28 March 2017

JPMorgan dupes 20% of staff into opening fake phishing email

21 December 2015  |  20921 views  |  6 comments

Just weeks after US prosecutors unveiled charges over the theft of data on millions of its customers, JPMorgan sent a fake phishing email to all employees to test their reaction. You can probably guess what happened next.

It's an old axiom that the biggest threat to information security comes from the inside. In JPMorgan's case the simulated threat was made to look as if it came from external actors, yet a massive 20% of staff clicked on the fake phishing email, according to the Wall Street Journal. In a real attack, that click could have delivered a malicious payload to an employee workstation inside the bank's network, past the perimeter controls built to keep outsiders out.

In November, US prosecutors unveiled charges against three men accused of hacking into a host of major financial institutions, including JPMorgan Chase, and stealing the data of millions of people. Prosecutors described the JPMorgan hack - which resulted in the leaking of information from 76 million US households - as the "largest theft of customer data from a US financial institution in history".

JPMorgan has since vowed to double its cybersecurity budget over the next two years, raising its annual spend to $500 million, up from the $250 million outlay in 2014.

However, the results of the phishing simulation demonstrate just how hard it is to defend a network at the perimeter alone against a determined hacking crew: a single employee acting on a convincing email hands the attacker a foothold inside, whatever the firewall blocks.

JPMorgan is not alone in running such simulated attacks, says the WSJ, pointing to the tactics employed by Canada's TD Bank, where a click on the bogus email opens a pop-up to a video on the importance of sustained vigilance in protecting the bank's data assets.
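The simulations described above only produce a figure like "20% clicked" if every click can be attributed to one recipient and forged or replayed links can be thrown out. The following is an added example, not code from JPMorgan, TD Bank or the WSJ, showing one way to do that: each employee gets a link carrying an HMAC token bound to the campaign and the user, the landing page verifies the token before it counts the click (and before it shows the training video), and the click rate is computed over unique verified clickers. The campaign key, landing host, staff list and click log are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed inputs (assumptions for this example, not real values).
CAMPAIGN_KEY = b"campaign-2015-12-21-secret"  # per-campaign secret kept server side
STAFF = ["alice", "bob", "carol", "dave", "erin"]  # constructed staff list
LANDING = "https://awareness.example.internal/training"  # assumed landing page


def make_token(campaign_id: str, user: str, key: bytes = CAMPAIGN_KEY) -> str:
    """HMAC-SHA256 over campaign and user, truncated to 128 bits.

    Binding the token to both fields means a link cannot be forged without the
    key and cannot be edited to pin a click on a different employee.
    """
    msg = f"{campaign_id}|{user}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def make_link(campaign_id: str, user: str) -> str:
    """Per-recipient tracking link embedded in the simulated phishing mail."""
    return f"{LANDING}?c={campaign_id}&u={user}&t={make_token(campaign_id, user)}"


def verify_click(url: str, key: bytes = CAMPAIGN_KEY):
    """Return (campaign, user) for a genuine simulation link, else None.

    Missing parameters, tampered users and unknown campaigns all fail the
    constant-time comparison and are discarded rather than counted.
    """
    q = parse_qs(urlparse(url).query)
    try:
        c, u, t = q["c"][0], q["u"][0], q["t"][0]
    except (KeyError, IndexError):
        return None
    # compare_digest only accepts ASCII str; reject anything else up front.
    if not t.isascii() or not hmac.compare_digest(t, make_token(c, u, key)):
        return None
    return c, u


def click_rate(campaign_id: str, staff: list, click_log: list):
    """Fraction of staff with at least one verified click, plus who they were.

    Repeat clicks by the same person count once: the metric is 'how many
    people fell for it', not 'how many times the link was hit'.
    """
    clickers = set()
    for url in click_log:
        parsed = verify_click(url)
        if parsed and parsed[0] == campaign_id and parsed[1] in staff:
            clickers.add(parsed[1])
    return len(clickers) / len(staff), sorted(clickers)


# Constructed click log: two genuine clickers, one repeat, one tampered link
# (user rewritten from alice to carol, so the token no longer matches) and
# one click on a link from an older campaign.
SAMPLE_CLICK_LOG = [
    make_link("c1", "alice"),
    make_link("c1", "bob"),
    make_link("c1", "bob"),
    make_link("c1", "alice").replace("u=alice", "u=carol"),
    make_link("c0", "dave"),
]

if __name__ == "__main__":
    rate, who = click_rate("c1", STAFF, SAMPLE_CLICK_LOG)
    print(f"click rate {rate:.0%}, clickers {who}")
```

Run stand-alone, the constructed log yields a 40% click rate attributed to alice and bob only; the tampered link and the stale-campaign link are dropped. The same token check is what lets the landing page show the training pop-up only to people who actually received the simulated mail, rather than to anyone who stumbles across the URL.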

Comments: (6)

Andrew Miller - Net Effect Ltd - London | 21 December, 2015, 17:57

Something doesn't add up here. Many would be astonished if, with a 250mn+ spend, JPM's security is so lax that the download of a malicious payload would have passed through the firewall(s). Even if it had not been blocked, surely anti-malware and PC lock-down would have prevented it running. If that is not the case, then I'd suggest that the $1000+ per employee per annum on cybersecurity could be spent more effectively.

Herbert Beyenbach - HB Consulting Inc - BOCA RATON | 21 December, 2015, 21:54

Andrew: I would assume that for this test, the phishing messages were most likely sent from inside the firewalls. If not, JPM has a much bigger problem.

Giovanni Amietta - Accenture - Milan | 22 December, 2015, 07:39

I believe this type of test is meant to check the "social" vulnerability rather than the technical one... Humans are often the weakest element in the security chain...

A Finextra member | 22 December, 2015, 09:42

Most of us have heard again and again that the user is the biggest threat. I simply don't agree. We need to design systems that remove security decisions from the users. For example: attachments are supposed to be clicked on. So why design a system where security breaks down if the user clicks on one?

This is another entry in a long list of examples that prove that user education consistently fails to deliver security. It does not work - it is expensive and it's time to rethink client side security.

Andrew Miller - Net Effect Ltd - London | 22 December, 2015, 12:32

@Herbert. That was one of the bits that didn't add up. "the simulated threat emanated from external actors" - presumably outside the firewalls. That plus "would have downloaded a malicious payload directly onto the bank's networks" suggest that you are correct.  I'd be worried if basic measures such as mentioned by Bjorn weren't in place :-)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 22 December, 2015, 16:52

Well said @BjornSoland. User education fails to deliver. Not just security. I for one have never believed that if people went thru' financial literacy training or used money management apps, they'd suddenly become more thrifty or investment ninjas or whatever. Money is something basic. "Earn more, spend less" should be all the lesson people need! But that's only me!


Related stories

US prosecutors lay out charges connected to huge JPMorgan hack (10 November 2015)
JPMorgan Chase to double cybersecurity spending (05 August 2015)
Fraud arrests linked to JPMorgan hack (22 July 2015)
JPMorgan staffer gets six years jail time for ID theft scam (15 May 2015)
Ex-JPMorgan staffer charged with selling customer account info (01 May 2015)
Staples investigates data breach; Moscow cleared of JPMorgan hack (21 October 2014)
JPMorgan denies hacking report (02 October 2014)
JPMorgan yet to detect rise in fraud from recent cyber-attack (12 September 2014)
