JPMorgan dupes 20% of staff into opening fake phishing email

JPMorgan dupes 20% of staff into opening fake phishing email

Just weeks after falling victim to a massive cyber theft of customer assets, JPMorgan sent a fake phishing email to all employees to test their reaction. You can probably guess what happened next.

It's an old axiom that the biggest threat to information security comes from the inside. In JPMorgan's case, while the simulated threat emanated from external actors, a massive 20% of staff clicked on the fake phishing email, according to the Wall Street Journal. In a real-life situation such an action would have downloaded a malicious payload directly onto the bank's networks.

In November, US prosecutors unveiled charges against three men accused of hacking into a host of major financial institutions, including JPMorgan Chase, and stealing the data of millions of people. Prosecutors described the JPMorgan hack - which resulted in the leaking of information from 76 million US housholds - as the "largest theft of customer data from a US financial institution in history".

JPMorgan has since vowed to double its cybersecurity budget over the next two years, raising its annual spend to $500 million, up from the $250 million outlay in 2014.

However, the results of the phishing simulation demonstrate just how difficult it is to run an effective perimeter defence against a determined hacking crew.

JPMorgan is not alone in running such simulated attacks, says the WSJ, pointing to the tactics employed by Canada's TD Bank, where a click on the bogus email opens a pop-up to a video on the importance of sustained vigilance in protecting the bank's data assets.

Comments: (6)

Andrew Miller
Andrew Miller - Net Effect Ltd - London 21 December, 2015, 17:572 likes 2 likes

Something doesn't add up here. Many would be astonished if, with a 250mn+ spend, JPM's security is so lax that a the download of a malicious payload would have passed through the firewall(s).  Even if it had not been blocked, surely anti-malware and pc lock-down would have prevented it running. If that is not the case, then I'd suggest that the $1000+ per employee per annum on cybersecurity could be spent more effectively.

Herbert Beyenbach
Herbert Beyenbach - HB Consulting Inc - BOCA RATON 21 December, 2015, 21:54Be the first to give this comment the thumbs up 0 likes

Andrew: I would assume that for this test, the phishing messages were most likely sent from inside the firewalls. If not, JPM has a much bigger problem.

Giovanni Amietta
Giovanni Amietta - Accenture - Milan 22 December, 2015, 07:39Be the first to give this comment the thumbs up 0 likes

I believe this type of tests are meant to check the "social" vulnerability rather than the technical one... Humans are often the weakest element in the security chain...

A Finextra member
A Finextra member 22 December, 2015, 09:421 like 1 like

Most of us have heard again and again that the user is the biggest threat. I simply don't agree. We need to design systems that removes security decisions from the users. For example: Attachments are supposed to be clicked on.. So why design a system where security brakes down if the user clicks on it?

This is another entry in a long list of examples that proves that user education consistently fails to deliver security. It does not work - it is expensive and its time to rethink client side security.

 

Andrew Miller
Andrew Miller - Net Effect Ltd - London 22 December, 2015, 12:32Be the first to give this comment the thumbs up 0 likes

@Herbert. That was one of the bits that didn't add up. "the simulated threat emanated from external actors" - presumably outside the firewalls. That plus "would have downloaded a malicious payload directly onto the bank's networks" suggest that you are correct.  I'd be worried if basic measures such as mentioned by Bjorn weren't in place :-)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 22 December, 2015, 16:52Be the first to give this comment the thumbs up 0 likes

Well said @BjornSoland. User education fails to deliver. Not just security. I for one have never believed that if people went thru' financial literacy training or used money management apps, they'd suddenly become more thrifty or investment ninjas or whatever. Money is something basic. "Earn more, spend less" should be all the lesson people need! But that's only me!

sponsored

Featured Job
All Jobs »