Two stolen email accounts led to 5 million spam messages

Why Kristiansand Municipality carried out a phishing exercise

Kristiansand Municipality customer case

A few years ago, Kristiansand Municipality was the victim of a phishing attack. The credentials for two email accounts were stolen, and within a short time those accounts had sent out 5 million spam messages across Norway. The hijacking led Microsoft to shut down the municipality's access to the email system, and Kristiansand Municipality was unable to communicate by email for 14 days. At the time, the municipality did not have two-factor authentication.

- We realized that we had to do something about awareness of IT security. We therefore decided to carry out a phishing exercise to see what the real situation was.

Ingunn Kvivik, Head of Communications in Kristiansand Municipality

“The goal of the exercise was to show employees, and the municipality's management, how easy it is to be deceived,” Kvivik explains. “We quickly realized that we lacked basic security routines and awareness. If, for example, you use the same password for private accounts as at work, a hacker can suddenly gain access to your entire workplace if one of your private accounts is compromised.”

Jarle Børven, who works as an ethical hacker and penetration tester at Netsecurity, set up and carried out the test together with Kristiansand Municipality. “I spoke a lot with Ingunn to map things out, then we created a scenario that was credible and in a natural context. Two key elements for getting people to ‘fall for it’ in such tests are using tools such as urgency and fear. This causes people to become stressed and click on links before asking others for a second opinion,” he says.

1336 employees took the bait

Kristiansand Municipality contacted Netsecurity, and together we set up a fake email that was sent to 9500 unsuspecting employees. 7000 of them opened the email, and of these, 1336 clicked the link and entered sensitive information. The wording and content were designed to make it look as though the email came from the municipality, but the sender address was fake and the sender did not actually exist.

"We were a little surprised by how many were fooled, considering how many years we have participated in the security month and how much we have talked about it. It shows that it is not enough to talk about this, people have to feel it firsthand," says Ingunn Kvivik. A firewall and perimeter security are therefore not sufficient on their own: an attacker who persuades one inattentive employee to hand over credentials walks straight past them.

The phishing exercise has led to increased confidence

Kristiansand municipality has noticed an increase in the number of employees who get in touch when they receive an email they are skeptical about. In addition, they see that awareness has increased generally among employees, which was also the goal of the exercise. The result is that IT security is better safeguarded now than before they carried out the exercise.

“After the exercise, we had an evaluation with Netsecurity, where they also gave advice on how we should proceed. The entire process was professional and trouble-free, with highly skilled people. Everything from planning to implementation and the subsequent evaluation worked superbly, and it felt very safe to have Netsecurity there,” says communications manager Kvivik.

Specific measures the municipality has introduced after the exercise are:

  • Internal campaign on how to detect a phishing email, good password hygiene, and that "it is not embarrassing to make mistakes, report quickly to IT"
  • IT has established better routines for handling phishing. Among other things, the Report Message add-in has been activated so that employees can report suspicious emails directly from Outlook, and they have also tested adding a warning to incoming external mail: "this message was sent from a sender outside your own organization"
  • Introduced what they call "everyday security rules", a flyer given to employees and included with all new PCs
  • Established October as an annual security month in Kristiansand Municipality
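The external-sender warning in the list above is a standard Exchange Online control. As an added example, not code from the article or from Netsecurity, the block below configures it in two forms from Exchange Online PowerShell: the native "External" tag that Outlook renders, and a mail flow rule that prepends a visible banner to the message body. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange administrator role; the UPN, allow-list address, rule name and banner text are placeholders.

```powershell
# Added example (not from the original article or Netsecurity): configure an
# "outside your organization" warning in Exchange Online.
# Assumptions: ExchangeOnlineManagement module installed; the account below is
# a placeholder with Exchange administrator rights.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder UPN

# 1. Native "External" tag. Exchange decides on the authenticated sender domain,
#    so a spoofed display name or a look-alike address still gets tagged.
#    AllowList exempts senders you deliberately trust (placeholder address).
#    Microsoft documents a propagation delay of up to 48 hours for this setting.
Set-ExternalInOutlook -Enabled $true -AllowList @("alerts@trusted-partner.example")
Get-ExternalInOutlook | Format-List Enabled, AllowList

# 2. Mail flow rule: prepend a banner to the body of every message that comes
#    from outside the organization and is delivered to an internal mailbox.
#    FallbackAction Wrap still delivers the banner when the original body
#    cannot be modified in place (e.g. signed or encrypted content).
New-TransportRule -Name "External sender warning" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="background:#FEEFB3;color:#9F6000;padding:6px;">This message was sent from a sender outside your own organization. Do not click links or open attachments unless you recognise the sender and expected the message.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# 3. Confirm the rule is enabled and scoped as intended before telling users.
Get-TransportRule -Identity "External sender warning" |
    Format-List Name, State, Priority, FromScope, SentToScope, ApplyHtmlDisclaimerLocation

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats a practitioner should keep in mind. First, neither control fires for mail sent from a compromised account inside the tenant, which is exactly how the municipality's 5 million spam messages went out; the warning helps users spot inbound lures but does not replace two-factor authentication. Second, a banner on every external message quickly becomes wallpaper; the native tag is less intrusive, and the rule above can be narrowed with additional conditions if users start ignoring it.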

- By carrying out a phishing exercise, the user becomes more aware of such attacks and what to watch out for. IT security is layered security, but phishing bypasses many of these layers and goes straight for the human being. Therefore, it is extremely useful for all employees to practice what an attack can look like.

Jarle Børven, ethical hacker and penetration tester at Netsecurity

Recommends all companies carry out a risk assessment

What would it mean for your company if employees' accounts were taken over and unauthorized persons gained access to your systems? According to Kvivik, this is a risk assessment all companies should make.

"One tip is to get involved in the security month, which is in October every year. Here you get a lot ‘for free’ because good information is gathered in one place, and you can participate in various seminars and similar activities. By putting security high on the agenda this month, it is easier to maintain awareness around it for the rest of the year," Kvivik concludes.

"Absolutely everyone should have two-factor authentication," advises Jarle Børven. "In addition, it is wise to have good password hygiene: do not use the same password in multiple places. Otherwise, access to your other accounts is very easy," he says.

Facts about phishing

  • Phishing is a form of social engineering in which an attacker attempts to trick someone into performing an action, for example opening an email attachment, clicking a link, or paying a fake invoice.
  • Malware can be installed via attachments, for example ransomware, which can then spread to other computers on the same network.
  • Via links, the attacker can lead the victim to a page that asks for usernames and passwords for work systems, and then use these, for example, to steal confidential information.

Would you like to know more about what a phishing exercise involves?