Hackers play mind games – but you can win
How psychology is weaponised in social engineering attacks
The psychology behind social engineering
Social engineering is a strategic form of cyberattack that manipulates human psychology to get around technical safeguards. It does this by weaponising a few basic behavioural principles that apply to us all.
Principle 1: We trust an (apparent) authority
There is an innate human tendency to trust people that we believe to be authority figures. Hence cyber criminals often impersonate senior executives or IT personnel to gain credibility and twist our decisions the wrong way.
Example: a phishing email may appear to come from the CEO, requesting an urgent wire transfer or access to sensitive data. The perceived authority of the sender disables our scepticism, making us more likely to comply with the message before checking that it’s genuine.
Principle 2: We like to give something back
The principle of reciprocity — we want to respond to a positive gesture with a similar one — is often exploited by social engineering schemes. Attackers may offer something seemingly beneficial, such as free software or valuable information, to give you the feeling that they ‘deserve’ your co-operation.
Example: someone may send you an email offering a free software download, which actually contains malware. That gesture triggers a sense of obligation, prompting you to reciprocate by downloading the software ‘gift’.
Principle 3: We like to follow suit
Attackers often fabricate ‘social proof’: the perception that our peers or seniors have already taken the action requested, meaning that we can, or even should, also take that action. Our human tendency is to conform to perceived group behaviours, especially in uncertain situations. Social engineers abuse this impulse by suggesting that others have already complied with the request being made.
Example: spear-phishing emails or texts may say (falsely) that the recipient’s colleagues have already downloaded an app, or shared a login — often naming the colleagues, who did nothing of the sort. We are then inclined to think: OK, well, if so-and-so did it, then this must be fine! And of course it isn’t.
Principle 4: We respond to scarcity and urgency
Creating a sense of urgency and/or scarcity is a powerful motivator that can override rational decision-making. Attackers often craft messages that demand immediate action: to avoid bad consequences, or to seize a fleeting opportunity.
Example: a phishing email will often warn that an account will be suspended unless the user’s credentials are updated right now. The sense of panic pushes the recipient to act quickly and skip their usual verification checks, which take time.
Principle 5: Vigilance is tiring
All the tedious admin that goes with a safe digital life can be exhausting: think entering OTPs, proving we’re not a robot, finding that email with that link to that form we have to sign, and much else besides. Sometimes we can just give up and take our eye off the ball.
Example: in one notable case, an attacker used a technique known as multi-factor authentication (MFA) fatigue, sending repeated push notifications to an Uber employee until one was mistakenly approved. The attacker then impersonated an IT staffer via WhatsApp, convincing the employee to grant even more access.
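As an added example (not part of the original article), a small detector for the MFA fatigue pattern described above, run over a constructed push-notification log. The log format, the field names and the window/threshold values are assumptions; real identity providers log this differently.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (hypothetical format: timestamp, user, method, result).
# "alice" shows the fatigue pattern: a burst of prompts she did not approve, then one approval.
SAMPLE_LOG = """\
2024-05-01T02:10:05Z alice push DENIED
2024-05-01T02:10:41Z alice push DENIED
2024-05-01T02:11:12Z alice push TIMEOUT
2024-05-01T02:11:50Z alice push DENIED
2024-05-01T02:12:30Z alice push APPROVED
2024-05-01T09:00:00Z bob push APPROVED
2024-05-01T17:30:00Z bob push APPROVED
"""


def parse_log(text):
    """Turn the sample log into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: n} for each user whose APPROVED prompt was preceded, within
    `window`, by at least `threshold` prompts that were denied or timed out.
    A single stray denial is normal; a burst followed by an approval is the
    signal worth reviewing."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    flagged = {}
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "APPROVED":
                continue
            # Count the unapproved prompts in the window leading up to this approval.
            unapproved = [t for t, r in evs[:i] if r != "APPROVED" and ts - t <= window]
            if len(unapproved) >= threshold:
                flagged[user] = len(unapproved)
    return flagged


if __name__ == "__main__":
    print(find_push_fatigue(parse_log(SAMPLE_LOG)))  # {'alice': 4}
```

Only alice is flagged: bob's two approvals are hours apart with no denials in between, which is the normal working pattern the rule must not alert on.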
How do we win the mind games?
1. Clock the techniques
Keeping track of the various tricks used by social engineers is critical. Keep a mental or actual checklist of them. And if any message you receive provokes an emotional response in you — like anxiety, fear, gratitude or FOMO (fear of missing out) — pause and think.
And then ask yourself these questions:
- Does this seem legit?
- Is there any good reason why this request is urgent? Or being made at all?
- Why am I being asked to do this, and not the IT staff or someone else more appropriate?
- Why are my colleagues not copied into this mail?
- If the request seems at all odd, can the colleague or authority that is supposedly the sender directly confirm to you that it’s legit?
2. Click the PAB (phish alert button)
Let’s say you receive an email requesting that you take a specific and unusual action, and quickly. If that sounds suspicious, it’s because it is. But don’t worry. You can now do your bit to resolve the situation and give your cybersecurity team the information they need to defend Sappi against malicious email attacks.
It’s fast and easy, thanks to the phish alert button (PAB). The PAB can be found on your Outlook ribbon bar, and it enables you to report suspicious emails effortlessly. One click on this button notifies the cybersecurity team, who carefully review the email and take any necessary action. You don’t need to go from this person to that person to find out whether it’s something dodgy. Just click the PAB and relax. You’ll be notified if the mail is not a threat and can then respond accordingly.
More information can be found on our internal cybersecurity SharePoint site.
3. Use SpamTitan
Our email security tool, SpamTitan, safeguards Sappi from spam, phishing, malware and ransomware by filtering incoming and outgoing emails. It uses real-time threat detection, attachment scanning and content filtering. With over 99.9% spam detection accuracy, it also offers features like email quarantining, customisable policies and detailed reporting.
You can maximise the power of SpamTitan by regularly checking the quarantine report feature, which lets you review, release or block emails that were flagged as potentially harmful or unwanted before they reach your inbox.
Stay one step ahead.
If something doesn’t feel right, pause, verify and report it.
Use the Phish Alert Button (PAB) in Outlook or email phishingreport@sappi.com to alert our Cyber Defence team.
Together, we’ll keep our people and data safe from social engineering attacks.