Skip to main content

Two stolen email accounts led to 5 million spam messages

That's why Kristiansand Municipality conducted a phishing exercise.

A few years ago, Kristiansand Municipality fell victim to a phishing attack. Information went astray via two email accounts, and in a short time the municipality had sent out 5 million spam messages to the whole of Norway. As a result of the hijacking, Microsoft closed the municipality's access to the email system, and Kristiansand Municipality was unable to communicate via email for 14 days. At this time, the municipality did not have two-factor authorization.

- "We realized that we had to do something about IT security awareness. We therefore decided to carry out a phishing exercise to see what was really going on.

Ingunn Kvivik, Communications Manager at Kristiansand Municipality

"The aim of the exercise was to show employees - and the management of the municipality - how easy it is to be tricked," explains Kvivik: "We quickly realized that we lacked basic security routines and awareness. For example, if you use the same password on your private accounts as you do at work, a hacker can suddenly gain access to your entire workplace if one of your private accounts is affected."

Jarle Børven, who works as an ethical hacker and penetration tester at Netsecurity, set up and carried out the test together with Kristiansand Municipality. "I talked a lot with Ingunn to map out, then we created a scenario that was credible and in a natural context. Two key elements in getting people to "go for it" in such tests are to use means such as haste and fear. This causes people to become stressed and click on links before asking for a second opinion from others," he says.

1336 employees fell into the trap

Kristiansand Municipality contacted Netsecurity, and together we set up a fake email to be sent to 9,500 unsuspecting employees. 7,000 people opened the email, and of these, 1,336 clicked on the link and provided sensitive information. The wording and content were designed to make it appear that the email came from the municipality, but the email address was fake and the sender did not actually exist.

"We were a little surprised at how many people were fooled, considering how many years we've participated in Safety Month and how much we've talked about it. It shows that it's not enough to talk about this, people need to experience it first hand," says Ingunn Kvivik. Having a firewall and security in place is not enough, as hackers can easily get past this with the help of inattentive employees.

Ingunn Kvivik

The phishing exercise has led to increased security

Kristiansand Municipality has noticed an increase in the number of employees who get in touch when they receive an email they are skeptical about. In addition, they see that awareness has generally increased among employees, which was also the goal of the exercise. The result is that IT security is better safeguarded now than before they carried out the exercise.

"After the exercise, we had an evaluation with Netsecurity, where they also provided advice on how to proceed. The whole process was professional and unproblematic, with skilled people. Everything from planning to execution and evaluation afterwards worked superbly and it felt very safe to have Netsecurity there," says Communications Manager Kvivik.


Concrete measures introduced by the municipality after the exercise include

  • An internal campaign on how to detect a phishing email, good password hygiene and "it's not embarrassing to make mistakes, report to IT quickly".
  • IT has established better routines for phishing. This includes activating Report Message to make it easier for employees to report suspicious emails, as well as testing adding a warning if: "this message was sent from a sender outside your organization"
  • Introduced what they call "everyday security rules" - a flyer given to employees and included with all new computers
  • Established October as an annual security month in Kristiansand municipality


- By conducting a phishing exercise, the user is made more aware of such attacks and what to watch out for. IT security is layer upon layer of security, but phishing bypasses many of these layers and goes straight to people. That's why it's extremely useful for all employees to receive training on what an attack might look like.

Jarle Børven, ethical hacker and penetration tester at Netsecurity


Recommends all companies to do a risk assessment

What would it mean for your company if your employees' accounts were taken and unauthorized persons gained access to your systems? It's a risk assessment every company should do, according to Kvivik.

"One tip is to get involved in Security Month, which is in October every year. Here you get a lot "for free" in that good information is gathered in one place, you can participate in various seminars and the like. By putting safety high on the agenda during this month, it's easier to maintain awareness of it for the rest of the year," Kvivik concludes.

"Absolutely everyone should have two-factor authorization," advises Jarle Børven. "In addition, it's smart to have good password hygiene - don't use the same password in several places. This makes it very easy to access your other accounts," he says.


Do you want to know more about what a phishing exercise involves?

Facts about phishing

  • Phishing is a form of social engineering in which an attacker attempts to trick someone into performing an action, such as opening an email attachment, clicking on a link or paying a fake bill.
  • Attachments can be used to install malware, such as ransomware, which can spread to other computers in the same network.
  • Via links, the attacker can request usernames and passwords to system solutions and use these to steal confidential information, for example.

Drammensveien 288

0283 Oslo


Sandviksbodene 1

5035 Bergen


Kanalsletta 4

4033 Stavanger


Bark Silas vei 5

4876 Grimstad


Dronningens gt 12

4610 Kristiansand


Kammakargatan 22

111 40 Stockholm