In the last two weeks days I have received dozens of e-mail messages purporting to be from the IT staff here at Inc. magazine. These messages—retrieved remotely—warn me that my password must be changed, that my profile records are out of date, that my account has been hijacked and exploited for nefarious activities. Click on the embedded link or attached document, these messages promise, and we will rescue your hard drive, your reputation, your digital umbilical cord to the world.
Now I'm not a total gull. I've been phished by every faux bank, credit-card company and online merchant out there. I never click on anything—anything—unless it is something I'm expecting from a documented blood relation or acquaintance of 20 years' standing. So I've blown by those warnings like they were so many business propositions from Nigerian potentates. (I actually like to read the Nigerian potentate letters. The language is so formal and courteous: a refreshing change from the careless slurry of more honorable business exchanges.)
And yet the fake IT messages unnerve me. The domain names from which they originate are as familiar to me as my own--they are my own. Receiving them, I feel like the baby sitter who gets a phone call from the knife-wielding maniac and realizes he's in the house! My trust is rattled. When I receive legitimate messages from IT, how can I not look at them askance? Will they really be working on the server this Saturday from 2 to 5? Or is it a plot to keep me off e-mail during those hours to facilitate some diabolical scheme? I know very little about technology except what I see in spy movies, so it all seems plausible to me.
The relationship between technology support and business users has always been fraught. The business side views IT as unresponsive, ignorant of how non-IT employees like to work, unable to communicate in simple English. IT staff sees the business side as impatient, unsympathetic to their workloads, and unrealistic about what systems—their companies' systems anyway—can actually do. (You go to work with the technology you have.)
In such an environment, fake tech-support messages are especially insidious. The perps may hope to damage businesses by wiping out employees' hard drives; what they are doing is wiping out employees' trust of IT. A message arrives from tech and, suspicious, I ignore it. The next thing I know, it's five minutes before my conversation with the CEO of Google, and I can't access my e-mail for the pass-code to the conference call.
So listen up, black hats. You can phish for our data and pillage our address books--but please don't erode our faith in IT. It's been too hard won. It's too important.