that didn’t land in the trees, bushes, or my fishing buddy’s earlobe (which did provide some lively activity as I reeled him in).

I yearn for time on a river, standing at dusk presenting to the fish a tantalizing lure to which its pea-sized brain cannot resist.

Any angler will tell you this is best accomplished by “reading the river,” a process of analyzing the water temperature, the time of day, and the local insect population. If you ask any successful fishing store clerk, however, it also includes spending at least $50 on gear.

The reward is worth it, giving you the most exciting minute of your life as the fish takes the hook and you fall into the river.

Another contest also grabs my attention: Phishing. Only in this endeavor the trawler is an evil scoundrel, you are the fish, and the fly is an irresistible offer dangled in front of you via email.

Like many credit unions, we regularly send fake phishing scams to employees to test their wherewithal in detecting the obvious signs of a phishing email. These include misspelled names, odd links for something they never ordered, and return emails that end in

Sophisticated scam emails, however, are difficult to detect. Even worse are sophisticated scam emails with a “hook.”

The hook is like the fisher’s fly—something so enticing they’re impossible to resist, like a toddler with Sharpie, a wall, and 60 seconds of unsupervised time.

Scientific proof has identified such a beast. It is perfect in every way, tantalizing beyond measure, and always overpowering: the free coffee gift card.

When we tested this hypothesis, we sent three emails with offers of $5, $10, and $15 cards, and learned the following:

  • $5 does not get you much coffee or elicit many responses.
  • $10 gets some interest, but also a fair amount of skepticism.
  • $15 is the apparent price of a human soul.

The obvious risks of phishing are hard to ignore. The May 2021 ransomware attack on Colonial Pipeline is suspected to have started with a phishing attack.

This risk has increased greatly due to the explosion of remote workers, virtual private networks, and a propensity for staff to open any email that mentions “stimulus check.”

In fact, the weakest part of your phishing defense probably lies in the human at the keyboard. So, how can you reduce your risk?

  • Mandate two-factor authentication for remote workers. A username/password is about as useful as a laser toy is to a blind cat.
  • Educate employees about topical subject lines scammers may use. The bad guys read the news, too, and often change their wording to match to recent events.
  • Know the difference between regular phishing (which even a rudimentary spam filter can eliminate) and spear phishing, where scammers carefully research their targets and craft messages to the recipients.

According to the FBI’s 2020 Internet Crime Report, U.S. organizations reported more than 241,000 phishing attempts costing $54 million dollars in 2020. The impact of falling for one of these is both financial and reputational—and with members increasingly turning to electronic services, the impact will only grow.

Now, pardon me but I just got an unexpected email from “Fishing Lord 2001” who is promising me a $15 fly fishing discount card if I act fast.

JAMES COLLINS is president/CEO of O Bee Credit Union in Tumwater, Wash. Contact him at 360-943-0740 or at