CTO of media company faked-out employees with "phishing" emails


Some IT departments in businesses are leveraging innovative ways to prove a point to their employees about information security, but debate still rages over the value of some of these efforts.

About a month ago, Atlantic Media Chief Technology Officer Tom Cochran blasted out a faux phishing email to all 450 email addresses in the company directory. The results, he said, should be something of a wake-up call.

Using only the tools available to a standard household scammer, Cochran put together an authentic-looking, yet sham email that claimed to come from Google Apps, asking recipients to verify account information by clicking a link.

The link directed employees to a website that revealed the scam, Cochran told SCMagazine.com, and the roughly 120 employees who clicked it were likely surprised to see it was a con. Another roughly 120 opened the email, Cochran said, but never went ahead and clicked the link.

“It really resonated with employees when they realized what happened,” he said. “Telling someone that something bad can happen is not as good as demonstrating it. I wanted to demonstrate that it's easy to be phished and easy to protect against it.”

The other half of employees were a little more cautious, Cochran said. He received numerous interoffice instant messages and calls regarding it, and several people flagged the email in their company inbox.

Cochran, who worked nearly two years in the White House as director of new media technologies, said he sees a growing trend in business where functionality, convenience and cost often take precedence over security.

“Security is of the utmost importance, but it falls by the wayside in companies where budgets are lean and tight,” he said, adding that businesses often see security as “peripheral” or an “impediment” to operations and workflow.

Still, the results of the exercise spoke volumes to Cochran and the company, and Atlantic Media subsequently mandated two-factor verification across email accounts – meaning users must enter a second authorization code texted to their phone when accessing email from a new computer. Thus, if phishers were able to obtain passwords, they would still be unable to access the victim's corporate email account from a new machine.

Cochran said most cyber attacks are the result of phishing emails. As a result, he said education seminars are pivotal for employees who do not understand the threat and who consider taking preventative measures an inconvenience.

Others like Bruce Schneier, a noted technologist and cryptographer, find training and awareness programs to be a waste of time for employees and waste of money for companies.

“You're only as strong as your worst offender,” Schneier told SCMagazine.com this week, explaining that it only takes one reckless employee opening a malicious email to put an office network at risk. “I really would rather see investment in systems that take user mistakes out of the loop. Make it so users can't destroy security. For example, any anti-virus that makes it so the user can't click a link will help.”

There have been similar attempts to showcase how humans behave.

The Symantec Smartphone Honey Stick Project, for example, simulated the implications of losing a smartphone: 50 devices with a variety of stored "corporate information" were deliberately left behind in public and discovered by strangers who did not know the phones were being monitored.

Among the findings, 83 percent of devices showed attempts by the finders to access corporate data, 45 percent to access corporate email, 53 percent to access salary information and 49 percent to access a remote admin app.

The results convey what organizations should expect to happen if employees lose a device containing sensitive company information: They should expect that people are going to attempt to access it.

With tens of billions of spam and phishing emails sent daily, it often is hard to predict who will be targeted in these types of scams. A hacker last year dug up a bit of information on Wired senior writer Mat Honan, resulting in the complete erasure of his MacBook, iPhone, iPad and Google account.

Honan found out later he was targeted simply because the hacker liked Honan's Twitter handle.
