Breaking News
More () »

Phishing test: We sent a fake email to Portland employees

A Portland company let us send their employees fake emails to see if they’d take the bait. What they learned could help you protect your identity.

Kyle Iboshi (KGW Senior Investigative Reporter)

Play Video

Close Video

Published: 5/24/2017 4:47:41 PM
Updated: 10:16 AM PST November 9, 2017

PORTLAND, Ore. — We’ve all heard the warning about email phishing attacks: Don’t click on suspicious links or attachments in an email. Hackers can infect your computer with a virus or get access to sensitive information.

Earlier this month a massive global email attack crippled computer systems in nearly 100 countries.

Attacks like these got us thinking, would people know a fake phishing email if they saw one?

To find out, we set up a test. Portland-based company Chown Hardware let us send their employees fake emails to see if they’d take the bait and click on a link.

We enlisted cybersecurity analyst Ken Westin. He created two emails to test how Chown employees would respond when a phishing email showed up in their inboxes.

“A lot of people think, ‘I’ll never fall for these phishing emails,’ but I’ve even fallen for some of them,” Westin said.

Both of Westin’s test emails were harmless but allowed him to monitor whether a recipient clicked on the links. Hackers often try to lure people into clicking on email links to get access to computer networks.

Unlike a real hacker, our emails didn’t include any malware. We assured the bosses at Chown this was a test to see how many people clicked, not get anyone in trouble. They were involved in every step of our process.

“People always think hacking is very technical. But we always find, especially in security, that humans are the weakest link,” said Westin.

Chown’s 100 employees had no idea our fake phishing emails were coming.

The first email claimed to be from a new food cart in the neighborhood.

“Grand Opening: Free Speedy Burritos for Chown Employees!” read the subject line of the email. We included a link to receive a coupon good for a free burrito. (note: KGW blurred the faces and emails for this article, but not in the email sent to employees.)

22 of the 100 employees clicked on the link. All they saw was an error message, but those employees would have been vulnerable in a real attack.

The next email, sent a few days later, was more sophisticated. It appeared to come from the company’s human resources department.

The subject line read: “Update Contact Details for Company Directory.” The email instructed employees to click on a link to make sure their contact information was correct.

More than half of the recipients – 56 out of 100 workers – clicked on the fake directory link.

“Anything that is HR or financial related, be suspicious. Don’t ever click on those links,” said Westin. “It would be better to give a call to HR and verify, ‘Are you guys actually asking for this type of information?’”

Both emails included clues that they weren’t legitimate. Our goal was to mimic the techniques hackers use in the real world.

The burrito email featured a poorly executed Photoshop job on the sign on the food cart.

As one astute Chown employee noted, the picture also showed a pizza, not a burrito.

“I’ve never seen a burrito like this before in my life. Must be some kind of fusion cart,” the employee wrote to all his co-workers.

Another employee fired off a company-wide email warning people to not click.

“Please be careful in what you click,” the employee wrote. “Slow down and be alert.”

“We had an employee who caught on rather quickly and sent out an email to the whole company saying, ‘Don’t click on this. It doesn’t look right,” explained Kyle Chown, commercial division manager for Chown Hardware.

The directory email featured one big clue that mimics a tactic hackers often use: it came from a fake domain that was similar to the real Chown website.

Our email came from it@chown.co and instructed people to click on “employeedirectory.chown.co.” The company’s real domain is chown.com.

“We actually registered a domain that looks very similar to the organization and we’re going to make it look like it is coming from inside the company,” Westin explained. He turned over the .co domain to the company after the test.

Several employees sent the suspicious emails to the company’s IT department.

While this was only a test, it illustrates how cybercriminals operate. They’re clever.

“A lot of times they do their homework,” explained Westin. “They know a lot about the individuals so when they craft these emails they make them very convincing.”

These steps can help you avoid a phishing attack:

  • Use trusted security software and set it to update automatically. In addition, use these computer security practices.
  • Don't email personal or financial information. Email is not a secure method of transmitting personal information.
  • Only provide personal or financial information through an organization's website if you typed in the web address yourself and you see signals that the site is secure, like a URL that begins https (the "s" stands for secure). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
  • Review credit card and bank account statements as soon as you receive them to check for unauthorized charges. If your statement is late by more than a couple of days, call to confirm your billing address and account balances.
  • Be cautious about opening attachments and downloading files from emails, regardless of who sent them. These files can contain viruses or other malware that can weaken your computer's security.

(Source: Federal Trade Commission)

Published May 23, 2017

Before You Leave, Check This Out