Just weeks after falling victim to a massive cyber theft of customer assets, JPMorgan sent a fake phishing email to all employees to test their reaction. You can probably guess what happened next.
It's an old axiom that the biggest threat to information security comes from the inside. In JPMorgan's case, while the simulated threat emanated from external actors, a massive 20% of staff clicked on the fake phishing email, according to the Wall Street Journal. In a real-life situation such an action would have downloaded a malicious payload directly onto the bank's networks.
In November, US prosecutors unveiled charges against three men accused of hacking into a host of major financial institutions, including JPMorgan Chase, and stealing the data of millions of people. Prosecutors described the JPMorgan hack - which resulted in the leaking of information from 76 million US housholds - as the "largest theft of customer data from a US financial institution in history".
JPMorgan has since vowed to double its cybersecurity budget over the next two years, raising its annual spend to $500 million, up from the $250 million outlay in 2014.
However, the results of the phishing simulation demonstrate just how difficult it is to run an effective perimeter defence against a determined hacking crew.
JPMorgan is not alone in running such simulated attacks, says the WSJ, pointing to the tactics employed by Canada's TD Bank, where a click on the bogus email opens a pop-up to a video on the importance of sustained vigilance in protecting the bank's data assets.