FactFinder 12: Scammers target companies through 'phishing' emails

WICHITA, Kan. - In March 2016, a Wichita Regional Chamber of Commerce employee sent employee W-2s to a scammer who, in an email, was pretending to be the chamber's president.

Last December, a Sedgwick County employee paid out more than $500,000 after receiving an email from a scammer pretending to be a vendor.
And just last month, Butler County had to limit its services because of a ransomware attack on its computer network. Ransomware is often spread through spam and phishing emails.

From what we know about these cases, all three appear to be examples of email phishing: messages crafted to trick the recipient into handing over data, money or login credentials. They might seem like no-brainers to you. But would you fall for scams like these? We put one Wichita company to the test to see if its employees would take the bait.

Inside the Friends University Cyber Security lab, you can watch a phishing attack in progress.

"So the attack is going on inside our lab, in that network,” Program Director Jonathan Lanning said.

Within the controlled environment of the Cyber Security Lab, Lanning can cast his net. Simulated users react to his phishing email the way real people would: some ignore it, others read it, and the rest take the bait by clicking the link inside.

"This was the link that was sent in the email,” Lanning said.

The link takes potential victims to what looks like a legitimate company's login page. But on this website, the logo is a stolen image, and the address shown at the top of the browser is a misspelled version of the real one.

"Now when a user goes in here, they're going to put their username in, they're going to put in their password, they're going to click "submit" and nothing is going to happen. They just gave away their username and password,” Lanning said.
And just like that, an online criminal holds a valid username and password for your company's network.

"If you're not in a business that's doing this, you're potentially doing your folks a disservice. They need to know what this looks like because they're not going to stop it if they don't know what to look for,” Lanning said.

Many businesses don't conduct cybersecurity-awareness training with their employees. We found one in the Wichita area that currently doesn't but was willing to let us test its employees with a phishing email. Because of the sensitive nature of the testing, the business asked us not to reveal its name. But, we can tell you if its employees took our bait.

"I put myself in the shoes of any cyber criminal,” local systems administrator and community IT educator Vince Hancock said.

He’s our "cyber crook" for this experiment.

"Our email said that they had upgraded to a newer version of payroll software and 'because there has been a problem verifying your direct deposit account, you need to follow this link and give us new information so that you'll get paid,'” Hancock said.

There are three red flags to look out for:

First, Hancock says the email came out of nowhere with no additional company communication about the change.

Second, the email didn't originate from within the company.

"It almost looked that way. But also keep in mind, crooks can spoof or fake that email address so that it looks like it's coming from the CEO in the company,” Hancock said.

Finally, the email asked employees for their "prompt attention to this matter."

"If they say you have to act on this now -- we hear that all the time with the jury duty scam,” Hancock said.
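The three red flags above (a message that arrives out of nowhere, a sender that is not really inside the company, and pressure to act now), plus the misspelled address Lanning points to on the fake login page, can be checked mechanically before anyone clicks. The script below is an added example, not tooling from the story, from Hancock or from Friends University. It parses a raw email, compares the visible sender against an assumed company domain and a small assumed directory of insiders, looks for a Reply-To that diverts the answer elsewhere, flags link hosts that are one typo away from the real domain, and searches for urgency phrases. The company domain, the names, and both sample messages are constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed values for this example: the company's real domain and a directory of
# internal senders whose names an attacker might borrow (display name -> address).
COMPANY_DOMAIN = "example-co.com"
INTERNAL_PEOPLE = {"pat doe": "ceo@example-co.com"}

# Phrases that pressure the reader to act before thinking (the third red flag).
URGENCY = re.compile(
    r"\b(prompt attention|immediately|act now|within 24 hours|urgent(?:ly)?|as soon as possible)\b",
    re.IGNORECASE,
)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive 'registered domain': the last two labels (real tooling uses the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(host: str, target: str = COMPANY_DOMAIN) -> bool:
    """True when the host's registered domain is one edit away from ours but is not ours."""
    r = registrable(host)
    return r != target and edit_distance(r, target) == 1


def triage(raw: bytes) -> list[str]:
    """Return the red flags found in one RFC 5322 message (empty list means nothing noticed)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags: list[str] = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    internal = from_domain == COMPANY_DOMAIN or from_domain.endswith("." + COMPANY_DOMAIN)

    # Red flag 2: the visible sender is not inside the company; note when it is a near-miss of our domain.
    if not internal:
        flags.append("external-sender")
        if is_lookalike(from_domain):
            flags.append("lookalike-sender-domain")

    # Spoofing: an insider's display name on an address that is not theirs, or a Reply-To
    # that sends the answer somewhere other than the visible sender.
    real = INTERNAL_PEOPLE.get(name.strip().lower())
    if real and addr.lower() != real:
        flags.append("display-name-impersonation")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append("reply-to-mismatch")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""

    # The misspelled login page: links whose host is one typo away from the real domain.
    for host in URL_HOST.findall(text):
        if is_lookalike(host):
            flags.append("lookalike-link:" + host)

    # Red flag 3: pressure to act now, in the subject or the body.
    if URGENCY.search(str(msg.get("Subject", "")) + "\n" + text):
        flags.append("urgency-language")

    return flags


# Constructed sample: the payroll lure from the story, with a digit-for-letter sender domain,
# an outside Reply-To, and a capital-I-for-l link host.
PHISH = b"""From: Pat Doe <payroll@example-c0.com>
Reply-To: payroll-support@mail-verify.net
To: staff@example-co.com
Subject: Action required: verify your direct deposit
Content-Type: text/plain; charset=utf-8

We have upgraded to a newer version of our payroll software. Because there was a
problem verifying your direct deposit account, you need to follow this link and
give us new information so that you will get paid:

https://portal.exampIe-co.com/login

Thank you for your prompt attention to this matter.
"""

# Constructed sample: an ordinary internal message that should raise nothing.
LEGIT = b"""From: Pat Doe <ceo@example-co.com>
To: staff@example-co.com
Subject: Q3 all-hands on Thursday
Content-Type: text/plain; charset=utf-8

Slides are on the intranet at https://intranet.example-co.com/all-hands. See you there.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(sample))
```

Each flag is a reason for a human to pause, not a verdict: a genuine vendor can have an external Reply-To, and a real HR notice can ask for prompt attention. The value is in the combination, which is why the script returns every flag it finds rather than stopping at the first one.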

Hancock sent 98 phishing emails to employees. Keep in mind, some of those addresses were no longer valid and the emails bounced back. Fifty employees viewed the email. And 24, nearly half of the employees who viewed it, clicked the link and took the bait.

"We deliberately did not ask them for personal information on that page, but that's what the attackers would do,” Hancock said.

Hancock says the employees performed the way most would. But cybercriminals don't need dozens of people for their scam to work.

"All it takes is one,” Hancock said.

Ultimately, Hancock and Lanning agree that the goal is educating people *not* to fall for it.

"It doesn't matter if it was an organization of 10 or an organization of 1,000, one person clicks on that email, it could be putting their information at risk, their company at risk,” Hancock said.

In the interest of full disclosure, Hancock obtained half of the company's email addresses by doing some research online. The company supplied the rest.

Online resources to help you recognize and safeguard against phishing emails:

Google Safe Browsing

Anti-Phishing Resources

How Social Engineering can be used against you

Protecting your organization from phishing

Protecting your computer from phishing emails