A technology company has put its employees to the cybersecurity test with a clever email phishing campaign, and said that 34% of its employees failed in a dramatic fashion- handing their personal information over when prompted by a fraudulent email.
GitLab, a popular tool used by web developers with more than 1,200 staff chose a random sample of 50 employees, and sent them a number of emails that perfectly mimicked the tactics and language of a sophisticated phishing email campaign.
Of the fifty employees that were sent the email by GitLab’s security team that prompted the recipient to enter their personal information onto a fake company login page, 17 employees – or 34% – clicked the link provided. Of those 17 employees, 10 (or 20%) logged their personal information on a fake website, meaning that 59% of that smaller sample size freely exposed their employer’s credentials which could have provided invaluable information to third-party scammers.
What’s more interesting is the fact that in a tech-based company, just 6 of the total 50 email recipients reported the emails as suspicious to the company’s security operations team, illustrating that technological literacy doesn’t ensure you’re able to spot a phishing scam when presented with one.
GitLab designed the phishing scam to look as though it was sent from Apple, and passed on to employees via its IT team. The email announced that “your IT department has identified you as a candidate for Apple’s System Refresh Program. The following laptop has been selected for you,” it said, prompting the user that in order “to customise your laptop or learn more about the program, please click here and sign on to GitLab.”
Ironically, when users entered their details into the faux-log in page, they were redirected to the company’s employee handbook regarding information security processes.
How to spot a phishing scam:
GitLab noted that there were a number of giveaways that the emails were fraudulent phishing campaigns. These included the fact that “targets could have identified that this was in fact a phishing email in the following ways… the email address was firstname.lastname@example.org – not a legitimate gitlab.com one. Similar-sounding domain names are a common technique used in targeted phishing campaigns.”
“The email references an older model of Macbook Pro than what most users already have. Subtle factual errors are often indicators of an illegitimate source. No secondary communication method, such as Slack or a company call, provided an announcement regarding any laptop upgrades.”
Finally, Gitlab noted that “Email message header entails in Gmail can be viewed to give specific clues as to the methods by which
It’s worth noting that these employees work for a technology company, and would have high levels of technical competence. They were fooled, so it’s safe to assume that anyone in your organisation could be fooled, too.
Chris Rothe, co-founder and chief product officer of Red Canary told SiliconAngle that “because email is a critical business function, it has to be optimised for its business function and not security in most cases.”
“There are many strategies IT teams can use to reduce the number of successful phishing attackers – email blocking, stripping and analysing attachments, awareness training… but there is no 100% solution,” Rothe concluded.
Last week, we reported that Microsoft was warning of new phishing scams, and Google said that its Gmail servers were blocking as many as 240 million scam or fraudulent phishing scams each day.