Chichester Observer

Cyber security test sent phishing emails offering phones and pizza to council staff

- With local democracy reporter Karen Dunn karen.dunn@jpimedia.co.uk

The promise of a new iPhone proved too tempting for some staff at West Sussex County Council who fell for a fake phishing email put out to check cyber security.

Members of the regulation, audit & accounts committee were told on Monday that, in order to assess weak points within the council’s cyber defence, a variety of emails were sent to 886 staff.

The messages, which were sent by a third party, included offers for cheap pizza and free iPhones.

Another told them they needed to change their bank details, while another claimed to be from the council itself and told them they needed to reset their work passwords.

The committee was told that the emails all contained ‘horribly obvious’ mistakes, but 611 people opened them anyway – not a disaster in itself – and 285 clicked on the link.

Had the email been a real attempt at phishing, it would have taken them to an unsafe website where malware would be waiting to invade their computers.

Instead, the users were met with an error message.

Members were told that the most worrying part of the results was that 200 people clicked on the link claiming to be from the council – even though ‘Sussex’ had been spelled incorrectly.

The next highest was ‘people looking for free iPhones’.

As well as being seen as a ‘learning experience’, the results will be used to educate council staff on cyber safety and security over the next 12 months.

Another security issue centred around passwords.

The council recently brought in a group of specialists – known as white hat hackers – to test the complexity of the passwords being used within the authority.

The meeting was told that the hackers managed to find their way through 150 passwords in ‘a relatively short period of time’.

After analysing the data, it was realised that most of them had been simple passwords such as ‘password1’ or ‘qwerty23’, meaning they were extremely easy to crack.

Roland Mezulis, chief information officer, told committee members that consideration was being given to changing all passwords to 14 characters rather than the current eight ‘which can be cracked within nanoseconds’.

Mr Mezulis also explained why the council’s cybersecurity risk level was likely to stay high.

He said: “It’s one of those threats that probably will remain at a high level. While we can put mitigations in place, we’re never quite sure what the next risk around the corner is going to be.”

Phishing attempts can be sent to Action Fraud, which is the UK’s national reporting centre for fraud and cyber crime. Visit www.actionfraud.police.uk or call 0300 123 2040.

Meanwhile the Government’s National Cyber Security Centre has outlined the steps which can be taken to identify the most common phishing attacks.

It explained how phishing emails were getting harder to spot, and some would still get past even the most observant users. It advised that unless users were certain the sender was genuine, they should not follow any links or reply.

The next thing to do would be to try to identify whether the email was a scam or genuine. Some have poor grammar, punctuation and spelling while the design and overall quality of the email can be lower than expected.

Other tips were to check if an email was addressed to the recipient by name, if it contained a veiled threat that called for urgent action or if it sounded too good to be true. It added: “Try to check any claims made in the email through some other channel. For example, by calling your bank to see if they actually sent you an email or doing a quick Google search on some of the wording used in the email.”

For more information visit www.ncsc.gov.uk

The county council has been testing its cyber security
