How Vulnerable Are We to Phishing? Our Sysadmin Wanted to Find Out

I’m sure everyone reading this is now aware of the threat that so-called ‘Ransomware’ attacks pose to businesses and consumers alike.

There is a perception that this is a new problem, but the first known attack actually happened way back in 1989 , distributed by post on a 5.25” disk (anyone else remember those?).

Back then, the best way to avoid being caught by ransomware was user awareness – a lot of people were suspicious of this unsolicited disk and didn’t install it.

Today, well, things are much the same really – one of the best protections is user awareness. Sure, we can use backups to recover infected files once we’ve been hit, and our anti-virus software might get lucky (but it might not, especially with a new 0-day threat), but if our users know never to open that dodgy looking attachment promising riches from the tax office, or click that web link in the first place because their account has been compromised, then we’ve stopped that threat before it even started.

Running an internal phishing test

With all of these attacks in the news recently, I was curious to see how the users in our company would react to a phishing email, and by extension if we were at threat from an attack.

There are a number of sites out there providing a phishing simulation service, whereby they email a phishing email to a list of addresses, and report back on how many clicks those emails get. Most of them have a free trial option, and I ended up choosing the free ‘Phishing Security Test’ from www.knowbe4.com (they were the first result in Google when I looked for ‘phishing test’ – many others are available).

They suggest that 16% of phishing emails succeed, but it seems to me that if you get just one person clicking that suspicious link, then you’ve got an issue. Once that software is on your network, it can spread freely, and it doesn’t really matter at that point how it got there.

Here’s what got sent out to the users:

I clicked ‘Send’ on our test at about 7PM, not really knowing what to expect. Would anyone click at all, or was it too obvious for them? Or would they all click it, meaning I can never again sleep well at night?

I had my first report of the suspicious email from one of my users about an hour later. Hadn’t clicked anything, thought it best to let me know that he’d received it. Perfect reaction to the email in my book. Perhaps all of my users would do that?

Silence from then until the next morning. Checked the dashboard at Knowbe4, which was showing that no-one had clicked – very encouraging. People started coming into the office, and started reporting it to me, also discussing the obvious phish on Slack (I did tell those who’d reported it to me that it was a test, asking them to remain quiet about it – seemed the best option really). Still at 0% click, and I was beginning to really hope that no-one would click the link in the email.

It only takes one (and we got two)

Not to be of course! About an hour later, the Knowbe4 dashboard reported a click. A few minutes after that, an email saying:

Oh well. Had to be one. Then a few minutes later, we got another report in the dashboard, followed by this Slack conversation:

Because I’m a nice guy, I’m not naming names on who clicked those links (despite a few requests!). What matters is that two of our users were taken in by this phishing email, so some user training is called for.

We’re now almost a week into this exercise, and I think it’s been useful. It’s gone better than I expected I think, I was fearful that we’d get a lot more than just 2 successes. Most people just deleted the mail, and a few forwarded it over to me to check if it was legitimate or not – I’m very encouraged by that, people are being paranoid about unexpected emails, and that’s one of the best protections you can have.

Thanks to everyone at Coast Digital for being unwitting guinea pigs in this experiment – it’ll be repeated again sometime, and I’ll be looking for a 100% pass rate!