Story image

Kiwi employees vulnerable to phishing attacks, report finds

12 Oct 16

One in ten Kiwis could fall for a phishing attack, a new report has found.

Ahead of Connect Smart Week, KPMG conducted a phishing experiment with 35 New Zealand organisations, who agreed to be involved, with a total of 8,333 staff.  

Phishing is the practice of sending an email pretending to be from a reputable company or organisation in order to trick individuals to reply with personal information, such as passwords and credit card numbers.

Moreover, Phishing emails increasingly contain ransomware, with a report earlier this year revealing 93% of all phishing emails contained encryption ransomware.

The KPMG experiment saw employees in each organisation sent an email indicating their organisations had signed up to a password quality checking website. The email contained a link and asked the recipient to go to the website to check the quality of their password.

KPMG found that 1,009 people (12.1%) clicked on the link and, once through to the website, 702 (8.4%) entered their password details.

Philip Whitmore, KPMG Partner and head of KPMG Cyber, says the exercise was a great way to educate employees and start a discussion in the workplace, but also a real warning sign for organisations.

“Unfortunately the results were not surprising – as phishing emails are becoming increasingly convincing and sophisticated,” Whitmore says.

“If the phishing emails had been real, then cyber criminals would have acquired the passwords of a significant number of people in every organisation,” he explains. 

“With many organisations still relying upon username and password for remote access, it would have meant it was game over for many of the organisations involved.”

Whitmore indicated there were a few simple warning signs in the phishing email which should have raised alarm bells.

“We made the email look like it was sent from an employee within the organisation, but the name did not match the email address,” says Whitmore.

“The email also did not include a signature block, and there was no personalised greeting – a couple of red flags,” he says.

The Connect Smart website has advice for individuals looking to improve their cyber security, including a tip sheet on how to recognise and avoid phishing attacks.

Director of the National Cyber Policy Office Paul Ash is urging people to ‘think before they click’. 

“Employees should look out for suspicious, unsolicited emails requesting personal information or other information relating to their workplace,” Ash says.

“They should take care to verify links or attachments are genuine before clicking on them,” he ads.

Ash says individuals can take simple steps to protect themselves and their workplace. 

“Workplace cyber security is about protecting information – whether it is the organisation’s intellectual property, financial information, details of customers or personal staff details,” he explains.

Connect Smart Week is hosted alongside Stay Smart Online Week, run by the Australian Government. The theme of Connect Smart Week 2016 is improving the cyber security capability of employees.

Tips to prevent against phishing:

  • Know how to recognise valid emails: Is the email from someone you know or have received an email from before? Is it something you were expecting?  Does it look strange (e.g. unusual spelling or other errors in the email address or domain names)?  Has it passed the anti-virus test?
  • Think before you click: Do not open suspicious links in emails, tweets, social media posts, online ads, messages or attachments – even if you think you know the source.
  • Verify the email: If you are unsure about whether an email is from a legitimate company or government department, try calling the organisation that appears to have sent the email. 
Report finds GCSB in compliance with NZ rights
The Inspector-General has given the GCSB its compliance tick of approval for the fourth year in a row.
Preparing for e-invoicing requirements
The New Zealand and Australian governments are working on a joint approach to create trans-Tasman standards to e-invoicing that’ll make it easier for businesses in both countries work with each other and across the globe
5c more per share: Trade Me bidding war heats up
Another bidder has entered the bidding arena as the potential sale of Trade Me kicks up a notch.
Hootsuite's five social trends marketers should take note of
These trends should keep marketers, customer experience leaders, social media professionals and executives awake at night.
Company-X celebrates ranking on Deloitte's Fast 500 Asia Pacific
Hamilton-based software firm Company-X has landed a spot on Deloitte Technology’s Fast 500 Asia Pacific 2018 ranking - for the second year in a row.
Entrepreneur reactivates business engagement in AU Super funds
10 million workers leave it up to employers to choose their Super fund for them – and the majority of employers are just as passive and unengaged at putting that fund to work.
Tether: The Kiwi startup fighting back against cold, damp homes
“Mould and mildew are the new asbestos. But unlike asbestos, detecting the presence – or conditions that encourage growth – of mould and mildew is nearly impossible."
Capitalising on exponential IT
"Exponential IT must be a way of life, not just an endpoint."