Imagine you are at work. You are rattling through your email. And in your inbox, sitting quietly, is a message with the word “sexy” in the title…
Do you open it? (Probably not, or you wouldn’t be reading Naked Security.)
But what about others in your organisation? Do you think they might be tempted?
More than 6100 government workers in Taiwan’s New Taipei faced this exact scenario. According to Time.com, they each received an email message with the following subject line:
"Justin Lee's sex videos, download it, quick"
For those, like me, who aren’t aware, Justin Lee is hailed by many as one of Taiwan’s richest playboys.
He has recently been in the press for leaked videos and photos of him engaged in “private” activities with models and celebrities.
A quick search on Google for the phrase “Justin Lee Taiwan” finds a myriad of images:
And earlier this month, 12 people were arrested for reportedly distributing dirty videos and images starring Justin Lee.
The recent fevered focus on Justin Lee makes him the perfect lure for a regional email campaign attempting to ensnare clicks from unwary recipients.
But the email wasn’t malicious or even a targeted spam campaign: it was actually sent by the local government to the 6000+ employees with the aim of testing their computer security behaviour.
Would recipients try to open it? Or would they do the right thing and delete it or report it as spam?
Time.com reports that one in six employees, or almost 1000 recipients, tried to open the link. Once clicked, they were told to report to their manager and made to attend a two-hour course in data security.
Eeek, there must have been a few head-in-hand moments…
The thing is, not everyone thinks that this sort of test is fair.
Should everyone who uses a computer today be aware that opening unsolicited emails with provocative subject lines is likely to have negative consequences? I think so, but then I work in the field and live and breathe this stuff every day, so I am certainly not impartial.
I cannot help but think that if the modern computer user is not aware of what lurks behind such emails, perhaps tactics like the one employed by this municipal government are just what is needed to drive home the point of computer security.
Nothing educates quite like making mistakes.
By testing staff with these e-mails, you're projecting an attack situation (that they will think is real), but in a safe environment (Your overwatch). So what if they feel a little embarrassed about it? Got to give them some tough love for their own sake!
If 1/6 of a company's employees are a potential vector for infection, it's your job to lower that risk by the most effective means possible (bar removing all users, of course!).
Doesn't the fact that one in six employees opened the email say it all? I bet those employees are all a little better educated and a LOT more wary of opening questionable emails now.
I agree with Time: give them the tough love. Maybe the next test will be to see if one in six employees divulge their passwords or fail to appropriately secure them.
If opening a URL in a browser is considered a security risk, it's time to change browsers and maybe the whole operating system. I open suspicious links frequently, especially ones that people say "Don't open or it'll destroy your computer." What nonsense… it's just another spammer trying to collect money from click-through impressions, or a scam intended to collect money from gullible consumers (like the common "free" iPod/iPad scams), a phishing scam for bank details, or cheapo pornography. I scan server links and proceed to block the server names of all sites connected to the scammy URL, including entering information into phishing scam fields and going after the target domains, reporting the potential crime as appropriate and blocking the rest.
On a corporate/government network, anyone who can install software that can cause a security threat must be an admin with the root password. Everyone else shouldn't be able to install software outside of their personal profiles, which would also prevent the installation of keystroke logging software and other potential threats to data security specific to one machine. New Taipei is blaming users, when it should be looking into its own administrative security configuration.
Your heart is in the right place. But, at the same time, user education is important. If they would click on the link, what else would they do? Even if the PC is protected, and the user is not privileged, that doesn't mean that you should accept them doing whatever they please.
It's the same principle as a fire practice! Better to remind everyone to wake their dozing colleagues than leave them to fry when the real inferno arrives.
1/6 people open those e-mails
15% voted No
Hmmmmm.
There is the other question, which isn't related to security but to employee responsibility: You shouldn't be using company equipment and time to leer at 'sexy' photographs. So, weeding out those who do is definitely a win-win for the company.
Seriously, when will people GET that an email address that ends in @corporation is OWNED and MONITORED by said corp!?!
That corp is also entitled to protect their servers AND reputation.
Sheesh people! Figure it out!
The company would spoof the email. No mention of the company name at all.
I'm pretty sure that was referring to the email address of the RECIPIENT, not that of the sender. In other words, if your employer gives you an email account, they will have access to its content and activity.
The word might be spelled S-E-X-Y but I read "Malware".
If this hadn't been done before, 1/6 is a lower proportion than I would anticipate – the employees are well trained, naturally wary, or the word got round quickly from the 1/6.
Don’t forget those employees are using the government’s computers, networks, email, and work time. If they were being fired I’d have a problem with it, but a class on security is very smart.