Incident Response, Malware, Phishing, TDR, Vulnerability Management

CTO of media company faked-out employees with “phishing” emails

Some IT departments in businesses are leveraging innovative ways to prove a point to their employees about information security, but debate still rages over the value of some of these efforts.

About a month ago, Atlantic Media Chief Technology Officer Tom Cochran blasted out a faux phishing email to all 450 email addresses in the company directory. The results, he said, should be something of a wake-up call.

Using only the tools available to a standard household scammer, Cochran put together an authentic-looking, yet sham email that claimed to come from Google Apps, asking recipients to verify account information by clicking a link.

The link directed employees to a website that revealed the scam, Cochran told, and the roughly 120 employees who clicked it were likely surprised to see it was a con. Another roughly 120 opened the email, Cochran said, but never went ahead and clicked the link.

“It really resonated with employees when they realized what happened,” he said. “Telling someone that something bad can happen is not as good as demonstrating it. I wanted to demonstrate that it's easy to be phished and easy to protect against it.”

The other half of employees were a little more cautious, Cochran said. He received numerous interoffice instant messages and calls regarding it, and several people flagged the email in their company inbox.

Cochran, who worked nearly two years in the White House as director of new media technologies, said he sees a growing trend in business where functionality, convenience and cost often takes precedence over security.

“Security is of the utmost importance, but it falls by the wayside in companies where budgets are lean and tight.” he said, adding that businesses often see security as “peripheral” or an “impediment” to operations and workflow.

Still, the results of the exercise spoke volumes to Cochran and the company, explaining Atlantic Media subsequently mandated two-factor verification across email accounts – meaning users must insert a second authorization code texted to their phone when accessing email from a new computer.  Thus, if phishers were able to obtain passwords, they would be unable to access the victim's corporate email account from a new machine.

Cochran said most cyber attacks are the result of phishing emails. As a result, he said education seminars are pivotal for employees who do not understand the threat and consider taking preventative measures an inconvenience.   

Others like Bruce Schneier, a noted technologist and cryptographer, find training and awareness programs to be a waste of time for employees and waste of money for companies.

“You're only as strong as your worst offender,” Schneier told this week, explaining that it only takes one reckless employee opening a malicious email to put an office network at risk. “I really would rather see investment in systems that take user mistakes out of the loop. Make it so users can't destroy security. For example, any anti-virus that makes it so the user can't click a link will help.”

There have been similar attempts to showcase how humans behave.

The Symantec Smartphone Honey Stick Project, for example, simulated the implications of losing a smartphone, 50 devices with a variety of stored "corporate information" were deliberately left behind in public and discovered by strangers who did not know the phones were being monitored.

Among the findings, 83 percent of devices showed attempts by the finders to access corporate data, 45 percent to access corporate email, 53 percent to access salary information and 49 percent to access a remote admin app.

The results convey what organizations should expect to happen if employees lose a device containing sensitive company information: They should expect that people are going to attempt to access it.

With tens of billions of spam and phishing emails sent daily, it often is hard to predict who will be targeted in these types of scams. A hacker last year dug up a bit of information on Wired senior writer Mat Honan, resulting in the complete erasure of his MacBook, iPhone, iPad and Google account.

Honan found out later he was targeted simply because the hacker liked Honan's Twitter handle.  

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.