Oct. 29, 2020
By Elizabeth Walker, Walmart Corporate Affairs


Phishing. Spear phishing. Apparently, vishing is a thing.


It seems like every day someone is coming up with a new way to be deceptive online. And that’s because, well, they kind of are. Scary, right? It’s called social engineering, and it’s a broad term for the various ways criminals take advantage of someone’s trust and curiosity.


Carrie Roberts is a dynamic defense engineer tasked with building defenses against cyber attack (file under: “Cool Jobs @Walmart”). She said in general, people are very trusting. “It’s harder to break tech than to abuse trust,” Carrie said. Meaning it’s easier to get information through an actual person than breaking into the technology itself.


What can a Walmart associate do to avoid being the weak link? As we close out National Cybersecurity Awareness Month, here is some advice from Global Tech’s InfoSec team:


Beware of Look-Alike Domains

Most of us have seen emails from addresses that look almost but not quite like a Walmart account (looking at you @walmartbr.org). Spammers use these email addresses from look-alike domains to send vaguely official sounding messages with links for you to learn more. You click it, and before you know it, the spammer is all up in your business.


In the throes of a busy day, trying to respond to emails between meetings, it’s easy to forget to check the sender’s address and just take the email at face value. Carrie gives this example: You receive an email from a sender claiming to be your child’s school. The message says there’s been an emergency and all the kids need to picked up ASAP. You’d want to know what’s up immediately – who wouldn’t?


And that’s how spammers get you. They want you to act first and think later.


Don’t Click the Link

The solution is to slow down. Take a good look at the sender’s email address, and – this is important – keep a skeptical mind. Carrie said that when she’s reading a message, she tries to keep in mind, “It’s possible that the thing I’m reading isn’t true.” Sounds simple, but that skepticism could be the key to keeping the company’s information safe.


Think the message might be legit? Before you click the link, hover your cursor over it, or copy and paste it into your browser, to check if the URL is really what the message claims it to be.


But My Emails are Boring!

It’s possible you’re reading this thinking, “Who cares if someone sees what’s in my email? It’s not even that interesting!” But according to Carrie, just being on the Walmart network can make you desirable prey for a hacker.


Also, the content of your email is probably more interesting than you think. Justin Simpson, systems engineering director for Walmart Technology, added, “We become desensitized to information we see on a daily basis.” An email that seems mundane to you might contain valuable information if it fell into the wrong hands.



Vishing is essentially “voice phishing” or tricking people into revealing sensitive or personal information over the phone. It’s a type of “pretexting,” meaning the caller comes up with a pretext to trick the victim. For example, a scam artist might call and say your social security number is about to expire. Pro Tip from Carrie: Your SSN doesn’t expire. Don’t fall for this!


In the same way, someone claiming to be from Walmart might call and ask you for your password. This is also a trick. No one from Walmart will ever call you up and demand your password.


Another scenario: Say an associate you don’t know calls you, frantic, because they're locked out of a system and need you to email them some important sales information. They wouldn’t normally ask, but they are really in a tough spot, heading into an important meeting, so could you just email it to them?


Hard no. Take the caller’s information, and then see if you can confirm their legitimacy. After getting off the phone, you can coordinate the best course of action with your management, contacting the information security team if suspicions remain.


As part of our culture of integrity, we all have a responsibility to keep company information secure. For more information for how to report a phish, smish or vish go here. To stay up-to-date on other areas of InfoSec, check out their page at wmlink/InfoSec.