The Courier & Advertiser (Perth and Perthshire Edition)
Council phishing own staff in lesson about malicious messages
One-quarter of staff members clicked on a link in unsolicited email messages
Perth and Kinross Council has revealed it has been “phishing” its own staff as part of crackdown on cyber crime.
The council began sending out bogus emails to employees as it battles increasingly sophisticated attacks by hackers.
Throughout December, council staff received messages promising special Christmas offers and discounts from well-known companies.
If they clicked on the link they received an educational message, highlighting the risks of malicious emails.
About a quarter of employees were duped by the first wave of simulated scams.
A report to go before councillors next week reveals that in February, there were 683,367 spam and phishing-type emails, nearly 400,000 malicious connection attempts and 18 viruses and malware.
All were successfully blocked, although the council said a small amount of breaches have been reported in recent years.
The council’s information security officer, Paul Dick, said: “The council is not considered to be a high-profile target.
“Attacks against the council are generally indiscriminate, but the sophistication of these attacks is increasing rapidly.
“The council has invested in new technology in an attempt to block more of these attacks from entering the network.”
He said: “The council has purchased a product to carry out simulated phishing attacks against our employees.
“These simulations allow employees to be exposed to superficially malicious emails and providing an element of awareness education to those who fall for the ruse without any danger to the network.”
He said an initial test of the software, which saw messages sent out imitating internal emails from IT, had click rates of about 25%.
“This unfortunately means that one in four of our staff when presented with a similar but malicious email would be at risk of clicking on its links and introducing malware into the council network.”
The report, to go before the strategic policy and resources committee on Wednesday, shows that the Christmas offers scam only had a click rate of 6%.
“This indicates that staff are appropriately suspicious of spam-type emails, but that more work is needed to make internal emails more recognisable and to increase our employees’ awareness of potential malicious emails,” said Mr Dick.
The council has invested in new technology in an attempt to block more of these attacks from entering the network. PAUL DICK PERTH & KINROSS INFORMATION SECURITY OFFICER