Lemonade from Lemons or, In This Case, Sushi from Phish

I want to apologize. If I have ever emailed you from my retrofit email account, you most likely received a phishing email from me in early January. I don’t usually fall for these but this one looked legit and was very well timed. I had just been emailing with a contributor who wanted to ensure confidentiality for his client and building project. I agreed to his terms and received a “contract” from him moments later. I waited about an hour before I clicked on it, thinking he’d follow up with another conversational email, explaining the contract. He didn’t. I never questioned the legitimacy of what appeared to be a Google Doc. I clicked on it. I mindlessly entered my Gmail password and wham-o! All of you had the same “contract” phishing scam within seconds. (retrofit’s email is hosted via Google Apps for Work.)

I didn’t know what was happening at first. When about an hour passed and I didn’t receive a single email in my inbox—highly unusual—I wondered whether our email server was down. I’m not sure why but I clicked into my Deleted Items folder and found a massive amount of Delivery Status Notifications from all of my email contacts. My heart began pounding. I knew immediately I had been hacked with that “contract”. I felt an overwhelming sense of guilt and thus spent the next few hours responding to hundreds of business contacts who were asking what the contract was for and why it didn’t work.

Many of my contacts made me feel better and said the contract certainly looked real. These phishing scams truly are becoming much more sophisticated and can allow cyber criminals to exploit building control systems to gain access to facilities. According to Michael Chipley, Ph.D., GICSP, PMP, LEED AP, the author of this month’s “Business” article: “Many facilities have minimal precautions to prevent social engineering and phishing or to even identify an exploit. By setting up even basic security levels, facility operators can greatly reduce the potential for harm.”

You may not think your building is at risk but Chipley notes building automation systems, energy-management systems, physical security access control systems and fire alarm systems are potential hacking points into an organization. Your building is at risk!

After I changed my email passwords, consulted with retrofit’s IT expert and got my email back in order, I was left wondering what the real motive of the phishing attack was. Were my credit cards being used? Was my bank account information compromised? I even had my husband (a loan officer) pull my credit report to ensure no credit had been applied for in my name. So far, everything seems OK.

Although I still feel some guilt for filling all of your inboxes with potentially dangerous garbage, I definitely found the silver lining. I re-established some friendships with folks I’ve met in the design and construction industry whom I hadn’t spoken to in quite a while because of job changes, moves, etc. I gained some marriage advice (I’m a newlywed) from one long-time friend, learned about another’s newly born son and have started planning a trip to Maui this fall. These wonderful exchanges made what could have been one of my worst days at work one of the very best. Don’t get me wrong, though: I’ll certainly be less trusting of what appears in my inbox in the future.

About the Author

Christina A. Koch
Christina A. Koch is editorial director and associate publisher of retrofit.
