The Information Security team at Harrogate-based logistics firm Streamline Solutions has been placed on mandatory leave following last Wednesday’s incident, in which their celebratory email about a successful phishing simulation was itself compromised by an actual phishing attack within forty-seven minutes of being sent.
The original test, which involved a fake email purporting to be from the company’s fictional Chief Happiness Officer requesting employees update their parking permit details, had achieved what team leader Martin Fawcett described as “unprecedented success”. Only three per cent of staff had clicked the malicious link, down from the previous quarter’s seventeen per cent. The security team composed a congratulatory message to all staff, complete with an infographic showing the improved statistics and a link to claim a complimentary coffee voucher as a reward for collective vigilance.
The link, which was genuine when the email was drafted, had been replaced by the time it reached inboxes with one directing to a credential harvesting site. Sixty-eight per cent of employees clicked it. This included Fawcett himself, who accessed the link three times to see why it was not working properly.
“In hindsight, offering a reward via clickable link in an email about not clicking links in emails was perhaps not our strongest tactical decision,” Fawcett admitted during Tuesday’s emergency all-hands meeting, conducted via Zoom after the building’s access cards were remotely deactivated by parties unknown. “Though I would argue the real lesson here is about the sophistication of modern threat actors and their ability to intercept and modify email content in transit, which is actually quite validating for our department. It proves we were right to be worried.”
Jennifer Moss, a warehouse supervisor who had been among the cautious three per cent in the original test, expressed frustration at the sequence of events. “I spent fifteen minutes scrutinising that first email, checking the sender address, hovering over links without clicking, even phoned IT to verify it was fake before I reported it,” she said. “Then I clicked the congratulations one immediately because I wanted my free coffee. I’ve now done four hours of remedial cybersecurity training, taken on a Friday afternoon, which seems rather pointed.”
The IT Security team has proposed a follow-up initiative involving a phishing test about the phishing test that was phished, though this has been rejected by senior management on grounds that nobody could face the paperwork. The team has instead been instructed to attend a three-day external workshop on email security. The booking confirmation for this workshop arrived yesterday. It contains a link to download joining instructions. At time of publication, nobody has clicked it.