Council staff caught out by fake phishing emails to test cyber security

The promise of a new iPhone proved too tempting for some staff at West Sussex County Council, who fell for a simulated phishing email sent to test the council's cyber security.

Phishing is a way for fraudsters to steal sensitive information such as passwords and usernames

Members of the regulation, audit & accounts committee were told on Monday that, in order to assess weak points within the council’s cyber defence, a variety of emails were sent to 886 staff.

The messages, which were sent by a third party, included offers for cheap pizza and free iPhones. One told recipients they needed to change their bank details; another claimed to be from the council itself and told them to reset their work passwords.


The committee was told that the emails all contained ‘horribly obvious’ mistakes, but 611 people opened them anyway (opening a message is not in itself a compromise) and 285 of the 886 recipients clicked on the link.

Had the email been a genuine phishing attempt, the link would have led to a malicious website built to harvest their login details or to deliver malware to their computers.

Instead, the users were met with an error message.

Members were told that the most worrying part of the results was that 200 people clicked on the link in the email claiming to be from the council – even though ‘Sussex’ had been misspelled in it.

The next highest was ‘people looking for free iPhones’.
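A misspelled organisation name is the kind of tell a mail filter can catch mechanically when it appears in the sender's domain. The check below is an added example, not code from the article or from the council: it compares a sender's domain against a trusted domain by edit distance and flags near-misses and the trusted name buried inside another domain. The trusted domain, the sample addresses and the two-edit threshold are assumptions chosen for illustration.

```python
"""Lookalike-sender check: flag a domain that is close to, but not, a trusted one.

Added example, not code from the article or from the council. The trusted
domain, the sample addresses and the distance threshold are all assumptions
chosen for illustration.
"""

# Assumed trusted domain for the organisation running the check.
TRUSTED_DOMAINS = frozenset({"westsussex.gov.uk"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of an address such as 'IT <it@example.org>'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Classify a sender as 'trusted', 'lookalike' or 'unrelated'.

    'lookalike' covers misspellings within max_distance edits (westsusex vs
    westsussex) and the trusted name embedded in a different domain
    (westsussex.gov.uk.example.net).
    """
    domain = sender_domain(address)
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"            # exact match or a genuine subdomain
    for t in trusted:
        if t in domain or levenshtein(domain, t) <= max_distance:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders modelled on the lures the article describes.
    for sample in ("IT Helpdesk <passwords@westsusex.gov.uk>",
                   "payroll@westsussex.gov.uk",
                   "deals@cheap-pizza.example"):
        print(f"{sample!r:45} -> {classify_sender(sample)}")
```

The edit-distance threshold is deliberately small: at two edits it catches a dropped or doubled letter and a swapped suffix such as .co.uk for .gov.uk, while leaving unrelated marketing domains in the 'unrelated' bucket for ordinary spam handling.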

As well as being seen as a ‘learning experience’, the results will be used to educate council staff on cyber safety and security over the next 12 months.

Another security issue centred on passwords.

The council recently brought in a group of specialists – known as white hat hackers – to test the complexity of the passwords being used within the authority.

The meeting was told that the hackers managed to crack 150 passwords in ‘a relatively short period of time’.

Analysis of the cracked passwords showed that most were simple choices such as ‘password1’ or ‘qwerty23’, which are among the first guesses any cracking tool tries.

Roland Mezulis, chief information officer, told committee members that consideration was being given to raising the minimum password length from the current eight characters, ‘which can be cracked within nanoseconds’, to 14.

Mr Mezulis also explained why the council’s cyber-security risk level was likely to stay high.

He said: “It’s one of those threats that probably will remain at a high level. While we can put mitigations in place, we’re never quite sure what the next risk around the corner is going to be.”