Phishing Test sent 20171207

Posted December 11, 2017 By admin

On Thursday, December 7, we sent a phishing test appearing to come from “CITS Support”. At first I was fairly happy with the results, but then I found out only about 72 emails were actually delivered. I would imagine the spam filter saw the bulk of mail coming in from a single IP and closed it off or started throttling it (which is good, but I need to do something different in the future). So, out of the 72 emails that were delivered, 30 (41%) were opened (tracking image was downloaded), nine users (12%) clicked the link, of those, six users (8%) submitted their username and password (although, for security, we did not capture passwords), and of those, two users (2.7%) ran the program (end users should not be downloading and running software). The program did nothing but email us to notify us that it was run.

Only two users used the Phish Alert button to report the email (not all clients have this option), two users called us (which is great), and two users emailed me directly (please don’t email me directly and especially don’t forward spam/scams).

Clearly there is room for improvement. Even though our program was harmless, a real phishing email could have started encrypting the users’ data files, and if the website had captured passwords (and they were accurately entered), then the phisher would probably have had at least some access to the client’s network (for example, Outlook Web Access).

In the next few weeks we will be delivering posters for our clients and their users that point out things to look for in emails, but in the meantime, here is the email with comments in red.

From: CITS Support [mailto:citssupport@ns-cits.xyz] == This domain was set up specifically for this test. We would not use an “xyz” top-level domain name, and this email address (citssupport) has never been used. The email is also not from cits.*** – it’s from “ns-cits”. A “whois” search (a little more advanced) shows this domain was registered just over a month ago.
Sent: Thursday, December 07, 2017 9:07 AM
To:  *********** <*****@*****>
Subject: Security Upgrade – your timely action is required! == phishing emails demand action

*******,

Due to the increase in the numbers of security breaches with other clients, Certified I.T. Solutions (we almost always include LLC) has launched preventative measures to ensure that your computer account remains secure. We have upgraded your office’s security to keep your personal details safe. To do this in the most secure and timely way possible we have temporarily limited access (phishing emails make you want to act) to applications that may contain sensitive data.  == If we really needed to do something like this we would have made all users aware well ahead of time.

To begin your security upgrade and reestablish full access to your account please follow this link. Failure to do so will result in limited access to your profile. == Link is not to our domain.

Certified I.T. Solutions, LLC == Just FYI, this block was pulled straight from our website so it is legit but is not our usual signature.
PO Box 335
Euless, TX 76039
817-354-2487
fax 817-391-4094
https://www.cits.us

<Image not shown> == This image was stripped from our website and is not our correct logo.

Administrator name is not mentioned in this email – red flag.

Going to ns-cits.xyz would have redirected the user to cits.us – red flag

Going to backend.ns-cits.xyz (from the link) would have shown a 404 Error – red flag
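
The sender-domain, link-domain and domain-age checks described in the comments above can be automated. The following is an added example, not part of the original post or of any tool CITS uses; the brand token, the 90-day age threshold, the URL path and the whois registration date are assumptions made for illustration.

```python
import re
from datetime import date
from urllib.parse import urlparse

TRUSTED_DOMAIN = "cits.us"    # real domain, from the signature block in the email
BRAND_TOKEN = "cits"          # assumption: the string a lookalike domain reuses
MIN_AGE_DAYS = 90             # assumption: below this a domain counts as newly registered


def host_is_trusted(host):
    """True only for the trusted domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def red_flags(from_header, body, sent, whois_created=None):
    """List the red flags for one message.

    whois_created maps a domain to its registration date, looked up separately.
    """
    flags = []

    def add(text):
        if text not in flags:          # sender and link often share one domain
            flags.append(text)

    sender = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    hosts = [("sender", sender.group(1).lower() if sender else "")]
    for url in re.findall(r"https?://[^\s<>\"'\[\]]+", body):
        hosts.append(("link", (urlparse(url).hostname or "").lower()))

    for kind, host in hosts:
        if not host or host_is_trusted(host):
            continue
        add(f"{kind} host {host} is not under {TRUSTED_DOMAIN}")
        if BRAND_TOKEN in host:
            add(f"{kind} host {host} imitates the name '{BRAND_TOKEN}'")
        for domain, created in (whois_created or {}).items():
            age = (sent - created).days
            if (host == domain or host.endswith("." + domain)) and age < MIN_AGE_DAYS:
                add(f"{domain} was registered only {age} days before the message")
    return flags


# Constructed sample: header and link host are from the post; the URL path
# and the whois registration date are invented for this example.
SAMPLE_FROM = "CITS Support [mailto:citssupport@ns-cits.xyz]"
SAMPLE_BODY = "Please follow this link: http://backend.ns-cits.xyz/upgrade\nhttps://www.cits.us"
SAMPLE_WHOIS = {"ns-cits.xyz": date(2017, 11, 1)}
SAMPLE_SENT = date(2017, 12, 7)

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_FROM, SAMPLE_BODY, SAMPLE_SENT, SAMPLE_WHOIS):
        print("RED FLAG:", flag)
```

The suffix match in `host_is_trusted` requires a leading dot, so a lookalike such as `ns-cits.us` is not mistaken for a subdomain of `cits.us`.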