Stealing Passwords: Kind&Gezin Tells Their Story.
October 7, 2015 Arne Defurne

OCT 2015 – Kind en Gezin (K&G) is an agency of the Belgian Flemish Government with around 1300 employees. Its mission is to actively improve the well-being of children and families through a variety of activities, including preventive medical aid, child shelter coordination and adoption guidance. Through these activities K&G staff handle sensitive personal information on a daily basis, so it is essential that staff are well trained in handling such information properly. One of the training initiatives is an awareness campaign, managed by Krinos Academy, which combines email phishing simulations, internal communication and online training.

In this customer case the communications department tells the story in the quarterly internal personnel magazine. What follows is an excerpt from that article; we have left out the actual phishing results that were also included. The goal of the article was to debrief the email phishing results to everyone and to raise additional attention and awareness around the topic.

Safety first: Getting Viruses in and out.

Phishing, cyber criminality, ransomware, and so on. The cyber world might seem a galaxy far away, but K&G was a victim not so long ago, in June. That sounds exciting, but it really is not. A cyber attack can harm an organisation, its people and its customers, in this case even children.

Do you want to hack with us…?

Welcome to the world of hackers! Lien Keulemans, managing partner of Krinos Academy, the company that takes care of our cybersecurity awareness training, explains:

“Since 2010 the number of cyberattacks has been steadily growing at a fast pace. The worldwide losses due to cyber criminals are estimated at at least a couple of hundred billion dollars. Many big and smaller Belgian organisations have already become victims. The technique most commonly used is email phishing. Hackers send out emails to get malicious software installed on your computer or to steal your passwords for other malicious purposes.”

Just clicking around can cause serious damage to yourself and your employer

The sender usually presents itself as a known partner, the IT department, etc., and in this way gains your confidence and looks credible. In a realistic email, sometimes containing relevant information about ongoing projects, you are motivated to click on a link, to enter your password or to open an attachment. This way hackers get interesting information about you and your organisation, which allows them to find more files, systems, confidential information, etc. Often they convince you by stating that the matter is urgent or by promising some form of reward.

Some cyber criminals even employ ransomware, a type of ‘blackmail virus’ that makes your computer unusable, after which the hackers demand a ransom to unlock your computer or decrypt your files. Radically digital might be the future, but it will only work if everyone is made aware of the dangers of the cyber world.

Enough reason to see how quickly K&G staff would expose themselves…

So, did it click with K&G?

All K&G staff members received a fake phishing email in their mailbox on the 23rd of June, sent by ‘IT support’, with the subject ‘Suspicious Activities with your Outlook Account’. From experience with other untrained organisations we know that, depending on the organisation, on average 34% of employees click through. In this exercise, the staff members’ Office 365 passwords were also ‘stolen’.


This is the email that everyone got (translated to English):

One of the many people who entered their password was Nele: “I read the announcement on phishing emails a couple of days ago. My computer was running slow that particular day on the notebook in O365 and then this email came… I thought it was going to provide a solution. I did not even check the sender; the subject made me click instantly. Everything looked real. Unfortunately it wasn’t… I’m grateful that I was able to learn this in an exercise and not from a real email. I learned my lesson and always think twice before I click on a link.”

Remain vigilant

Because keeping people alert and changing behaviour is a continuous exercise, we will keep repeating our email phishing simulations. You can expect new emails that we want you to detect and report. So stay on the lookout, and when you do accidentally click on something that turns out to be strange or suspicious, inform the Helpdesk immediately.