News

Ransomware - It's time to put your colleagues to the test

Author

Prodec

Date

19 Jul, 2017

Category

Blog

Find out how Prodec Networks sent a simulated phishing attack to its employees, and why you should do the same.

As the world becomes more digital, the number of potential attack vectors continues to increase. Before long, criminals will be buying dairy farms, then hacking your smart fridge to buy their milk without your consent. In all seriousness though, some older methods of cybercrime have proven time and time again to deliver results. One attack vector that has always been popular with attackers is email phishing, because it is so easy to dupe unsuspecting victims into clicking links that lead to malicious web pages or, even worse, into opening attachments.

Social engineering is big business for cybercriminals. Tailoring emails to specific individuals or teams within a business increases the chance of a user clicking a link and executing a piece of malware or ransomware. Prodec Networks decided to put this theory to the test and sent a spoof phishing email to its own users, to see just how vulnerable an average business could be. Remember, your employees are the last line of defence in your network security, and at that point all it takes is one click.

The test

Prodec Networks is one of the UK’s leading IT solution providers and has a team of approximately 100 employees. Using a random sample, 56 recipients from various internal teams were selected, and a fake phishing email was sent from a spoofed email address claiming to be Prodec’s “technical” team. The purpose of the test was not to catch employees out, but to understand how “click clever” the organisation is as a whole. Because of this, a few tell-tale clues were included in the email to give employees a fair chance!

The email that was sent is as follows. Note the From: header: the display name (the part most mail clients show in bold) was a legitimate Prodec email address, while the actual sending address behind it was not. This display-name trick is one that social engineers use routinely, because few people check the real address:

The link in the email went to a spoofed Office 365 landing page that looked identical to the genuine article; it even pre-filled the recipient’s email address, just as the real sign-in page does:

The email was sent to all 56 users at the same time, at an unremarkable time and date. Keep reading to find out how Prodec’s employees fared.
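The From: header trick used in this test (a legitimate-looking address in the display name, a different address doing the sending) is easy to catch mechanically, and a mail gateway or SIEM rule can do it before a person ever sees the bold name. The following check is an added example written for this post, not Prodec’s tooling: it splits a From: header the way a mail client renders it, flags a display name that contains an email address other than the real sender, and flags a display name that mentions the organisation while the sender domain is external. The organisation domain `example.com` and the sample headers are constructed placeholders.

```python
import re

# Placeholder organisation domain for this example; substitute your own.
ORG_DOMAIN = "example.com"

# Most mail clients render the text before the final <...> in bold and hide the
# address inside the brackets, which is the one the mail is really sent from.
ANGLE_ADDR = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$", re.S)
EMAIL_LIKE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_from_header(value: str) -> tuple[str, str]:
    """Split a From: header into (display name, real address) the way a client does.

    Deliberately lenient: an unquoted '@' in the display name is exactly the
    trick we want to catch, so it is not rejected as malformed.
    """
    m = ANGLE_ADDR.match(value.strip())
    if m:
        name = m.group("name").strip().strip('"').strip()
        return name, m.group("addr").lower()
    return "", value.strip().lower()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse_from_header(value: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Return findings for a From: header whose display name impersonates an
    address or organisation that the real sending address does not belong to."""
    name, address = split_from_header(value)
    real_domain = domain_of(address)
    findings = []

    # Rule 1: the display name looks like an email address that differs from
    # the real sender, e.g. "technical@example.com <x@attacker.net>".
    for shown in EMAIL_LIKE.findall(name.lower()):
        if shown != address:
            findings.append(f"display name shows '{shown}' but mail is from '{address}'")

    # Rule 2: the display name mentions the organisation, but the message comes
    # from outside the organisation's own domain (covers lookalike domains).
    org_label = org_domain.split(".")[0]
    if org_label in name.lower() and real_domain != org_domain:
        findings.append(f"display name references '{org_label}' but sender domain is '{real_domain}'")

    return {
        "display_name": name,
        "address": address,
        "suspicious": bool(findings),
        "findings": findings,
    }


# Constructed sample headers for this example (not mail from the page).
SAMPLE_HEADERS = [
    "Technical Team <technical@example.com>",                      # genuine internal mail
    "technical@example.com <it-helpdesk@mail-notify-secure.net>",  # address used as display name
    '"Example Technical Support" <alerts@example-com.co>',         # lookalike domain
    "noreply@example.com",                                         # bare address, no display name
]


def triage(headers=SAMPLE_HEADERS, org_domain=ORG_DOMAIN) -> list:
    """Run the check over a list of From: headers and return the suspicious ones."""
    return [h for h in headers if analyse_from_header(h, org_domain)["suspicious"]]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = analyse_from_header(header)
        status = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{status:10} {header}")
        for finding in result["findings"]:
            print(f"           - {finding}")
```

A deliberate design choice here is not to use the standard library’s `email.utils.parseaddr` for the split: a strict RFC 5322 parser treats an unquoted `@` in the display name as the start of the address, or rejects the header outright, and either way it does not see what the user sees. The check mirrors the client’s rendering, because that rendering is what the attacker is counting on.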

The results

Of the 56 recipients, 47 opened the email, and why wouldn’t they? At face value it looks like a legitimate email from Technical, and there is no harm in opening an email. However, this is when it gets interesting. Within five minutes of the email being sent, six recipients clicked the link. Of these six, four went on to submit their passwords to the spoofed web page. Naturally, the submitted passwords were not stored, but the point is made: four of Prodec’s employees, of different ages, departments and locations, unwittingly handed their credentials to the fake attackers.

It’s not all doom and gloom, however. Within ten minutes of the email going out, an alert sales representative realised that the email was definitely not legitimate and shouted across the office: “Don’t open the email from Technical!”. In addition, a member of the technical team sent a legitimate email to all users stating that the first email was not from Technical, before researching the source of the email and investigating further, as per protocol.

So, by the test’s own count, 12.5% of the sampled employees were phish prone. Although this is still a good score compared to the average, if this had been a real attack the outcome could have been catastrophic. In fairness to the Prodec employees, this was a fairly advanced spear phishing attack: the (fake) social engineer spoofed a legitimate Prodec email address, something Prodec’s email security system would normally block, and which had to be let through for the test.

It’s time to put your employees to the test

Even if you think your business is savvy enough to identify a phishing email, there is no way of knowing until it is too late and somebody has clicked a malicious link, infecting your network.

It’s far safer for that malicious link to come from a simulated phishing attack than from a real one. Enrolling your employees in security awareness training, and testing them with regular simulated phishing attacks like the one described here, can save your business money and reputation, without naming and shaming your employees.

As part of its suite of security solutions and services, Prodec Networks provides businesses with email security training and simulated phishing attack programmes. Interested in finding out how #clickclever your employees and colleagues are? Request a free simulated phishing email attack for up to 100 employees by getting in touch with Prodec Networks today.

Are you #CLICKCLEVER?

Could you spot a phishing attack 100% of the time? Are you sure? Prove it.

Learn how your business can be #CLICKCLEVER