Back in February, we had mandatory training for all users in the building, about what to do about suspicious emails, attachments, and anything else that could constitute a Phishing attempt.

So, yesterday afternoon, one of our users gets an unexpected "view information in spreadsheet" email, allegedly from a client.

E-mail address is not the client's. Not even close.
The e-mail recipient is not her, nor the account exec.
There is no Excel spreadsheet attached. There is a PDF that tells the reader to go to a portal site and create a login.

Classic signs. Almost exactly what we covered in the class. So what does she do? In order:

Opened the email
Opened the PDF
Followed the link
Entered her company email address on the site, and created a password (which she swears she has never used anywhere else)
Attached the suspicious email & attachment to our file management system
Forwarded the email, with attachment, to the account exec
Forwarded the email back to the original sender, which verifies it's a legit email address
Forwarded the email to the client, at his actual email address, and asked if he really sent this
Finally, opened a Help Desk ticket to let us know

I was on my way home when this happened, so I immediately replied to her via email DON'T OPEN THE EMAIL UNTIL FURTHER NOTICE. Her reply? "Oh, he changes his email all the time." followed by "Maybe it's his father's email"

KB3ERQ, who was still "on duty", took over at that point and went to talk with her. She denied she did anything wrong, and insisted that we had to help her open the "spreadsheet". Only after the actual client replied to her, 3 hours later, saying "my email was hacked, don't open anything" would she admit that maybe, just maybe, something wasn't quite right.

(They had a long and somewhat unpleasant conversation, which I'm skipping over. To put it bluntly, we can't figure out if she's stupid, stubborn, or trying to cover her anatomy -- or some combination thereof)

*sigh*

No, I'm not allowed to shoot her.

We are going to sit down and have a word with our boss, followed by the three of us having a word with the company Compliance Officer who ran the seminar, and then a word with the user's supervisors. HR might have to get involved as well. Suffice to say that she won't be happy with us afterwards. I THINK we dodged a bullet -- this time. We won't get so lucky the next time, though.

[ No, I can't summarily fire her. Or I would have. ]