Industry Insights

State of Michigan Employees Fall Victim to Test Phishing Scam

April 2018
Author: Lanny Morrow, Managing Consultant, Forensics & Valuation Services

1201 Walnut Street, Suite 1700
Kansas City, MO 64106-2246

A recent article on the website, “One in Three Michigan Workers Tested Opened Fake ‘Phishing’ Email,” underscores how, in spite of the push for greater training, education and awareness, people still fall victim to phishing and other email scams designed to harvest important information, divulge access credentials or initiate a cyberattack such as ransomware. Hackers love this form of ‘social engineering,’ as it’s low-cost, simple and highly effective—so expect to see even more phishing scams going forward.

In the Michigan case, state auditors sent a phishing email to 5,000 randomly selected state employees, with roughly 33 percent of them falling for the scam. The Michigan Office of the Auditor General made 14 findings in its report, including five considered “material,” i.e., the most serious.

Michigan isn’t alone—in BKD’s IT Risk Services and Forensics & Valuation Services divisions, we see employees in state and local governments, not-for-profits, higher education and corporations fall victim to phishing scams at an alarming rate. Our experience is that a minimum of 7 to 8 percent of employees will fall prey to a phishing scam email when tested. That figure reaches as high as 46 percent, with a median of 23 percent. This is alarming considering it only takes one victim to open the door to identity theft (W-2 scams are seeing a resurgence this year), sensitive data harvesting or a malicious attack such as ransomware—see our article, “Look over Here! (While I Steal Your Data over There).”

Call to Action

Following these practical tips can help your organization better prepare itself for phishing scams:

  1. Training & Awareness – Humans are the weakest link in cybersecurity. Properly training employees raises awareness of what to look for in phishing emails and how to handle them. Organizations with formal cybersecurity training are less prone to attack.
  2. IT Risk Evaluation with Penetration Testing – An IT risk evaluation can highlight weaknesses in the organization that could lead to a cyberattack. Penetration testing (ethical hacking) often includes fake phishing emails, like the test performed by the Michigan state auditors.
  3. Endpoint Protection – Keeping endpoint protection tools in place and up to date adds a technological layer to your defenses. For example, recent additions to Microsoft Outlook help identify potential phishing emails before they’re opened, and emails from outside the organization are visually flagged as external.
  4. Incident Response Plan – The best-prepared organizations are those that understand it’s not a matter of if they will suffer a cyberattack, but when. Adopting this mindset allows for better preparation in the form of an incident response plan—the guiding processes and procedures that jump into action when a cyber incident occurs. Without such a plan in place on the front end, organizations find themselves overwhelmed and reactionary during an incident. A well-crafted, tested incident response plan is the foundation of a responsible, thorough response in a crisis.
  5. Cyber Insurance – Given that all organizations are likely to experience some sort of incident in the future, cyber insurance provides peace of mind and a financial backstop in the event a phishing email succeeds and results in compromised identity data or sensitive information, or in a systems shutdown caused by a ransomware attack. Such policies also cover the costs of getting back on your feet and often pay for incident response, forensic investigation and reporting.
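The external-sender flagging described under item 3 is easy to reason about in code. The following is an added example, not part of the original article or of any Microsoft product: it parses a raw message, tags the subject of mail from outside the organization’s own domains, and reports two cheap indicators a phishing-aware reviewer looks for (a Reply-To pointing at a different domain than From, and a display name that imitates an internal address). The domain names and sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed placeholder for the organization's own mail domain(s).
ORG_DOMAINS = {"agency.example"}

# Constructed sample messages: one genuinely internal, one external lookalike.
INTERNAL_SAMPLE = (
    "From: Jane Doe <jane.doe@agency.example>\r\n"
    "To: staff@agency.example\r\n"
    "Subject: Q2 budget meeting\r\n\r\nSee attached agenda.\r\n"
)
EXTERNAL_SAMPLE = (
    'From: "payroll@agency.example" <hr-update@agency-example.test>\r\n'
    "Reply-To: <collect@mailbox.test>\r\n"
    "To: staff@agency.example\r\n"
    "Subject: Action required: confirm your W-2 details\r\n\r\nClick here.\r\n"
)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, '' if none."""
    return addr.rpartition("@")[2].lower()


def classify_message(raw: str, org_domains=ORG_DOMAINS) -> dict:
    """Parse an RFC 5322 message and decide whether it came from outside the
    organization; prepend an [EXTERNAL] tag to the subject when it did and
    surface two simple phishing indicators for the reader."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    external = from_domain not in org_domains
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr) if reply_addr else from_domain
    # Display name that contains one of our own domains while the real
    # address is external is the classic "looks like HR" lure.
    display_spoof = external and any(d in display.lower() for d in org_domains)
    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return {
        "external": external,
        "reply_to_mismatch": reply_domain != from_domain,
        "display_spoof": display_spoof,
        "subject": subject,
    }


if __name__ == "__main__":
    for sample in (INTERNAL_SAMPLE, EXTERNAL_SAMPLE):
        print(classify_message(sample))
```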

The price of cybersecurity is eternal vigilance for the organization. Carefully learning from the mistakes of others, heeding the warnings of published stories like the Michigan phishing test and implementing better protections as a result will help make your organization more cyber aware, and therefore more cyber secure.

Contact Lanny or your trusted BKD advisor if you have questions.
