May 15 2017

Gone Phishing: How Internal Exercises Prepare Employees for Scammers

A good defense is the best offense, especially when it comes to preventing ransomware attacks.

IT departments can deploy sophisticated security measures enterprisewide, but if end users take the bait and click on phishing emails, all the best defenses may be for naught. Scammers are using more intricate strategies, such as impersonating internal managers asking human resources employees for sensitive information.

To help combat this problem, some IT departments have begun running mock phishing exercises with employees to determine who may need more training in identifying suspicious emails. The City of Los Angeles’ Information Technology Agency, for example, recently ran such a drill, a StateScoop article reported.

Through its email service, G Suite for Government from Google, the city’s IT team sent out messages informing employees that they had a package waiting for them. When they clicked the link, no package receipt (and no malware) appeared; instead, the city’s IT team was notified of which employees would need further cybersecurity training. According to Ted Ross, the city's chief information officer, a “substantial” number of people clicked on the phishing link.

The IT team then instructed those who clicked to watch a 90-second training video. When they ran the exercise again, the click rate was cut in half. But some people did click the link twice.

“We know the people who clicked twice. And that starts to become a different conversation," Ross told StateScoop.
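The tracking side of a drill like the one described above is simple to implement: each recipient gets a link carrying a token unique to them and to that round, the landing page records which tokens arrive, and the team computes the click rate per round and the set of people who clicked in both. The following is an added example written for this article, not the City of Los Angeles' system; the employee IDs, the campaign key and the click logs are all constructed, and the use of an HMAC to derive tokens (so that a token cannot be guessed or altered to point at a different employee) is this example's design choice.

```python
import hmac
import hashlib

# Constructed roster of hypothetical employee IDs for the drill.
ROSTER = ["alice", "bob", "carol", "dave", "erin", "frank"]

# Per-campaign secret (constructed); a real deployment would load it from a secrets store.
CAMPAIGN_KEY = b"constructed-campaign-secret"


def make_token(employee_id: str, round_no: int, key: bytes = CAMPAIGN_KEY) -> str:
    """Derive a per-recipient, per-round token for the tracking link.

    Binding the token to the round means a link from round 1 cannot be
    replayed to pollute round 2, and an HMAC keeps tokens unguessable.
    """
    msg = f"{employee_id}:{round_no}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def build_token_index(roster, round_no, key=CAMPAIGN_KEY):
    """Map token -> employee for one round, so the landing page can resolve clicks."""
    return {make_token(emp, round_no, key): emp for emp in roster}


def resolve_clicks(click_log, token_index):
    """Resolve raw click tokens to employees.

    Returns (set of employees who clicked, list of tokens that matched nobody).
    Unknown tokens are kept separately: they are noise, not a failed employee.
    """
    clicked, unknown = set(), []
    for token in click_log:
        emp = token_index.get(token)
        if emp is None:
            unknown.append(token)
        else:
            clicked.add(emp)  # a second click by the same person counts once
    return clicked, unknown


def click_rate(clicked, roster):
    """Fraction of the roster that clicked in a round."""
    return len(clicked) / len(roster)


def repeat_clickers(*rounds):
    """Employees who clicked in every round given (the 'different conversation' group)."""
    return set.intersection(*rounds) if rounds else set()


def run_constructed_drill():
    """Two-round drill over constructed click logs; returns the metrics a team would review."""
    idx1 = build_token_index(ROSTER, 1)
    idx2 = build_token_index(ROSTER, 2)

    # Constructed round-1 log: four distinct clickers, one of them twice, plus one
    # token that matches nobody (a mistyped or probed URL).
    log1 = [make_token(e, 1) for e in ("alice", "bob", "carol", "dave", "alice")]
    log1.append("0000deadbeef0000")

    # Constructed round-2 log (after the training video): two clickers, both repeats.
    log2 = [make_token(e, 2) for e in ("alice", "bob")]

    clicked1, unknown1 = resolve_clicks(log1, idx1)
    clicked2, _ = resolve_clicks(log2, idx2)

    return (
        click_rate(clicked1, ROSTER),
        click_rate(clicked2, ROSTER),
        repeat_clickers(clicked1, clicked2),
        unknown1,
    )


if __name__ == "__main__":
    rate1, rate2, repeats, unknown = run_constructed_drill()
    print(f"round 1 click rate: {rate1:.0%}")
    print(f"round 2 click rate: {rate2:.0%}")
    print(f"clicked in both rounds: {sorted(repeats)}")
    print(f"unresolvable tokens: {unknown}")
```

Two details matter for using results like these fairly. Multiple clicks by one person in one round count once, so the rate measures how many people were fooled rather than how many times a link was opened. And tokens that resolve to nobody are reported separately rather than silently dropped, because a burst of them usually means the landing URL leaked or was forwarded, which is worth knowing on its own.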

The Benefits of Bolstering Cyber Defenses

In Kansas City, government officials also recently conducted an audit by sending a phishing email to city employees that contained a link to a fake website with the aim of obtaining login IDs, passwords and other sensitive information. Employees visited the website more than 600 times within the first 24 hours of the test, and about 280 employees provided their system login information, according to a report.

While phishing exercises like this are cutting down on human error, phishing attacks tend to be inevitable for some organizations, making effective protection software an absolute must. Kansas City uses Microsoft Proofpoint Threat Protection to help secure employees’ inboxes.

Similarly, the city of Westland, Mich., recognized the need for better protection software after an employee clicked on an attachment in an email that looked to be from HR. Once opened, it instantly unleashed ransomware that began locking down the computer and spreading to a file server on the network, StateTech reports. Hackers demanded $25,000 per device, a substantial sum for a city with 350 endpoints.

But Dan Bourdeau, the city’s CIO, credits a layered IT security strategy with preventing a complete shutdown and pricey recovery.

StateTech reports:

When Sendio email security didn’t catch the phishing email, Trend Micro OfficeScan endpoint protection recognized that the ransomware’s behavior wasn’t normal and generated feedback to isolate the affected devices. The city’s backup solution made it possible for Bourdeau to wipe the devices before restoring all of the lost files, minimizing the impact.

Even still, the best offense can be a good defense, and the most effective part of the phishing exercises is likely the dialogue that starts around cybersecurity.

“When we send it out to departments, it is easily the most talked about thing for two weeks," Ross tells StateScoop. "Every general manager, every department manager comes to me and [talks about it]. I've had elected officials come up — it created this really big buzz."

Tom Weede contributed to this article.
