Earlier today, everyone at Atlantic Media received an email warning them to “reverify” their Google Apps account. But the email wasn’t actually from Google; it was from Atlantic Media’s Chief Technology Officer Tom Cochran, who wanted to test his staff to find out it they would click the fake link.
And within two hours, 58 percent of people at Atlantic Media did.
“Across our entire company, 58% of us clicked the email after opening it. Wow. Fifty-eight percent!” Mr. Cochran wrote in a follow up email chastising Atlantic Media employees. “With those odds, all a scammer needs to do is craft an intriguing enough subject line and they have a great chance at getting your account information. Then, you’re hacked and so is Atlantic Media.”
These kinds of phishing attacks are how groups like the Syrian Electronic Army gain access to news organizations’ twitter accounts. If 58 percent of people are willing to click a fake Google Apps link, it’s a miracle the Atlantic twitter accounts haven’t been hacked yet.
The worst offender? Quartz, Atlantic Media’s business website, whose staffers—despite working for an online-only publication—apparently aren’t savvy enough when it comes to protecting themselves online.
Full email below:
From: Tom Cochran
To: Everyone at Atlantic Media
Date: Friday, May 31, 2013 4:08:15 PM
Subject: Did you pass today’s phishing test? 123 of you didn’t.
123 of your colleagues clicked the email. That’s not good.
Phishing emails are going to be convincing with a message to act on right away. They’ll link to a form that looks legitimate, and in a split second, you’ll have given up your username and password.
Across our entire company, 58% of us clicked the email after opening it. Wow. Fifty-eight percent!
With those odds, all a scammer needs to do is craft an intriguing enough subject line and they have a great chance at getting your account information. Then, you’re hacked and so is Atlantic Media.
Some of the business units were shockingly high, as you can see below.
The Atlantic: 58%
National Journal: 52%
Government Executive: 67%
Sadly, this was all in just two hours. Even if we generously say that a quarter of the clicks were by people who knew it was a drill, that’s still 90 people. That’s not good.
All it takes is one stolen password and we are hacked. Then, we could have a website defaced, Twitter account tweeting false information, financial information leaked, expose your sources and a lot more. Imagine how quickly this spirals out of control if, in just two hours, a scammer can trick 123 people.
Now would be an excellent time for you to set up 2-step authentication for your Google Accounts (if you haven’t already). Follow both links below or email [redacted] and you’ll get some assistance. (Of course, these are not phishing links.)
Please take this seriously, because otherwise, it’s just a matter of time before something bad happens. Spend an extra 15 seconds to examine an email before clicking anything. And, if you have any doubts, just forward it to [redacted] and they’ll take a look.
Thanks, and please let me know if you have any questions or concerns.