Insurer tests staff with email clickbait
The country’s largest insurer is sending fake phishing emails to its own staff to test them on their ability to identify scams.
Mark Knowles, director of cyber security and risk at IAG New Zealand, said the firm began sending fake emails several months ago as part of a company-wide approach to cyber security.
Its 3500 staff are sent a phishing email once a month and those who click on links are sent an instant reminder to undertake cyber security training.
Knowles said it began the programme with an easy scam — an email about a turkey recipe for the American holiday Thanksgiving.
Not many people fell for the first one but a more elaborate second scam got more clicks.
Knowles would not say how many staff were tricked into clicking the second time around, citing security reasons.
“The more important part was that it raised awareness across all staff not just about phishing emails but security.”
It also prompted more people to click on its internal cyber security warning button which automatically sends a notice to its cyber defence centre.
Knowles said the system helped the company to identify which scams people were most likely to fall for.
It also created a whole team of people looking out for scams across the company rather than just having a small team focused on it.
Staff are not punished for clicking on the fake scam emails but those who identify emails which they think are scams are rewarded.
He would not say how many scams the company had caught but said there were a lot going on all the time.
This week’s global WannaCry ransomware attack was just the latest cyber attack, he said, and it served as a reminder for companies and individuals to be aware of the risks.
Knowles said another reason the company was training its staff to recognise scams was to help make people safer at home which also protected the company because of the number of people who brought devices in and out of the office.
He said some of the banks also sent fake email scams to staff. Corporates were also sharing scam warnings with each other, putting aside their competitive differences.
“We do talk to each other. It is the good guys versus the bad.”
Knowles said for individuals, the most important way to protect against cyber attacks was password control. “I think the thing with cyber security is getting your basics right.”
Knowles said people should have a secure password and change it regularly.
The other big no-no was putting too much trust in people met online.
Knowles said reading the email carefully was also very important. Usually the grammar was poor, although more sophisticated email scams were getting better at this.
Hovering over the link without clicking on it often gave clues to arouse suspicion.
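The hover check described above can be mechanised. The following is an added example, not code from the article or from IAG: it parses the anchors in an HTML message and compares what each link shows the reader (its visible text, any trusted brand name it mentions) with the host it actually resolves to, and also flags raw IP addresses and punycode labels, two shapes of destination a hover would reveal. The sample message and every domain in it (insurer.example standing in for the company's own site, and the lookalikes) are constructed for the example, and the same_site helper uses plain suffix matching, not a public-suffix list, which is an assumption to keep the code self-contained.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that itself looks like a URL or bare domain (e.g. "insurer.example/reset").
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> elements of an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(host, base):
    """True if host is base itself or a subdomain of it (suffix match, no public-suffix list: assumption)."""
    host, base = host.lower().rstrip("."), base.lower().rstrip(".")
    return host == base or host.endswith("." + base)


def suspicious_links(html, trusted_domains=()):
    """Return one finding per anchor whose real destination does not match what the reader sees."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        parsed = urlparse(href.strip())
        target = (parsed.hostname or "").lower()
        if parsed.scheme.lower() not in ("http", "https") or not target:
            continue  # relative links, mailto: and fragments have no host to hover-check
        reasons = []
        if any(label.startswith("xn--") for label in target.split(".")):
            reasons.append("internationalised (punycode) host label, a common lookalike-domain trick")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", target):
            reasons.append("destination is a raw IP address rather than a named site")
        if _LOOKS_LIKE_URL.match(text):
            shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
            if shown and not (same_site(target, shown) or same_site(shown, target)):
                reasons.append(f"text shows {shown} but the link goes to {target}")
        for domain in trusted_domains:
            # Brand name appears in the URL (subdomain or path) but the site reached is someone else's.
            if domain.lower() in href.lower() and not same_site(target, domain):
                reasons.append(f"mentions {domain} but the site actually reached is {target}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message modelled on the article's "turkey recipe" lure; all domains are made up.
SAMPLE_EMAIL = """
<p>Your Thanksgiving turkey recipe is ready.</p>
<a href="https://www.insurer.example/recipes">www.insurer.example</a><br>
<a href="https://insurer.example.secure-login.test/reset">https://insurer.example/reset</a><br>
<a href="http://203.0.113.7/update">Update your password</a><br>
<a href="https://xn--insurr-aoa.example/">Click here</a>
"""


def audit_sample():
    """Run the check over the constructed message, treating insurer.example as the trusted brand."""
    return suspicious_links(SAMPLE_EMAIL, trusted_domains=("insurer.example",))


if __name__ == "__main__":
    for finding in audit_sample():
        print(f'"{finding["text"]}" -> {finding["href"]}')
        for reason in finding["reasons"]:
            print("    ", reason)
```

The first anchor in the sample passes because its text and destination agree; the other three are reported, with the second one flagged twice (the displayed URL and the brand mention both point at a different site than the one reached). The same function can be fed the HTML part of a real message pulled from a mailbox, which is the automated form of the "hover before you click" habit the article describes.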
Knowles said those who were targeted by phishing scams should report it either to CertNZ or Netsafe.