Earlier this year, employees at a prominent media company received a strange email asking them to reverify their accounts. These emails didn't come from a web hosting company or a cloud service provider—instead, they came from an attacker trying to find vulnerabilities in their network. But the attacker wasn't the Syrian Electronic Army or Russian criminal gangs. Instead, the employees of Atlantic Media (publishers of, among others, The Atlantic and Quartz) were phished by their CTO, Tom Cochran.
Cochran was trying to identify which employees would be most susceptible to spearphishing attacks similar to those which took down huge targets like The Guardian and The Onion over the past year. Nearly half of Cochran's employees opened the email with the phishing link, and 58% of those clicked on the link itself. In an email to Fast Company, he said "I wish I could say I was surprised, but being in the industry and role I am in, I'm well aware of the ease in which one can be phished. I've been phished before (and subsequently spent a couple hours changing every single password I use). So, I wouldn't say surprised as much as slightly disappointed that it was in fact that easy to dupe someone. On the positive side, tricking people that easily made it a much more compelling ask to push the whole company to use two-step authentication, which was my ultimate objective."
Fast Company did something very similar in August. Following the August hack of Outbrain (a Fast Company partner company which is responsible for our "You Might Also Like..." links), CTO Matt Mankins conducted an impromptu security audit. Our employees were emailed by an address which faked the name of a high-level Fast Company editor and asked to click into a site that looked like one of ours—but wasn't. Nine employees, ranging from editors to advertising team members to corporate, all clicked on the link and gave our hacker login information. But luckily, it was just a drill.
Mankins told me that he felt the wake of the Outbrain attack "was a good time to run a similar attack and see how we did. I set up a Google Form, downloaded our login page, and put it on a similar, but fake domain that we own. I then connected the login form not to our CMS, but to the Google form so that whenever someone entered their password they would go directly to the Google Form. Anyone who entered their login and password would have known pretty quickly that something wasn't right. I sent the fake email to the staff without telling anyone (except Executive Editor Noah Robischon who was in on the project). I then watched to see what would happen. I wanted people to make noise and contact or warn each other, which is basically what happened. Within minutes someone from my Dev team had alerted myself and the rest of the group, so I had to let them in on the secret so we could watch what the others did."
State-associated hackers, such as the Syrian Electronic Army, which perpetrated the Outbrain hack, and the Chinese military-related teams accused of cyber break-ins, all use phishing attacks to break into targeted governments and corporations. It isn't too much of a guess to assume America's cyberwarriors spearphish, too. Employees at Atlantic Media were sent an email shortly after the surprise security audit informing them of the result, and warning them—for the good of corporate security—to be more vigilant in the future.
Cochran, the former Director of New Media Technologies for the White House, said in a writeup that the fake hack attack "attained the crucial buy-in of employees; now that they personally understand the dangerous implications of not following the rules, they’re more willing to take data security seriously. People are more apt to learn from an experience than listen to a recommendation or policy. Just like a regular office fire drill, senior leadership should be running random phishing drills to give them that experience. And, the experiential learning doesn’t stop with these emails."
Atlantic Media and Fast Company aren't the only organizations conducting fake hacks of their own employees to find security holes. Due to the discretion the topic usually receives—no company wants to announce their own employees will click on any file labeled "Spreadsheet" or "Meeting Agenda" from any Gmail address—it's hard to find companies going on record to talk about this.
However, CSOs from several Fortune 500 companies have given anonymized versions of their self-spearhacking experiences and Brian Krebs has reported previously on toolkits that let CTOs and IT staff fake-hack their own employees.
In a report from security firm Wombat, cybersecurity specialists discussed the obvious: how to smooth things over with hundreds or thousands of employees who might be taken for fools or feel that their tech teams want to make them look bad. One respondent said fake attacks "need to be framed correctly" because they could make employees "tend to think they are being spied on or not trusted" or are being targeted by corporate higher-ups. And, of course, when a disproportionate number of victims of fake spearphishing attacks turn out to be high-ranking or important employees, that creates office politics nightmares that no one wants to deal with.
One expert told Fast Company that this office politics nightmare scenario is likely. Patrick Peterson, head of email security firm Agari, noted that CEOs of large firms are less likely to be clicking on spearphishing links because they have more assistants standing between them and their inbox. However, he said there's always a risk of other high- or medium-level employees like CMOs, chief counsels, CFOs, and vice presidents falling victim. One of the major factors is busyness on the employee or executive's part—the more harried they are, the less likely they are to check the legitimacy of a file sent via email.
Cochran elaborated on this in our exchange, adding, "In simpler terms, nobody likes change. The perceived cost of changing the status quo was greater than the perceived benefit. There is a general false sense of security and a belief that, while hacking does happen, it won't happen to me. With beliefs like this, the benefit is almost nil, given that there is a false sense of security, coupled with the fact that increasing security would decrease convenience. The objective was to explain that 79% of hacking targets victims of opportunity, and it is really easy to be tricked into handing over your password. Demonstrating that almost immediately proved that the benefit of changing far outweighed the cost of changing behavior." But it's necessary—Carl Herberger of security firm Radware told me that "Phishing, and social engineering in general, represents one of the biggest security threats for this decade and prudent testing of desired and appropriate employee behavior is paramount for today’s secure environments."
For CTOs, CSOs, and IT staff fearing cyberattacks, the question remains how to make sure that spearphishers won't target their companies without alienating staff who are not tech savvy. Fake attacks, it seems, can help. Spearphishing attacks can devastate a company—a distracted employee clicking on one link can cause untold amounts of damage. Conducting spot checks of cybersecurity hygiene is a smart idea for businesses. Once attacks take place, there is a massive industry of third-party firms waiting to offer defenses for the future and forensics to find out what happened, but it's best to put those anti-spearphishing blocks in place to begin with. Conducting fake spearphishing audits of employees isn't a one-size-fits-all solution, but it's a valuable tool in the arsenal.