Tuesday, September 16, 2014

Mock e-mail scam raises red flags

OTTAWA—Many of the Justice Department’s finest legal minds are falling prey to a garden-variety Internet scam.
An internal survey shows almost 2,000 staff were conned into clicking on a phoney “phishing” link in their e-mail—raising questions about the security of sensitive information.

The department launched the mock scam in December as a security exercise, sending e-mails to 5,000 employees to test their ability to recognize cyber fraud.
The e-mails looked like genuine communications from government or financial institutions, and contained a link to a fake website that also was made to look like the real thing.
Across the globe, an estimated 156 million of these so-called “phishing” e-mails are sent daily, and anyone duped into clicking on the embedded web link risks transferring confidential information—such as online banking passwords—to criminals.
The Justice Department’s mock exercise caught 1,850 people clicking on the phoney embedded links, or 37 percent of everyone who received the e-mails.
That’s a much higher rate than for the general population, which a federal website says is only about five percent.
The exercise did not put any confidential information at risk but the poor results raise red flags about public servants being caught by actual phishing e-mails.
A spokeswoman says “no privacy breaches have been reported” from any real phishing scams at Justice Canada.
Carole Saindon also said that two more waves of mock e-mails in February and April show improved results, with clicking rates falling by half.
“This is an awareness campaign designed to inform and educate employees on issues surrounding cyber security to protect the integrity of the department’s information systems and, in turn, better protect Canadians,” she said in an e-mail.
“In this case, this exercise specifically dealt with the threat from phishing, which is increasingly being used as an attack vehicle of choice by cyber criminals,” Saindon noted.
“As this project progresses, we are pleased that the effectiveness of this campaign is showing significant improvement.”
A February briefing note on the exercise was obtained by The Canadian Press under the Access to Information Act.
The document indicates there are more such exercises planned—in June, August, and October—and that the simulations will be “graduating in levels of sophistication.”
Those caught by the simulation are notified by a pop-up window, giving them tips on spotting malicious messages.
The federal government’s Get Cyber Safe website says about 10 percent of the 156 million phishing e-mails globally make it through spam filters each day.
Of those, some eight million actually are opened by the recipient, but only 800,000 click on the links—or about five percent of those who received the e-mails.
About 10 percent of those opening the link are fooled into providing confidential information, which represents a worldwide haul of 80,000 credit-card numbers, bank accounts, passwords, and other confidential information every day.
“Don’t get phished!” says the federal website.
“Phishing e-mails often look like real e-mails from a trusted source such as your bank or an online retailer, right down to logos and graphics,” it notes.

More stories