Canadian Justice Department Employees Fall Hard for Phishing Scam, Prompting Security Concerns

An internal Justice Department mock phishing exercise sent emails to about 5,000 employees—about half of whom are apparently lawyers—containing a link to a fake website made to look like the real thing.

This phishing expedition caught 1,850 people in its wide net: about 37% of recipients clicked on the phony embedded links.

The study was conducted in December, and more of these awareness campaigns are planned for June, August and October. Carole Saindon, Justice Canada spokesperson, says the simulations will be “graduating in levels of sophistication.” She also said that the previous two waves of mock emails sent in February and April show improved results, with clicking rates falling by half. Nevertheless, the saying “Fool me once” comes to mind.

37% is not a good number. According to a federal website, the success rate of phishing scams for the general public is only 5%.

Before we get all worked up about the alarmingly gullible nature of our federal justice department, let’s give them the benefit of the doubt by assuming they’re going about their day-to-day electronic communications with knowledge that the government deploys top-notch spam filters and impenetrable firewalls. That could be a reasonable defense as to why so many were successfully duped.

Okay, so if that were their story and they’re sticking to it, shouldn’t they still err on the side of caution? Remember, it was their own department that found itself in a major privacy breach in late 2012. The breach involved one of its lawyers, working at Human Resources and Skills Development Canada, who lost a USB key containing unencrypted confidential information (including medical conditions and SIN numbers) about 5,045 Canadians who had appealed disability rulings under the Canada Pension Plan. The privacy commissioner is still investigating that breach.

The results of this test notwithstanding, it’s important to note that the weakest link in the computer security chain is and always will be people. Phishing, whether it’s targeted at the general population or the Canadian Justice Department, is a form of social engineering.

Social engineering is always the easiest method for hackers to get the information they want from you. Why go to all the trouble of trying to penetrate the corporate firewall, access the corporate network and steal passwords with a computer program when it’s much easier to just ask for the passwords (as in a phony email)? A smart hacker can call a random employee at a given company, act friendly, name-drop a little bit, pretend to be from the help desk and eventually come away with all the information they need.

Canadian federal employees aren’t the only ones who have fallen prey to such mock exercises. I recall that back in 2007 in Washington, DC, IRS employees disregarded security policies and turned over sensitive computer information to a caller (a social engineer) posing as a technical support person. A whopping 61 of the 102 people who got the test calls—which included managers and a contractor—complied with a request to provide their username and temporarily change their password to one the caller suggested. The findings were reported to the Treasury Inspector General for Tax Administration, an office that provides oversight of the Internal Revenue Service.

And I’ll never forget the informal survey conducted in San Francisco outside a very large financial institution. A security researcher stood outside the building with a stack of $10 Starbucks gift cards. As employees of the financial company approached him, he presented them with a survey that eventually asked them to divulge very sensitive corporate data such as their network ID and password. In exchange for the information, the subjects would receive the $10 gift card. Over 70% of them gave up the data—all for a few cups of coffee!

While the results of the justice department’s experiment are admittedly scary, we shouldn’t read too much into the numbers either. As mentioned earlier, people – regardless of where they are or who they work for – will always be susceptible to scams, especially those that disguise themselves as legitimate. Hackers and advanced social engineers will always be one step ahead.

After spending years leading in-depth information security training at the provincial government level, I soon realized that no matter how often we try to ingrain these policies and procedures into people’s heads, there’s only so much they can absorb. When we’re busy sitting at our computer with seven apps running, 10 browser windows open, and 30 emails to answer, we’re going to click once in a while without thinking.

But sometimes all it takes is that one click. Hopefully it doesn’t lead to disaster for you or someone you know.