Even Highly Trained Employees Can Get Phished: Ipcos

Where phishing is concerned, things can move quickly – for better or for worse. Ipcos, a provider of engineering services, experienced this first-hand in August 2020.

After one employee fell victim to a phishing attack, all colleagues quickly received suspicious e-mails seemingly coming from the hacked person. However, the breach was quickly identified, the hacker was intercepted and neutralised before any data could be leaked, and the company was left with the conclusion that the damage was very limited – although it could have been much worse.

“At that point, fortunately, alarm bells went off in management,” says Bjorn Vandecraen, APC Technology Developer at Ipcos. “The realisation that our staff could use more information and guidance grew rapidly. Not long after, we were approached by Phished and soon started running regular simulations to train our staff in cybersecurity.”

As quickly as it went wrong, it went the other way: Ipcos achieved remarkable gains in cyber awareness in just four months. After the initial baseline measurement, in which 45% of all employees were caught making a mistake, that number had already dropped to 13% by February 2021. “And this time the difficulty was even higher,” says Vandecraen. “Information that only an insider could have had was being studied, which of course created a sense of reliability. Yet we saw many people had the right reflex not to act on it.”

However, during the baseline measurement, the decision was made to warn all employees a few days in advance that a phishing test was imminent. Proof that anyone, regardless of position or qualifications, is susceptible to phishing? “I think it has a lot to do with awareness,” says Peter Van Overschee, CEO of Ipcos. “The topic was known to everyone, but it was never really an issue. Today, we notice that there is much more talk about it and that people are more careful with every e-mail: every message is now carefully screened.”

“After the initial shock effect, everyone is now more aware of the consequences of phishing,” says Van Overschee, “although we make sure that everyone retains the necessary self-confidence to deal with legitimate messages. The last thing we want is for our people to stop opening e-mails because they are too suspicious. That's why we work with a positive approach, where someone who falls for a simulation is never disgraced.”

“This approach helps to make the topic open to discussion and still keep things motivating,” agrees Vandecraen. “We do inform our people about general figures per department, for example, but all other figures remain anonymous, for management as well. Our message is that there is room for improvement and we don’t want to promote a punitive culture. We received very good responses to that.”

Besides reporting, the simulations were the main eye-opener. Van Overschee: “We once had to deal with CEO fraud: someone pretending to be me tried to embezzle large sums of money through social engineering and typosquatting (phishing where a proper name is changed slightly, e.g. Ipcas instead of Ipcos). At the time, everyone was shocked for a moment, but apparently human memory is not capable of maintaining that vigilance after all.”

"By regularly coming into contact with possible phishing messages, we notice that everyone is now always alert and can spot the dangers," says Van Overschee. "We already had two-step verification and regularly discussed phishing during meetings, but it is clearly the frequent contact with simulations that makes the biggest difference."

After several incidents with real phishing attacks, it was decided to set up a structural training and coaching program for the 70 employees of Ipcos. After only four months on the Phished platform, cyber awareness had already increased significantly and the number of successful phishing attempts has decreased.

Ipcos opted for a positive and constructive approach towards employees, with guidance at the centre. Employees do not receive a personal follow-up, but they do have an overview of the company's general score. This ensures a culture in which cybersecurity is ‘alive’ as a topic and everyone is committed to doing better.