Being phished is "easy", according to Atlantic Media CTO Tom Cochran. Cochran emailed employees a fake phishing email supposedly from “Google Apps”, and found that 58% clicked the link.
On one of the company's publications, business magazine Quartz, 73% clicked.
“Telling someone that something bad can happen is not as good as demonstrating it,” Cochran said in an interview this week with SC Magazine. “I wanted to demonstrate that it's easy to be phished and easy to protect against it.”
Cochran conducted his “test” a month ago, as reported by the New York Observer, using a fake but convincing email that asked employees to verify information by clicking a link. He crafted the lure with only basic tools, the sort that would be available to "ordinary" cybercriminals.
Cochran said that half of the employees, rightly, ignored the email, and he received “numerous” calls and IMs alerting him to it. He said the test itself “really resonated with employees.”
“Across our entire company, 58% of us clicked the email after opening it. Wow. Fifty-eight percent!,” Cochran wrote in an email to employees at the time. “With those odds, all a scammer needs to do is craft an intriguing enough subject line and they have a great chance at getting your account information. Then, you’re hacked and so is Atlantic Media.”
"Phishing emails are going to be convincing with a message to act on right away. They’ll link to a form that looks legitimate, and in a split second, you’ll have given up your username and password."
Atlantic Media instituted improved security practices, including two-factor authentication, as a result of Cochran's test.
ESET Senior Research Fellow David Harley warns in a detailed blog post that phishing emails are evolving rapidly to become more convincing. Crucially, such emails are often getting through to the inboxes of well-defended mail services, meaning that they may find a fresh audience.