JPMorgan dupes 20% of staff into opening fake phishing email

Just weeks after falling victim to a massive cyber theft of customer assets, JPMorgan sent a fake phishing email to all employees to test their reaction. You can probably guess what happened next.

6 comments

JPMorgan dupes 20% of staff into opening fake phishing email

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

It's an old axiom that the biggest threat to information security comes from the inside. In JPMorgan's case, while the simulated threat emanated from external actors, a massive 20% of staff clicked on the fake phishing email, according to the Wall Street Journal. In a real-life situation such an action would have downloaded a malicious payload directly onto the bank's networks.

In November, US prosecutors unveiled charges against three men accused of hacking into a host of major financial institutions, including JPMorgan Chase, and stealing the data of millions of people. Prosecutors described the JPMorgan hack - which resulted in the leaking of information from 76 million US housholds - as the "largest theft of customer data from a US financial institution in history".

JPMorgan has since vowed to double its cybersecurity budget over the next two years, raising its annual spend to $500 million, up from the $250 million outlay in 2014.

However, the results of the phishing simulation demonstrate just how difficult it is to run an effective perimeter defence against a determined hacking crew.

JPMorgan is not alone in running such simulated attacks, says the WSJ, pointing to the tactics employed by Canada's TD Bank, where a click on the bogus email opens a pop-up to a video on the importance of sustained vigilance in protecting the bank's data assets.

Sponsored [Webinar] Preventing disaster: How banks can address operational resilience to prepare for global outages

Comments: (6)

Andrew Miller

Andrew Miller Managing Director at Net Effect Ltd

Something doesn't add up here. Many would be astonished if, with a 250mn+ spend, JPM's security is so lax that a the download of a malicious payload would have passed through the firewall(s).  Even if it had not been blocked, surely anti-malware and pc lock-down would have prevented it running. If that is not the case, then I'd suggest that the $1000+ per employee per annum on cybersecurity could be spent more effectively.

Herbert Beyenbach

Herbert Beyenbach Senior Consultant at HB Consulting Inc

Andrew: I would assume that for this test, the phishing messages were most likely sent from inside the firewalls. If not, JPM has a much bigger problem.

A Finextra member 

I believe this type of tests are meant to check the "social" vulnerability rather than the technical one... Humans are often the weakest element in the security chain...

A Finextra member 

Most of us have heard again and again that the user is the biggest threat. I simply don't agree. We need to design systems that removes security decisions from the users. For example: Attachments are supposed to be clicked on.. So why design a system where security brakes down if the user clicks on it?

This is another entry in a long list of examples that proves that user education consistently fails to deliver security. It does not work - it is expensive and its time to rethink client side security.

 

Andrew Miller

Andrew Miller Managing Director at Net Effect Ltd

@Herbert. That was one of the bits that didn't add up. "the simulated threat emanated from external actors" - presumably outside the firewalls. That plus "would have downloaded a malicious payload directly onto the bank's networks" suggest that you are correct.  I'd be worried if basic measures such as mentioned by Bjorn weren't in place :-)

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Well said @BjornSoland. User education fails to deliver. Not just security. I for one have never believed that if people went thru' financial literacy training or used money management apps, they'd suddenly become more thrifty or investment ninjas or whatever. Money is something basic. "Earn more, spend less" should be all the lesson people need! But that's only me!

[Webinar] Global Workforce Payments: Mastering a world of complexityFinextra Promoted[Webinar] Global Workforce Payments: Mastering a world of complexity