Perth and Kinross Council has revealed it has been “phishing” its own staff as part of crackdown on cyber crime.
The local authority began deliberately sending out bogus e-mails to employees as it battles increasingly sophisticated attacks by hackers at a rate of about a million per month.
Throughout December, council staff received messages promising special Christmas offers and discounts from well-known companies.
But if they clicked on the link they received an educational message, highlighting the risks of malicious e-mails. About a quarter of employees were duped by the first wave of simulated scams.
A report to go before councillors next week reveals that in February alone, there were 683,367 spam and phishing-type e-mails, nearly 400,000 malicious connection attempts and 18 viruses and malware. All were successfully blocked, although the council said a small amount of breaches have been reported in recent years.
The council’s information security officer Paul Dick said: “The council is not considered to be a high profile target. Attacks against the council are generally indiscriminate, but the sophistication of these attacks is increasing rapidly.
“The council has invested in new technology in an attempt to block more of these attacks from entering the network. No technological measure is 100% effective and ultimately we must depend on our staff being vigilant to those malicious messages which make it through our defences.”
He said: “The council has purchased a product to carry out simulated phishing attacks against our employees. These simulations allow employees to be exposed to superficially malicious e-mails and providing an element of awareness education to those who fall for the ruse without any danger to the network.”
He said an initial test of the software, which saw emails sent out imitating internal e-mails from IT, had click rates of about 25%. “This unfortunately means that one in four of our staff when presented with a similar but malicious e-mail would be at risk of clicking on its links and introducing malware into the council network.”
The report to go before Wednesday’s strategic policy and resources committee shows that the Christmas offers scam only had a click rate of six per-cent. “This indicates that staff are appropriately suspicious of spam type e-mails, but that more work is needed to make internal e-mails more recognisable and to increase our employees’ awareness of potential malicious e-mails,” said Mr Dick.
