It is quicker than many people admit: once you trust a wrong email and hackers or criminals have already opened the doors to your own email account, your computer or even your account. The company Gitlab wanted to check the vulnerability of its own employees and set them a phishing trap. A whole 20 percent fell for it. That should have been surprising at Gitlab. After all, it is not a question of technically inexperienced employees in a non-specialist field such as insurance or a craft company. Gitlab is a software company. A basic understanding of the dangers would have been expected from the programmers.
A Macbook Pro as bait
And indeed: Out of 50 randomly selected employees who received one of the emails, 17, i.e. more than a third, clicked on the link. Ten of them even entered their account details. Only the smallest part of the involuntary test participants was skeptical: only six employees reported the email to the IT department as suspicious.
But while the consequences of a real phishing attack could have been dramatic, they remained relatively minor when hacking yourself. The employees who actually entered their log-in data were only forwarded to the internal manual with security guidelines. Even the passwords were not saved, the fake page only logged e-mail and username of the junkie.
In fact, they could have noticed the attack. Numerous clues were hidden in the phishing email to make the trap recognizable. So the emails came from a similar but not identical address as company emails. The employees had received no other indication of an upcoming hardware upgrade, so they could have been taken aback. Mainly because the notebook mentioned in the mail was older than the models that were used by most employees. Then there were numerous technical warning signals, such as in the source code, which experienced employees could also have seen. The employees do not seem to fear special punishments. According to Gitlab, the main purpose of the action was to raise awareness of the possibility of an attack.