The results of an actual, recent phishing attack were shared with Amway employees:
We all know that the InfoSafe team is sending out phishing tests to train us to be on the lookout for real cyber attacks. September was an unusual month. Not only did the InfoSafe team send out two phishing tests because of a technical error with the first test, but we also received a real threat.
On Monday, September 18, approximately 350 Amway employees across the globe received a spear-phishing attempt — an email claiming to be from Doug DeVos and containing a PDF attachment, which asked users to click on a link in order to view a secure online document.
The link actually led to a website which asked the user to download a file to read an important message from Doug. This document asked for a username and password in order to open it.
This phishing scam and the associated website were designed to steal users’ credentials once
So, how did we react to a real phishing attack?
• 43 people reported the email with the Phish Alert button within the first four hours.
• 160 people clicked on the link within the PDF file.
• 2 users actually entered data on this website.
Because some employees reported the email to Information Security & Risk right away, that team was able to investigate the email origins, and block the link through our firewall within the first four hours, not allowing any additional users to access the malicious website. The two employees who gave their information were instructed to change their passwords immediately. And further investigation showed that no malicious payload was within the PDF attachment, limiting our exposure to risk.
In other words, we got lucky … this time.
See what the users should have noticed in this real attack on the next page, and then read on to see how our phishing tests are preparing us for similar attacks.
About half the employees fell for the phish. I’ll bet they wish half the prospects being shown the Amway marketing plan fell for Amway, or the company wouldn’t be shrinking like it has been for the past few years. However, the internet will not allow that to happen. Just more proof that the internet can be used for good (educating people about Amway and other MLM scams) or bad (phishing).